Slashdot Mirror
TimeWarner DNS Hijacking
Exstatica writes "It looks like TimeWarner is taking vigilante action on the botnet problem. They've hijacked DNS for a few IRC servers, the latest being irc.mzima.net and irc.nac.net — both part of EFNet. (irc.vel.net was hijacked earlier but has been restored.) Using ns1.sd.cox.net, the lookup returns an IP for what looks to be a script that forces the user into a channel and issues a set of commands to clean the drones. There have been different reports of other IRC networks being hijacked and other DNS servers involved. Is this the right way to handle the botnet problem? Is hijacking DNS legal?" Botnets are starting to move off of IRC for command and control, anyway.
Update: 07/24 00:01 GMT by KD : Updated and added more links; thanks to Drew Matthews at vel.net. 07/24 11:52 GMT by KD : Daniel Haskell wrote in to say that ircd.nac.net is seeing cox.net connections again, and that they are in discussion with the EFF over the matter.
Update: 07/24 00:01 GMT by KD : Updated and added more links; thanks to Drew Matthews at vel.net. 07/24 11:52 GMT by KD : Daniel Haskell wrote in to say that ircd.nac.net is seeing cox.net connections again, and that they are in discussion with the EFF over the matter.
Since submitting this article yesterday there have been some new developments. There was a large debate on Nanog about what has been happening and eventually was published to wired. The full description of everything that has happened and how it happened can be found on my site at http://www.exstatica.net/hijacked/ as for irc.vel.net we have been returned our dns, but irc.mzima.net appears to still be hijacked.
OK DNS Server resolve me to .cu and no body gets hurt.
In Pennsylvania, it sounds like it might fall under Theft of, or Diversion of Services.
If Time Warner was really concerned about it wouldnt it be easier and more effective to use their virtual truck (TW Self help) application to redirect the users browser start page to a list of instructions, tools and a support number to clean up their system? I have seen several instances were they redirect users to a "disabled due to non-payment" type pages...would a "Hey idiot your computer is infected" page be that difficult?
So we can expect the next generation of malware to alter systems to use OpenDNS?
Might make some systems a little more useful!
>Is this the right way to handle the botnet problem?
No. The right way involves castration with rusty linoleum knives, Turkish prisons, and rabid wolverines. If that doesn't work, we should quit being nice and get nasty with these folks. Seriously, this problem will not go away until people start doing some hard time, preferably with a cell mate who does not need Erct|le Member Help!
Some mornings it's hardly worth chewing through the restraints to get out of bed.
Wired found someone who approves of breaking the internet:
Right, because the kind of people who might actually use IRC know nothing about botnets and the kind of Windoze users who are part of the botnet care about IRC. This is just another attack on the free software community as outlined in the Haloween Documents.
Once again, the ISP has punished the good guys for problems crated by the bad guys. The root cause of the botnet is Windoze. Fixing it and raising awareness is as simple as cutting the problem computers off your network and telling their owners why. This is as it should be and pretending otherwise props up third rate software and threatens the stability of the net.
Friends don't help friends install M$ junk.
If I wish to black hole something on my DNS, it is my prerogative to do so. If someone else is using my server for free and complains about the shitty service, then I'll gladly refund his money...
Excuse me, but please get off my Pennisetum Clandestinum, eh!
Uhhhh.. see, I'm kinda of the opinion that vigilante action is only bad if there are proper channels. There are none.
How we know is more important than what we know.
Once again, the ISP has punished the good guys for problems crated by the bad guys. The root cause of the botnet is Windoze. Fixing it and raising awareness is as simple as cutting the problem computers off your network and telling their owners why. This is as it should be and pretending otherwise props up third rate software and threatens the stability of the net.
I wish I hadn't run out of mod points; this is gold.
That's a pretty cut and dried way of reducing the number of bots. Cutting the user off forces them to understand what is wrong and why they're cut off. If you just give them information most will just click past it and continue on their merry way. Users don't want information. They want the pr0nz as quick as possible. Didn't you know that?
I can think of one case where a (now ex) friend of mine would email To: every single person in her work address book with SPAM for her work. I started out telling her to use the Bcc: field at least and pointed her to a web page describing why you'd want to do that. she replied "I don't want to read all that technical garbage" then carried on the same. Then I asked her to remove me from her list. She replied "I am going to send you this stuff because I know you want it" (it really was SPAM for her work, it wasn't even jokes or chain mail). There ended our friendship as I reported them to their ISP. They were warned by their ISP and still continued doing what they did. They lost hosting pretty quick after that.
