[97999] in North American Network Operators' Group
Re: How should ISPs notify customers about Bots (Was Re: DNS Hijacking
daemon@ATHENA.MIT.EDU (Sean Donelan)
Mon Jul 23 13:43:38 2007
Date: Mon, 23 Jul 2007 12:42:22 -0400 (EDT)
From: Sean Donelan <sean@donelan.com>
To: Joe Greco <jgreco@ns.sol.net>
cc: nanog@merit.edu
In-Reply-To: <200707231602.l6NG263j047043@aurora.sol.net>
Errors-To: owner-nanog@merit.edu
On Mon, 23 Jul 2007, Joe Greco wrote:
> So how do you connect to the real IRC server, then? Remember that most
> end users are not nslookup-wielding shell commandos who can figure out
> whois and look up the IP.
If those users are so technically unsophisticated, do you really expect
the other users with infected computers to figure out how to disinfect
their computer and remove the Bots instead?
So you have potentially tens of thousands of infected computers with Bots
making connections to an IRC server. You know many of those bots are
well-known, old bots that have built-in removal commands. But 99% of
those users don't have the technical knowledge to clean their machine
themselves or know what a Bot is. On the other hand, you have 1% of users
are sophisticated enough to use IRC servers. And a few percentage of
overlap between the two groups.
What do you do?
a. nothing
b. terminate tens of thousands of user accounts (of users who are mostly
"innocent" except their computer was compromised)
c. block all IRC
d. redirect IRC connections to a few servers known to be used by Bots
e. something else
