How should ISPs notify customers about Bots (Was Re: DNS Hijacking )

Chris L. Morrow christopher.morrow at verizonbusiness.com
Tue Jul 24 21:15:57 UTC 2007




On Tue, 24 Jul 2007, Paul Ferguson wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> - -- Christopher Morrow <christopher.morrow at verizonbusiness.com> wrote:
>
> >I'd love to see CPE dsl/cable-modem providers integrate with a 'service'
> >that lists out 'bad' things. it'd be nice if the user could even tailor
> >that list (just C&C or C&C + child-porn or C&C older not than X
> >days/hours/minutes) ... I think it might even help, and be vendor
> >agnostic (from a provider and hardware) perspective.
>
> Ironically, that is exactly part of a product announcement that
> we (Trend Micro) are making on 30 July.

neat, if only our marketing folks would see such benefits :( good for
you! :)

>
> Since this topic arose, I saw Trend mentioned as a possible
> product "culprit" in this scenario, but it isn't. Yet. :-)

not a culprit so much as a way that this sort of dns redirection could
have been done, in a vendor supplied/supported device even.

>
> The particular service to be announced on Monday (BIS, or Botnet
> Identification Service), is nothing more than a BGP feed of _known_
> and _vetted_ botnet C&Cs as /32s, intended to be a black-hole feed.
>
> Interested folks should either e-mail me off-list, or just wait for
> the official announcement on 30 July.
>

note that this will take out vhost systems... unless they are vetted off
the list, which is certainly possible of course.
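Added example, not part of the original post or of the announced service: a pre-import check for a /32 black-hole feed that holds back any address also serving other hostnames (the vhost concern raised above) and rejects anything that is not a single host route. The feed entries, the passive-DNS mapping, the known-bad hostname set and the function name `triage_feed` are all constructed assumptions.

```python
import ipaddress

# Constructed sample data (documentation address ranges, made-up hostnames).
FEED = ["192.0.2.10/32", "198.51.100.7/32", "203.0.113.0/24", "192.0.2.44/32"]
# Hypothetical passive-DNS view: IP -> hostnames recently seen resolving to it.
PDNS = {
    "192.0.2.10": {"cc1.example.net"},
    "198.51.100.7": {"shop.example.org", "blog.example.com", "cc2.example.net"},
}
KNOWN_BAD = {"cc1.example.net", "cc2.example.net"}


def triage_feed(feed, pdns, known_bad):
    """Split a /32 black-hole feed into accept / review / reject lists.

    accept: host route whose only observed names are known-bad
    review: host route that also serves other names (shared vhost box)
            or has no DNS data at all
    reject: anything that is not a single IPv4 host route
    """
    result = {"accept": [], "review": [], "reject": []}
    for entry in feed:
        try:
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError:
            result["reject"].append((entry, "unparseable"))
            continue
        if net.version != 4 or net.prefixlen != 32:
            result["reject"].append((entry, "not a /32"))
            continue
        ip = str(net.network_address)
        names = pdns.get(ip, set())
        bystanders = sorted(names - known_bad)
        if not names:
            result["review"].append((ip, "no DNS data"))
        elif bystanders:
            result["review"].append((ip, "co-hosted: " + ", ".join(bystanders)))
        else:
            result["accept"].append(ip)
    return result


if __name__ == "__main__":
    for bucket, items in triage_feed(FEED, PDNS, KNOWN_BAD).items():
        print(bucket, items)
```

Only the `accept` bucket would be installed as null routes; the `review` bucket is the set that needs vetting before it goes on or off the list.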


