Re: How should ISPs notify customers about Bots (Was Re: DNS Hijacking
On Mon, 23 Jul 2007, Joe Greco wrote:
So how do you connect to the real IRC server, then? Remember that most end users are not nslookup-wielding shell commandos who can figure out whois and look up the IP.
If those users are so technically unsophisticated, do you really expect the other users with infected computers to figure out how to disinfect their computer and remove the Bots instead?
-- Sean Donelan <sean@donelan.com> wrote:
I would imagine that if we're talking about "unsophisticated" users, the majority of them have no idea what IRC is anyway -- most of them are using AIM, or Yahoo! IM, or....
- ferg
--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg(at)netzero.net
ferg's tech blog: http://fergdawg.blogspot.com/
I would imagine that if we're talking about "unsophisticated" users, the majority of them have no idea what IRC is anyway -- most of them are using AIM, or Yahoo! IM, or....
Quite true. I do know of a small fraction, however, that when Yahoo stopped supporting the chats for their groups, went over to a Java IRC client. Granted, they still don't know that it's IRC, but they'll still end up running into something totally unexplained.
Tuc/TBOH
On Mon, 23 Jul 2007, Tuc at T-B-O-H.NET wrote:
I would imagine that if we're talking about "unsophisticated" users, the majority of them have no idea what IRC is anyway -- most of them are using AIM, or Yahoo! IM, or....
Quite true. I do know of a small fraction, however, that when Yahoo stopped supporting the chats for their groups, went over to a Java IRC client. Granted, they still don't know that it's IRC, but they'll still end up running into something totally unexplained.
and the symptom TODAY is 'irc', but in reality if Cox spoke up I'd bet they are doing this with much more than just this one irc server (or set of irc servers)...
So, to back this up and get off the original complaint, if a service provider can protect a large portion of their customer base with some decent intelligence gathering and security policy implementation, is that a good thing? Keeping in mind that in this implementation users who know enough and are willing to forgo that 'protection' (for some value of protection) can certainly circumvent/avoid it.
It's perfectly plausible that Cox implemented some Trend Micro-like (or maybe Trend Micro actual) device to do this work for them... just to pick on one vendor of solutions in this space.
-Chris
On Mon, 23 Jul 2007, Chris L. Morrow wrote:
So, to back this up and get off the original complaint, if a service provider can protect a large portion of their customer base with some decent intelligence gathering and security policy implementation, is that a good thing? Keeping in mind that in this implementation users who know enough and are willing to forgo that 'protection' (for some value of protection) can certainly circumvent/avoid it.
Joe St Sauver covers some of these topics:
http://www.uoregon.edu/~joe/zombies.pdf
Should ISPs attempt to block Bot Command and Control connections (which is more general than just IRC C&C Bots), assuming ISPs try to avoid "legitimate" servers although mistakes might happen?
On 7/24/07, Chris L. Morrow <christopher.morrow@verizonbusiness.com> wrote:
So, to back this up and get off the original complaint, if a service provider can protect a large portion of their customer base with some decent intelligence gathering and security policy implementation, is that a good thing? Keeping in mind that in this implementation users who know enough and are willing to forgo that 'protection' (for some value of protection) can certainly circumvent/avoid it.
Right. Let us get to best practices rather than debating ethics. So how would you keep your network clean of infected PCs?
* Gather information (log parsers, darknet / honeynet traffic monitoring, feeds from XBL type blocklists)
* Redirect "common" bot abused services like IRC by default, either across your network or on whatever part of your network you see bot activity as evidenced from darknet etc observation (and run the risk that right after you get that IP information, the infected XP box on that IP is replaced not by another XP box but by a fully loaded geek install of FreeBSD, rather than by an infected win2k box, a patched Vista etc)
* Walled garden type outbound IDS to quarantine an IP completely when malware activity is noted.
Yes, irc bots aren't the only kind of bots - those are positively old fashioned; yes, there can be multiple malware on a single PC; yes, port 25 blocking to stop bots is treating lung cancer with cough syrup (tip of the hat to Joe St. Sauver) .. etc etc etc.
A good BCP would be a nice thing to have around.
srs
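A defender-side sketch of the three steps just listed, added here as an example that is not code from the thread or from any of its participants: it scores customer IPs from constructed darknet hits, an XBL-style listing and flow records, separates walled-garden quarantine from IRC redirect while sparing an operator-maintained list of legitimate IRC servers (Sean's "legitimate servers" concern), and bounds a quarantine to the DHCP lease so the replacement-host risk Suresh mentions is handled. All addresses, ports, thresholds and the lease table are assumptions.

```python
from collections import Counter
from datetime import datetime

# Constructed sample inputs (not real data): darknet sensor hits by customer
# source IP, an XBL-style listing, outbound flow records and DHCP lease ends.
DARKNET_HITS = ["10.0.5.17", "10.0.5.17", "10.0.9.4"]   # src IPs touching unused space
XBL_LISTED = {"10.0.7.200"}                             # listed by a blocklist feed
FLOWS = """\
2007-07-23T10:02:00 10.0.5.17 203.0.113.9 6667
2007-07-23T10:02:01 10.0.3.3 198.51.100.20 6667
2007-07-23T10:02:02 10.0.7.200 203.0.113.9 6667
2007-07-23T10:02:03 10.0.1.1 192.0.2.5 80
2007-07-23T10:02:04 10.0.2.2 203.0.113.9 6667
"""
LEGIT_IRC = {"198.51.100.20"}   # assumed operator-maintained list of legitimate IRC servers
BOT_PORTS = {6667}              # "commonly bot-abused" services to redirect by default
LEASE_END = {"10.0.5.17": "2007-07-23T18:00:00", "10.0.7.200": "2007-07-24T02:00:00"}
RANK = {"allow": 0, "redirect": 1, "quarantine": 2}   # a worse verdict always wins

def parse_flows(text):
    """Yield (src, dst, dport) from 'time src dst dport' lines; skip malformed ones."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue
        yield parts[1], parts[2], int(parts[3])

def classify(flows, darknet_hits, xbl, legit_irc, min_hits=2):
    """Map each customer src IP to 'quarantine' (walled garden: feed listing or
    repeated darknet hits), 'redirect' (IRC-port traffic to a server not on the
    legitimate list) or 'allow' (everything else)."""
    hits = Counter(darknet_hits)
    verdict = {}
    for src, dst, dport in flows:
        if src in xbl or hits[src] >= min_hits:
            action = "quarantine"
        elif dport in BOT_PORTS and dst not in legit_irc:
            action = "redirect"
        else:
            action = "allow"
        if RANK[action] >= RANK[verdict.get(src, "allow")]:
            verdict[src] = action
    return verdict

def quarantine_until(ip, lease_end):
    """Expire a quarantine with the current DHCP lease, so a different host that
    later receives the same IP is re-evaluated on its own traffic, not the old one's."""
    end = lease_end.get(ip)
    return datetime.fromisoformat(end) if end else None
```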
Participants (5): Chris L. Morrow, Paul Ferguson, Sean Donelan, Suresh Ramasubramanian, Tuc at T-B-O-H.NET