People don't want to learn. They are, by and large, idiots. Heavy handed measures are the only way to force them to realise that fact.
I drink to make other people interesting!
You mean you actually talked to someone in tech support who not only knew what a packet was but also looked up what was happening on their end at a technical level? How many drones did you have to speak to telling you to A)reboot or B)reinstall your machine? Did you use chicken blood or ox blood to perform this magic?
If you wanna get rich, you know that payback is a bitch
I have mod points, but I'd like to collectively reply to a few of the comments I see here. for those of you that are commending this act of vigilantism, stop and think - is this the most effective way to tackle the problem? The way I see it is that being a vigilante is akin to being involved in a constant game of whack-a-mole. The only problem is that when you start taking down bots (or even whole botnets), the people running them begin to realise that their current generation of malware isn't effective enough, and create something that is harder to detect. As the summary notes, we've already seen them trying to improve their resources. There was another post I saw on here that put it more eloquently, essentially saying: vigilantism only helps the bad guys work out where they need to improve.
So how about instead of trying to fight a brushfire with an extinguisher, we get to the root of the problem and start educating users. Yes, that takes effort. I can't begin to count the hours I've spent trying to explain to folk why using an alternative browser (or OS or whatever) is a good idea, and what they should look for in a reputable site, and so on and so on ad nauseum. It's a slow process, but the more people that are aware of the risks - and more importantly, the reasons for the risks - the less there potential 'marks' there are for all the script kiddeez, rooters and organised criminals out there.
And for us on /. - less requests to fix the family computer when we visit at Christmas.
If all you have is a grenade, pretty soon every problem looks like a foxhole -- MightyYar
Since it sounds like they were doing it with their DNS servers. While it would be illegal for me to break in to your DNS server and modify it, it is not illegal for me to modify my DNS server, even if you use it. If you dislike it, you can use another service, but unless I have a contract with you there's nothing wrong with it (legally). You can argue it is a bad idea, but changing their equipment on their network is well within their rights.
Do do do do, dah dah dah dah, is all I have to say to you.
I think this action is right-on. The parts of the equation missing are trust and accountability.
We don't trust vigilantes, not because we don't agree with them, but because we don't trust them to always act in the greater good. Their future actions and motivations are unknowns. Since their identities may even be secret, there's no way to hold them accountable.
Why are we ok with the police taking the same actions as a vigilante would take? Because of trust earned through accountability. To retask a familiar saying: "Put all your eggs in one basket and then watch that basket". That basket is the police, and we've put all our eggs in it. That means the public at large can watch the police, who are well-known and generally easy to spot. It means that internal controls can be set up, and rules of engagement can be put in place. We trust the police as much as we do because we know that, ultimately, they're under the control of the general public, who can exert pressure on them when they act badly. This is why we tend to put more trust in organizations, rather than individuals. Organizations are easier to censure.
Understanding that, it's easy to see what the course of action needs to be. As much as we here at /. tend to have a love/hate relationship with authorities, I think one needs to be set up specifically to deal with these problems. They need to be given what power is necessary to deal with the problems like spam, trojans, botnets, whatever, but at the same time, they need to be directly accountable to the public in a similar manner to police forces. Legitimize the vigilante action by coupling it with accountability.
I don't really know the specifics of setting up something like this, but I think using the police as a model would be the way to go. Rules and procedures, all the requisite bureaucracy, but also the ability to launch tactical "busts", "cyber" or otherwise. They'd need all the same approvals, warrants, etc. They'd have branches in all concerned countries, and would work through the legal systems in their home countries. In some countries, they might be a part of the police force, since much of the administrivia would be similar. Ultimately, I'd think CERT or something like it would be a good headquarters or parent organization for such a group.
The point is that we've already worked this out in the "Real World". Applying it to The Internet shouldn't be a patent-worthy exercise. While I wish we didn't need government involvement, much of the authority required is the type of authority that only government can legitimately grant, such as the ability to seize equipment.
I aplogize that this isn't as eloquently described as I'd have liked, but I think the general idea is there. You may now procede to flame me for advocating the Policing of the Intertubes but ultimately, I think that's where we're headed.
