On Sat, 17 Jan 2026, Mike Simpson via NANOG wrote:
> Again tho.
> What does it matter to the customer. It's not impacting on their bottom
> line. They are used to fairly rubbish service for a huge multitude of
> reasons so their bandwidth being a bit slashdotted doesn't matter to
> them. That's why it's a ddos.
It matters to the customer when the various infected devices on their
network start causing problems they (or their neighbors) notice. DDoS
is far from the only thing compromised things are used for. There's spam
sending bots, brute force auth attempt bots, etc.
I thought I'd dealt with the spam bots a year or two ago with port 25
filters. Looking at the ACL counters, I can see those bots are still
constantly trying. But now there appear to be spam bots using
authenticated/encrypted SMTP Submission. Likely, this is related to the
bots doing brute force authentication bypass attempts on large provider
IMAP servers (getting our IPs internally blacklisted by those providers,
resulting in customer support calls "XYZ is saying my IP is temporarily
blacklisted when I try checking my mail.").
The more gear in a customer's home network that's compromised, the more
vectors there are for getting into their computers, phones, etc., and then
there's the chance of RATs being installed, data theft, etc.
It's far from just an issue of our outbound traffic capacity possibly being
"stolen" and misused. That's probably the least of my concerns. For me,
IP reputation is probably the top one, though customer safety is right up
there next to it.
Getting the customer gear cleaned up seems, to me, to be a non-starter.
Attempting this could easily be a full time job...and I have done the
exercise of picking a customer known to be infected[1], getting into their
CPE, identifying the internal IP/MAC of the infected "thing" [it wasn't
the CPE], but that's as far as I could get. The MAC resolved to some
company in China I'd never heard of, so it provided no clue to me as to
what the device is. Imagine trying to talk a customer through identifying
some random device on their home network by IP/MAC. I could break its
Internet connectivity with a filter on their CPE, but even if we find it
by then looking for the thing that's fallen off the network, then what?
If it's a streaming TV device, thermostat, or other IoT device, how are
they supposed to clean off the malware, and what's going to stop it from
getting re-infected? In the case of insecure gear that can be compromised
by any other device on the local network, do we tell them "you just can't
have that on your network...throw it away, or demand a refund from
whoever you bought it from."?
[1] We're currently in a trial of Spamhaus's "BGP Firewall" that provides
a feed of known botnet C&C IPs (for null routing to break their
communication with & control of bots on our network). Rather than just
null routing that traffic, we're sending it to a system where we can
capture the packets...so I've identified at least a subset of our infected
customers.
The Spamhaus data is clearly helpful, but doesn't seem to be a complete
cure for the issue...so I'm curious if there are other similar services
that could be combined to get more/better coverage?
----------------------------------------------------------------------
Jon Lewis, MCP :) | I route
Blue Stream Fiber, Sr. Neteng | therefore you are
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
_______________________________________________
NANOG mailing list
https://lists.nanog.org/archives/list/[email protected]/message/JL2GUN46XA6GTQFVYCKCLG5KLPN7HWPJ/
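An added example, not code from the post, from Spamhaus or from Blue Stream Fiber: a small Python script in the spirit of the capture box described in footnote [1], which matches flow records seen on the redirected path against a list of known C&C prefixes and reports which customer source addresses contacted them, and how often. The feed entries, the flow-log format and every address in it are constructed assumptions (TEST-NET and CGNAT ranges), not real indicators.

```python
import ipaddress
from collections import defaultdict

# Constructed C&C feed (RFC 5737 TEST-NET ranges, not real indicators); a real
# feed such as the Spamhaus BGP Firewall arrives via BGP, here it is a plain list.
CC_FEED = ["192.0.2.10/32", "198.51.100.0/24"]

# Constructed flow records "src_ip dst_ip dst_port proto", as a hypothetical
# capture box on the redirected path might log them. One line is deliberately bad.
FLOW_LOG = """\
100.64.0.5 192.0.2.10 443 tcp
100.64.0.5 192.0.2.10 443 tcp
100.64.0.9 198.51.100.77 6667 tcp
100.64.0.5 203.0.113.4 80 tcp
100.64.1.20 198.51.100.8 8080 tcp
bad line here
100.64.0.9 198.51.100.77 6667 tcp
"""

def load_feed(entries):
    """Parse feed prefixes once; skip malformed entries instead of aborting."""
    nets = []
    for e in entries:
        try:
            nets.append(ipaddress.ip_network(e.strip(), strict=False))
        except ValueError:
            continue
    return nets

def infected_sources(log_text, feed_entries):
    """Return {src_ip: {cc_prefix: flow_count}} for flows whose destination
    falls inside a feed prefix; unparsable log lines are ignored."""
    nets = load_feed(feed_entries)
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            src = ipaddress.ip_address(parts[0])
            dst = ipaddress.ip_address(parts[1])
        except ValueError:
            continue  # not a flow record
        for net in nets:
            if dst.version == net.version and dst in net:
                hits[str(src)][str(net)] += 1
                break  # count each flow once even if prefixes overlap
    return {src: dict(d) for src, d in hits.items()}
```

The per-source counts are what you would hand to support before contacting a customer; a single hit on a /24 is weaker evidence than repeated flows to a /32, which is why the output keeps both the prefix and the count.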