nanog mailing list archives

Re: How should ISPs notify customers about Bots (Was Re: DNS Hijacking


From: Joe Greco <jgreco () ns sol net>
Date: Mon, 23 Jul 2007 11:02:06 -0500 (CDT)


> On Mon, 23 Jul 2007, Joe Greco wrote:
>> I think there's a bit of a difference, in that when you're using every
>> commercial WiFi hotspot and hotel login system, that they redirect
>> everything.  Would you truly consider that to be the same thing as one
>> of those services redirecting "www.cnn.com" to their own ad-filled news
>> page?
>
> Let's get "real."  That's not what those ISPs are doing in this case.

I never said it was, but if you don't want to compare the situations
using reasonable comparisons (redirecting one thing is different than
redirecting all), then I have no interest in debating with you, and you
"win" for some sucky definition of "win."

> They aren't pretending to be the real IRC server (the redirected IRC
> server indicates it's not the real one).  The ISP isn't sending ad-filled
> messages.  The irc.foonet.com server clearly sends several cleaning
> commands used by several well-known, and very old, Bots.  I might have
> given the server a different name, but it's obviously not trying to
> impersonate the real irc server.

So how do you connect to the real IRC server, then?  Remember that most
end users are not nslookup-wielding shell commandos who can figure out
whois and look up the IP.

And what happens when the ISP redirects by IP instead, if we're going to
play that game?

> Do you prefer ISPs to break everything, including the user's VOIP service
> (can't call 9-1-1), e-mail service (can't contact the help desk), web
> service (can't look for help)?  Or should the ISP only disrupt the minimum
> number of services needed to clean the Bot?

All right, here we go.  Please explain the nature of the bot on my freshly
installed (last night) FreeBSD 6.2R box.

# ls -ld /; date; uname -r; uname -s
drwxr-xr-x  28 root  wheel  512 Jul 22 23:04 /
Mon Jul 23 10:56:57 CDT 2007
6.2-RELEASE
FreeBSD
# echo "nameserver 68.4.16.30" > /etc/resolv.conf
# host irc.vel.net
irc.vel.net has address 70.168.71.144

Hint: there is no bot.  My traffic is being redirected regardless.  Were I
a Cox customer (and I'm not), I'd be rather ticked off.

Interfering with services in order to clean a bot would be a much more
plausible excuse if there was a bot.  There is no bot.

So, to reiterate your own point:

> Or should the ISP only disrupt the minimum
> number of services needed to clean the Bot?

Yes, exactly.  And that's obviously not what Cox is doing.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.

