Comment Re:Of course... (Score 1) 486
As someone who runs a small ISP, it's really not hard to tell the difference between botnet and P2P activity. Some things to check for. It'd be better as a flowchart, but I'll just make a list:
1) Is it mostly outgoing traffic? P2P does upload, but mostly botnets ONLY upload. So is the traffic lopsided like this?
2) Is it hitting sequential or seemingly random masses of IP blocks (>100 or so)?
3) Is the port fairly uniform or random?
4) Is it TCP or UDP?
Just with those four criteria, and with something like trafshow just to see the connection states in real time, you can (with experience) VERY easily discern if large activity is legitimate downloading of movies (Netflix, Hulu, YouTube are ALL download from 1-2 hosts), BitTorrent (normally symmetric U/D, but even if lopsided, connections tend to be in the reasonable 30-120 or so host connections), or a botnet (computer is spewing out to massive IP blocks at random, with little/no incoming data on the connection).
* If any of that traffic is with the normal mail ports ( 25, 465, 587, 110, 143, 993, 995) AND you're seeing buttloads of connections, then they're infected.
* If you start seeing totally random things that vaguely resemble portscans (lots of hosts, same/similar ports, lots of unreachable / no return packets), they're infected.
This isn't really rocket science; it's fairly easy to set up an IDS to detect this, and warn/slam the brakes on this crap. And, as a small ISP, the LAST thing you need is to be shitlisted on a bazillion blacklists, some of which (SORBS especially) are virtually impossible to get off of without being extorted.
As a small ISP, I'd rather lose one customer that can't get their shit together than lose 15 because I didn't terminate that one and got blacklisted.
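The rules of thumb in this post, scored over per-customer flow records, as an added example that is not part of the original comment. The flow tuple layout, the constructed sample traffic and the thresholds (100 distinct /24 blocks, 50 mail-port connections, 80% port uniformity, the 30-120 peer band) are assumptions for illustration, not numbers from the post beyond the ones it gives.

```python
import random
from collections import Counter
from ipaddress import ip_network

MAIL_PORTS = {25, 465, 587, 110, 143, 993, 995}

def summarize(flows):  # flows: [(dst_ip, dst_port, bytes_out, bytes_in), ...] per connection
    out = sum(f[2] for f in flows)
    inb = sum(f[3] for f in flows)
    _, top_n = Counter(f[1] for f in flows).most_common(1)[0]
    return {
        "hosts": len({f[0] for f in flows}),
        "blocks": len({ip_network(f"{f[0]}/24", strict=False) for f in flows}),
        "upload_ratio": out / max(out + inb, 1),       # share of bytes leaving the customer
        "port_uniform": top_n / len(flows) >= 0.8,     # one destination port dominates
        "mail_conns": sum(1 for f in flows if f[1] in MAIL_PORTS),
        "unanswered": sum(1 for f in flows if f[3] == 0) / len(flows),  # nothing came back
    }

def classify(flows):
    """Apply the post's checks in order; thresholds are assumed values for illustration."""
    s = summarize(flows)
    if s["mail_conns"] >= 50 and s["hosts"] > 100:      # mail ports + buttloads of connections
        return "infected: mass mailing"
    if s["blocks"] > 100 and s["port_uniform"] and s["unanswered"] > 0.5:  # portscan-like
        return "infected: scanning"
    if s["blocks"] > 100 and s["upload_ratio"] > 0.9:   # random masses of blocks, upload only
        return "botnet"
    if s["hosts"] <= 2 and s["upload_ratio"] < 0.2:     # 1-2 hosts, all download
        return "streaming download"
    if 30 <= s["hosts"] <= 120 and 0.3 <= s["upload_ratio"] <= 0.7:  # symmetric, modest peer count
        return "p2p"
    return "unclear"

def sample(kind, seed=1):
    """Constructed sample traffic for one customer (made up for this example, not real captures)."""
    rng = random.Random(seed)
    rnd_ip = lambda: ".".join(str(rng.randint(1, 254)) for _ in range(4))
    if kind == "streaming":   # one CDN host, almost everything inbound
        return [("203.0.113.10", 443, 2_000, 200_000) for _ in range(200)]
    if kind == "torrent":     # ~60 peers, roughly symmetric, random high ports
        peers = [rnd_ip() for _ in range(60)]
        return [(rng.choice(peers), rng.randint(6881, 6999), 50_000, 60_000) for _ in range(400)]
    if kind == "botnet":      # hundreds of random hosts and ports, nearly all outbound
        return [(rnd_ip(), rng.randint(1024, 65535), 4_000, 100) for _ in range(500)]
    if kind == "spambot":     # hundreds of random hosts, all on port 25
        return [(rnd_ip(), 25, 5_000, rng.choice([0, 300])) for _ in range(500)]
    if kind == "scanner":     # random hosts, one port, no replies at all
        return [(rnd_ip(), 445, 120, 0) for _ in range(500)]
    raise ValueError(kind)
```

`classify(sample("scanner"))` and the other constructed cases each land on a different rule; real flow data would come from the router's NetFlow/sFlow export or a trafshow-style capture, and the thresholds need tuning per network.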