On Mon, 23 Jul 2007, Joe Greco wrote:
Yes, when there are better solutions to the problem at hand.
Please enlighten me.
Intercept and inspect IRC packets. If they join a botnet channel, turn on
a flag in the user's account. Place them in a garden (no IRC, no nothing,
except McAfee
On 7/24/07, Chris L. Morrow [EMAIL PROTECTED] wrote:
Please do this at 1Gbps, really 2Gbps today and 20Gbps shortly, in a cost-effective manner. Please also do this on encrypted control channels or channels not 'irc', also please stay 'cost effective'. Additionally,
Right. However one
On 7/24/07, Joe Greco [EMAIL PROTECTED] wrote:
The problem is isolating the traffic in question. Since you DO NOT HAVE
GIGABITS OF TRAFFIC destined for IRC servers, this becomes a Networking
101-style question. A /32 host route is going to be effective.
Manipulating DNS is definitely the
On Jul 24, 2007, at 8:59 AM, Joe Greco wrote:
But, hey, it can be done, and with an amount of effort that isn't substantially different from the amount of work Cox would have had to do to accomplish what they did.
Actually, it requires a bit more planning and effort, especially if one
On Tue, 24 Jul 2007, Joe Greco wrote:
So I'm supposed to invent a solution that does WAY MORE than what Cox
was trying to accomplish, and then you'll listen? Forget that (or
pay me).
Since it was a false positive, isn't the correct answer to not include
irc.vel.net in the Bot CC list rather
On Tue, 24 Jul 2007 12:00:40 CDT, Joe Greco said:
Hardly unexpected. The continuing evolution is likely to be pretty
scary. Disposables are nice, but the trouble and slowness in seeding
makes them less valuable. I'm expecting that we'll see
compartmentalized bots, where each bot has a
On Tue, Jul 24, 2007 at 12:00:40PM -0500, Joe Greco wrote:
Yes there are a few bots around still using IRC but a lot of them have
moved to other, better things (and there's fun headless bots too,
hardcoded with instructions and let loose so there's no CC, no
centralized domain or
Obviously, botnet authors are lazy, and not motivated to do all that work to do all that extra stuff, when we're still focusing on the *last* generation of use a well-known IRC net for CC bots, and haven't really addressed the *current* use a hijacked host running a private IRC net bots yet.
Most
Christopher Morrow [EMAIL PROTECTED] wrote:
I'd love to see CPE dsl/cable-modem providers integrate with a 'service'
that lists out 'bad' things. it'd be nice if the user could even tailor
that list (just CC or CC + child-porn or CC older not
On Tue, 24 Jul 2007, Joe Greco wrote:
So I'm supposed to invent a solution that does WAY MORE than what Cox
was trying to accomplish, and then you'll listen? Forget that (or
pay me).
Since it was a false positive,
Fact not in evidence, as much as it'd be good if it were so.
... JG
Chris L. Morrow [EMAIL PROTECTED] wrote:
On Tue, 24 Jul 2007, Paul Ferguson wrote:
The particular service to be announced on Monday (BIS, or Botnet
Identification Service), is nothing more than a BGP feed of _known_
and _vetted_ botnet CCs
On Mon, 23 Jul 2007, Joe Greco wrote:
Intercept and inspect IRC packets. If they join a botnet channel, turn on a flag in the user's account. Place them in a garden (no IRC, no nothing, except McAfee or your favorite AV/patch set).
Wow, you are recommending ISPs wiretap their
Hiya,
Plenty of boxes can do redirection in the middle such as Redback,
Ellacoya etc.
We redirect customers who are infected to a web page when they first connect. Then every few hours they get redirected again, just enough so it's a bit annoying.
If they ignore this for a few weeks, they get
On Sun, 22 Jul 2007, Joe Greco wrote:
We can break a lot of things in the name of saving the Internet. That
does not make it wise to do so.
Since the last time the subject of ISPs taking action and doing something
about Bots, a lot of people came up with many ideas involving the ISP
On Mon, 23 Jul 2007, Joe Greco wrote:
I think there's a bit of a difference, in that when you're using every
commercial WiFi hotspot and hotel login system, that they redirect
everything. Would you truly consider that to be the same thing as one
of those services redirecting www.cnn.com to
On 7/23/07, Sean Donelan [EMAIL PROTECTED] wrote:
What should be the official IETF recognized method for network operators to asynchronously communicate with users/hosts connected to the network for various reasons, getting those machines cleaned up?
