nanog mailing list archives

Re: ISP Operators AISURU/Kimwolf botnet


From: Jon Lewis via NANOG <nanog () lists nanog org>
Date: Sat, 17 Jan 2026 10:22:28 -0500 (EST)

On Sat, 17 Jan 2026, Mike Simpson via NANOG wrote:

> Again though.
> What does it matter to the customer? It's not impacting their bottom line. They are used to fairly rubbish service for a huge multitude of reasons, so their bandwidth being a bit slashdotted doesn't matter to them. That's why it's a DDoS.

It matters to the customer when the various infected devices on their network start causing problems they (or their neighbors) notice. DDoS is far from the only thing compromised things are used for. There are spam-sending bots, brute-force auth attempt bots, etc.

I thought I'd dealt with the spam bots a year or two ago with port 25 filters. Looking at the ACL counters, I can see those bots are still constantly trying. But now there appear to be spam bots using authenticated/encrypted SMTP Submission. Likely, this is related to the bots doing brute force authentication bypass attempts on large provider IMAP servers (getting our IPs internally blacklisted by those providers, resulting in customer support calls "XYZ is saying my IP is temporarily blacklisted when I try checking my mail.").

The more gear in a customer's home network that's compromised, the more vectors there are for getting into their computers, phones, etc., and then there's the chance of RATs being installed, data theft, etc.

It's far from just an issue of our outbound traffic capacity possibly being "stolen" and misused. That's probably the least of my concerns. For me, IP reputation is probably the top one, though customer safety is right up there next to it.

Getting the customer gear cleaned up seems, to me, to be a non-starter. Attempting this could easily be a full-time job...and I have done the exercise of picking a customer known to be infected[1], getting into their CPE, identifying the internal IP/MAC of the infected "thing" [it wasn't the CPE], but that's as far as I could get. The MAC resolved to some company in China I'd never heard of, so it provided no clue to me as to what the device is. Imagine trying to talk a customer through identifying some random device on their home network by IP/MAC. I could break its Internet connectivity with a filter on their CPE, but even if we find it by then looking for the thing that's fallen off the network, then what? If it's a streaming TV device, thermostat, or other IoT device, how are they supposed to clean off the malware, and what's going to stop it from getting re-infected? In the case of insecure gear that can be compromised by any other device on the local network, do we tell them "you just can't have that on your network...throw it away, or demand a refund from whoever you bought it from"?

[1] We're currently in a trial of Spamhaus's "BGP Firewall" that provides a feed of known botnet C&C IPs (for null routing to break their communication with & control of bots on our network). Rather than just null routing that traffic, we're sending it to a system where we can capture the packets...so I've identified at least a subset of our infected customers.

The Spamhaus data is clearly helpful, but doesn't seem to be a complete cure for the issue...so I'm curious if there are other similar services that could be combined to get more/better coverage?

----------------------------------------------------------------------
 Jon Lewis, MCP :)              |  I route
 Blue Stream Fiber, Sr. Neteng  |  therefore you are
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
_______________________________________________
NANOG mailing list https://lists.nanog.org/archives/list/nanog () lists nanog org/message/JL2GUN46XA6GTQFVYCKCLG5KLPN7HWPJ/
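The triage Jon describes (matching captured traffic against a C&C feed to find infected subscribers, and watching the ACL counters on port 25 versus the newer authenticated submission attempts) can be sketched as a small correlation script. This is an added example, not code from the post or from Spamhaus; the feed entries and the flow records are constructed placeholders using RFC 5737 documentation addresses and CGNAT-space customer addresses, and the (src, dst, dport, proto) tuple format is an assumption about what a collector or packet-capture box would export.

```python
import ipaddress
from collections import defaultdict

# Constructed C&C feed: placeholder entries in RFC 5737 documentation ranges,
# standing in for a null-route/BGP feed of known controller IPs. Not real indicators.
CNC_FEED = [
    "203.0.113.10/32",
    "198.51.100.0/28",
]

# Constructed flow records as a capture or flow collector might export them:
# (customer src IP, dst IP, dst port, protocol). Customer addresses are in
# 100.64.0.0/10 (CGNAT space) purely as sample values.
SAMPLE_FLOWS = [
    ("100.64.0.7", "203.0.113.10", 443, "tcp"),   # talks to a feed-listed C&C
    ("100.64.0.7", "198.51.100.5", 8080, "tcp"),  # second C&C, inside the /28
    ("100.64.0.7", "192.0.2.9", 25, "tcp"),       # same host also tries direct SMTP
    ("100.64.0.21", "192.0.2.44", 25, "tcp"),     # port 25 attempt (ACL would count it)
    ("100.64.0.21", "192.0.2.44", 587, "tcp"),    # authenticated submission attempt
    ("100.64.0.21", "192.0.2.80", 993, "tcp"),    # IMAPS, where brute-force auth shows up
    ("100.64.0.33", "192.0.2.9", 443, "tcp"),     # ordinary HTTPS, nothing of note
]

# Mail-related destination ports worth counting per subscriber.
MAIL_PORTS = {25: "smtp", 465: "smtps", 587: "submission", 143: "imap", 993: "imaps"}


def load_feed(entries):
    """Parse feed lines (IP or CIDR) into ip_network objects."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def in_feed(ip, networks):
    """True if the address falls inside any feed prefix."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def find_cnc_talkers(flows, networks):
    """Map each customer source IP to the set of feed-listed destinations it contacted."""
    hits = defaultdict(set)
    for src, dst, _dport, _proto in flows:
        if in_feed(dst, networks):
            hits[src].add(dst)
    return dict(hits)


def mail_activity(flows):
    """Count per-customer connection attempts to each mail-related port."""
    counts = defaultdict(lambda: defaultdict(int))
    for src, _dst, dport, _proto in flows:
        if dport in MAIL_PORTS:
            counts[src][MAIL_PORTS[dport]] += 1
    return {src: dict(c) for src, c in counts.items()}


def triage(flows, feed_entries):
    """Combine both signals into one per-customer report for follow-up."""
    networks = load_feed(feed_entries)
    cnc = find_cnc_talkers(flows, networks)
    mail = mail_activity(flows)
    report = {}
    for src in set(cnc) | set(mail):
        report[src] = {
            "cnc_contacts": sorted(cnc.get(src, ())),
            "mail": mail.get(src, {}),
        }
    return report


if __name__ == "__main__":
    for src, info in sorted(triage(SAMPLE_FLOWS, CNC_FEED).items()):
        print(src, info)
```

The point of combining the two views is the one the post makes: a customer that never touches a listed C&C address can still be a problem if the same source is hammering port 587 and IMAPS, which the null-route feed alone will never show. A real deployment would read flows from the capture box rather than the inline list and refresh the feed on its publisher's schedule.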
