How should ISPs notify customers about Bots (Was Re: DNS Hijacking

> We can break a lot of things in the name of "saving the Internet." That
> does not make it wise to do so.

> Since the last time the subject of ISPs taking action and doing something
> about Bots, a lot of people came up with many ideas involving the ISP
> answering DNS queries with the addresses of ISP cleaning servers.
>
> Just about every commercial WiFi hotspot and hotel login system uses a
> fake DNS server to redirect users to its login pages.

I think there's a bit of a difference, in that when you're using every
commercial WiFi hotspot and hotel login system, that they redirect
everything. Would you truly consider that to be the same thing as one
of those services redirecting "www.cnn.com" to their own ad-filled news
page?

While I'm not a fan of it, I know that when I go to a hotel, I should
try to pull up "www.cnn.com" (which is actually what I use, because I
so rarely use that URL, so it doesn't pollute my browser cache). If I
get CNN, then I'm live. If I have to click a button and agree to some
terms, then I'm live a bit later.

However, if I were to go to a hotel, and they intercept random (to me)
web sites, I'd consider that a very bad thing.

> Many universities
> use a fake DNS server to redirect student computers to cleaning sites.

I'm not sure I entirely approve of that, either, but at least it is more
like the hotel login scenario than the hotel random site redirection
scenario.

> What should be the official IETF recognized method for network operators
> to asynchronously communicate with users/hosts connected to the network for
> various reasons getting those machines cleaned up?

That's a good question. It would actually be good to have a system in
place, something competent, instead of the mishmash of broken trash in
use by hotels to "log in" users, etc. I'd see it as an overall benefit.

... JG

Let's get "real." That's not what those ISPs are doing in this case.

They aren't pretending to be the real IRC server (the redirected IRC server indicates it's not the real one). The ISP isn't sending ad-filled messages. The irc.foonet.com server clearly sends several cleaning commands used by several well-known, and very old, Bots. I might have given the server a different name, but it's obviously not trying to impersonate the real IRC server.

Do you prefer ISPs to break everything, including the user's VOIP service (can't call 9-1-1), e-mail service (can't contact the help desk), web service (can't look for help)? Or should the ISP only disrupt the minimum number of services needed to clean the Bot?

> > We can break a lot of things in the name of "saving the Internet." That
> > does not make it wise to do so.
>
> Since the last time the subject of ISPs taking action and doing something
> about Bots, a lot of people came up with many ideas involving the ISP
> answering DNS queries with the addresses of ISP cleaning servers.
>
> Just about every commercial WiFi hotspot and hotel login system uses a
> fake DNS server to redirect users to its login pages.

> I think there's a bit of a difference, in that when you're using every
> commercial WiFi hotspot and hotel login system, that they redirect
> everything. Would you truly consider that to be the same thing as one
> of those services redirecting "www.cnn.com" to their own ad-filled news
> page?

That's only on initial login, prior to login I suppose. I'm fairly certain
their servers could return other 'invalid' responses after login if they
wanted, they might even see some revenue savings by redirecting a list of
'known bad things' off to 127.0.0.1 (for instance, pick your preferred
place).

> However, if I were to go to a hotel, and they intercept random (to me)
> web sites, I'd consider that a very bad thing.

What if it was things you didn't use, didn't know about and were there for
some measure of your protection? (or your grandmother's protection even)

> Many universities
> use a fake DNS server to redirect student computers to cleaning sites.

> I'm not sure I entirely approve of that, either, but at least it is more
> like the hotel login scenario than the hotel random site redirection
> scenario.

The problem is that there is very little difference... and it's very
'easy' to say (as a provider) "hey, I can help my customers, and the
Intertubes as a whole..." (btw, how's this all different than opendns?)

One of the highlights of this discussion is that people get upset when you
mess with 'basic plumbing' in a non-obvious manner. I suppose if you KNOW
that it's happening (change your resolv.conf to opendns servers) that's
one thing, though do you know or can you config opendns to NOT redirect
(example) irc.vel.net but DO irc.badguy.net? Messing with DNS brings with
it consequences, some good ones and some bad ones...
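A defender-side check in the spirit of JG's "pull up www.cnn.com" test and the question above about knowing which names a resolver rewrites: query a few unrelated names plus a reserved `.invalid` name (which must come back NXDOMAIN), and flag a resolver that answers everything with one address. This is an added example, not code from anyone in the thread; the queried names, the 10.0.0.1 portal address and the replies are constructed test data.

```python
import socket
import struct

def encode_name(name):  # "a.b.c" -> wire-format labels terminated by the root label
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def _skip_name(msg, off):  # return the offset just past a (possibly compressed) name
    while msg[off] & 0xC0 != 0xC0 and msg[off]:
        off += 1 + msg[off]
    return off + 2 if msg[off] & 0xC0 == 0xC0 else off + 1  # pointer is 2 bytes, root label is 1

def parse_response(msg):  # -> (rcode, [IPv4 answers]) from a raw DNS reply
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):  # skip the question section: name + QTYPE + QCLASS
        off = _skip_name(msg, off) + 4
    ips = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:  # A record
            ips.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return flags & 0x000F, ips

def detect_rewriting(responses):  # {queried name: raw reply} -> list of findings ([] = looks clean)
    findings, answers = [], {}
    for name, raw in responses.items():
        rcode, ips = parse_response(raw)
        if name.endswith(".invalid") and rcode == 0 and ips:  # RFC 2606 name must be NXDOMAIN
            findings.append(f"{name} should be NXDOMAIN but resolved to {sorted(ips)}")
        answers[name] = set(ips)
    real = [s for n, s in answers.items() if not n.endswith(".invalid") and s]
    if len(real) > 1 and len(set.union(*real)) == 1:  # every name lands on one box: portal-style redirect
        findings.append(f"unrelated names all resolve to {set.union(*real).pop()}")
    return findings

def sample_reply(name, ip=None, qid=0x1234):  # constructed reply: one A record, or NXDOMAIN when ip is None
    flags, an = (0x8180, 1) if ip else (0x8183, 0)
    msg = struct.pack("!HHHHHH", qid, flags, 1, an, 0, 0) + encode_name(name) + struct.pack("!HH", 1, 1)
    if ip:  # answer owner name is a compression pointer back to the question name at offset 12
        msg += b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(ip)
    return msg

# Constructed sample: a resolver that answers every name, even the reserved .invalid probe, with one address
SAMPLE = {n: sample_reply(n, "10.0.0.1") for n in ("www.cnn.com", "irc.foonet.com", "probe.invalid")}
```

`detect_rewriting(SAMPLE)` reports both the NXDOMAIN rewrite and the single-address redirect; to run it against a live resolver, feed it the raw UDP/53 replies for the same names instead of `sample_reply` output.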

> messages. The irc.foonet.com server clearly sends several cleaning
> commands used by several well-known, and very old, Bots.

Old and well-known bots. Remember that for a moment, and think "6 month old
antivirus signatures" for a bit....

> service (can't look for help)? Or should the ISP only disrupt the minimum
> number of services needed to clean the Bot?

Is there any indication that the commands actually pushed have a *significant*
chance of actually wiping any resident bots, or is it "That's an old worn-out
magic word" time? It's one thing if 95% of the time, hijacking the connection
and pushing command strings actually cleans a bot up. It's another thing
entirely if it only works 5 or 10% of the time because most of the bots
currently out there are no longer susceptible to that cleaning method.