[mdlug] It's about time.
Joseph C. Bender
jcbender at bendorius.com
Sat Oct 10 12:35:02 EDT 2009
Raymond McLaughlin wrote:
> Aaron Kulkis wrote:
>> Botnet-hosting subscribers soon to get warnings from Comcast
>>
>> <http://arstechnica.com/security/news/2009/10/botnet-hosting-subscribers-soon-to-get-warnings-from-comcast.ars?utm_source=rss&utm_medium=rss&utm_campaign=rss>
>>
>
> This could be a good thing. One thing that concerns me is to what extent
> ssh traffic and the like will look like botnet activity to programs
> like this.
>

Nope. Assuming a good IDS or IDP, botnet traffic sticks out like a
sore thumb. SSH traffic looks like, well, SSH traffic.

There's also a pattern of traffic. Most ISP customers aren't in the
habit of connecting to random hosts in Brazil, China, Russia or
Bulgaria. Even if the traffic was destined to port 22 and "looked" like
SSH, chances are the end-user doesn't have shell accounts over there.

This can only be a step in the right direction.

-JCB