How should ISPs notify customers about Bots (Was Re: DNS Hijacking)

> I'd love to see CPE dsl/cable-modem providers integrate with a 'service'
> that lists out 'bad' things. it'd be nice if the user could even tailor
> that list (just C&C or C&C + child-porn or C&C not older than X
> days/hours/minutes) ... I think it might even help, and be vendor
> agnostic (from a provider and hardware) perspective.

Ironically, that is exactly part of a product announcement that
we (Trend Micro) are making on 30 July.

Since this topic arose, I saw Trend mentioned as a possible
product "culprit" in this scenario, but it isn't. Yet. :slight_smile:

The particular service to be announced on Monday (BIS, or Botnet
Identification Service), is nothing more than a BGP feed of _known_
and _vetted_ botnet C&Cs as /32s, intended to be a black-hole feed.

Interested folks should either e-mail me off-list, or just wait for
the official announcement on 30 July.

Cheers,

- - ferg

> I'd love to see CPE dsl/cable-modem providers integrate with a 'service'
> that lists out 'bad' things. it'd be nice if the user could even tailor
> that list (just C&C or C&C + child-porn or C&C not older than X
> days/hours/minutes) ... I think it might even help, and be vendor
> agnostic (from a provider and hardware) perspective.

> Ironically, that is exactly part of a product announcement that
> we (Trend Micro) are making on 30 July.

neat, if only our marketing folks would see such benefits :frowning: good for
you! :slight_smile:

> Since this topic arose, I saw Trend mentioned as a possible
> product "culprit" in this scenario, but it isn't. Yet. :slight_smile:

not a culprit so much as a way that this sort of dns redirection could
have been done, in a vendor supplied/supported device even.

> The particular service to be announced on Monday (BIS, or Botnet
> Identification Service), is nothing more than a BGP feed of _known_
> and _vetted_ botnet C&Cs as /32s, intended to be a black-hole feed.
>
> Interested folks should either e-mail me off-list, or just wait for
> the official announcement on 30 July.

note that this will take out vhost systems... unless they are vetted off
the list, which is certainly possible of course.

Unless you use it as part of a feed of "stuff our abuse department might
want to investigate further" ..

Adrian
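The two concerns raised above (accept only vetted /32 host routes for black-holing, and send anything that would take out a shared vhost box to the abuse desk instead) can be enforced at the point where a feed is consumed. This is an added illustration, not Trend Micro's BIS feed or any product code; the feed text, the shared-hosting ranges and the FRR-style static-route syntax are all constructed assumptions.

```python
import ipaddress
from typing import Dict, Iterable, List

# Constructed sample feed, one entry per line. The real BIS feed is a BGP
# feed; this plain-text shape is an assumption for illustration only.
SAMPLE_FEED = """\
# constructed entries, not real indicators
198.51.100.7/32
203.0.113.44/32
203.0.113.0/24
192.0.2.9/32
not-an-address
"""

# Constructed allowlist of ranges the operator knows to be shared (vhost)
# hosting; null-routing one /32 there would take every site on it down.
SHARED_HOSTING = [ipaddress.ip_network("192.0.2.0/26")]


def classify_feed(feed_text: str, shared_ranges: Iterable) -> Dict[str, List[str]]:
    """Split a C&C feed into hosts to black-hole, hosts for abuse review,
    and entries rejected because they are not a valid host route."""
    result: Dict[str, List[str]] = {"blackhole": [], "investigate": [], "rejected": []}
    for raw in feed_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            net = ipaddress.ip_network(line, strict=True)
        except ValueError:
            result["rejected"].append(line)
            continue
        # Only /32 (or /128) host routes are acceptable: a wider prefix
        # black-holes bystanders that the feed never vetted.
        if net.prefixlen != net.max_prefixlen:
            result["rejected"].append(line)
            continue
        if any(net.version == r.version and net.subnet_of(r) for r in shared_ranges):
            result["investigate"].append(str(net))
        else:
            result["blackhole"].append(str(net))
    return result


def render_static_routes(hosts: Iterable[str]) -> List[str]:
    """Render null-route statics carrying a tag that a redistribution
    policy can match to attach the RFC 7999 BLACKHOLE community (65535:666).
    FRR-style syntax, assumed here for illustration."""
    return [f"ip route {h} Null0 tag 666" for h in hosts]
```

Entries that land in "investigate" are the "stuff our abuse department might want to investigate further" list rather than routes.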