Most large carriers that are also MAAWG
On Mon, 23 Jul 2007, Joe Greco wrote:
So how do you connect to the real IRC server, then? Remember that most
end users are not nslookup-wielding shell commandos who can figure out
whois and look up the IP.
If those users are so technically unsophisticated, do you really expect
the other
On Mon, 23 Jul 2007 11:39:35 EDT, Sean Donelan said:
messages. The irc.foonet.com server clearly sends several cleaning
commands used by several well-known, and very old, Bots.
Old and well-known bots. Remember that for a moment, and think 6 month old
antivirus signatures for a bit
On 7/23/07, Sean Donelan [EMAIL PROTECTED] wrote:
But, like other attempts to respond to network abuse (e.g. various
block lists), sometimes there are false positives and mistakes. When
it happens, you tweak the filters and undo the wrong block. Demanding
zero chance of error before ISPs
On Mon, 23 Jul 2007, Joe Greco wrote:
Hint: there is no bot. My traffic is being redirected regardless. Were I
a Cox customer (and I'm not), I'd be rather ticked off.
Hint: the bots are on computers connecting to the irc server, not the irc
server.
Interfering with services in order to
On 7/23/07, Joe Greco [EMAIL PROTECTED] wrote:
All right, here we go. Please explain the nature of the bot on my freshly
installed (last night) FreeBSD 6.2R box.
%age of freshly installed freebsd 6.2R boxes v/s random windows boxes
on cox cable?
Like anything else, it's a numbers game.
On Mon, 23 Jul 2007 12:42:22 EDT, Sean Donelan said:
b. terminate tens of thousands of user accounts (of users who are mostly
innocent except their computer was compromised)
Given how often compromised computers have *multiple* installs of badware on
them, just cleaning off *one* bot that
Running email abuse desks for about a decade now makes me
tend to agree with you .. and completely unfiltered pipes to
the internet for customer broadband are a pipe dream, most places.
If ISPs were able to standardize consumer Internet access services using
a gateway box, then the
I would imagine that if we're talking about unsophisticated users,
the majority of them have no idea what IRC is anyway -- most of them
are using AIM, or Yahoo! IM, or
Quite true. I do know of a small fraction, however, that when Yahoo
stopped supporting the chats for their
On 7/23/07, Joe Greco [EMAIL PROTECTED] wrote:
All right, here we go. Please explain the nature of the bot on my freshly
installed (last night) FreeBSD 6.2R box.
%age of freshly installed freebsd 6.2R boxes v/s random windows boxes
on cox cable?
That's fairly irrelevant. The fact is
On Mon, 23 Jul 2007, Joe Greco wrote:
So are you claiming no bots ever try to connect to that server?
I don't care if bots ever try to connect to that server. I can effectively
stop the bots from connecting to servers by shutting down the Internet, but
that doesn't make that solution
On Mon, 23 Jul 2007, Chris L. Morrow wrote:
So, to back this up and get off the original complaint, if a service
provider can protect a large portion of their customer base with some
decent intelligence gathering and security policy implementation is that a
good thing? Keeping in mind that in
On Mon, 23 Jul 2007, Joe Greco wrote:
Although this seems to be the first big mistake in over two years, does
that make the practice unacceptable as another tool to respond to Bots?
The practice of blocking public EFnet servers?
As I've said multiple times, sometimes mistakes happen and the
On Mon, 23 Jul 2007, Joe Greco wrote:
Hint: there is no bot. My traffic is being redirected regardless. Were I
a Cox customer (and I'm not), I'd be rather ticked off.
Hint: the bots are on computers connecting to the irc server, not the irc
server.
Hint: I know. As I said, for the
On Mon, 23 Jul 2007, Joe Greco wrote:
Some privacy advocates will be upset with ISPs doing what Cox is doing.
Maybe you missed that. If we assume that it is okay for Cox to actually
intercept the IRC sessions of their users, we're way far into that
mess anyways. I'm saying do it right if
On Mon, 23 Jul 2007, Joe Greco wrote:
Would it be better if ISPs just blackholed certain IP addresses associated
with Bot CC servers instead of trying to give the user a message? That
doesn't require examining the data content of any messages. The user just
gets a connection timeout.