To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------

At a CLEC that I did some work for we used to just see what anomalous traffic was coming out of the CPE and then just block it via filtering at the CPE.
The usual call would be someone claiming that their internet connection was down. Taking a peek at their interface utilization would immediately let you know something was up when it would be pegged. Trapping the traffic would isolate the particular variant that they were infected with and we would set the filters accordingly. This saved us from having to try to explain the problem to the customer and kept the traffic off of the network. We would still tell them the problem and just leave it up to them to do something about it. Not once did we have someone actually notice which ports we were blocking outbound on the CPE.

-----Original Message-----
From: Kettlewell, Larry [KO] [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 19, 2006 10:20 AM
To: Desai, Ashish; Gadi Evron; [email protected]
Subject: Re: [botnets] QoS and bot traffic

Wonder how/if this would have solved the situation Cox NOC faced a couple of weeks back. As a Cox subscriber at home, I would have welcomed it because it would have eased the drag on access... and of course hopefully I'm not one of those users who get pulled.

Larry Kettlewell

-----Original Message-----
From: Desai, Ashish [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 18, 2006 2:03 PM
To: Gadi Evron; [email protected]
Subject: Re: [botnets] QoS and bot traffic

One approach is to de-activate the customer's network access and hope they call the ISP customer support. When you de-activate, you put a notation against the customer account that they have a BOT/infection. Most ISPs/businesses have decent CRM systems that allow you to put text notations against a customer account. We told the reps to have the customer install Anti-Virus software. You control the deactivation rate, so you can control the flow of calls to the customer support team. It increases the cost of customer support but is a nice way of not having to call the customer. We did this and it works quite well at 10 customers a day.
The problem is when the customer continues to get re-infected. It's a little frustrating to the customer but the process seems to work. There is no compliance checking model; once the customer calls we re-activate their access. We deactivate after a couple of days if they still show signs of infection.

Ashish

-----Original Message-----
From: Gadi Evron [mailto:[EMAIL PROTECTED]
Sent: Monday, October 16, 2006 7:46 AM
To: [email protected]
Subject: [botnets] QoS and bot traffic

......

How can this be done using today's technology? Does it require re-design of hardware or new systems to be designed? I hope to find out and get a proposal ready,

Gadi.

_______________________________________________
To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
All list and server information are public and available to law enforcement upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
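
The triage the first message describes (pegged uplink, capture the traffic, filter the offending outbound port at the CPE), as an added example that is not part of the thread or any poster's tooling. The flow-record layout, the 768 kbit/s uplink, the thresholds and the sample flows are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: outbound flows captured on one CPE uplink in a 60 s window.
# Fields: (protocol, destination IP, destination port, bytes sent upstream).
SAMPLE_FLOWS = (
    [("tcp", f"198.51.100.{i}", 25, 85_000) for i in range(1, 61)]  # 60 mail peers
    + [("tcp", "203.0.113.10", 443, 250_000),
       ("udp", "203.0.113.53", 53, 4_000),
       ("tcp", "203.0.113.80", 80, 120_000)]
)

def utilization(flows, window_s, uplink_bps):
    """Fraction of the uplink consumed by the captured outbound flows."""
    return sum(f[3] for f in flows) * 8 / (window_s * uplink_bps)

def dominant_ports(flows, min_share=0.5, min_peers=20):
    """(proto, port) pairs carrying most bytes towards many distinct hosts.

    Requiring many peers keeps one large legitimate transfer (a single
    HTTPS upload, say) from being proposed as a filter.
    """
    total = sum(f[3] for f in flows) or 1
    by_port = defaultdict(lambda: [0, set()])
    for proto, dst, dport, nbytes in flows:
        by_port[(proto, dport)][0] += nbytes
        by_port[(proto, dport)][1].add(dst)
    return sorted(
        key for key, (nbytes, peers) in by_port.items()
        if nbytes / total >= min_share and len(peers) >= min_peers
    )

def triage(flows, window_s=60, uplink_bps=768_000, pegged=0.9):
    """Return outbound filter candidates only when the uplink is pegged."""
    if utilization(flows, window_s, uplink_bps) < pegged:
        return []
    return dominant_ports(flows)

if __name__ == "__main__":
    print(f"uplink utilization: {utilization(SAMPLE_FLOWS, 60, 768_000):.0%}")
    for proto, port in triage(SAMPLE_FLOWS):
        print(f"candidate CPE outbound filter: deny {proto} dport {port}")
```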
