Re: How should ISPs notify customers about Bots (Was Re: DNS Hijacking

["Chris L. Morrow" <christopher.morrow () verizonbusiness com>]

On Mon, 23 Jul 2007, Joe Greco wrote:

> > > Yes, when there are better solutions to the problem at hand.
> >
> > Please enlighten me.
>
> Intercept and inspect IRC packets.  If they join a botnet channel, turn on
> a flag in the user's account.  Place them in a garden (no IRC, no nothing,
> except McAfee or your favorite AV/patch set).

Pleaes do this at 1Gbps, really 2Gbps today and 20gbps shortly, in a cost
effective manner. Please also do this on encrypted control channels or
channels not 'irc', also please stay 'cost effective'. Additionally,
please do NOT require in-line placement unless you can do complete
end-to-end telco-level testing (loops, bit pattern testing, etc), also
it'd be a good idea to have a sensible management interface for these
devices (serial port 9600 8n1 at least along with a scriptable
ssh/telnet/text-ish cli).

Looking at DPI (which is required for your solution to work) you are still
talking about paying about 500k/edge-device for a carrier-grade DPI
solution that can reliably do +2gbps line-rate inspection and actions.
This quickly becomes non-cost-effective if your network is more than 1
edge device and less than 500k customers... Adding cost (operational cost
you can only recover via increased user fees) is going to make this not
deployable in any real network.

> Wow, I didn't even have to strain myself.

sarcasim aside, this isn't a simple problem and at scale the solutions
trim down quickly away from anything that seems 'great' :( using DNS
and/or routing tricks to circumvent known bad behaviours are the only
solutions that seem to fall out. Yes they aren't subscriber specific, but
you can't get to subscriber specific capabilities without a fairly large
cost outlay.

-Chris