[98065] in North American Network Operators' Group
Re: How should ISPs notify customers about Bots (Was Re: DNS Hijacking
daemon@ATHENA.MIT.EDU (Suresh Ramasubramanian)
Tue Jul 24 13:29:38 2007
Date: Tue, 24 Jul 2007 22:02:50 +0530
From: "Suresh Ramasubramanian" <ops.lists@gmail.com>
To: "Joe Greco" <jgreco@ns.sol.net>
Cc: "Chris L. Morrow" <christopher.morrow@verizonbusiness.com>,
nanog@merit.edu
In-Reply-To: <200707241559.l6OFxLUY074393@aurora.sol.net>
Errors-To: owner-nanog@merit.edu

On 7/24/07, Joe Greco <jgreco@ns.sol.net> wrote:
> The problem is isolating the traffic in question. Since you DO NOT HAVE
> GIGABITS OF TRAFFIC destined for IRC servers, this becomes a Networking
> 101-style question. A /32 host route is going to be effective.
> Manipulating DNS is definitely the less desirable method, because it has
> the potential for breaking more things. But, hey, it can be done, and
> with an amount of effort that isn't substantially different from the
> amount of work Cox would have had to do to accomplish what they did.

Yup - though I still don't see much point in special-casing IRC. It
would probably be much more cost effective in the long run to have
something rather more comprehensive.

Yes, there are a few bots around still using IRC, but a lot of them have
moved to other, better things (and there are fun "headless" bots too,
hardcoded with instructions and let loose so there's no C&C, no
centralized domain or dynamic DNS for takedown... you want to make a
change? Just release another bot into the wild).