nanog mailing list archives

Re: ISP Operators AISURU/Kimwolf botnet


From: Suresh Ramasubramanian via NANOG <nanog () lists nanog org>
Date: Sun, 18 Jan 2026 12:20:22 +0000

Yeah so that’s why third party malware feeds feeding into SP walled gardens are about the only way you can reasonably 
mitigate this.

Can’t be done at the destination, as you say.

--srs
________________________________
From: Mel Beckman <mel () beckman org>
Sent: Sunday, January 18, 2026 3:45:19 PM
To: Suresh Ramasubramanian <ops.lists () gmail com>
Cc: nanog () lists nanog org <nanog () lists nanog org>; Tim Burke <tim () mid net>; Corey Smith <cosmith80001 () gmail com>; Roland Dobbins <Roland.Dobbins () netscout com>
Subject: Re: ISP Operators AISURU/Kimwolf botnet


But that’s the problem: you can’t detect even one thing because the attack traffic looks like normal traffic 💯. It is, 
in fact, normal traffic in the sense that it’s exercising the service, such as HTTP, on the victim’s network. What makes 
it a distributed DoS attack is that many attackers present a huge load to this victim server while not showing any 
particularly intensive stream on the consumer attacking network. The consumer attacking network is then directed to 
attack many distant victims, but that just looks like more normal traffic to a lot of different web hosts.

In extreme cases, the attacker may max out the upstream capacity of the consumer proxy network. But once again, that’s 
not terribly surprising because some consumers just hit their limit based on gaming or whatever it is they’re doing. 
It’s not an AUP violation to use all the bandwidth you’re paying for.

-mel via cell

On Jan 17, 2026, at 11:22 PM, Suresh Ramasubramanian <ops.lists () gmail com> wrote:


Yeah, that’s why my focus was on ISPs detecting this outbound - if only through feeds like Shadowserver - and cutting 
off infected customers.

--srs
________________________________
From: Mel Beckman <mel () beckman org>
Sent: Sunday, January 18, 2026 10:44:34 AM
To: Suresh Ramasubramanian <ops.lists () gmail com>
Cc: nanog () lists nanog org <nanog () lists nanog org>; Tim Burke <tim () mid net>; Corey Smith <cosmith80001 () gmail com>; Roland Dobbins <Roland.Dobbins () netscout com>
Subject: Re: ISP Operators AISURU/Kimwolf botnet

Suresh,

Aye, there’s the rub. It’s very difficult to classify DDoS traffic at the ASN level unless you can see it across ASNs 
on the Internet backbone, and then correlate it using sophisticated pattern recognition. This is what services such as 
Black Lotus, Cloudflare, and Fastly do. Especially for small ISPs, this is impossible to do in-house, at least today 
anyway. Hackers quickly learn how all these DDoS recognition services work, so it’s a constant battle of whack-a-mole 
trying to stay ahead of them and their information-hiding techniques.

There are CPE devices — NG enterprise firewalls — that can detect and block some large output streams. But customers 
aren’t willing to pay a $2000 setup fee and turn over the shelf space and endure the noise footprint for these products.

But you’re right about one thing: ISPs, where they can identify abusive outbound traffic, can turn off those customers 
and leave it to them to clean up their home networks.

 -mel

On Jan 17, 2026, at 5:50 PM, Suresh Ramasubramanian <ops.lists () gmail com> wrote:


Write it and submit it to the NYT and that crowd would just call it mass media lies.  Whatever happened to all the 
walled gardens Comcast and others were working on?

If you see this traffic, just cut the connection based on the customer bumming free TV with a knockoff Chinese device, 
if not for the malware.

--srs
________________________________
From: Mel Beckman via NANOG <nanog () lists nanog org>
Sent: Sunday, January 18, 2026 9:41:54 AM
To: Tim Burke <tim () mid net>
Cc: nanog () lists nanog org <nanog () lists nanog org>; Corey Smith <cosmith80001 () gmail com>; Roland Dobbins <Roland.Dobbins () netscout com>; Mel Beckman <mel () beckman org>
Subject: Re: ISP Operators AISURU/Kimwolf botnet

You should write the article and submit it to the New York Times technology group. I believe David Pogue still works 
there, and he is a tech guy, so maybe he would be a good vehicle to get it published. I used to work with David at 
Macworld magazine.

But it’s not the job for an ISP, or even something an ISP could get the major media to publish.

-mel via cell

On Jan 17, 2026, at 4:50 PM, Tim Burke <tim () mid net> wrote:

The problem I see is that an article like this is intended for an IT/security professional audience.

These TV piracy boxes are often used by uneducated folks that would not read such an article. They just want their 
sports and $cableNewsChannel, and if you tell them it’s illegal or full of malware, they will just tell you you’re 
wrong, keep using it, and let it cause their 1Gbps circuit to get saturated by botnet traffic, all in the name of 
“free television”.

I have joined a few social media groups about these devices out of sheer curiosity, and have seen a number of threads 
from folks that ask why an ISP’s security offering (typically Comcast’s “XFi Security” or AT&T’s “Active Armor”) would 
be complaining about traffic coming from the device… the common trend is to tell people to disable the security 
services, as “Infinity [SIC] is just trying to force you to buy their cable”.

Hooray for Stockholm syndrome.

On Jan 16, 2026, at 20:10, Mel Beckman via NANOG <nanog () lists nanog org> wrote:

Roland,

The Krebs article you cite is even better than the one I linked, because it shows pictures of the many consumer 
devices that can be infiltrated. People are likely to immediately recognize any they own, which will drive home the 
point that this is their problem.

-mel

On Jan 16, 2026, at 5:43 PM, Dobbins, Roland via NANOG <nanog () lists nanog org> wrote:


On Jan 16, 2026, at 22:16, Benjamin Hatton via NANOG <nanog () lists nanog org> wrote:

As a smaller ISP, I think the biggest thing that would help us would be a
'mainstream' media outlet covering some of it so we have something to show
customers who call in about their internet being bad, us telling them it is
their Android streaming box that is taking up their entire connection
moving TBs of data a day, and them responding with "but I bought it from
Walmart/Amazon" or "you are just trying to get me to sign up for your
cable" and refusing to do anything about it because 'free TV'.

The Kimwolf Botnet is Stalking Your Local Network (krebsonsecurity.com):
<https://krebsonsecurity.com/2026/01/the-kimwolf-botnet-is-stalking-your-local-network/>

_______________________________________________
NANOG mailing list
https://lists.nanog.org/archives/list/nanog () lists nanog org/message/GC4T5N6XUSX3LGV3BQE4QT6CJ6G2ZUNK/
_______________________________________________
NANOG mailing list
https://lists.nanog.org/archives/list/nanog () lists nanog org/message/3LYEDZZ6DQ6FMGD5VXTM3I4PZDIYMPWE/
_______________________________________________
NANOG mailing list
https://lists.nanog.org/archives/list/nanog () lists nanog org/message/HZIDJSNEGSCFNHTAZ2IFWZ32ZG6WWU5T/
_______________________________________________
NANOG mailing list 
https://lists.nanog.org/archives/list/nanog () lists nanog org/message/VJM4WZOXL3PBWIB4AUE77UOCGD62DEEO/
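The ISP-side workflow Suresh describes (a third-party infection feed driving a walled garden), written out as an added example that is not part of the thread and is not Shadowserver's or any ISP's code. It parses a constructed feed in a hypothetical CSV layout, keeps only rows that fall inside the ISP's own address space, and proposes walled-garden action only for a statically assigned subscriber reported more than once inside a recent window, the threshold being there so that a single stale or mistaken report does not cut a customer off. Addresses from a CGNAT pool are handed off for NAT-log lookup keyed on (ip, source port, timestamp), since one public address there covers many subscribers and acting on the IP alone would garden the wrong people. The column names, prefixes, subscriber IDs and timestamps are all assumptions.

```python
"""Match a constructed infection feed against ISP address space and decide
which subscribers to place in a walled garden.

Everything below is illustrative: the feed columns, prefixes, subscriber IDs
and timestamps are invented and do not reflect Shadowserver's report schema
or any real ISP's allocation data.
"""
from __future__ import annotations

import csv
import io
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed feed in a hypothetical layout (real feeds differ; adapt parse_feed).
FEED_CSV = """timestamp,ip,src_port,tag,dst_ip,dst_port
2026-01-17T10:02:11Z,203.0.113.17,51234,proxy-botnet,198.51.100.5,443
2026-01-17T10:41:09Z,203.0.113.17,51901,proxy-botnet,198.51.100.9,80
2026-01-18T02:13:44Z,203.0.113.17,52230,proxy-botnet,192.0.2.77,443
2026-01-17T09:30:00Z,203.0.113.44,6000,proxy-botnet,192.0.2.9,443
2026-01-17T11:00:00Z,203.0.113.200,40001,proxy-botnet,198.51.100.5,443
2026-01-18T01:00:00Z,203.0.113.60,7000,proxy-botnet,192.0.2.3,80
2026-01-17T11:05:00Z,198.51.100.23,1025,proxy-botnet,192.0.2.1,80
2026-01-12T09:00:00Z,203.0.113.44,6001,proxy-botnet,192.0.2.9,443
"""

# Hypothetical ISP data: announced space, static assignments, shared CGNAT pools.
OUR_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
STATIC_ASSIGNMENTS = {"203.0.113.17": "sub-1001", "203.0.113.44": "sub-1002"}
CGNAT_POOLS = [ipaddress.ip_network("203.0.113.192/26")]

# "Now" is pinned so the example is deterministic (assumed evaluation time).
NOW = datetime(2026, 1, 18, 12, 0, tzinfo=timezone.utc)


@dataclass(frozen=True)
class FeedEvent:
    seen: datetime
    ip: ipaddress.IPv4Address | ipaddress.IPv6Address
    src_port: int
    tag: str


def parse_feed(text: str) -> list[FeedEvent]:
    """Parse the hypothetical CSV feed into timezone-aware events."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        ts = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        ts = ts.replace(tzinfo=timezone.utc)
        events.append(FeedEvent(ts, ipaddress.ip_address(row["ip"]),
                                int(row["src_port"]), row["tag"]))
    return events


def classify(ip) -> tuple[str, str | None]:
    """Map a reported IP to ("foreign"|"cgnat"|"static"|"unassigned", ident)."""
    ip = ipaddress.ip_address(ip)
    if not any(ip in net for net in OUR_NETWORKS):
        return ("foreign", None)            # not our customer; nothing to do
    for pool in CGNAT_POOLS:
        if ip in pool:
            return ("cgnat", str(pool))     # shared address: IP alone is ambiguous
    sub = STATIC_ASSIGNMENTS.get(str(ip))
    if sub is None:
        return ("unassigned", None)         # allocation table is stale or incomplete
    return ("static", sub)


def decide(events: list[FeedEvent], now: datetime,
           window: timedelta = timedelta(hours=48),
           min_sightings: int = 2) -> dict:
    """Return the walled-garden decision set for one feed run."""
    result = {"garden": [], "needs_nat_lookup": [], "foreign": [],
              "unassigned": [], "stale": []}
    sightings: dict[str, set[datetime]] = defaultdict(set)
    for ev in events:
        if now - ev.seen > window:
            result["stale"].append(str(ev.ip))   # too old to act on today
            continue
        kind, ident = classify(ev.ip)
        if kind == "foreign":
            result["foreign"].append(str(ev.ip))
        elif kind == "cgnat":
            # Resolve the real subscriber from NAT translation logs, not the IP.
            result["needs_nat_lookup"].append((str(ev.ip), ev.src_port,
                                               ev.seen.isoformat()))
        elif kind == "unassigned":
            result["unassigned"].append(str(ev.ip))
        else:
            sightings[ident].add(ev.seen)
    # Only garden subscribers reported repeatedly inside the window.
    for sub, times in sorted(sightings.items()):
        if len(times) >= min_sightings:
            result["garden"].append(sub)
    return result


def run_example() -> dict:
    """Run the constructed feed through the decision logic."""
    return decide(parse_feed(FEED_CSV), NOW)


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

In this run sub-1001 is reported three times in 48 hours and is proposed for the garden; sub-1002 appears once inside the window (and once six days ago, which is discarded as stale) and is left alone; the CGNAT-pool hit is emitted with its source port and timestamp for NAT-log resolution rather than acted on; the address outside the ISP's space is ignored.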
