TimeWarner DNS Hijacking

Exstatica writes "It looks like TimeWarner is taking vigilante action on the botnet problem. They've hijacked DNS for a few IRC servers, the latest being irc.mzima.net and irc.nac.net — both part of EFNet. (irc.vel.net was hijacked earlier but has been restored.) Using ns1.sd.cox.net, the lookup returns an IP for what looks to be a script that forces the user into a channel and issues a set of commands to clean the drones. There have been different reports of other IRC networks being hijacked and other DNS servers involved. Is this the right way to handle the botnet problem? Is hijacking DNS legal?" Botnets are starting to move off of IRC for command and control, anyway.
Update: 07/24 00:01 GMT by KD : Updated and added more links; thanks to Drew Matthews at vel.net. 07/24 11:52 GMT by KD : Daniel Haskell wrote in to say that ircd.nac.net is seeing cox.net connections again, and that they are in discussion with the EFF over the matter.

New Update since i submited this yesterday

[Exstatica]

Since submitting this article yesterday there have been some new developments. There was a large debate on Nanog about what has been happening and eventually was published to wired. The full description of everything that has happened and how it happened can be found on my site at http://www.exstatica.net/hijacked/ as for irc.vel.net we have been returned our dns, but irc.mzima.net appears to still be hijacked.

Re:What???

[Martin+Blank]

Actually, if you can get past the first level of drones (and sometimes the second level, depending on the company), you'll talk to people who know not only what a packet is, but also can do actual troubleshooting on the modem connection and make some sense of it. I've experienced this with Comcast, Adelphia, and Time-Warner (it was completely absent, so far as I could tell, from MediaOne when they were around); in one case, I got a very thorough explanation of the problem as it related to head-end equipment and what needed to be done to fix it from the tech as she was entering it into the work order.

The problem, of course, is that almost all users that call in don't need more than scripted hand-holding, and those of us that know what we're talking about call in and hit that wall, through which it can be very difficult to find an open window through which to crawl to find a knowledgeable person.

Re:What???

[DigiShaman]

Remember, the job of a TSR and CSR is among the jobs with the highest turn-over rate.

The people that apply (and get) these jobs fall in two main categories. The first being entry level. The second being highly skilled IT professionals who got laid off and need something to pay the bills until the find a better job. As such, you will get a nice mix of idiots and very brilliant staff manning the phone queue.

Transcript of IRC

[simpleguy]

[ simple1 @ saturn ] ~ $ dig @ns1.dc.cox.net irc.mzima.net
irc.mzima.net. 300 IN A 70.168.70.4

Connecting to 70.168.70.4 (70.168.70.4) port 6667.

[JOIN] You are now talking on #martian_
[MODE] localhost.localdomain sets mode +n #martian_
[MODE] localhost.localdomain sets mode +t #martian_
[TOPIC] Topic for #martian_ is .bot.remove
[TOPIC] Topic for #martian_ set by Marvin_ at Tue Jul 24 09:48:56 2007
[TOPIC] Topic for #martian_ is .remove
[TOPIC] Topic for #martian_ set by Marvin_ at Tue Jul 24 09:48:56 2007
[TOPIC] Topic for #martian_ is .uninstall
[TOPIC] Topic for #martian_ set by Marvin_ at Tue Jul 24 09:48:56 2007
[TOPIC] Topic for #martian_ is !bot.remove
[TOPIC] Topic for #martian_ set by Marvin_ at Tue Jul 24 09:48:56 2007
[TOPIC] Topic for #martian_ is !remove
[TOPIC] Topic for #martian_ set by Marvin_ at Tue Jul 24 09:48:56 2007
[TOPIC] Topic for #martian_ is !uninstall
[TOPIC] Topic for #martian_ set by Marvin_ at Tue Jul 24 09:48:56 2007 .bot.remove .remove .uninstall
  !bot.remove
  !remove
  !uninstall

Thats it.