[98024] in North American Network Operators' Group
Re: How should ISPs notify customers about Bots (Was Re: DNS Hijacking
daemon@ATHENA.MIT.EDU (Joe Greco)
Mon Jul 23 17:39:53 2007
From: Joe Greco <jgreco@ns.sol.net>
To: sean@donelan.com (Sean Donelan)
Date: Mon, 23 Jul 2007 15:35:11 -0500 (CDT)
Cc: nanog@merit.edu
In-Reply-To: <Pine.GSO.4.64.0707231617550.4495@clifden.donelan.com> from "Sean Donelan" at Jul 23, 2007 04:31:19 PM
Errors-To: owner-nanog@merit.edu

> On Mon, 23 Jul 2007, Joe Greco wrote:
> >> Although this seems to be the first big mistake in over two years, does
> >> that make the practice unacceptable as another tool to respond to Bots?
> >
> > The practice of blocking public EFnet servers?
>
> As I've said multiple times, sometimes mistakes happen and the wrong
> things end up on a list. I doubt that was the intent.
>
> Many people have suggested blocking C&C servers used by bots over the
> years.

There's a difference between blocking actual C&C servers and blocking
general IRC servers that are incidentally being used as C&C servers.

> > Yes, when there are better solutions to the problem at hand.
>
> Please enlighten me.

Intercept and inspect IRC packets. If they join a botnet channel, turn on
a flag in the user's account. Place them in a garden (no IRC, no nothing,
except McAfee or your favorite AV/patch set).

Wow, I didn't even have to strain myself.

... JG
--
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.
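
The approach suggested in the message above (inspect IRC traffic, flag the account when it joins a botnet channel, then place it in a walled garden), sketched as an added example that is not part of the original post. The watchlist, lease table, host names, channel names and account ids are hypothetical, constructed sample data; matching is on the (server, channel) pair so other users of the same public IRC server are not flagged.

```python
# Added illustration; every name, IP and account id below is constructed sample data.
# (server, channel) pairs reported as botnet C&C: a hypothetical watchlist.
CNC_CHANNELS = {("irc.example.net", "#cmd-x1"), ("irc.example.net", "&ctl")}

# Source IP -> subscriber account, as a DHCP/RADIUS lookup would supply (hypothetical).
LEASES = {"10.0.0.5": "acct-1001", "10.0.0.9": "acct-1002"}

# RFC 1459 casemapping: {}|~ are the lowercase forms of []\^.
_FOLD = str.maketrans("[]\\^", "{}|~")


def fold(name):
    """Case-fold a channel name the way RFC 1459 servers compare them."""
    return name.lower().translate(_FOLD)


def joined_channels(line):
    """Return channels named in one client-to-server IRC line, or [] if not a JOIN."""
    line = line.rstrip("\r\n")
    if line.startswith(":"):                 # optional ":prefix " before the command
        _, _, line = line.partition(" ")
    parts = line.split()
    if len(parts) < 2 or parts[0].upper() != "JOIN":
        return []
    chans = parts[1].lstrip(":")             # "JOIN #a,#b key1,key2": keys are ignored
    return [fold(c) for c in chans.split(",") if c.startswith(("#", "&"))]


def flag_accounts(events, watchlist=CNC_CHANNELS, leases=LEASES):
    """events: (src_ip, server, raw_line) -> {account: set of matched (server, channel)}."""
    watch = {(s.lower(), fold(c)) for s, c in watchlist}
    flagged = {}
    for src_ip, server, raw in events:
        for chan in joined_channels(raw):
            key = (server.lower(), chan)
            if key in watch and src_ip in leases:
                flagged.setdefault(leases[src_ip], set()).add(key)
    return flagged


# Constructed capture: one bot join, one ordinary user on the same public server.
SAMPLE = [
    ("10.0.0.5", "irc.example.net", "NICK xk3921\r\n"),
    ("10.0.0.5", "irc.example.net", "JOIN #CMD-X1 s3cret\r\n"),
    ("10.0.0.9", "irc.example.net", "JOIN #nanog,#linux\r\n"),
]

if __name__ == "__main__":
    for account, hits in flag_accounts(SAMPLE).items():
        print(account, "-> walled garden:", sorted(hits))
```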