[98034] in North American Network Operators' Group
Re: How should ISPs notify customers about Bots (Was Re: DNS Hijacking
daemon@ATHENA.MIT.EDU (Sean Donelan)
Mon Jul 23 18:45:34 2007
Date: Mon, 23 Jul 2007 17:22:25 -0400 (EDT)
From: Sean Donelan <sean@donelan.com>
To: Joe Greco <jgreco@ns.sol.net>
cc: nanog@merit.edu
In-Reply-To: <200707232106.l6NL6w8n073363@aurora.sol.net>
Errors-To: owner-nanog@merit.edu

On Mon, 23 Jul 2007, Joe Greco wrote:
>> Would it be better if ISPs just blackholed certain IP addresses associated
>> with Bot C&C servers instead of trying to give the user a message. That
>> doesn't require examining the data content of any messages. The user just
>> gets a connection timeout.
>
> Compared to hijacking DNS and intercepting sessions? Yes. Absolutely.
> See, it isn't that hard to come up with better ideas.

That's what Verizon was doing. Guess what. People complained about it
too.

> Interestingly enough, some of us care. Some of us care enough to run clean
> networks AND to make sure that what we're selling isn't compromised by
> deliberate DNS hijackings and site redirections.

But do include things like patching servers to filter messages that
contain certain strings which might accidentally catch a legitimate message
on occasion. People probably complain about those things too.

It sucks when you are the one that gets caught by a false positive.
Unfortunately, every attempt at anti-abuse systems has experienced it
at one time or another. Probably even some of the things you've done
over the years trying to run a clean network have accidentally made a
mistake.