How should ISPs notify customers about Bots (Was Re: DNS Hijacking
Sean Donelan
sean at donelan.com
Mon Jul 23 21:22:25 UTC 2007
On Mon, 23 Jul 2007, Joe Greco wrote:
>> Would it be better if ISPs just blackholed certain IP addresses associated
>> with Bot C&C servers instead of trying to give the user a message. That
>> doesn't require examining the data content of any messages. The user just
>> gets a connection timeout.
>
> Compared to hijacking DNS and intercepting sessions? Yes. Absolutely.
> See, it isn't that hard to come up with better ideas.
That's what Verizon was doing. Guess what. People complained about it
too.
> Interestingly enough, some of us care. Some of us care enough to run clean
> networks AND to make sure that what we're selling isn't compromised by
> deliberate DNS hijackings and site redirections.
But do include things like patching servers to filter messages that
contain certain strings which might accidentally catch a legitimate message
on occasion. People probably complain about those things too.

It sucks when you are the one that gets caught by a false positive.
Unfortunately, every attempt at anti-abuse systems has experienced it
at one time or another. Probably even some of the things you've done
over the years trying to run a clean network have accidentally made a
mistake.