[118045] in North American Network Operators' Group
Re: Dutch ISPs to collaborate and take responsibility
daemon@ATHENA.MIT.EDU (Michael Painter)
Fri Oct 9 23:27:18 2009
From: "Michael Painter" <tvhawaii@shaka.com>
To: "Lee" <ler762@gmail.com>,
<nanog@nanog.org>
Date: Fri, 9 Oct 2009 17:26:30 -1000
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
Lee wrote:
> If an ISP is involved with tracking down DDOS participants or
> something, I can understand how they'd know a system was compromised.
> But any kind of blocking because the ISP sees 'anomalous' traffic
> seems .. premature at best. SANS newsbites has this bit:
> On Thursday, October 8, Comcast began testing a service that alerts its
> broadband subscribers with pop-ups if their computers appear to be
> infected with malware. Among the indicative behaviors that trigger
> alerts are spikes in overnight traffic, suggesting the machine has been
> compromised and is being used to send spam.
>
> When my son comes home from college, there's a huge spike in overnight
> traffic from my house. With all the people advocating immediate
> blocking of pwned systems in this thread, I'm wondering what their
> criteria is for deciding that the system is compromised & should be
> blocked.
>
> Lee
Some info here (from http://networkmanagement.comcast.net/ ):
5. Detection of Bots
http://tools.ietf.org/html/draft-oreirdan-mody-bot-remediation-03
http://tools.ietf.org/html/draft-livingood-web-notification-00
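The "overnight traffic spike" heuristic quoted above, as an added toy illustration that is not Comcast's code nor anything from the linked drafts: it builds a per-hour baseline from constructed hourly byte counts and flags overnight hours that exceed it, and it shows Lee's concern directly, since a spambot and a night-owl college student trip the same rule. The data, thresholds and function names are all assumptions.

```python
from statistics import median

def baseline_profile(days):
    """Per-hour (median, MAD) over baseline days; each day is 24 hourly MB counts."""
    prof = []
    for h in range(24):
        vals = [d[h] for d in days]
        m = median(vals)
        mad = median(abs(v - m) for v in vals) or 1.0  # guard against zero spread
        prof.append((m, mad))
    return prof

def overnight_spike_hours(day, prof, overnight=range(1, 6), k=5.0):
    """Hours in the overnight window whose traffic exceeds median + k * MAD."""
    return [h for h in overnight if day[h] > prof[h][0] + k * prof[h][1]]

def classify(day, prof):
    """'spike' if any overnight hour is anomalous, else 'normal'.
    Traffic volume alone cannot tell a spam bot from a legitimate user,
    which is why a spike should be one indicator among several."""
    return "spike" if overnight_spike_hours(day, prof) else "normal"

# Constructed baseline: seven days of quiet nights (2-4 MB/h) and busy days (20-26 MB/h).
BASELINE_DAYS = [[2 + (d % 3)] * 6 + [20 + d] * 18 for d in range(7)]
PROF = baseline_profile(BASELINE_DAYS)

def make_day(night_mb, day_mb):
    """Constructed test day: hour 0 quiet, hours 1-5 at night_mb, rest at day_mb."""
    return [2] + [night_mb] * 5 + [day_mb] * 18

DAY_SPAMBOT = make_day(150, 22)   # machine sending spam all night
DAY_SON_HOME = make_day(40, 22)   # college student gaming/streaming all night
DAY_QUIET = make_day(3, 22)       # ordinary night

if __name__ == "__main__":
    for name, day in [("spambot", DAY_SPAMBOT), ("son home", DAY_SON_HOME), ("quiet", DAY_QUIET)]:
        print(f"{name:9s} -> {classify(day, PROF):6s} hours={overnight_spike_hours(day, PROF)}")
```

Both the bot day and the son-home day come out as "spike", so a notification or block keyed to this rule alone would hit the legitimate subscriber as well.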