TimeWarner DNS Hijacking
Exstatica writes "It looks like TimeWarner is taking vigilante action on the botnet problem. They've hijacked DNS for a few IRC servers, the latest being irc.mzima.net and irc.nac.net — both part of EFNet. (irc.vel.net was hijacked earlier but has been restored.) Using ns1.sd.cox.net, the lookup returns an IP for what looks to be a script that forces the user into a channel and issues a set of commands to clean the drones. There have been different reports of other IRC networks being hijacked and other DNS servers involved. Is this the right way to handle the botnet problem? Is hijacking DNS legal?" Botnets are starting to move off of IRC for command and control, anyway.
Update: 07/24 00:01 GMT by KD : Updated and added more links; thanks to Drew Matthews at vel.net. 07/24 11:52 GMT by KD : Daniel Haskell wrote in to say that ircd.nac.net is seeing cox.net connections again, and that they are in discussion with the EFF over the matter.
Since submitting this article yesterday there have been some new developments. There was a large debate on Nanog about what has been happening and eventually was published to wired. The full description of everything that has happened and how it happened can be found on my site at http://www.exstatica.net/hijacked/ as for irc.vel.net we have been returned our dns, but irc.mzima.net appears to still be hijacked.
In other news Redhat has begun using arp poisoning and TLD hijacking to remove the Malicious and insecure Microsoft Windows installs. After all windows installs are purged there is expected to never ever be a future threat and heavy handed tactics will never be used again. Sometimes the cure is worse than the ailment.
OK DNS Server resolve me to .cu and nobody gets hurt.
In Pennsylvania, it sounds like it might fall under Theft of, or Diversion of Services.
Politicians are more concerned with pampering the amok-running entertainment industry, providers are more concerned with keeping their pink contract customers, users are more concerned with getting cheap viagra and don't care about the number of botnets their computers are part of and law enforcement is chasing whoever is tagged with the kiddieporn or terrorism flag.
If admins don't take it into their own hands, nobody is going to do anything.
Police thyself, or others will do the policing for you.
Then they came for IRC, and dammit, I use IRC, and if my ISP blocks it, it's a dealbreaker, even if I have to sue to cancel the contract.
If I have been able to see further than others, it is because I bought a pair of binoculars.
While Cox used to use Time Warner's RoadRunner for their cable internet service, Cox's Internet offerings are In-House now.
Your hair look like poop, Bob! - Wanker.
If Time Warner was really concerned about it wouldn't it be easier and more effective to use their virtual truck (TW Self help) application to redirect the users browser start page to a list of instructions, tools and a support number to clean up their system? I have seen several instances where they redirect users to a "disabled due to non-payment" type pages...would a "Hey idiot your computer is infected" page be that difficult?
Frankly, I think it's about time somebody started ACTING on the problems we face online. Botnets are a huge global issue, and we simply must do all that we can to stop them. Although I suppose this probably could be considered illegal (remotely installing software on somebody's PC without their authorisation breaks pretty much every anti-hacking law in the land), how else can we tackle these issues? Zombie PCs aren't going away any time soon, so more needs to be done. The only problem is as the OP originally stated - botnet control is moving away from IRC networks anyway, so this may also be a case of too little too late. What other methods can be used to help curb the botnet problem?
Anything goes on the Eris Free Network.
So we can expect the next generation of malware to alter systems to use OpenDNS?
Might make some systems a little more useful!
Let's face it, the company with the most responsibility in the Botnet mess, Microsoft, has been sitting on their hands when it comes to dealing with the issue. Well, until they figured out they could make a buck at it.
Botnets are used by organized crime for spam, stock scams and a host of other illegal activities. It's time someone did something...if only for the political effect.
Moose and squirrel beat you again.
Better luck next time!
>Is this the right way to handle the botnet problem?
No. The right way involves castration with rusty linoleum knives, Turkish prisons, and rabid wolverines. If that doesn't work, we should quit being nice and get nasty with these folks. Seriously, this problem will not go away until people start doing some hard time, preferably with a cell mate who does not need Erct|le Member Help!
Some mornings it's hardly worth chewing through the restraints to get out of bed.
...the sudden increase in irc proxy scanners hitting my server over the past week.
Though I'm not sure what kind of explanation justifies doing that.
Wired found someone who approves of breaking the internet:
Right, because the kind of people who might actually use IRC know nothing about botnets and the kind of Windoze users who are part of the botnet care about IRC. This is just another attack on the free software community as outlined in the Halloween Documents.
Once again, the ISP has punished the good guys for problems created by the bad guys. The root cause of the botnet is Windoze. Fixing it and raising awareness is as simple as cutting the problem computers off your network and telling their owners why. This is as it should be and pretending otherwise props up third rate software and threatens the stability of the net.
Friends don't help friends install M$ junk.
If I wish to black hole something on my DNS, it is my prerogative to do so. If someone else is using my server for free and complains about the shitty service, then I'll gladly refund his money...
Excuse me, but please get off my Pennisetum Clandestinum, eh!
Uhhhh.. see, I'm kind of the opinion that vigilante action is only bad if there are proper channels. There are none.
How we know is more important than what we know.
only extends to where someone else's nose begins. If someone is harming your chattels, then you have the right to take appropriate action to limit the damage. I'd love to see a botnet operator sue Time Warner - "Judge it is not fair, they hit back first! Waaaaaahhhh..."
Excuse me, but please get off my Pennisetum Clandestinum, eh!
Once again, the ISP has punished the good guys for problems created by the bad guys. The root cause of the botnet is Windoze. Fixing it and raising awareness is as simple as cutting the problem computers off your network and telling their owners why. This is as it should be and pretending otherwise props up third rate software and threatens the stability of the net.
I wish I hadn't run out of mod points; this is gold.
That's a pretty cut and dried way of reducing the number of bots. Cutting the user off forces them to understand what is wrong and why they're cut off. If you just give them information most will just click past it and continue on their merry way. Users don't want information. They want the pr0nz as quick as possible. Didn't you know that?
I can think of one case where a (now ex) friend of mine would email To: every single person in her work address book with SPAM for her work. I started out telling her to use the Bcc: field at least and pointed her to a web page describing why you'd want to do that. she replied "I don't want to read all that technical garbage" then carried on the same. Then I asked her to remove me from her list. She replied "I am going to send you this stuff because I know you want it" (it really was SPAM for her work, it wasn't even jokes or chain mail). There ended our friendship as I reported them to their ISP. They were warned by their ISP and still continued doing what they did. They lost hosting pretty quick after that.
People don't want to learn. They are, by and large, idiots. Heavy handed measures are the only way to force them to realise that fact.
I drink to make other people interesting!
I expect that the same people who neglect their PCs by downloading and opening random crap and not even bothering to leave automatic updates running will be as detrimental to OS X or Linux if they ever grow tired of "Windoze" and blame Microsoft (or as you like to call them, "M$") for their inexperience and lack of interest in basic security enough to switch platforms. You know what? You're more than welcome to them. Those of us who choose to run Windows and do it responsibly as with any other OS can certainly do without the "wow this email with a zip attachment from the CIA looks important, I think I'll open it and run it" masses. You can have all of them, and then when there's enough of them and malware writers start targeting them, you can post on Slashdot about how "Linsux" is third rate because it lets these stupid people install stuff on their own computers. I'll be looking forward to that.
Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
Think it can't be done? Why? They can make them and get detected, so why not one that completely goes off like a worm and attacks all this virii and even updates itself.
Question now arises whom do we trust for that.
So not going to happen.
You mean you actually talked to someone in tech support who not only knew what a packet was but also looked up what was happening on their end at a technical level? How many drones did you have to speak to telling you to A)reboot or B)reinstall your machine? Did you use chicken blood or ox blood to perform this magic?
If you wanna get rich, you know that payback is a bitch
I have mod points, but I'd like to collectively reply to a few of the comments I see here. for those of you that are commending this act of vigilantism, stop and think - is this the most effective way to tackle the problem? The way I see it is that being a vigilante is akin to being involved in a constant game of whack-a-mole. The only problem is that when you start taking down bots (or even whole botnets), the people running them begin to realise that their current generation of malware isn't effective enough, and create something that is harder to detect. As the summary notes, we've already seen them trying to improve their resources. There was another post I saw on here that put it more eloquently, essentially saying: vigilantism only helps the bad guys work out where they need to improve.
So how about instead of trying to fight a brushfire with an extinguisher, we get to the root of the problem and start educating users. Yes, that takes effort. I can't begin to count the hours I've spent trying to explain to folk why using an alternative browser (or OS or whatever) is a good idea, and what they should look for in a reputable site, and so on and so on ad nauseam. It's a slow process, but the more people that are aware of the risks - and more importantly, the reasons for the risks - the fewer potential 'marks' there are for all the script kiddeez, rooters and organised criminals out there.
And for us on /. - less requests to fix the family computer when we visit at Christmas.
If all you have is a grenade, pretty soon every problem looks like a foxhole -- MightyYar
---AFT (About Fyucking Time) Defense/Offense Corporatist attack a real enemy of US. They (Corporations/associations/laws... RIAA, MPAA, DMCA ...) have been using the law to spy on and attack citizens......
Wow. That is one hell of a rant. Too bad it's just full of sticking points towards every group you hate. That adds nothing.
---If you want to win you must always be on the offense. Offense or Defense will always win a battle, but only offense can win the war.
Your key supposition is this.
What is winning to Time-Warner? They wish to make money.
Can attacking lead to elimination of threat? Yes, it can.
Can attacking lead to more money lost due to unforeseen complications? Yes, it can.
What is the percentage that is lost? It is a great percentage. Why? Because IP addresses are not checked to verify whether source/destination are correct.
If the majority of companies went to first strike like what you wish, then I, as one person could imitate that of a rival company and engage each other in a cyberwar. If you don't understand this, I am simply blending in the prisoner's dilemma and tragedy of the commons.
That's probably why you were -1'ed.
I'm a student at Clemson University. After some problems with IRC-based badware 4-5 years ago, the University decided to block the default IRC port for students to try to help.
Thing is, they never removed the block. And at a University, well, when someone does this, you're pretty much boned.
(Yes, I know there are multiple ports on many IRC servers -- but not all of them.)
I have Cox Communications, and I just checked, irc.mzima.net is still hijacked:
;; ANSWER SECTION:
More interestingly, (I think), the website 'crackz.ws' is permanently hijacked by Cox:
crackz.ws. 300 IN A 68.0.15.8
it redirects to a "Scam Blocked" page...
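The dig output quoted above is the kind of evidence a subscriber can collect for themselves. As an added example (not from this thread, and not Cox's or Time Warner's code), here is a small Python checker that parses the ANSWER SECTION lines of dig output from the ISP resolver and from a second resolver, reports names whose A records disagree, and lists any single address that is being handed back for several unrelated names, which is what a walled-garden or sinkhole redirect looks like in practice. The dig outputs below are constructed; 68.0.15.8 is the address quoted in the comment, irc.example.net and the 203.0.113.x/198.51.100.x addresses are documentation-range placeholders.

```python
import re
from typing import Dict, List, Set

# One resource record line as dig prints it, e.g. "crackz.ws. 300 IN A 68.0.15.8"
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(\S+)\s*$")


def parse_a_records(dig_output: str) -> Dict[str, Set[str]]:
    """Map owner name -> set of A rdata found in the ANSWER SECTION(s) of dig output."""
    records: Dict[str, Set[str]] = {}
    in_answer = False
    for raw in dig_output.splitlines():
        line = raw.strip()
        if line.startswith(";;"):
            # dig marks sections with ";; NAME SECTION:"; only the answer section matters here
            in_answer = line.startswith(";; ANSWER SECTION")
            continue
        if not in_answer or not line or line.startswith(";"):
            continue
        m = RR_RE.match(line)
        if m and m.group(3) == "A":
            name, _ttl, _rtype, rdata = m.groups()
            records.setdefault(name.rstrip(".").lower(), set()).add(rdata)
    return records


def divergent_names(isp_output: str, reference_output: str) -> Dict[str, Dict[str, List[str]]]:
    """Names whose A records differ between the ISP resolver and the reference resolver."""
    isp = parse_a_records(isp_output)
    ref = parse_a_records(reference_output)
    out: Dict[str, Dict[str, List[str]]] = {}
    for name in sorted(set(isp) | set(ref)):
        if isp.get(name, set()) != ref.get(name, set()):
            out[name] = {"isp": sorted(isp.get(name, ())), "reference": sorted(ref.get(name, ()))}
    return out


def shared_answers(dig_output: str) -> Dict[str, List[str]]:
    """Addresses returned for more than one owner name: a redirect/sinkhole tell-tale."""
    by_addr: Dict[str, List[str]] = {}
    for name, addrs in parse_a_records(dig_output).items():
        for addr in addrs:
            by_addr.setdefault(addr, []).append(name)
    return {addr: sorted(names) for addr, names in by_addr.items() if len(names) > 1}


# Constructed sample: what the ISP resolver and an outside resolver returned for two names.
ISP_DIG_OUTPUT = """\
;; QUESTION SECTION:
;crackz.ws.\t\t\tIN\tA

;; ANSWER SECTION:
crackz.ws.\t\t300\tIN\tA\t68.0.15.8

;; QUESTION SECTION:
;irc.example.net.\t\tIN\tA

;; ANSWER SECTION:
irc.example.net.\t300\tIN\tA\t68.0.15.8

;; Query time: 12 msec
"""

REFERENCE_DIG_OUTPUT = """\
;; ANSWER SECTION:
crackz.ws.\t\t300\tIN\tA\t203.0.113.10

;; ANSWER SECTION:
irc.example.net.\t300\tIN\tA\t198.51.100.7
irc.example.net.\t300\tIN\tA\t198.51.100.8
"""

if __name__ == "__main__":
    for name, answers in divergent_names(ISP_DIG_OUTPUT, REFERENCE_DIG_OUTPUT).items():
        print(f"{name}: isp={answers['isp']} reference={answers['reference']}")
    for addr, names in shared_answers(ISP_DIG_OUTPUT).items():
        print(f"{addr} is returned for {len(names)} names: {', '.join(names)}")
```

A disagreement between two resolvers is not proof of tampering on its own (CDNs legitimately answer differently by location), but the same address coming back for names that have nothing to do with each other, as in the constructed sample, is the pattern the comment above describes.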
I think my network was the first full network hit, although FDF did have a singular server issue about a year ago and there were some smaller instances as much as two years ago. I've been keeping a collection of reports and information on a blog page found here: http://anthony.blogs.ablenet.org/time_warner_aol_roadrunner_and_verizon_kill_irc
It started with TW/AOL and then Verizon and lastly Cox. At first I thought we were on a blacklist somewhere, but when that didn't check out, I was totally baffled!
This isn't the perfect or ideal way to do things. But its about damned time the ISPs did something.
There is simply **NO** excuse for a bot to be running on any ISP for more than the time it takes to detect it pumping out massive volumes of email. My solution, as I've stated several times, would be to disconnect the offending computer, and then fire them off a snailmail letter stating that they will not be permitted back until their computer is disinfected. But since that would cost them customers, no one will do that.
I want a new quote. One that won't spill. One that don't cost too much. Or come in a pill.
Leet-man dedazo insultingly blames the users again:
The botnet's root cause is not "Windoze", it's the people who are ignorant or lazy enough to let their computers be taken over by trojans and worms. Since it's stupidly simple to avoid that, the problem lies squarely between keyboard and chair.
Both ignorance and apathy would be cured by kicking off infected computers. I'd be looking forward to "responsible user" dedazo being kicked off but I think the PR firm he works for uses a botnet to post all its pro M$ blather, so he could stay one step ahead of the terminations.
Interestingly enough, he scornfully proposes the right solution:
[lots of namecalling for normal computer users] You know what? You're more than welcome to them.
That would be cool. Steve Jobs does not have a problem with average users on Apple. Sun does not have a problem with Solaris in hospitals. No one but M$ has a problem and liberating their users would be a great thing for everyone. It can't be done by force but it will happen when people have knowledge and choices.
Friends don't help friends install M$ junk.
This is really no different from when I used ISA server to redirect ad sites to a benign company graphic that eliminated pop-up ads, cookies and quickened page loading times. Cox and other ISP's operate a private network up to the point they peer, and they are allowed to control the traffic on their network by using DNS seeding on their own servers to redirect client traffic from within their own network to another server on their own network. I'm sure some verbiage is buried in their terms of use policy, but if you object to their cleaning bots off of your systems, then police yourself or get a different ISP.
Nothing to see here but us trolls...move along...
Michael Dell estimates that 25% of the computers he sells ends up controlled by a bot net. Botnets used to abuse IRC while launching spam and DNS. The problem is Windows, but you would like to blame and punish IRC servers and users. Why?
Your plan does not even make sense. Botherders have already moved to their own distributed command and control systems that have nothing to do with IRC.
The only people disrupted by this are IRC users, who mostly use gnu/linux and other systems that don't have botnet problems. People with infected computers are not IRC users.
Friends don't help friends install M$ junk.
Botnets used to abuse IRC while launching spam and DNS.
That's supposed to be Botnets used to abuse IRC while launching spam and DoS (denial of service attacks).
Friends don't help friends install M$ junk.
http://secureme.blogspot.com/2005_06_01_archive.html/
Scroll down to the very bottom of that page. Notice the date.
If it was my IRC Server that they hijacked I'd sue Timewarner to the maximum extent..
No matter the collateral damage? Protecting freedom by restricting rights again, are we?
This might give us some brief reprieve, Time Warner needed to do this to prevent their network getting banned in places, I already banned it from my mailservers. The botnetters will just use IP addresses next...
If you mod me down, I will become more powerful than you can imagine....
"So we can expect the next generation of malware to alter systems to use OpenDNS?"
I remember a fella named Kashpureff tried this once...
Need Mercedes parts ?
I can easily understand the urge to disable as many bots as possible, particularly those that are making their network look bad.
At the same time, they're blocking legitimate accesses to legitimate services without even notifying their users.
I don't really mind that they're manipulating the machines given that they only affect owned machines.
This does seem to be a vigilante action, but it's not as if "legitimate" law enforcement seems to have any interest at all in catching cyber-criminals even when they and victim are in the same jurisdiction unless, of course, the victim is a large corporation. Whenever legitimate law enforcement is absent, vigilantes tend to fill the vacuum.
The problem is the assholes who take over people's computers to send spam and flood web sites. The solution is a well funded police force to hunt them down.
Start in Redmond. No really. Start rooting around the PR firms they pay and see what you find.
Then you can move on to Madison Avenue where big name companies like American Express, Home Depot, American Airlines and others have been busted paying these assholes to take over people's computers. Think those companies got more than a slap on the wrist? No, they had "plausible deniability" and all of them claimed absolute shock that these things were done in their name - shock I tell you, while they continue to support laws that make the internet look like broadcast TV and force the same thing.
Honeynets are a nice way to start tracking these things down but it's not going to work when the herds are all moved over to redundant and decentralized command and control structures. Police effort will dig up thousands of home users who know nothing about what's happened to their computers, unless you can make a TIA network as big as the planet. The crooks will then add their own networks to the official one and you are back at square one.
No, the only way to get rid of the problem is to make it expensive through platform diversity. Making the user aware of the problem and making it cost the user time and trouble is the first step. At some point the network will be so degraded that users will start dropping off anyway.
Friends don't help friends install M$ junk.
And I care WHY?
Is hijacking DNS legal?
"Tortious interference," is part of English common law roughly defined as the causing of harm by disrupting something that belongs to someone else. The original example was a guy who repeatedly drove ducks away from his neighbors' pond by firing a gun in the air on his own property.
So no, it's not legal. But if you want to pursue it in court, you have only one of the weaker common-law torts to rely on.
Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
Since it sounds like they were doing it with their DNS servers. While it would be illegal for me to break in to your DNS server and modify it, it is not illegal for me to modify my DNS server, even if you use it. If you dislike it, you can use another service, but unless I have a contract with you there's nothing wrong with it (legally). You can argue it is a bad idea, but changing their equipment on their network is well within their rights.
208.67.222.222
208.67.220.220
I don't work for OpenDNS, but they've got some nice DNS servers out there for use. http://www.opendns.com/
Kind of sad, the first thing I thought about when I started reading about this was, "Wow... Who'd a thought you needed TOR to get proper DNS resolution?"
Why use anything else? (Except maybe 4.2.2.2).
I'm a TW/RR customer, and I have no problems reaching external DNS from my local proxy.
Well, when I had less of a commute and more free time, I taught computer classes at the local library (they already had classes set up, they just needed a lecturer... it wasn't hard). At first, we just did really basic stuff, but I eventually managed to teach one on security.
Unfortunately, even for a free class like that, I could barely get 10-15 people and we're in a pretty large city. Classes were one-night affairs, twice a week or so.
I'd love to educate more users, but it's pretty hard. Honestly, I wish someone could get them to make a TV show out of it, but it'd have to be someone with a clue. And I wonder how much content you could even manage? There are only so many scams to tell people about.
Half of security is knowing who I trust for my information. A bit of "paranoia" has saved my ass more than once when dealing with something I thought was a little off.
There is simply **NO** excuse for a bot to be running on any ISP for more than the time it takes to detect it pumping out massive volumes of email.
So, all they'd have to do is to watch egress traffic, and if somebody was sending mail to, say, more than 20 different e-mail servers in the course of an hour (perhaps with a ramp-up capability), then suspect they're a spammer and either a) get them on a whitelist if they're not, or b) prevent them from sending more mail unless it's properly relayed.
Now, how do you scale that kind of system to 20 million subscribers?
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
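The egress-monitoring idea in the comment above (flag a subscriber that talks to more than 20 different mail servers in an hour, with a whitelist for legitimate senders) is straightforward to express as detection logic. The following Python is an added example, not the ISP's or the commenter's code; the flow-record format ("timestamp src -> dst:port") and all addresses are constructed, with RFC 5737 documentation ranges standing in for outside mail servers. It keeps a one-hour sliding window per source and raises one alert per source the first time the distinct-server count crosses the threshold.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Deque, Dict, FrozenSet, Iterable, List, Optional, Tuple

# Constructed flow-record format: "<ISO-8601 UTC> <src-ip> -> <dst-ip>:<dst-port>"
FLOW_RE = re.compile(r"^(\S+)\s+(\S+)\s+->\s+(\S+):(\d+)$")

SMTP_PORT = 25
DEFAULT_THRESHOLD = 20          # distinct mail servers per window before we suspect a spam bot
DEFAULT_WINDOW = timedelta(hours=1)


def parse_flow(line: str) -> Optional[Tuple[datetime, str, str, int]]:
    """Parse one flow record; returns None for lines that do not match the format."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m.group(2), m.group(3), int(m.group(4))


def detect_smtp_fanout(lines: Iterable[str], threshold: int = DEFAULT_THRESHOLD,
                       window: timedelta = DEFAULT_WINDOW,
                       whitelist: FrozenSet[str] = frozenset()) -> Dict[str, Tuple[datetime, int]]:
    """Flag sources that contact more than `threshold` distinct SMTP servers within `window`.

    Flow records are expected in time order. Whitelisted sources (known legitimate
    relays, item a) in the comment above) are never flagged. Returns
    {src: (time_of_first_alert, distinct_servers_at_that_moment)}.
    """
    recent: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    counts: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    alerts: Dict[str, Tuple[datetime, int]] = {}
    for line in lines:
        parsed = parse_flow(line)
        if parsed is None:
            continue
        ts, src, dst, port = parsed
        if port != SMTP_PORT or src in whitelist:
            continue
        q, seen = recent[src], counts[src]
        # Expire flows that have fallen out of the sliding window.
        while q and ts - q[0][0] > window:
            _, old_dst = q.popleft()
            seen[old_dst] -= 1
            if seen[old_dst] == 0:
                del seen[old_dst]
        q.append((ts, dst))
        seen[dst] += 1
        if len(seen) > threshold and src not in alerts:
            alerts[src] = (ts, len(seen))
    return alerts


def build_sample_log() -> List[str]:
    """Constructed flow records for four subscriber hosts (RFC 5737 addresses as servers)."""
    base = datetime(2007, 7, 24, 9, 0, tzinfo=timezone.utc)

    def fmt(t: datetime) -> str:
        return t.strftime("%Y-%m-%dT%H:%M:%SZ")

    lines = []
    # 10.0.0.5: a bot spraying 25 different mail servers, one per minute
    lines += [f"{fmt(base + timedelta(minutes=i))} 10.0.0.5 -> 192.0.2.{i + 1}:25" for i in range(25)]
    # 10.0.0.9: a person sending mail to three servers
    lines += [f"{fmt(base + timedelta(minutes=5 * i))} 10.0.0.9 -> 198.51.100.{i + 1}:25" for i in range(3)]
    # 10.0.0.100: the ISP's own outbound relay, busy but whitelisted
    lines += [f"{fmt(base + timedelta(seconds=30 * i))} 10.0.0.100 -> 192.0.2.{i + 1}:25" for i in range(40)]
    # 10.0.0.7: 30 servers, but spread ten minutes apart, so never more than 7 per hour
    lines += [f"{fmt(base + timedelta(minutes=10 * i))} 10.0.0.7 -> 203.0.113.{i + 1}:25" for i in range(30)]
    # unrelated traffic that the detector must ignore
    lines.append(f"{fmt(base)} 10.0.0.5 -> 192.0.2.200:80")
    return sorted(lines)   # ISO-8601 timestamps sort chronologically as strings


if __name__ == "__main__":
    for src, (when, n) in detect_smtp_fanout(build_sample_log(), whitelist=frozenset({"10.0.0.100"})).items():
        print(f"{src}: {n} distinct SMTP servers within an hour as of {when.isoformat()}")
```

On the constructed log only 10.0.0.5 is flagged: the relay is whitelisted, the ordinary user never gets near the threshold, and the slow sender never has more than seven servers inside any one-hour window. The question the comment ends with, scaling this to 20 million subscribers, is the real cost: the state kept here is one deque per source, which is fine for a single aggregation point but has to be sharded by source address (or replaced with approximate counting) at ISP scale.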
This is just another attack on the free software community as outlined in the Halloween Documents.
Actually they only modified their own DNS server. This is not breaking the Internet. This is breaking Cox/Time Warner walled garden ISP DNS.
If you don't like the faulty DNS, feel free to change to one of the other public DNS servers such as the public Verizon DNS Server at 4.2.2.1. You don't have to use your ISP's DNS server. Go into your router setup and switch from dynamic DNS to Static and plug in 2 or 3 public DNS servers and you are back to real DNS results.
The truth shall set you free!
TWC gives fairly cheap/fast cablemodems to some people here in NYC. Like $50:mo for 1Mbps/600Kbps up/down. Not bad, for the US.
But their DNS really sucks. Every connection to the Net requires a slow DNS lookup. And several times a week, sometimes several times a day, DNS goes down, or really slow (>60s per lookup). These botnets aren't the culprit. It's a lame IT staff.
$50:mo is a lot, on top of an additional $50:mo TV charge, plus what they get for "triple play" including phone service. And of course pay-per-view. In a city of 8M people, the large majority of whom subscribe, with really low per-dwelling costs because we're all living in such a small area with complete infrastructure. Oh, and they're a monopoly in a captive market at the center of the global media market.
TWC should pay another $10M more a year to keep their DNS running like a greased snake. Including cleaning up the botnets that attack them, without making such a big deal about a minority of their problem.
--
make install -not war
How is disabling a bot a bad thing unless you are...one of...the...hijackers? It's a conspiracy!!!!!111
I'm not huge on rights being violated but if their (the ISP) service is being abused they should be well within their power to stop it and should stop it, particularly when it comes to bots
IRC stopped being a geek thing back in the 90's or so. I have plenty of friends who hang out on IRC (you are aware that you can go on IRC with a Java applet aren't you?) but I wouldn't trust them with cleaning up their own computer.
And, what is suggested here, is practically speaking quite simple to do. Configure your network so that problematic or high risk (infection indicating) packets raise alarm bells. Or even if you have nothing else, download full blocklist zones and grepcidr the lists to see if your own customers appear. All of this with minimal disruption to legitimate, uninfected hosts.
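The second suggestion above, downloading blocklist zones and running grepcidr over them to see whether your own customers appear, is worth showing in working form. The following Python is an added example and not the commenter's or grepcidr's code; it reimplements the matching step with the standard library's ipaddress module, and the customer prefixes and blocklist snippet are constructed. Overlap rather than containment is tested so that a listing wider than the customer pool is reported as well.

```python
import ipaddress
from typing import Dict, Iterable, List, Tuple, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_blocklist(lines: Iterable[str]) -> Tuple[List[Tuple[str, Net]], List[str]]:
    """Turn blocklist zone lines into networks; bare addresses become /32 (or /128).

    Returns (parsed entries as (original_text, network), lines that could not be parsed).
    Comment lines (#) and blank lines are ignored, as are inline comments.
    """
    entries: List[Tuple[str, Net]] = []
    rejected: List[str] = []
    for raw in lines:
        text = raw.split("#", 1)[0].strip()
        if not text:
            continue
        try:
            entries.append((text, ipaddress.ip_network(text, strict=False)))
        except ValueError:
            rejected.append(raw.rstrip("\n"))
    return entries, rejected


def listed_in_customer_space(customer_prefixes: Iterable[str],
                             blocklist_lines: Iterable[str]) -> Dict[str, List[str]]:
    """Map each customer prefix to the blocklist entries that overlap it.

    Overlap is used rather than containment so that a listing broader than the
    customer prefix (a whole /15 blocked because of one subscriber) is reported too.
    """
    customers = [(p, ipaddress.ip_network(p, strict=False)) for p in customer_prefixes]
    entries, _rejected = parse_blocklist(blocklist_lines)
    hits: Dict[str, List[str]] = {p: [] for p, _ in customers}
    for text, net in entries:
        for prefix, cnet in customers:
            if cnet.version == net.version and cnet.overlaps(net):
                hits[prefix].append(text)
    return {prefix: found for prefix, found in hits.items() if found}


# Constructed data: two customer pools and a snippet in the style of a DNSBL-derived zone dump.
CUSTOMER_PREFIXES = ["10.20.0.0/16", "10.30.8.0/22"]
BLOCKLIST_SNIPPET = """\
# constructed blocklist snippet, not a real feed
10.20.5.17          # single listed subscriber
10.30.12.0/24       # adjacent to, but outside, the 10.30.8.0/22 pool
10.30.9.4
192.0.2.0/24        # somebody else's network
10.20.0.0/15        # a listing wider than our own /16
not-an-address
"""

if __name__ == "__main__":
    for prefix, found in listed_in_customer_space(CUSTOMER_PREFIXES, BLOCKLIST_SNIPPET.splitlines()).items():
        print(f"{prefix}: {', '.join(found)}")
```

Run against a real zone dump the output is the list of your own address space that the rest of the Internet has already decided to refuse mail from, which is exactly the set of subscribers worth looking at first.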
First, as a person who owns and operates many networks, I would be rather annoyed that someone has hijacked one of my domains, for any purpose.
To me, a domain name is the equivalent to a land deed, it's a piece of virtual real-estate. It's a representation and label identifying a group of IP addresses which may or may not be associated to a physical device or service. If I have a problem with some other network, I attempt to contact the powers-that-be of the offending network; in good faith, that they would be cooperative.
Now, I assume many offensive networks out there might not cooperate, or might think that what their network is doing is either legal, moral, or of no harm. Well... I do admit, I block all of APNIC to my mail servers, though, I do not service "customers" either. If I did, I would assume my customer demographic might include a need or desire for correspondence with those in APNIC, and permit the traffic. While I might, on case by case scenarios, filter a range of IPs known for SPAM or whatever, things I certainly wouldn't do is hi-jack a domain, and most disturbingly, attempt to execute code on a clients machine without direct consent for each instance, each time. Basically, what you're doing then is intentionally deceiving a computer system, breaking standards, breaking and entering said computer system, and influencing change which permanently alters HOW that computer operates. And, knowing the practices and the broad generalized sweeping tactics of Cox Communications (for example), I must say I do NOT trust what they MIGHT consider as "malicious" code to delete off my computer "at their whim".
If this becomes "legal", then what's to stop Cox Communications (for example), from considering my MP3s as "malicious or of questionable origin" and on behalf of RIAA, delete my mp3s? How are they going to know?
Now, on to San Diego Cox Communications. While I agree that if you are on someone's network, you do what they say. However, as already implied above, if my intention is to provide "Internet Service", then I DO inherently forfeit some of that overall power. And Cox Cable, blocking incoming and outgoing ports is really not within their moral obligation to do so. Nothing illegal about them doing it, no doubt some here might agree with them. But, if I'm going to sell someone "Internet Service", as I have in the past, they get "Internet Service" in full. I don't want a parent above me, and most certainly, I should be allowed unaltered Internet Service from Cox Communications on request against the default safeguards in-place for the sake of the laymen.
But, Cox Communications does NOT permit one to exercise all of the technologies available. They notoriously block ports, and muck with the traffic. Why? Who knows, and I don't mean to be elitist, but their explanations of some Windows worm really doesn't apply to my Linux box. Besides, if I was running Windows, I still wouldn't appreciate all the port blocking and crap. I'll handle that myself.
As a result, I refuse to use Cox Cable or Time Warner's Road Runner services. (Aside from the fact I'm banned from San Diego Cox Cable's network for running VPN clouds on their network, among other things like DoS'ing everyone on my subnet to boost my download speeds...), I warmly welcome other high-speed services that do NOT play parenthood. Sadly, one practically has to purchase a "Business" line instead of a "Home" connection. So, that's in fact what I have so if I want to launch my own webserver/mailserver, SQL Server or whatever, it's simply a matter of just configuring and launching the daemon.
In short, I feel hi-jacking is wrong. And I feel that people should not use Cox Cable as they are the "AOL" of today anyways. Such actions are so typical of Cox Cable... it's truly ridiculous.
Why can not people affected by this problem simply put the right answer in their hosts files?
If you don't like the faulty DNS, feel free to change to one of the other public DNS servers such as the public Verizon DNS Server at 4.2.2.1.
How long will it be before they block access to alternatives or the alternatives themselves can not be trusted? Breaking something as fundamental as DNS breaks an important agreement that makes the internet work.
Friends don't help friends install M$ junk.
I'm all for fighting the botnet problem, but is DNS hijacking the way to fight them? Customers of any ISP should be able to feel confident that, when they enter in slashdot.org, they get the IP for Slashdot, and not for a BADBOTBAD channel!
Instead, why don't they invest in a technology that will keep an eye out for spam like activity (e.g. Port 23 monitoring), and advise customers when they feel they have been compromised?
This sig left intentionally blank.
I bet she was fugly..
In fact, only TRON has a billion users, and TRON doesn't seem to have the problems you describe.
That's because Tron fights for the Users.
Knowledge is power. Knowledge shared is power multiplied.
You're the bright person who submitted this story, which is actually about Cox, only you said it was Time Warner. Your own page has TW in the title, but only talks about Cox. Do you know something about a merger between the two that isn't yet public knowledge?
[100% ISO 646 Compliant]
SVM, ERGO MONSTRO.
The university I went to adopted just that kind of policy after the Blaster worm took the entire network offline. You had to register your MAC with the IT services and then go run (or say you ran) the clean-up CD and then they'd let you back on the network if they didn't see any crap coming from your MAC address on the network. Unknown MACs were blocked from accessing the network and you would also be blocked from accessing the network if your machine became zombified and started putting out traffic that indicated it. You'd have to call the IT guys after you ran the clean-up CD and then they'd let you back on if the network traffic from the machine looked fine.
I don't see how this would be any harder for any other ISP to handle, considering that the university has something well over 65k machines on the network, roughly 90k actual IIRC. That's probably more than quite a few smaller ISPs have. We haven't had much trouble with internal DOSes since, so apparently the tactic works.
Just "gittin-r-done," day after day.
Well as some have pointed out you can use other DNS servers. However, many people don't have the time/knowledge/or need to mess with this and they really shouldn't have to. Messing with DNS for these purposes is a questionable activity. However, especially in the case of EFNet servers, I find this especially strange. EFNet does have some botnets that end up with them, but they are very few and far between.. and small in nature. These things are taken down pretty rapidly on EFNet and that's part of the reason they're not used frequently. DALnet -- a whole other story. There's tons of active botnets there now. EFNet is definitely much smaller in scale in terms of the number, the size, and the lifespan. This is pretty sad. Redirecting a hacked server being used by an IRCD is one thing. Doing it to selective IRCDs on a huge *legit* network.. that's a whole other story.
Or rather, didn't comprehend. The whole "to which he is not entitled" part, means if you take control of something that doesn't belong to you. Time Warner's DNS belongs to them, hence it doesn't apply.
There are about to be some very public, very terminate-with-extreme-prejudice actions coming from the FBI against a number of spammers and bot-masters. This is not a good time to be a spammer or botnet wrangler based in the US. A number of individuals in both categories who, as of this very evening, probably think they're operating under the radar... Are in fact nearing federal indictments.
Watch the news transpire over the next 60 days. Most of us will, for once, be proud of how our tax money is being spent.
I can see someone's loving his OS just a little too much. Have a bit of an open mind.
I run both Windows and Linux on my machines and the only major advantage to running Linux in this type of situation is the fact that these infections are mainly designed to infect windows machines. I keep my Windows machine running cleanly, with regular virus scanning and full disclosure on my software firewall (aka, asks about everything) and I haven't unintentionally gotten a virus or spyware at all in the last few years. I have set up a separate hard drive where I installed some viruses so I could watch them play and learn how to clean them off of someone else's machine.
The problem with this is that I understand computers so when I see a new process I'm not recognizing I'll look up info on it, which is something very few people do. Most people just fire off the normal "Click OK" and keep going.
I've seen two ways that the people I do support for handle these things. Either they are like my roommate who manages to regularly infect his machine with mass quantities of stuff in his search for pr0n or they're like one client I have who is so worried about anything getting in that they've heavily overdone it on programs to keep themselves clean and their machine runs just as poorly as one infested with crap. Granted, that second category doesn't attempt to infect other machines so that is a step up.
If as you say all of these Windows people who aren't interested in learning how to protect their machines leave and go to a Mac OS or Linux OS then the people who are writing all of this stuff will start to work on targeting that platform. Even with the faster patching that goes on to fix issues that assumes these already lazy people will likely not install the patch, or install it but not clean off their infection, which they probably aren't aware of.
dedazo makes some great points and you come off sounding like a pretty sad fanboy when you bash him and say he's just trying to make Microsoft look good. Even so at the very end you say that when people have knowledge and choices things will get better but the whole point Dedazo is making is that people don't want to get that knowledge, or see that they have choices.
A DNS response to a widespread bot infection, a worm attack, or other overwhelming threat would be to claim SOA for the offending domain on your network, and resolve the entire domain to 127.0.0.1. Even that's sketchy, but it's what we might call the internet equivalent of Generally Accepted Accounting Principles. I've seen registrars themselves nullroute a domain and in general there's not much objection, because extreme action is only taken in extreme circumstances. That isn't what happened here at all.
What happened here is that multiple ISPs rerouted legitimate connection attempts to legitimate network servers to their own, pseudo-C&C servers. Through the hijacked connections, they issued commands (in the
It would certainly not be legal for me, as Joe Blow, to intercept your packets (for any purpose, good or evil), nor would it be legal for me, as Joe Blow, to use those intercepted packets to attempt to "uninstall" software from your computer, regardless of what that software is. Why, then, is it okay for ISPs to do the same?
Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
I bet she was fugly..
Funnily enough, not. She was of european descent and in the good kind of way... too bad she was a farking moron.
I drink to make other people interesting!
Actually blaming the criminal.
Weird moderation. "Troll" I could see, but this is a valid analogy.
In short: Who appointed you judge?
At length: Stopping botnets may be a noble cause, but who gets to decide what's a botnet and what's not, or which services/servers may be blocked and which ones may not? If TimeWarner is allowed to do this, what's stopping them from blocking downloads of Firefox, or preventing you from browsing to, say, comcast.net?
Tell you what -- I don't really mind what they intercept and read, since I use crypto for anything I really care about. So the right thing for them to do here would be, sniff the network, and send email to the owner of any machine that appears to be infected. Then, let them deal with it.
Don't thank God, thank a doctor!
[ simple1 @ saturn ] ~ $ dig @ns1.dc.cox.net irc.mzima.net
.bot.remove .remove .uninstall .bot.remove .remove .uninstall
irc.mzima.net. 300 IN A 70.168.70.4
Connecting to 70.168.70.4 (70.168.70.4) port 6667.
[JOIN] You are now talking on #martian_
[MODE] localhost.localdomain sets mode +n #martian_
[MODE] localhost.localdomain sets mode +t #martian_
[TOPIC] Topic for #martian_ is
[TOPIC] Topic for #martian_ set by Marvin_ at Tue Jul 24 09:48:56 2007
[TOPIC] Topic for #martian_ is
[TOPIC] Topic for #martian_ set by Marvin_ at Tue Jul 24 09:48:56 2007
[TOPIC] Topic for #martian_ is
[TOPIC] Topic for #martian_ set by Marvin_ at Tue Jul 24 09:48:56 2007
[TOPIC] Topic for #martian_ is !bot.remove
[TOPIC] Topic for #martian_ set by Marvin_ at Tue Jul 24 09:48:56 2007
[TOPIC] Topic for #martian_ is !remove
[TOPIC] Topic for #martian_ set by Marvin_ at Tue Jul 24 09:48:56 2007
[TOPIC] Topic for #martian_ is !uninstall
[TOPIC] Topic for #martian_ set by Marvin_ at Tue Jul 24 09:48:56 2007
!bot.remove
!remove
!uninstall
That's it.
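The dig session above shows the check a practitioner would actually run: ask the ISP's resolver for the name and see whether the answer matches what the zone's own authoritative servers hand out. The following is an added example, not code from the original post or from any of the parties named here. It parses dig-style answer lines, compares the resolver's A records against the authoritative set, and distinguishes the two cases discussed in this thread: a 127.0.0.1-style blackhole (the "resolve the whole domain to loopback" practice described earlier) versus a redirect to a live, globally routable host. The 70.168.70.4 answer is the one quoted above; every other address, and the "authoritative" answer set, is a constructed placeholder from the RFC 5737 documentation ranges, not the real servers' addresses. Fetching the live answers (for example with dnspython against the NS records of the zone) is left out so the block runs offline.

```python
"""Cross-check a recursive resolver's A records against the zone's
authoritative servers to detect resolver-side hijacking.

Added example; the sample answers below are constructed for illustration.
"""
import ipaddress
import re

# One dig-style answer line, e.g.:
#   irc.mzima.net.   300   IN   A   70.168.70.4
A_RECORD = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+A\s+"
    r"(?P<addr>\d{1,3}(?:\.\d{1,3}){3})$"
)


def parse_a_records(answer_text):
    """Return {owner_name: set(addresses)} from dig-formatted answer text.

    Owner names are lower-cased and given a trailing dot so that answers
    from different tools compare equal. Lines that are not A records
    (comments, NS, SOA, CNAME, ...) are skipped.
    """
    records = {}
    for line in answer_text.splitlines():
        match = A_RECORD.match(line.strip())
        if not match:
            continue
        name = match.group("name").lower()
        if not name.endswith("."):
            name += "."
        records.setdefault(name, set()).add(match.group("addr"))
    return records


def looks_like_sinkhole(addr):
    """True for loopback, RFC 1918, link-local and other non-global
    addresses: the usual targets of a deliberate DNS blackhole."""
    return not ipaddress.ip_address(addr).is_global


def classify(resolver_addrs, authoritative_addrs):
    """Verdict for one name.

    consistent        resolver shares at least one address with authority
    sinkholed         resolver answers only with non-routable addresses
    hijacked          resolver answers with routable addresses that the
                      authority never handed out (the case in this thread)
    nxdomain_or_empty resolver returned no A record at all
    """
    if not resolver_addrs:
        return "nxdomain_or_empty"
    if resolver_addrs & authoritative_addrs:
        return "consistent"
    if all(looks_like_sinkhole(a) for a in resolver_addrs):
        return "sinkholed"
    return "hijacked"


def compare_resolvers(resolver_text, authoritative_text):
    """Return {name: verdict} for every name seen in either answer set."""
    resolver = parse_a_records(resolver_text)
    authoritative = parse_a_records(authoritative_text)
    names = sorted(set(resolver) | set(authoritative))
    return {
        name: classify(resolver.get(name, set()), authoritative.get(name, set()))
        for name in names
    }


# Constructed sample input. 70.168.70.4 is the answer quoted in the dig
# session above; 192.0.2.x and 203.0.113.x are RFC 5737 documentation
# addresses standing in for the real authoritative data.
ISP_RESOLVER_ANSWER = """\
;; ANSWER SECTION:
irc.mzima.net.      300   IN  A   70.168.70.4
irc.example.net.    3600  IN  A   192.0.2.25
evil.example.       60    IN  A   127.0.0.1
"""

AUTHORITATIVE_ANSWER = """\
irc.mzima.net.      3600  IN  A   192.0.2.10
irc.example.net.    3600  IN  A   192.0.2.25
evil.example.       3600  IN  A   203.0.113.7
"""


if __name__ == "__main__":
    for name, verdict in compare_resolvers(ISP_RESOLVER_ANSWER,
                                           AUTHORITATIVE_ANSWER).items():
        print(f"{name:<20} {verdict}")
```

Run against real data, feed the answer section of `dig @<isp-resolver> NAME A` as the first argument and the answer from `dig @<authoritative-ns> NAME A` as the second; a "hijacked" verdict for a name whose authoritative servers are healthy is exactly the situation the poster captured. Names resolved through a CNAME chain need the final A records pasted in, since only A lines are parsed here.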
It's a pretty retarded setup. You can redirect my traffic any which way you like, you won't command my computer to do shit. It doesn't accept remote commands like that. You also won't get any information, all my important traffic is encrypted. I don't trust that nobody is listening in on what is happening, so I ensure that end-to-end things are protected.
That's how you should do it. Assuming that your ISP is supposed to protect you is stupid. Your computer ought to be set up such that if its connection is hijacked, that doesn't do anything. It isn't like that can't happen from some random malicious place, never mind your ISP. That's proper security.
Also, if you don't like your ISP's DNS servers, don't use them. I use my ISPs servers because they work well and I believe them to be accurate. There have been times in the past when I've been on an ISP and I haven't. Had one where their DNS was really flaky, connection was good, just DNS was bad. So I used different servers. Likewise, if I felt that my ISPs DNS servers were giving me information that wasn't useful, I'd change to use others.
I don't care if you like it or not, if you don't, don't use Time Warner, however that doesn't make it at all illegal. There's no law that says that you have to offer a certain kind of DNS service. DNS is all just convention anyhow. Most DNS servers trust the ICANN roots. Some don't, some do their own thing entirely (Windows domains are sometimes all internal with no public component). Nobody is forcing it to be that way, it is just the way most people do it. There's nothing stopping you, or your ISP, or anyone from doing it different. DNS was designed so you can.
TWC: "Sir, you have an IRC bot on your machine that's making DDoS attacks."
Majority Computer User: "'IRC'? I'm seeing who??? Who am I seeing and when? Why am I seeing them? What're you talking about?!? Am I being charged for this?!? OMG, did Billy download music or movies or something?!? Oh Jesus Christ I'm going to kill that brat! Oh God, did you report me?!? I'm going to jail, aren't I?!?"
TWC: (sweatdrop)
So. Explain to me how castrating bots without disturbing or distressing the vast and overwhelming majority of computer users is a bad thing?
[End Of Line]
I don't see how this would be any harder for any other ISP to handle, considering that the university has something well over 65k machines on the network, roughly 90k actual IIRC. That's probably more than quite a few smaller ISPs have. We haven't had much trouble with internal DOSes since, so apparently the tactic works.
It's not the number of machines, it's the level of access the ISPs have that is different. Access to wire protocol information and managed network equipment is spotty, some co-locations are unbelievably primitive even today.
So it could be done, but it would have to be done at a much higher level, which means it costs them money to build the system (they can't use standard and built-in network management tools that the university has), costs them money to administer and runs the risk of sending customers to a competitor. From a business point of view it is all cost, no benefit.
The only way to get ISPs to hold their customers responsible is for some form of higher authority to hold the ISPs themselves responsible. Vigilante action has resulted in balkanization of the net, but no real improvement in the problem.
OP asks "Is this the right way to handle the botnet problem? Is hijacking DNS legal?"
A good question. Let me check for you.... Hang on... looking up Time Warner's Bank Balance. Uh huh... HOLY COW!
In answer to your question, yes, DNS hijacking is most definitely legal.
I would like to agree with you, but I can't. How many bots have you helped prevent by educating people--five, ten? Now how many worms have been shut down by this vigilantism? I'm willing to bet that it is more.
People are lazy and don't really want to "be educated" unless it provides them some sort of direct personal benefit. Trying to educate people about things that affect them indirectly, after time, or in the aggregate--such as bot nets, pollution, or AIDS prevention--never has and probably never will really do much good. There's no stick for failing to learn and no carrot for succeeding, and thus no incentive other than knowing you're probably doing the right thing.
The Clean Air Act and law enforcement had more effect on air pollution than a million teachers, and it will probably take a law and someone to enforce it to solve this problem as well. The flipside of vigilantes showing criminals where they need to do a better job is that they also show law enforcement where they need to do a better job.
Bored With ProgressQuest?
Could a system of application DRM prevent bots on Windows?
By requiring a development license to create an application, which could be trivially obtainable from Microsoft validating user identity, no unknown application would be allowed to run on a machine that isn't the developer's or alternate machines once the application is 'published'. Using a system of centrally maintained and verifiable application IDs, destructive or errant software could then be denied the right to execute via a Microsoft security patch or a publicly maintained database of elected 'bad' applications.
I'd be surprised if something similar isn't already in the pipeline.
Yes, the solution you propose is possible, and indeed, in progress.
You've probably seen something similar when you have to install an ActiveX control in IE (for a bank, or Windows Update). It asks i) if you'd like to install it and ii) If you'd like to trust the publisher in the future.
The binary is cryptographically signed which assures the computer that it is a product of the authorised holder of a particular crypto key. MS already uses this scheme for device drivers on 64-bit versions of Vista - at present, it can be disabled by a technically oriented user, but there's no guarantee that ability will persist.
The downside is twofold - firstly, for this measure to have any teeth, you have to remove the ability of the user to ignore it. Secondly, it provokes ideas like Microsoft's "Trusted Computing" initiative (aka "Palladium"), which hands over full control of your computer to a short list of people who know the secret keys embedded in your motherboard. The main motivator for requiring signed drivers in Vista is to prevent the loading of things like virtual devices which can be used to capture perfect digital copies of DRM protected media. A secondary consideration is quality assurance.
http://www.gnu.org/philosophy/can-you-trust.html
At some point it is inevitable that MS operating systems will produce an API that permits calling programs to determine the presence of unsigned drivers or software, and refuse to perform certain functions (like playback of DRMed media). Heck, this shouldn't be hard to implement right now with a little effort. With TP, because the only trusted root certificates will be stored in inaccessible firmware, there will be no way for the user to sign drivers himself and mark them as trusted. Therefore MS (and anyone they care about pleasing) will be in control of what your computer can or cannot do.
It's safe to say many people don't get it. This problem isn't even about IRC.
As I see it, letting this one go will reduce the barrier for various interest groups to put pressure on ISPs to 'dns blackhole' content, which is going to undermine the DNS system as we know it. How long until forums and blogs will get redirected over 'inappropriate content'?
Only by challenging deliberate DNS hijacking (esp of legal services, like the ones in TFA) can we prevent Western countries going the way of Iran and China.
...you've been looking for.
They say the first thing to go is your penis. Well, it's either that or your brain. I forget which...
I can see both sides of this. On one hand you have the individuals who could consider this an invasion of privacy as the cable companies are making changes to the way your system operates. However I can also see where the cable companies come from. They are paying for bandwidth to send out junk from these botnets that are running on your grandmother's machine and clearly grandma has no clue that the computer is doing anything wrong. I think a different approach could have been taken such as creating a list of potentially infected clients, contacting them via e-mail and informing them of what was going to happen days ahead and allowing them to remove themselves from this filtering. It would have been a pain for the cable company but could have been done.
Personally I am happy to see someone doing something to help ease the traffic of these botnets. I run a small mail server for our company with about 30 users and we receive over 2000 pieces of "spam" each day. We only usually receive 100 +/- real e-mails. Thus 95% of our e-mail is "spam" and I would guess that a vast majority of that is created by botnets. I think that more people should take the time to look for these networks and try to slow their traffic. I would hope that every network administrator is taking some time out of his busy day to capture traffic from his network and see where potential security risks are within his domain.
Parent is correct, let's actually blame the people who are causing the problem, and here's a hint: it's not the PC user no matter how infrequently they update antivirus.
Also, calling Windows "Windoze" is just completely and utterly stupid. Let's at least try to talk like grown-ups.
Has anyone in the /. crowd been out of diapers long enough to remember Eugene Kashpureff and the AlterNIC?
He went to jail in 1997 for redirecting DNS queries.
http://en.wikipedia.org/wiki/AlterNIC
Why is it OK now? Does the end now justify the means?
I find it ironic that Time Warner is going at this from the wrong end of the problem. If they filtered port 25 traffic from broadband DUL space, the spammers wouldn't be interested in invading their customers' machines. It's almost always about spam. The fact that most of these ISPs do little to stop their customers' machines from being zombied, or anything to reduce the viability of them being exploited, shows how much they really care about the customers. All broadband ISPs should now be filtering SMTP traffic on their networks. Anyone that wants to run their own mail server can set up alternate ports and use special IP space designated for SMTP traffic. This would make the botnets obsolete.
Whilst I can understand the blight of bots we are seeing out there, can we ever justify an implementation that effectively lies to users? In my mind this produces a lack of trust between ISPs and their users, although the trust that is there is minimal anyway.
I am glad to see something highlighting the issues that face ISPs but this isn't the way to solve botnets.
BOO
And in 1998 PA's license plates were changed to "promote the Commonwealth's award winning and highly visited official website".
http://philadelphia.about.com/library/weekly/aa100499.htm
They were the first to do this, because PA was being trumpeted as 'revolutionary' and 'embracing the internet' IIRC. LOL!
Our IRC network which currently is 4 different client servers has had the IPs blocked by Verizon completely. They cannot even ping these servers or anything, they have completely blocked all routing to these IPs.
We are also seeing the Timewarner/AOL/RR issue as well and the Cox issue with one of the DNS to our network.
Hmm.. as opposed to Americans who are of a somehow "non-European" descent? :)
I guess the IRC script kiddies stroked COX the wrong way? Left un-satisfied the mighty COX went and fucked DNS.
If it's alright for them to "shut down a bot" on MY machine, then answer me this:
Why can't I break into Sprint to fix a billing mistake that keeps coming up on my bill?
How is that any different? It's definitely a mistake on their end. No doubt about that. So why can't I just get into their system and fix it for them? Oh yeah, that's right: because we have laws against that.
In sum, shutting off the network connection: fine. Directly hacking into a customer's machine to "fix" whatever problem there is: not fine. This is not a matter of opinion. This is a matter of what is legal and what is not. Unauthorized computer tampering is, most decidedly, illegal. In almost all cases. That is the line that was crossed here. Rationalizing it does not change the facts.
Your ISP uses the hijacked botnet to install a rootkit so they can "update your antivirus" on a regular basis.
Then they sell filesystem access to the RIAA, MPAA, NSA, and "legitimate" spammers (like their own marketing departments).
You can call it paranoia, but I call it good business sense. Once the opportunity is there for them to do it, some PHB will see the potential for corporate synergy.
When a subscriber agrees to the TOS, they automatically signed some autonomy over to TW, which is a normal thing for contracts. This isn't because TW wants to invade your privacy -- it is because they could be held criminally liable for actions taken on their network. Despite your furor over privacy, any court will grant the company a good amount of leniency over actions taken to protect themselves. Questions of effectiveness aside, I see nothing wrong with what TW did. I imagine that this must be a substantial problem for the service if they went to such lengthy steps to set up this operation.
forget it.
A little humor for the clueless never hurts, but it does disturb their reality.
... (from my reality ...)
.... http://majikthise.typepad.com/majikthise_/2006/01/wikipedia_block.html [typepad.com]
... It is the new government, business, religion ... SOP
... will get their comeuppance by a serious
IOW: A troll rating, I can sometimes consider a compliment not an insult.
Reading will help you and maybe others understand
The USA, Germany, Japan, and France are not the leaders in this entertaining activity.
Old News of the better know, definitely not the only news on the cyberwar subject:
http://yro.slashdot.org/article.pl?sid=07/07/22/1
China Titan Rain: http://en.wikipedia.org/wiki/Titan_Rain [wikipedia.org]
US DARPA TIA: http://en.wikipedia.org/wiki/Total_information_aw
Wikipedia defensively blocked the USA [Wiki-Vandal] Offensive Congress IP address block,
as to why
EU, Russia, Arabs, Israel, UN
for CoOp spycraft and cyberwar. US ain't the only one on the block, globally they are
all the pot calling the kettle black. As I always say, "Reality is self...."
Cyberwar is happening and has been happening for almost a decade. The general public
is limited, by law, to individual passive/defensive cyber-fights, by wisdom (a true sense
of reality) the individual chooses not to play a [individual]David&Goliath[organizations]
battle. Is the wild-wild-west Internet/WWW, better than organized civilized cyberwar?
I do hope Time-Warner, Halliburton, China
counter-attack. The good side, this is low intensity warfare, not boots-on-the-ground
kill'em all war. Who knows maybe we will all learn how to live in virtual-peace.
FUBAR by design is an intended mess.
!HAVEFUN!
Unaccountable leaders are masters, and unrepresented people are slaves. How do US and EU fare?
Did the summary writer read the article? Did the editor? Cox is NOT Time Warner.
Yoda of Borg am I! Assimilated shall you be! Futile resistance is, hmm?
in that they are conducting their vigilante justice in public spaces. The problem is that there doesn't exist a governing body with enough clout, knowledge of the subject and power to enforce any fair use of what amounts to a public resource. Hijacking a hijacker's own car doesn't clear the streets of the problem - if anything it enforces the notion that it's a viable way to get attention and/or address a grievance.
I do like programming things that work super quickly, especially when they work super quickly, super quickly.
The only legitimate users who would cry their eyes out on this one are people with the ability to use an upstream dns server anyway. This is a nonissue.
.. I expect to see Spam drop by 80% almost immediately.
I'll even hold my breath until it happens!
If you disagree with me on social issues, then it's pretty clear that you are a narrow-minded bigot.
Yeah ... they'll just block or corrupt EVERY SINGLE PUBLIC NAMESERVER IN THE WORLD.
Or they could just block it at the cable modem.
But reality manifestly has no place in your nice cozy conspiracy theories.
What are you talking about?
Friends don't help friends install M$ junk.
If someone did this for me while I was gone, I'd be kind of annoyed and maybe a little creeped out. I most certainly would prefer they'd asked permission first, because while in all likelihood I would rather have it fixed, it's my door, and for all they know, I was the one who kicked it in, and I was doing a photo study on it, or making a home movie, or something.
It's also not just one door. They're fixing thousands, automatically. Which means it's not like my one door, where I notice it and say "Hey, thanks!" Thousands means you're much more likely to run into that one person who really didn't want you to fix it, and had a good reason not to.
I actually do have a real-world example of something like this: For the first month or so of college, I had a roommate, we'll call him J. Now, J wasn't a bad guy, and he had a stereo and a TV, which was cool, but he was also a farm kid, liked sports, etc, so while we were both in computer science, we had little in common -- and I would doubt he's still comp sci.
During that first month or so, the easiest way to make friends was to simply leave the door to your room open -- people would just wander in. Or you could walk down the hall to someone else's door and wander in. This is how I met the people next door, which was actually a bit like me and my roommate -- K was like me, was very much into tinkering with computers, was Leftist (had Michael Moore DVDs), and so on. His roommate, whose name I don't remember, but call him L, was Republican, into sports, etc.
I can't say I didn't see it coming. After all, I spent quite a bit of time in K's room, watching his Family Guy collection with him. And then I went back to my room, and played Quake 3 with him over the network -- which meant we were shouting loudly enough to hear each other from next door...
So one day, I came back from class to find J gone from my room and K finishing setting up his custom-built bunk. They had mentioned the idea for me, but effectively, they traded roommates on me without my knowledge or consent.
I was happy with the change, though -- most of my pseudo-righteous-indignation was just because it was so damned funny -- but really, it would have been nice to at least have a little warning.