Re: How should ISPs notify customers about Bots (Was Re: DNS Hijacking

[Sean Donelan <sean () donelan com>]

On Mon, 23 Jul 2007, Joe Greco wrote:
> > Would it be better if ISPs just blackholed certain IP addresses associated
> > with Bot C&C servers instead of trying to give the user a message.  That
> > doesn't require examining the data content of any messages.  The user just
> > gets a connection timeout.
>
> Compared to hijacking DNS and intercepting sessions?  Yes.  Absolutely.
> See, it isn't that hard to come up with better ideas.

That's what Verizon was doing.  Guess what.  People complained about it 
too.

> Interestingly enough, some of us care.  Some of us care enough to run clean
> networks AND to make sure that what we're selling isn't compromised by
> deliberate DNS hijackings and site redirections.

But do include things like patching servers to filter messages that 
contain certain strings which might accidently catch a legitimate message 
on occasion.  People probably complain about those things too.

It sucks when you are the one that gets caught by a false positive. 
Unfortunately, every attempt at anti-abuse systems have experienced it
at one time or another.  Probably even some of the things you've done
over the years trying to run a clean network has accidently made a 
mistake.