I too agree that breaking NXDOMAIN is a bad thing, but OpenDNS at least does let you change this yourself. It just has the wrong default, so to speak.
I strongly urge you to signup for a free account, and look over their settings available, before you judge.
-- Jon
I think a well-funded spec-ops team would do even more. Make these guys disappear. I mean, hell, if we're gonna live in a police state, we might as well enjoy a few of the fringe benefits.
The higher the technology, the sharper that two-edged sword.
First, as a person who owns and operates many networks, I would be rather annoyed that someone has hijacked one of my domains, for any purpose.
To me, a domain name is the equivalent to a land deed, it's a peace of virtual real-estate. It's a representation and label identifying a group of IP addresses which may or may not be associated to a physical device or service. If I have a problem with some other network, I attempt to contact the powers-that-be of the offending network; in good faith, that they would be cooperative.
Now, I assume many offensive networks out there might not cooperate, or might think that what their network is doing is either legal, moral, or of no harm. Well... I do admit, I block all of APNIC to my mail servers, though, I do not service "customers" either. If I did, I would assume my customer demographic might include a need or desire for correspondence with those in APNIC, and permit the traffic. While I might, on case by case scenerios, filter a range of IPs known for SPAM or whatever, things I certainly wouldn't do is hi-jack a domain, and most disturbingly, attempt to execute code on a clients machine without direct consent for each instance, each time. Basically, what you're doing then is intentionally deceiving a computer system, breaking standards, breaking and entering said computer system, and influencing change which permanently alters HOW that computer operates. And, knowing the practices and the broad generalized sweeping tactics of Cox Communications (for example), I must say I do NOT trust what they MIGHT consider as "malicious" code to delete off my computer "at their whim".
If this becomes "legal", then what's to stop Cox Communications (for example), from considering my MP3s as "malicious or of questionable origin" and on behalf of RIAA, delete my mp3s? How are they going to know?
Now, on to San Diego Cox Communications. While I agree that if you are on someones network, you do what they say. However, as already implied above, if my intention is to provide "Internet Service", then I DO inherently forfeit some of that overall power. And Cox Cable, blocking incoming and outgoing ports is really not within their moral obligation to do so. Nothing illegal about them doing it, no doubt some here might agree with them. But, if I'm going to sell someone "Internet Service", as I have in the past, they get "Internet Service" in full. I don't want a parent above me, and most certainly, I should be allowed unaltered Internet Service from Cox Communications on request against the default safegaurds in-place for the sake of the laymen.
But, Cox Communications does NOT permit one to exercise all of the technologies available. They notoriously block ports, and muck with the traffic. Why? Who knows, and I don't mean to be elitist, but their explanations of some Windows worm really doesn't apply to my Linux box. Besides, if I was running Windows, I still wouldn't appreciate all the port blocking and crap. I'll handle that myself.
As a result, I refuse to use Cox Cable or Time Warners Road Runner services. (Aside from the fact I'm banned from San Diego Cox Cable's network for running VPN clouds on their network, among other things like DoS'ing everyone on my subnet to boost my download speeds...), I warmly welcome other high-speed services that do NOT play parenthood. Sadly, one practically has to purchase a "Business" line instead of a "Home" connection. So, that's in fact what I have so if I want to launch my own webserver/mailserver, SQL Server or whatever, it's simply a matter of just configuring and launching the daemon.
In short, I feel hi-jacking is wrong. And I feel that people should not use Cox Cable as they are the "AOL" of today anyways. Such actions are so typical of Cox Cable... it's truelly ridiculous.
Well as some have pointed out you can use other DNS servers. However, many people don't have the time/knowledge/or need to mess with this and they really shouldn't have to. Messing with DNS for these purposes is a questionable activity. However, especially in the case of EFNet servers, I find this especially strange. EFNet does have some botnets that end up with them, but they are very few and far between.. and small in nature. These things are taken down pretty rapidly on EFNet and that's part of the reason they're not used frequently. DALnet -- a whole other story. There's tons of active botnets there now. EFNet is definitely much smaller in scale n terms of the number, the size, and the lifespan. This is pretty sad. Redirecting a hacked server being used by an IRCD is one thing. Doing it selective IRCDs on a huge *legit* network.. that's a whole other story.