To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
I work at a very small broadband ISP (3500 customers), so what works at this company could be completely infeasible at a much larger ISP or other non-ISP organization....

> 1. QoS and traffic limiting tools.
> Many tools created in recent years, and used extensively by many ISPs,
> regardless of any Net Neutrality legislation, are at our disposal and
> already implemented on our networks.
>
> Much like, for business reasons, many of us would limit P2P, how about
> limiting the traffic to compromised users?
>
> How, what and when is up to you.

I don't see limiting traffic to customers as an effective tool. My experience has been that bot traffic, these days, is not bandwidth intensive like worm traffic, so limiting the actual nasty traffic is not feasible. Nor do I see limiting all traffic to a customer as a reasonable approach - the reason being that customers will complain about degraded performance (and oftentimes the complaint is to their friends, not us).

When we identify a compromised host, we contact the customer and inform them that they are infected and that they need to get their computer cleaned up. We disable their modem until they have let us know the problem has been addressed. One of the options we offer customers is that they bring the PC to us for disinfection (for a fee) - we have a couple of guys that do tech support and bench work, and they have become adept at rooting out all forms of malware. Nearly every customer we contact is thankful that we have alerted them to the problem - we see almost no defection to other providers based on these activities; in fact, we have seen several customers move from other providers to us because of our proactive support approach.

> 3. Walled garden and tech support costs.
>
> Obviously, if any of these users call you (and they VERY OFTEN do), you
> lose money on them for a long time to come.. only they will call again.
>
> A combination of quarantine, complete or partial, might work.

We are considering automating the discovery and quarantine, but we are still somewhat reluctant to do the automated quarantine, because we get so much mileage from speaking with the customer directly. When we call the customer, we are able to do a bit of context-sensitive education, which has proven to be helpful in enlightening our customers. The number of repeat offenders is very low. We do have a policy that allows us to permanently deny service to a customer if they continually get re-infected and they don't appear to be taking action to prevent further infection. We have only had to do this once or twice over the last couple of years.

> 4. Stop internal network infections. It is unbelievable how the networks
> with the most bots are the networks that allow internal users to connect
> wherever they want within the network.

This works very well. We do strict anti-spoofing (strict RPF) as close to the customer as possible, we block the usual ports (42, 135, 137-139, 445, 1434, etc.) both ingress and egress across our backbone as well as between our customer networks, and we run all customer traffic through a web cache/proxy.

> All these come to show that although responsiveness to C&C's is important
> (rather than shutting them down), on the scale of the Internet, what
> will actually help the Internet is if you take care of it on your own
> network.

I fully agree that taking care of your own network is what is going to make the difference. Especially if your work influences others to do the same. I know that several other small ISPs have seen what we are doing and have begun to do the same because it reduces their headaches and is good for customer retention. The issue is proving to management that running a reasonably clean, well maintained network (we try) is more cost effective than putting out fires and holding it together with spit and baling wire.

> You don't have to do any of these, or all of these. Just to wake up to the
> fact that killing C&C's will mostly not help anyone, and if anything, will
> do harm. Using them to deal with problematic users, even if only to block
> them from accessing that C&C is more to the point.

Using traffic to C&C's to identify infected hosts and then clean those hosts and fortify the host and the customer against future infection is effective.

> I would like to hear some opinions on what networks can do, economically,
> from people here. Please stick to network operations issues.

Your suggestion of only sticking to network operation issues does serve to limit the scope of what we have to deal with (which is always welcome these days), but it's not ever going to solve the problem. These are people issues, and technology alone isn't going to solve them. I have made some suggestions for mixing basic detection with person-to-person contact. The problem is that I'm looking at this from an ISP perspective; you have to be the provider for the infected customer. For those that don't have the infected host on your network (sounds like most of you on this list), you are stuck between a rock and a hard place because you can't address the problem closer to the source (the only place you can gain any traction on the problem), so you can only lash out at C&C's and try to coerce law enforcement and ISPs to do something about the problem. Yours is a frustrating and unenviable position to be in.
--
Mason Schmitt
Systems Administrator
Sunwave Cable Internet / Shuswap Internet Junction
ph: (250) 832-9711
www.sunwave.net
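One way to turn the two signals the post relies on (a customer host talking to a known C&C, and a customer host repeatedly trying the ports the backbone filters) into a per-customer "disable the modem, then call them" list. This is an added example, not the author's or Sunwave's own code; the C&C endpoints, the customer prefix and the flow records are constructed placeholders.

```python
from collections import defaultdict
import ipaddress
# Ports the post says are filtered on the backbone and between customer
# networks; a customer host still probing them is suspect.
BLOCKED_PORTS = {42, 135, 137, 138, 139, 445, 1434}
# Hypothetical C&C endpoints (placeholder documentation addresses, not real
# indicators); in practice this comes from your own intel feed.
KNOWN_CNC = {("203.0.113.10", 6667), ("198.51.100.7", 80)}
# Assumed (constructed) customer address space.
CUSTOMER_NETS = [ipaddress.ip_network("10.20.0.0/16")]
# Constructed flow records: "src dst dst_port proto", one per line.
SAMPLE_FLOWS = """\
10.20.3.4 203.0.113.10 6667 tcp
10.20.3.4 10.20.7.9 445 tcp
10.20.3.4 10.20.7.10 445 tcp
10.20.3.4 10.20.7.11 445 tcp
10.20.5.6 192.0.2.20 443 tcp
10.20.5.6 10.20.9.1 139 tcp
10.20.8.8 198.51.100.7 80 tcp
192.0.2.55 10.20.3.4 80 tcp
"""

def is_customer(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CUSTOMER_NETS)

def parse_flows(text):
    rows = [line.split() for line in text.splitlines() if line.strip()]
    return [(s, d, int(p), proto) for s, d, p, proto in rows]

def classify(flows, scan_threshold=3):
    """Map each customer source IP that warrants action to the evidence."""
    cnc_hits, blocked_targets = defaultdict(set), defaultdict(set)
    for src, dst, port, _proto in flows:
        if not is_customer(src):
            continue  # only hosts on our own network are actionable
        if (dst, port) in KNOWN_CNC:
            cnc_hits[src].add(f"{dst}:{port}")
        elif port in BLOCKED_PORTS:
            blocked_targets[src].add(dst)
    actions = {}
    for src in set(cnc_hits) | set(blocked_targets):
        reasons = []
        if cnc_hits[src]:
            reasons.append("cnc:" + ",".join(sorted(cnc_hits[src])))
        if len(blocked_targets[src]) >= scan_threshold:
            reasons.append(f"scan:{len(blocked_targets[src])} hosts on filtered ports")
        if reasons:  # the post's process: disable the modem, then call the customer
            actions[src] = {"action": "quarantine+contact", "reasons": reasons}
    return actions
```

A single stray hit on a filtered port stays below the threshold, so one mis-typed share path does not get a customer quarantined; one C&C contact does.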
