[AusNOG] Killing the bots with user help. WAS Re: NBN must avoid becoming 'failed state'

Terry Manderson terry at terrym.net
Tue Oct 5 11:04:13 EST 2010

Sorry to drag up an old thread but saw this on slashdot this morning (and probably so did you).

On 21/09/2010, at 9:35 PM, Terry Manderson wrote:
> I won't go into the details of how some bots already interact with their C&C with the use of fast flux domains and other 'cool' cyrpto things but I will say through the awareness of local network traffic an operator can get enough of a picture (using heuristics, hashes, etc) to place a bot in a walled garden automatically. Thus saving the user from loosing more data than they may have already and taking yet another bot out of a bot herder's collective or better, providing a clue to the bot herder's modus operandi. There are a number of ISPs/ASPs around the world that employ such efforts and from what I hear their customers love them for it. Okay so 'love' might be a bit of an overstatement, but the respect is there.


Essentially Comcast is addressing their botnet issues by emailing their infected customers and overlaying an browser advisory notice on websites the customer visits.

Interesting idea. Doesn't completely wall the user off, but makes it reasonably clear that they are affected/infected.
(until, I guess, the bot herder installs an 'advisory notice blocker program') 

Comcast is using Dambella as their source of intelligence rather than any in-house awareness, so I'm not sure I have a strong opinion on that yet. But what is heartening is that large a trend setter is making a go of it. Clearly they have reputation assets at stake, and a huge customer base and thus a huge saving in traffic related 'events' from bot activity. I wonder if this would down scale to smaller ISPs, ie in Australia? Is the support component too much of a hit to approach this? ie unable to apportion the costs of this elsewhere?


More information about the AusNOG mailing list