Slashdot Mirror


Paul Vixie: 100,000 DSL Modems May Lose Their DNS On July 9

Dante_J writes "Up to 100,000 DSL modems may lose access to DNS come July the 9th, due to scripted web interface changes made to them by DNSChanger. This and other disturbing details were raised by respected Internet elder Paul Vixie during a presentation at the AusCERT 2012 conference."


  1. 8.8.8.8 by windcask · · Score: 4, Informative

    What DNS issues?

    1. Re:8.8.8.8 by Anonymous Coward · · Score: 1

      +1

      This is much faster than my ISP's DNS, and it doesn't redirect misses to crappy ad-pages either.

    2. Re:8.8.8.8 by Anonymous Coward · · Score: 2, Insightful

      Sure, then Google can see every web site, service, anything that you use, even when not using their search. Great idea!

    3. Re:8.8.8.8 by philip.paradis · · Score: 4, Informative

      Any DNS provider you use can do the same thing. If you don't like this, feel free to operate your own resolvers.

      --
      Write failed: Broken pipe
    4. Re:8.8.8.8 by foradoxium · · Score: 5, Insightful

      I would worry more about your ISP being forced to cache (for 2 years) all the same information for the government or their employers to use than Google using your habits to form better directed ads..

      http://www.capitol.hawaii.gov/measure_indiv.aspx?billtype=HB&billnumber=2288

      all it takes is this legislation to gain footing in a few states, then the rest start caving.

      Google watching you really should be the least of your online privacy worries..

    5. Re:8.8.8.8 by EvanED · · Score: 1

      Feel free to suggest alternative public DNS servers. I use Google's so that failed requests, you know, fail, unlike the DNS servers that the ISPs around here provide.

    6. Re:8.8.8.8 by bws111 · · Score: 2

      How many DNS providers (usually your ISP) have business models that depend on knowing as much about people as they possibly can?

    7. Re:8.8.8.8 by Anonymous Coward · · Score: 2, Interesting

      feel free to operate your own resolvers

      I do. It's easy.

    8. Re:8.8.8.8 by Jon+Stone · · Score: 1

      feel free to operate your own resolvers.

      Preferably with DNSSEC turned on.

    9. Re:8.8.8.8 by Lifyre · · Score: 4, Insightful

      These days? I would bet more than 50% by traffic probably A LOT more by traffic...

      Do you think Comcast, Time Warner, Cox, AT&T (SBC), Bright House, Verizon etc... aren't? What percentage of DNS services do they provide?

      Even if they don't use it directly many of them are selling it to someone who does.

      --
      I'll meet you at the intersection of "Should be" and "Reality"
    10. Re:8.8.8.8 by wmbetts · · Score: 1

      He got banned?

      --
      "Ubuntu" -- an African word, meaning "Slackware is too hard for me". - stolen from Dan C alt.os.linux.slackware
    11. Re:8.8.8.8 by mcavic · · Score: 2

      feel free to operate your own resolvers

      Your ISP can still sniff your traffic.

    12. Re:8.8.8.8 by Baloroth · · Score: 3, Informative

      No they don't. See their FAQ.

      --
      "None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
    13. Re:8.8.8.8 by PReDiToR · · Score: 3, Informative

      If this bothers you, or anyone else, try to use https and secure connections wherever possible.
      This means that without some directed effort on the part of your ISP (MITM/brute force) all your ISP knows is which site you visit, not the contents of your conversation with the servers.

      HTTPS-Everywhere helps.

      --

      Do not meddle in the affairs of geeks for they are subtle and quick to anger
    14. Re:8.8.8.8 by Anonymous Coward · · Score: 1

      Unless he was using Google's DNS, in which case they'll know.

    15. Re:8.8.8.8 by philip.paradis · · Score: 3, Insightful

      Great, so go ahead and set up fully tunneled point to point VPN communications from your home to $somewhere_else. I'm really not kidding; you're completely free to implement this. However, if you're operating at that level of paranoia, make sure you're operating your own DC, with your own fiber, etc. Then of course that upstream provider could still sniff your traffic, so make sure everything is encrypted, ad infinitum. Have fun with all that.

      --
      Write failed: Broken pipe
    16. Re:8.8.8.8 by goombah99 · · Score: 1

      I've read that this can bollix things like Limewire to Akamai by sending you to a far away source rather than a near one that your ISP's DNS would select. I won't pretend to understand that.

      --
      Some drink at the fountain of knowledge. Others just gargle.
    17. Re:8.8.8.8 by thebigmacd · · Score: 2

      Google DNS uses anycast, which should actually give you a DNS server right close to you.

    18. Re:8.8.8.8 by philip.paradis · · Score: 1

      Unbound is indeed fantastic. It's my resolver of choice, and I use it heavily.

      --
      Write failed: Broken pipe
    19. Re:8.8.8.8 by Spikeles · · Score: 1

      Maybe someone should let Google know that it doesn't work.
      nslookup a1.phobos.apple.com 8.8.8.8
      Name: a1.da1.akamai.net
      Address: 203.106.85.64

      tracert 203.106.85.64
      7 pos0-3-0.bdr2.nrt1.internode.on.net (203.16.211.6) 180.163 ms 180.985 ms 182.178 ms
      8 as4788.ix.jpix.ad.jp (210.171.224.194) 229.548 ms 213.651 ms 214.562 ms
      9 * * *
      10 203.106.85.64 (203.106.85.64) 230.374 ms 228.848 ms 229.060 ms

      nslookup a1.phobos.apple.com
      Name: a1.da1.akamai.net
      Address: 203.206.129.16
      7 te1-4.syd-ult-bdr1.iinet.net.au (203.215.20.31) 77.949 ms 79.208 ms 80.695 ms
      8 203-206-129-16.deploy.akamaitechnologies.net (203.206.129.16) 82.029 ms 66.178 ms 66.436 ms

      --
      I don't need to test my programs.. I have an error correcting modem.
    20. Re:8.8.8.8 by Anonymous Coward · · Score: 1

      http://server.privacyfoundation.de/index_en.html

      87.118.100.175
      94.75.228.2
      62.141.58.13
      87.118.104.203
      87.118.109.2

      Even supports access on port 110 in case your ISP blocks port 53. You're welcome.

    21. Re:8.8.8.8 by Spikeles · · Score: 1

      Read the first couple of paragraphs here.

      --
      I don't need to test my programs.. I have an error correcting modem.
    22. Re:8.8.8.8 by andydread · · Score: 1

      meh ... sudo apt-get install bind9

    23. Re:8.8.8.8 by GuidoW · · Score: 1

      Anyone know how to make djbdns DNSSEC aware? (Yes, I know that djb himself is opposed to DNSSEC and is trying to push DNSCURVE instead...)

      --
      If it's so secret, then how come I've never heard of it?
    24. Re:8.8.8.8 by philip.paradis · · Score: 1

      You must have missed the fact that I was addressing potential concerns stemming from Google logging DNS queries and using them for (insert something horrible here). In fact, I said "Any DNS provider you use can do the same thing." This is a true statement. Note that I never said there weren't alternate DNS resolver services in operation; of course there are dozens, and they all theoretically suffer from the same potential issues as Google's service.

      Specifically, one of the services you listed (OpenDNS) has taken a massive amount of flack in the not-too-distant past for intercepting NXDOMAIN responses and serving up ad pages instead of actually conveying the appropriate status. Various ISPs have done precisely the same thing with their resolvers as well. Perhaps it will clarify things a bit to mention that I actually use 8.8.8.8 as my default resolver in many places, although I do run my own resolvers (unbound) in many other places as well. In any event, what was your point again?

      --
      Write failed: Broken pipe
    25. Re:8.8.8.8 by mcavic · · Score: 1

      I'm not worried, just pointing out that there's no absolute security. VPN connections are very handy for several reasons if you have the means.

    26. Re:8.8.8.8 by marcosdumay · · Score: 1

      They can still discover what pages you are visiting, that was the original complaint. SSL won't protect you against that.

    27. Re:8.8.8.8 by marcosdumay · · Score: 1

      Yep, that also takes setting the DHCP server to relay the correct DNS server (the machine you just installed bind on).

    28. Re:8.8.8.8 by marcosdumay · · Score: 1

      I relay the queries that my local server doesn't know to OpenDNS.

      I really don't know if they are good, maybe they're there, reading the name of every new page I visit. I never bothered to verify.

      My ISP's DNS is pure garbage. Lookup failures don't fail, it fails to find pages that exist (but the lookup doesn't fail, because of the first part), it is slow and the uptime isn't that good, thus, I don't use it. Anyway, nothing can beat a local server in speed and, if you are using your desktop as server, uptime.

    29. Re:8.8.8.8 by JWSmythe · · Score: 2

      Are you sure it's Google, and not your local provider? Botched routing tables can do that. What is your other DNS server? Is it a temporary issue? Is it only with a1.phobos.apple.com? Anycast should get a response back from the fastest server to respond.

          I'll guess that you're in Australia, since I noticed the .au router you crossed. It doesn't look like Google has a datacenter there yet. I wouldn't be surprised if they have a presence in locations that are not official "Google Datacenters" though.

      http://www.google.com/about/datacenters/locations/index.html

          The list could very likely be incomplete also. I know they had a presence in 111 8th Ave, New York, NY, and bought the whole building a couple years ago. That's not on the list at all. With the carriers that had a presence there, I'd seriously doubt they'd gut it and make it just office space.

          It's working perfectly for me, and everyone that I've had switch over to it because their residential provider DNS is too slow.


      # nslookup a1.phobos.apple.com 8.8.8.8
      Server: 8.8.8.8
      Address: 8.8.8.8#53

      Non-authoritative answer:
      a1.phobos.apple.com canonical name = a1.phobos.apple.com.edgesuite.net.
      a1.phobos.apple.com.edgesuite.net canonical name = a1.da1.akamai.net.
      Name: a1.da1.akamai.net
      Address: 208.44.23.112
      Name: a1.da1.akamai.net
      Address: 208.44.23.98


      # traceroute 208.44.23.112
      traceroute to 208.44.23.112 (208.44.23.112), 30 hops max, 60 byte packets
      [SNIP]
        4 0.xe-7-3-0.BR3.ATL4.ALTER.NET (152.63.5.129) 17.254 ms 17.248 ms 17.286 ms
        5 204.255.168.222 (204.255.168.222) 16.425 ms 16.438 ms 16.407 ms
        6 atx-edge-03.inet.qwest.net (205.171.21.50) 17.285 ms 17.430 ms 17.311 ms
        7 208-44-23-112.dia.static.qwest.net (208.44.23.112) 20.176 ms 20.341 ms 20.287 ms


      # traceroute 208.44.23.98
      traceroute to 208.44.23.98 (208.44.23.98), 30 hops max, 60 byte packets
      [SNIP]
        4 0.xe-7-3-0.BR3.ATL4.ALTER.NET (152.63.5.129) 17.287 ms 17.359 ms 17.344 ms
        5 204.255.168.222 (204.255.168.222) 16.476 ms 16.440 ms 16.429 ms
        6 atx-edge-03.inet.qwest.net (205.171.21.50) 51.325 ms 48.945 ms 17.179 ms
        7 208-44-23-98.dia.static.qwest.net (208.44.23.98) 17.560 ms 17.553 ms 17.620 ms


      # traceroute a1.phobos.apple.com
      traceroute to a1.phobos.apple.com (23.67.53.75), 30 hops max, 60 byte packets
      [SNIP]
        4 0.xe-3-0-2.XL3.MIA4.ALTER.NET (152.63.4.9) 10.664 ms 10.733 ms 10.718 ms
        5 0.xe-11-0-0.XL1.MIA19.ALTER.NET (152.63.85.74) 11.683 ms 11.671 ms 11.654 ms
        6 0.xe-10-1-0.GW1.MIA19.ALTER.NET (152.63.81.10) 9.971 ms 10.009 ms 10.081 ms
        7 akamai.customer.alter.net (63.65.188.50) 11.995 ms 11.985 ms 12.045 ms
        8 a23-67-53-75.deploy.akamaitechnologies.com (23.67.53.75) 10.153 ms 10.355 ms 10.355 ms

      Google DNS resolved to Atlanta, which I believe is the closest Google datacenter, roughly 450 miles away and about 17.5ms.

      Locally (my own DNS server on the same machine I tested from), resolved to Miami, which isn't the closest Akamai site, but may be the closest Apple mirror. That's roughly 280 miles and 10.3ms.

      Using your own resolver is always an excellent choice, and will provide the best results for your location. For those who don't even know how to log into their router, much less run their own DNS server, Google's public DNS is fine.

      --
      Serious? Seriousness is well above my pay grade.
    30. Re:8.8.8.8 by bradkittenbrink · · Score: 1

      You realize you've just described the basic architecture of TOR, right?

    31. Re:8.8.8.8 by TheLink · · Score: 1

      Huh? I think you don't get it. Google's DNS servers are on 8.8.8.8 (and 8.8.4.4).

      What the OP is saying is 8.8.8.8 will generally be close to you. So if you use 8.8.8.8 you will get DNS responses fast (if they are cached already).

      So for your post to be relevant you should be doing a tracert (or traceroute if on Linux) to 8.8.8.8 not 203.106.85.64.

      --
    32. Re:8.8.8.8 by TheLink · · Score: 1

      Oh I think I didn't get your post. Now I get it... Doh.

      Maybe Google doesn't like Apple for some reason ;).

      --
    33. Re:8.8.8.8 by hairyfeet · · Score: 1

      Actually the GP above you was talking about how Google knows too much about you which if you are not using Google for everything? They can't know too much about you. For anyone to build a full profile of me they would have to have Google's Gmail AND Yahoo Mail AND Bing Search AND Comodo DNS. The odds that ALL of these companies are gonna share data? Nonexistent.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    34. Re:8.8.8.8 by philip.paradis · · Score: 1

      You don't appear to understand how data mining and behavioral modeling on a massive scale actually work. I'm sorry to have to be the one to inform you of this, but (1) you're leaking data like a sieve every day, regardless of what you think you are or aren't signed into, and (2) you are not the unique, delicate flower you might perceive yourself to be. If anything, a month's worth of your DNS queries is more than adequate to build a surprisingly accurate model of "you." Have fun with that thought, and think a little more about every point of contact you have every day in terms of communications. If you really need me to break it down further for you, let me know, and I'll be happy to get in touch with you off this thread.

      --
      Write failed: Broken pipe
    35. Re:8.8.8.8 by jandrese · · Score: 1

      HTTPS won't do anything about them sniffing your DNS traffic.

      --

      I read the internet for the articles.
    36. Re:8.8.8.8 by Spikeles · · Score: 2

      You're right, I'm in Australia. Google does have a presence here and I get a ping of about 64ms to 8.8.8.8.
      8 google-public-dns-a.google.com (8.8.8.8) 82.579 ms 64.420 ms 65.664 ms
      I've tried the 8.8.8.8 resolver a couple of times, and in all cases iTunes will give slow downloads, simply due to not optimal resolution of the CDN host. Switch it to another DNS resolver, and everything is fine again. Querying the DNS of our ISP (Internode):

      #nslookup a1.phobos.apple.com 192.231.203.132
      Server: 192.231.203.132
      Address: 192.231.203.132#53

      Non-authoritative answer:
      a1.phobos.apple.com canonical name = a1.phobos.apple.com.edgesuite.net.
      a1.phobos.apple.com.edgesuite.net canonical name = a1.da1.akamai.net.
      Name: a1.da1.akamai.net
      Address: 203.206.129.11
      Name: a1.da1.akamai.net
      Address: 203.206.129.16

      #traceroute 203.206.129.16
      [snip]
      8 203-206-129-16.deploy.akamaitechnologies.net (203.206.129.16) 81.438 ms 67.101 ms 67.139 ms


      This kind of issue isn't exactly Unknown.

      In addition, in Australia we have quotas for most of our internet plans. If you were on an ISP such as iiNet, then you could end up using up your quota since iiNet provides "unmetered" downloads from iTunes, on the condition that it comes from their mirror. iiNet mirrors Apple servers, and uses their DNS to redirect to their own mirrors. If you were to use 8.8.8.8 for someone on iiNet, you'd end up with them being charged extra since it probably wouldn't resolve to their mirror.

      --
      I don't need to test my programs.. I have an error correcting modem.
    37. Re:8.8.8.8 by JWSmythe · · Score: 1

          Well, in your case it is best to stay with the ISP DNS. Then again, it avoids the problem of the story entirely. If you weren't using the provider DNS, and it redirected you to the other DNS servers, you'd be hit with some pretty serious fees.

          I don't know for sure, but I suspect that iTunes probably uses Akamai also. Well, unless that is what a1.phobos.apple.com is. :) If they're a large provider, Akamai would have cut a deal with them. Their whole business model is to put stuff on the network, or at least as close as possible to the end users. In the case of your provider, it has an extreme financial advantage. Akamai probably pays to have it there, *and* they don't have to pay for the uplink bandwidth you'd be using for those requests.

          Akamai doesn't mind in the least. They're getting paid by the companies who want their stuff mirrored.

          What could be the case in this situation is that the hosts that you're resolving to with your ISP's DNS servers only resolve to those hosts if you're using them. It may not be part of their global CDN, so when it sees a request from a Google DNS server, it passes off to the public CDN servers.

          If bandwidth is expensive in general in Australia (I don't know. I've never lived there nor contracted for services there), Japan may be the better location for them anyways.

          I know a while back when the company I was at did global work, bandwidth in Europe cost us an awful lot more than it did in the US. Due to some pretty pathetic routing at the time most clients complained about how slow our European servers were. What it ended up being is that they were routed from their location, to New York, and back to the European servers. We decided to save one leg of the trip, and call a group of servers in New York our "European" servers. No one ever noticed where they really were, or at least never said anything about it. They did thank us for "improving" our European presence. :) It was cheaper for us, so we were good with it.

          There was still some notable difference between the East and West coast of the US, so we still maintained 3 locations around the US and made everyone happy.

      --
      Serious? Seriousness is well above my pay grade.
    38. Re:8.8.8.8 by icebraining · · Score: 1

      OpenDNS? Ugh, they hijack NXDOMAINs.

    39. Re:8.8.8.8 by MichaelSmith · · Score: 1

      Yeah but do the mums and dads know about it? We already know that the /. crowd will find a way to fix the problem.

    40. Re:8.8.8.8 by metalgamer84 · · Score: 1

      Yeah, your point? Instead of hitting a page that says "bad domain" you hit one that says "OpenDNS suggestions". Woopty freaking doo, means the same to me essentially. I have been using OpenDNS for many years and never once been redirected to their ad/suggestion pages.

    41. Re:8.8.8.8 by icebraining · · Score: 1

      Web browsers aren't the only thing that does DNS requests, you know.

    42. Re:8.8.8.8 by hairyfeet · · Score: 1

      First of all with Treewalk DNS running in a corner box I only go to each site ONCE and then from then on it's cached so having my DNS records from Comodo wouldn't show much of nothing. BTW I do this not for privacy reasons but for speed, taking out DNS hops really gives surfing a major kick in the ass.

      Second what EXACTLY do you think I'm "leaking"? I have HTTP Referrer headers blocked, all third party content is blocked, ads are blocked and the ONLY cookies are those on a whitelist which is VERY small, less than 5 sites and since the browser is sandboxed in a much lower permission level trying to access those cookies by anyone not on the whitelist would raise a flag. I've already been to those sites that try to tell what you have or don't have based on cookies and referrer and all they can tell me is I'm on SOMETHING based on Chromium and that I have the Flash plugin, that's it.

      So I don't see what data you think anybody is gonna get. All Google could tell you is that I watch the history channel on youtube and get a bunch of spam (since that's my spamdump), all Yahoo would be able to tell you is I have a bunch of REALLY clueless relatives and customers, all Bing could tell you is I like wallpapers of hot babes like Scarlett Johansson (like who doesn't?) and all Comodo could tell you is which sites I have been to one time in the past 30 days. Again if you were say the NSA, to where you could get the data from ALL of these services? then sure, but if you are the NSA you could just put a tap on the ISP and save yourself the trouble. The rest only have a small piece of the big picture, like the old parable of the blind men and the elephant.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    43. Re:8.8.8.8 by windcask · · Score: 1

      I was thinking this myself after I posted the comment, but hey; I'll take my +5 Informative, thank you very much.

      If the router was infected and the client machine was set to 8.8.8.8, it would pass the Botnet DNS, though.

    44. Re:8.8.8.8 by MaraDNS · · Score: 1
      djbdns has not been updated since 2001 and even the unofficial forks have not addressed important issues like the security problem CVE-2012-1191.

      If you want DNSSEC and don't want BIND, your only other open-source option is Unbound; MaraDNS doesn't have DNSSEC either, and PowerDNS only has it for the authoritative code.

      --
      MaraDNS is an open-source DNS server.
  2. Why not warn them? by l_bratch · · Score: 4, Insightful

    Why don't they just start redirecting web users to a warning page explaining the situation to them at some point before the cut off date?

    1. Re:Why not warn them? by jeffmeden · · Score: 3, Informative

      Because they would probably do what they do any other time something complicated appears on the screen: click OK and get back to searching for pr0n.

    2. Re:Why not warn them? by bws111 · · Score: 1

      I think that is an awful idea. The last thing you want to do is train people that it is OK, under any circumstances, to do what an unexpected or unsolicited web page says. That is, after all, exactly how scareware winds up getting installed.

      The best thing to do is let them fail, and gear up the help desks to be ready with the onslaught of calls.

    3. Re:Why not warn them? by Verunks · · Score: 1

      opendns is doing that but I think it's limited to websites hosted on cloudflare that enabled this warning so probably not many

    4. Re:Why not warn them? by n5vb · · Score: 4, Insightful

      Because they would probably do what they do any other time something complicated appears on the screen: click OK and get back to searching for pr0n.

      They couldn't if their DNS doesn't return anything but the warning page.

      You would be amazed how many times some people would click the OK button before giving up and either telling everyone the Internet isn't working, or calling and screaming at their OS platform support until redirected to their ISP, and then calling their browser support instead and screaming at them. It's incredible the lengths to which some people will go to avoid reading what's on their effing screen..

    5. Re:Why not warn them? by ArhcAngel · · Score: 1

      THIS!

      "Please...sir, if you stop yelling at me long enough I can explain to you why yelling at the computer guy will not get your internet fixed..."

      --
      "A person is smart. People are dumb, panicky dangerous animals and you know it." - K
    6. Re:Why not warn them? by fluffy99 · · Score: 1

      Because http isn't the only thing that uses DNS? We got pissed when a certain DNS authority redirected bad lookups to their own search engine for the same reason. The ISPs could take note of which customers are hitting the temporary servers and let them know. Some ISPs are quietly redirecting the lookups to their own server.

    7. Re:Why not warn them? by l_bratch · · Score: 1

      Sure, it's bad if the ISP does it on their own DNS servers, but these are some criminal's servers that have been seized. Are those things really equivalent?

      Of course HTTP isn't the only DNS user, but you can't pretend that this won't inform the overwhelming majority of users. They obviously use HTTP a lot.

      Every single ISP doing traffic inspection or redirection seems like a lot more work than just doing this at the source.

      I'm not advocating false DNS results from ISP's servers or treating other protocols as lesser than HTTP, I'm just suggesting a way to fix this for the majority of affected users.

    8. Re:Why not warn them? by Anonymous Coward · · Score: 1

      It's incredible the lengths to which some people will go to avoid reading what's on their effing screen..

      Almost always because it's not a message that is meaningful to them. When programmers and administrators start writing messages that actually target the audience, rather than some mythical being, then you might have a point. Many programmers and administrators love to blame everybody but themselves for their failings.

      In this case the FBI should put up something like "Your connection to the internet has failed - call 180012345678" in 72 point type. Simple. Talking about "DNS" is the height of stupidity (of the programmer, not the audience) because the audience doesn't even remotely know what a domain system system is, let alone what DNS hijacking is..

      And no, it is not reasonable for the customer to spend hours learning what these special purpose terms are. Get over it.

  3. Captain Obvious by stretch0611 · · Score: 1, Interesting

    The FBI has control of the DNS servers. Why can't they just resolve every address to point to a webserver instructing people how to fix their DNS settings?

    --
    Looking for a job?
    Want your resume written professionally?
    DON'T USE TUNAREZ!!!
    1. Re:Captain Obvious by jeffmeden · · Score: 2

      Surely there are options on the table. However, the fact that Vixie concluded that "these will be very difficult to re-program" when a group of Estonian hackers managed to do it through a completely illegitimate virus, completely remotely, is troubling. Something about the process must have been irreversible otherwise a simple "undo" page distributed through DNS forwarding could have taken care of it as soon as the servers were under FBI control.

      What is more interesting is that they don't make any stabs at guessing how many of the victims are on what providers (just referring to them as "DSL".) Why not name names? You have the IPs of the vics. If AT&T saw 150,000 customers about to go dark, and so did Verizon and so did CenturyLink, I suspect the problem would be confronted more directly than a single powerpoint at some conference in *Australia*...

    2. Re:Captain Obvious by Anonymous Coward · · Score: 1

      Why not name names? You have the IPs of the vics.

      "AAAAAARRRRRG Okay, you know what, nerds? Fuck you. That's it, we give up on keeping you assholes happy. First you spend the greater part of fifteen or so years bitching about how IP addresses don't identify people when it's a convenient argument for piracy, NOW you're bitching at US for not using IP addresses to identify people! So we've had it. Fuck you and your goddamned confusing subculture. You're a minority within a whiny, unpleaseable minority, you systematically find whatever loophole and technicality you can to refuse to give us any money or respect to begin with, and we're cutting off all your internet traffic except to our premium cable TV streaming websites." -- The government and major ISPs

    3. Re:Captain Obvious by Jeng · · Score: 1

      I think he was advocating letting the ISP's know, not the customers directly.

      --
      Don't know something? Look it up. Still don't know? Then ask.
    4. Re:Captain Obvious by bws111 · · Score: 1

      Because then you are teaching people that under some circumstances it is OK to follow instructions from an unexpected/unsolicited source. Imagine the flood of scareware that would arrive after that: THIS IS THE FBI! CHANGE YOUR DNS SETTINGS IMMEDIATELY!

    5. Re:Captain Obvious by Anonymous Coward · · Score: 1

      He's talking about sending people to a page that tells them they are infected, not remotely fixing their crap. After a period of time to make sure they got the message, who cares if they go dark since they didn't fix their PC despite the message. Many people probably don't even know they are infected.

    6. Re:Captain Obvious by 1u3hr · · Score: 2

      Surely there are options on the table. However, the fact that Vixie concluded that "these will be very difficult to re-program" when a group of Estonian hackers managed to do it through a completely illegitimate virus, completely remotely, is troubling. Something about the process must have been irreversible otherwise a simple "undo" page distributed through DNS forwarding could have taken care of it as soon as the servers were under FBI control.

      I suspect the "difficulty" is more legal than technical. The Estonians don't care if they brick an occasional device, and they don't try to get the users' legal consent. And people and governments in other countries might not be happy to trust the FBI to reprogram their router/modem.

    7. Re:Captain Obvious by nomis_uk · · Score: 1

      The point is an IP address can identify the account owner of the connection - it doesn't identify which member of the family was using the net connection, or which stranger walking past their house jumped on their unsecured wifi, or the exact customer using. So IP address great for identifying the person who manages the net connection - not great for identifying who was actually using the connection for a specific request.

  4. ISP should warn them by crow · · Score: 2

    Assuming that these were modems provided by their ISP, then the ISP has responsibility here. They can easily watch for packets going to the fake DNS servers, and then warn the customers by email, letter, and even phone. They should have done this back when the issue first arose, with steps to correct the problem included in a letter with the monthly bill.

    1. Re:ISP should warn them by dmacleod808 · · Score: 5, Funny

      I dunno, whenever I receive a letter from my ISP, I immediately destroy my hard drives and torch my house.

      --
      There Can Be Only One...
    2. Re:ISP should warn them by Zocalo · · Score: 3, Interesting
      That horse has long since bolted. The ISPs were notified, and it's also possible for them to check their IP space for infected hosts at the DNS Changer Working Group's website. The sad fact is that the ISPs in question have done the math and come to the conclusion that they can either:
      1. Notify their infected customers, at a cost of $x per customer, probably only to have most of their users either ignore the warning or contact the ISP's support line, potentially at additional cost to the ISP (unless they have a premium rate support service).
      2. Ignore the problem until the FBI's DNS servers are switched off, at which point, hopefully, many of the users will figure out the solution at no cost to the ISP reducing the burden on the ISP's support desk and costs. Hey, everyone has to keep costs down, right?

      Bonus douchebag points for any ISPs that have a large number of infected customers and have, purely coincidentally of course, moved support calls to a premium rate number in the last few months.

      --
      UNIX? They're not even circumcised! Savages!
    3. Re:ISP should warn them by toygeek · · Score: 2

      Disclaimer: I work for a 3rd party contractor to Comcast. I don't work directly for them and I don't condone everything they do so let's leave that out of the discussion.

      Comcast does exactly this. When they see traffic going to the known hijacked IPs, the customer gets emails, popups, and generally annoyed to hell until they do something about it. It's not always hijacked DNS. Sometimes it's one infected device that is not owned by the customer, and it's a neighbor who is stealing their wifi. Solution: Secure their wifi. Sometimes they cleaned the infections already, but their router is still hijacked.

      AFAIK AT&T does the same thing, or something similar.

      As much flak as ISPs get these days, there are some things they actually do right. And, there are some things that they fail so very, very horribly in. In this one, I think they've got it right.

  5. The easy fix by Megane · · Score: 2

    Presumably they know what IP was being checked for DNS. All an ISP has to do is spoof that IP internally with a manual route to their own DNS server. That should save a few truck rolls.

    --
    #naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
  6. Let companies bid for them and put ads on error... by stevenh2 · · Score: 2

    I'm sure some companies will want to buy those servers so they can put ads on those error pages that pop when you enter a nonexistent domain.

  7. Why bother warning them? by plover · · Score: 1

    Why warn them at all? If they can't be bothered to keep their equipment in good working condition, which means free of malware, the rest of the internet doesn't need them polluting the waters.

    We don't let people drive cars on public roads that risk the safety of the other drivers. Why should we put up with an infected virus-spewing computer?

    --
    John
    1. Re:Why bother warning them? by l_bratch · · Score: 1

      I see your argument, but they could do it purely to reduce the burden for all these clueless users' tech support people. Whether you like it or not, they are going to want their "internet" fixed...

    2. Re:Why bother warning them? by idontgno · · Score: 2

      (A) Not every jurisdiction enforces very much in the way of vehicle safety and emissions inspection laws, so your "We don't" is unsupportably broad. I could certainly agree with a more factually accurate phrase like "We shouldn't", but that's not very good reinforcement for your absolutist position. Sorry.

      (B) Speaking of inspections, are you advocating for public safety inspections of online computing assets? It sure sounds like it. And if so, by whom and using what criteria, and very specifically how do you keep those criteria from devolving into some kind of corporatist rights grab a la pernicious DRM?

      And (C), if you're not advocating public net-worthiness inspections of computers, your analogy breaks down, since the virus-infected computers in question have already had their road-safety incident. So, your phrase, more accurately stated, is "We don't let people drive cars on public roads that have already risked the safety of other drivers", in which case the response is "of course not, they're already wrecked."

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
    3. Re:Why bother warning them? by Jeng · · Score: 1

      If it was at all hard to warn them I would see your point, but warning them is so trivial that there is no reason not to do it.

      Even with the warning though it ain't going to change anything. It will probably just freak them out.

      --
      Don't know something? Look it up. Still don't know? Then ask.
    4. Re:Why bother warning them? by lgw · · Score: 1

      You must seriously not have anyone who turns to you for tech support who has the ability to make you miserable if she, err, they want to.

      Not to mention, this isn't about infected computers, but infected DSL modems, and how sure are you about yours, again? Or about whatever sits between the no-doubt-godlike-perfection of your PC and the DNS server? I seriously don't want to have to care about policing parts like that.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    5. Re:Why bother warning them? by n5vb · · Score: 4, Informative

      There are some people who will call tech support whether they get a warning or not. Usually the wrong support, and usually to unload a half hour of angry rants that do absolutely nothing to fix the problem. If there's any reading involved beyond about the 2nd-3rd grade level, they'll ignore warning dialogs and just call and complain. This is a constant in the tech support universe.

      (And I still have to laugh when people tell me their internet isn't working but they can send and receive email..)

    6. Re:Why bother warning them? by n5vb · · Score: 4, Funny

      I'm still in favor of the big red button with a clearly worded warning on it that says it will render the computer unusable and/or void the warranty if pressed. The people who read instructions and warnings and in general have some clue what they're doing will leave it alone and get years of service out of the computer; the ones who just poke and click at things totally at random when things don't do what they expect get what they deserve...

    7. Re:Why bother warning them? by Lumpy · · Score: 1

      "We don't let people drive cars on public roads that risk the safety of the other drivers."

      You must not drive much. Here in Michigan our roads are full of complete morons that can't drive without being a risk to others.

      --
      Do not look at laser with remaining good eye.
    8. Re:Why bother warning them? by idontgno · · Score: 1

      C'mon, you know it's inevitable.

      How can he possibly resist the maddening urge to eradicate [his computer] at the mere push of a single button? The beautiful, shiny button? The jolly, candy-like button? Will he hold out, folks? Can he hold out?

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
    9. Re:Why bother warning them? by idontgno · · Score: 1

      But if the warning comes with a nice download link to fix the problem, that they can just click and make it all go away...

      No, wait. Prior art. The bad guys have already beat us to it.

      I guess the only responsible thing we can do is freak them out and then disconnect 'em and put 'em out of our misery.

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
    10. Re:Why bother warning them? by eyenot · · Score: 1

      I highly agree. It gives the whole sandbox thing a shiny glow.

      --
      "Stratigraphically the origin of agriculture and thermonuclear destruction will appear essentially simultaneous" -- Lee
    11. Re:Why bother warning them? by marcosdumay · · Score: 1

      As a parallel of the famous punching in the face quote:

      Your right to spew things out stops just before that spew reaches a computer that doesn't want it.

      Is that a hard concept to understand? Because when it doesn't involve computers, nearly everybody understands it de pronto. People at /. shouldn't have this kind of problem.

      If, for some reason, something responds badly to what you're spewing out, then it's not your problem. They should have configured their firewall better.

      Depends, was it an honest usage of some service the other computer was announcing? If so, yes, the other computer should be better configured. Was it some malicious data? If so, the fault is at the part that is sending it.

    12. Re:Why bother warning them? by plover · · Score: 1

      You're making a lot of stuff up to fill in gaps in what I didn't bother typing.

      I'm simply saying that if they can't be arsed to fix their crappy virus laden computers today, why should I care if taking down a malware-stand-in DNS server leaves them hanging without a working name server tomorrow? It's. Not. My. Problem.

      What my bad car analogy was referring to is that cops don't perform car inspections today, but they will pull you over and tag you if your bumper is dragging behind you on the freeway, or if you're throwing caltrops out the windows, or otherwise threatening the safety of others on the road. This is obviously an imperfect analogy, one that you carried way too far in your reach for points to criticize. Perhaps a slightly better analogy might be that the internet is like rural roads that have signs saying "minimum maintenance road - travel at your own risk". If you bought cheap gas that was watered down and your car stalls in the woods, if I'm passing by it's not my job to drag your car back to town. Call for your own damn tow truck.

      I'm certainly not saying we need to inspect computers. No internet cops need to be created to tag these people. All I'm saying is that I'm not going to shed a tear if they're disconnected through their own lack of action or knowledge.

      Of course, it may become my brother-in-law's problem, which I'm sure my wife would still make into my problem somehow,

      --
      John
  8. Re:HAHA !! DSL SUXORS !! by Jeng · · Score: 1

    I have had nothing but good service from TWC here in Austin, I understand that in some other markets though that they do indeed suck.

    My experience with DSL though has been nothing but shitty. YMMV.

    --
    Don't know something? Look it up. Still don't know? Then ask.
  9. you've won a brand new car [analogy] by OrangeTide · · Score: 3, Funny

    "We don't let people drive cars on public roads that risk the safety of the other drivers."

    Is that really true? I'm having difficulty believing that.

    I think a better car analogy is:

    "We imprison people for drunk driving, because it is a felony, unless they are Senators. Why not imprison people who spew viruses and malware too? (unless it's the NSA or RIAA)"

    --
    “Common sense is not so common.” — Voltaire
    1. Re:you've won a brand new car [analogy] by Chris+Mattern · · Score: 1

      "We don't let people drive cars on public roads that risk the safety of the other drivers."

      Is that really true? I'm having difficulty believing that.

      Why is it hard to believe? In the US, at least, it's completely true; you can be ticketed for driving an unsafe car. Most states also have a regular safety inspection requirement. Here in Virginia, a car must get a safety inspection yearly and a car that does not have a valid inspection sticker (which displays the expiration date in big bold numbers) is not legal to drive on public roads.

  10. Scripted changes by dissy · · Score: 3, Insightful

    I'm not sure I understand the problem...

    Did this malware hit the DSL modem web-config page from the Internet to change its DNS settings?
    Or is this Windows malware that, once infecting a PC on the LAN, used that PC to hit the web-config page?

    One would assume the web-server in the DSL modem doesn't answer on the public interface or IP, but clearly they fucked up the security to start with so that's not an assumption I want to make.

    If this malware hit it from the Internet, then it would be trivial for the ISP to do the same exact thing to put the settings back.
    The ISP even has legit and legal access to their customer premise equipment, so it wouldn't be illegal or labeled as "hacking" in that case.

    Even if the modem web-config only answers to the LAN IP, and it was an infected Windows box that automatically reconfigured the router... wouldn't there be a password of some sort?

    And why don't the ISPs maintain a "maintenance" subnet where they CAN access the DSL modem?

    All the ISP needs to do is add a route to their core routers for the old DNS server IPs that will be going down soon, and redirect those packets to their internal DNS servers.

    Failing that, the ISP can log any customers that access the hijacked DNS IPs, build up a list, and mail out a letter to them postal style. If they don't read their ISP's snail-mail, then they deserve whatever outage they get.
    Believe me, once service goes down, they WILL be calling the ISP. I can understand wanting to lessen the massive amounts of calls they are expecting on the 9th, but in order to lessen that flood they will need to do Something. Anything. Anything except the nothing they seem to be doing.

    Just set up a web site with all the info they need, which can be accessed with an IP alone. Give that to them on the phone. Include both the address and IP in the snail mail letter.
    Hell, at that point the ISP can include a link that when clicked will connect to the internal IP of the router and submit new DNS settings in the GET request. A small amount of javascript will handle if a POST is needed.
    There is clearly no password on the web interface to deal with, or they wouldn't have this problem from the malware in the first place, so this should be trivial to fix semi-automated, and likely totally automated with a bit more work.

    This sounds more like laziness and ineptness rather than any technical reason for fixing the problem.
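The ISP-side check that crow and dissy describe above (log which customers send DNS traffic to the hijacked resolver IPs and build a notification list), as an added example that is not part of any comment in this thread. The flow-record format, the sample lines and the resolver ranges (RFC 5737 documentation addresses standing in for the real list) are constructed assumptions; the "scope" field is a rough heuristic of this example, not an established rule.

```python
import ipaddress
from collections import defaultdict

# PLACEHOLDER ranges (RFC 5737 documentation space), not the real rogue netblocks.
# Substitute the list published for the DNSChanger cleanup before using this.
ROGUE_DNS_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/25")]

# Constructed flow export: timestamp, customer IP, destination IP, protocol,
# destination port, packet count. One line is deliberately malformed.
SAMPLE_FLOWS = """\
2012-05-20T10:00:01Z 10.1.0.15 192.0.2.53 udp 53 4
2012-05-20T10:00:02Z 10.1.0.15 192.0.2.54 udp 53 2
2012-05-20T10:00:05Z 10.1.0.22 172.16.0.53 udp 53 9
2012-05-20T10:00:07Z 10.1.0.31 198.51.100.10 udp 53 3
2012-05-20T10:00:08Z 10.1.0.31 172.16.0.53 udp 53 12
2012-05-20T10:00:09Z 10.1.0.40 192.0.2.53 tcp 80 5
2012-05-20T10:00:10Z 10.1.0.41 198.51.100.200 udp 53 1
this line is truncated 10.1
2012-05-20T10:05:00Z 10.1.0.15 192.0.2.53 tcp 53 1
"""


def parse_flow(line):
    """Return (ts, src, dst, proto, dport, packets), or None if the line is malformed."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src, dst, proto, dport, pkts = parts
    try:
        return (ts, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                proto.lower(), int(dport), int(pkts))
    except ValueError:
        return None


def is_rogue(addr):
    """True if addr falls inside any of the configured rogue-resolver ranges."""
    return any(addr in net for net in ROGUE_DNS_NETS)


def customers_to_notify(flow_text):
    """Build the per-customer notification list from DNS flows (port 53, UDP or TCP).

    Returns (report, skipped) where skipped counts unparseable lines.
    """
    stats = defaultdict(lambda: {"rogue": 0, "other": 0, "resolvers": set(),
                                 "first": None, "last": None})
    skipped = 0
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        rec = parse_flow(line)
        if rec is None:
            skipped += 1
            continue
        ts, src, dst, proto, dport, pkts = rec
        if dport != 53 or proto not in ("udp", "tcp"):
            continue  # only DNS traffic is relevant here
        s = stats[str(src)]
        if is_rogue(dst):
            s["rogue"] += pkts
            s["resolvers"].add(str(dst))
            # ISO 8601 timestamps in one format sort correctly as strings
            s["first"] = ts if s["first"] is None else min(s["first"], ts)
            s["last"] = ts if s["last"] is None else max(s["last"], ts)
        else:
            s["other"] += pkts

    report = {}
    for customer, s in stats.items():
        if s["rogue"] == 0:
            continue
        report[customer] = {
            "rogue_packets": s["rogue"],
            "resolvers": sorted(s["resolvers"]),
            "first_seen": s["first"],
            "last_seen": s["last"],
            # Heuristic (assumption): if every DNS flow from the line goes to a
            # rogue resolver, the router itself is probably reconfigured; a mix
            # suggests one device on the LAN while others resolve normally.
            "scope": "all-dns" if s["other"] == 0 else "mixed",
        }
    return report, skipped


if __name__ == "__main__":
    report, skipped = customers_to_notify(SAMPLE_FLOWS)
    for customer, info in sorted(report.items()):
        print(customer, info)
    print("malformed lines skipped:", skipped)
```
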

    1. Re:Scripted changes by uncqual · · Score: 1

      If this malware hit it from the Internet, then it would be trivial for the ISP to do the same exact thing to put the settings back.

      I don't know much about DNSChanger, but in general I don't think this is necessarily true. If one was going to infect DSL modems with something like DNSChanger, it would be sensible to also attempt to have DNSChanger cut off the ability to make further changes (at least by anyone but the authors/distributors of DNSChanger - perhaps requiring a password known only to these parties).

      --
      Why is there an "insightful" mod and why isn't it "-1"? If I wanted insight, I wouldn't be reading /.
    2. Re:Scripted changes by DeadboltX · · Score: 3, Informative

      From FBI PDF http://www.fbi.gov/news/stories/2011/november/malware_110911/DNS-changer-malware.pdf

      What Does DNSChanger Do to My Computer?
      DNSChanger malware causes a computer to use rogue DNS servers in one of two ways. First, it changes the computer’s DNS server settings to replace the ISP’s good DNS servers with rogue DNS servers operated by the criminal. Second, it attempts to access devices on the victim’s small office/home office (SOHO) network that run a dynamic host configuration protocol (DHCP) server (eg. a router or home gateway). The malware attempts to access these devices using common default usernames and passwords and, if successful, changes the DNS servers these devices use from the ISP’s good DNS servers to rogue DNS servers operated by the criminals. This is a change that may impact all computers on the SOHO network, even if those computers are not infected with the malware.

    3. Re:Scripted changes by toygeek · · Score: 1

      I'm not sure I understand the problem...

      Did this malware hit the DSL modem web-config page from the Internet to change its DNS settings?

      No. Most routers do not allow the admin page to be accessed via the wan side, only the lan side.

      Or is this Windows malware that, once infecting a PC on the LAN, used that PC to hit the web-config page?

      Or Mac malware. But in general, yes. Most residential routers have pretty weak default passwords that are a cinch to get into.

      One would assume the web-server in the DSL modem doesn't answer on the public interface or IP, but clearly they fucked up the security to start with so that's not an assumption I want to make.

      If this malware hit it from the Internet, then it would be trivial for the ISP to do the same exact thing to put the settings back.

      You're right, that was a dumb assumption. Even over the back-end control channels of whatever sort that ARE used, nothing having to do with the overall configuration can be changed. Most ISPs use such communication to check modem status etc, but not to change DNS info or passwords. That would be security suicide and they aren't quite that dumb.

      The ISP even has legit and legal access to their customer premise equipment, so it wouldn't be illegal or labeled as "hacking" in that case.

      Even if the modem web-config only answers to the LAN IP, and it was an infected Windows box that automatically reconfigured the router... wouldn't there be a password of some sort?

      And why don't the ISPs maintain a "maintenance" subnet where they CAN access the DSL modem?

      All the ISP needs to do is add a route to their core routers for the old DNS server IPs that will be going down soon, and redirect those packets to their internal DNS servers.

      Failing that, the ISP can log any customers that access the hijacked DNS IPs, build up a list, and mail out a letter to them postal style. If they don't read their ISP's snail-mail, then they deserve whatever outage they get.

      See my reply above regarding most of what you said. And see my post above yet about how most providers do send out email, snail mail, popups etc over hijacked DNS.

      Believe me, once service goes down, they WILL be calling the ISP. I can understand wanting to lessen the massive amounts of calls they are expecting on the 9th, but in order to lessen that flood they will need to do Something. Anything. Anything except the nothing they seem to be doing.

      Just set up a web site with all the info they need, which can be accessed with an IP alone. Give that to them on the phone. Include both the address and IP in the snail mail letter.
      Hell, at that point the ISP can include a link that when clicked will connect to the internal IP of the router and submit new DNS settings in the GET request. A small amount of javascript will handle if a POST is needed.
      There is clearly no password on the web interface to deal with, or they wouldn't have this problem from the malware in the first place, so this should be trivial to fix semi-automated, and likely totally automated with a bit more work.

      This sounds more like laziness and ineptness rather than any technical reason for fixing the problem.

      Um, you're wrong. Getting users to actually a) read email that's important b) pick up the phone and c) even initiate automatic tasks is like getting your 90 year old grandma to change her own oil.

    4. Re:Scripted changes by K.+S.+Kyosuke · · Score: 1

      The ISP even has legit and legal access to their customer premise equipment, so it wouldn't be illegal or labeled as "hacking" in that case.

      Is this how things work in the US? Somehow I don't think this would fly where I live, it would most likely be illegal. (If you're renting a flat in the US, does that mean that the landlord can stroll through your apartment at whim? Also illegal here.) Why the hell would they need it anyway? We have a DSL line, the modem came preconfigured and no one ever had to touch the WAN settings for years. Why the hell would the ISP need to do that? If they need me to change something, they can ask me. There's no need for anyone to access the router conf from outside for any reason at all.

      --
      Ezekiel 23:20
  11. harumph! by Anonymous Coward · · Score: 5, Funny

    DNS? pshaw!
    If you just listened to APK and put everything in your HOSTS file, you wouldn't have to worry about any of this folderoll!

    1. Re:harumph! by Anonymous Coward · · Score: 4, Funny

      DO NOT SUMMON HIM!

    2. Re:harumph! by Just+Some+Guy · · Score: 1

      I hate you for that.

      --
      Dewey, what part of this looks like authorities should be involved?
  12. Re:HAHA !! DSL SUXORS !! by ender- · · Score: 1

    I have had nothing but good service from TWC here in Austin, I understand that in some other markets though that they do indeed suck.

    My experience with DSL though has been nothing but shitty. YMMV.

    DSL used to be awesome, esp if you could get a 3rd party provider like Speakeasy. Once AT&T was able to avoid giving access to Speakeasy though, it went downhill quickly and has sucked ever since.

    TWC sucks massively here in Arlington, TX. One of the issues is that they route me through Houston, even if I'm connecting to my work systems a few miles away. But then if I try to access a system in Houston, it sends the traffic down to Houston, back to Dallas, then back down to Houston.

    And those are my options. Nearly non-functional DSL limited to 6Mbps [but only actually getting 3Mbps most of the time] or horribly inefficient TWC at 30Mbps but that routes me all over the place and drops packets like nobody's business...

  13. New computers by jgotts · · Score: 1

    Many of these DSL customers will buy a new computer in July. And then will probably switch to cable. I think a tiny minority will realize that their DSL modem is cooked and be able to convince their ISP of the same.

  14. Re:Holy shit, timothy edited something!?!! by pjt33 · · Score: 2

    He still missed correcting "Internet elder" to "elder of the Internet".

  15. TR-069 by stewwy · · Score: 4, Interesting

    Some modems implement this, the TR-069 (remote config) protocol. At least some of the clueless should have this active; I'm surprised it's not used more widely by ISPs. Of course anyone with half a brain will have it disabled (do you want your ISP to control your router?), and if you have it disabled at least you know your modem/router HAS a config page, but still, it's for exactly this reason it's there.

  16. This is a trivial number by Skleed · · Score: 5, Insightful

    In 2009, there were 32 million DSL modems in the United States. http://www.internetworldstats.com/am/us.htm

    Even if there has been no growth in DSL usage, 100,000 modems represents 0.3% of all DSL users.

    BUT, this 100,000 number is world wide modems that have been compromised. That makes the actual percentage of modems affected so small that it hardly seems worth the time to calculate it.

    Turn the "bad" DNS off, and most tech support lines will not even notice the increase in support calls.

  17. duh by IGnatius+T+Foobar · · Score: 3, Interesting

    So the malware guys found a bunch of unpatched DSL modems with a vulnerability that allowed the resolver to be reconfigured remotely, and pointed it towards the "bad" DNS servers.

    So why not just go to the "bad" DNS servers, which they now control, find out the IP addresses of the compromised modems, and use the same vulnerability to reconfigure the resolver to point back to "good" DNS servers?

    --
    Tired of FB/Google censorship? Visit UNCENSORED!
    1. Re:duh by Anonymous Coward · · Score: 1

      1. Who will pay for this to happen?
      2. Who takes responsibility if it breaks?
      3. Who has legal liability when a customer claims the change caused their children to grow wings and start worshipping the devil and gets a lawyer?

      If you are a criminal - 1 to 3 don't matter. If you are a company or organisation they do.

      In short - the routers will break, it will be painful for a few months - ISPs will send a bunch of new routers and everyone will stop caring.

    2. Re:duh by toygeek · · Score: 1

      Most routers and modems do not have remote control available over the WAN. Any consumer grade router will have the WAN access turned off by default, you have to be on the local LAN to get to the admin interface. But once you infect a Mac or PC with DNS Changer malware, it's trivial to run a script to change the DNS on the router. That's why it's smart to change the password on your router. But most people don't even secure their wifi unless that's the default config.

  18. Re:What the fuck, slashdot by Anonymous Coward · · Score: 1

    Because they probably act as a router and caching DNS server, too?

  19. Re:Holy shit, timothy edited something!?!! by Jeng · · Score: 1

    And my first thought was Got Proof?

    --
    Don't know something? Look it up. Still don't know? Then ask.
  20. HOLY CRAP, WHAT A TYPO! by Anonymous Coward · · Score: 2, Funny

    peer-to-queer downloads

    what an embarrassing Freudian slip.
    you're running the buttorrent client I take it?

  21. How DO I know that the checker web page is legit by goombah99 · · Score: 1

    If DNS changer redirects gov.au then I could be looking at the look-alike DNS changer checker telling me all is fine? They should have listed this as an IP address.
    My computer says it is 165.191.2.65. Is that what yours says?

    --
    Some drink at the fountain of knowledge. Others just gargle.
  22. Why would a MODEM need DNS? by Gothmolly · · Score: 1

    Surely the modem is a layer1/layer2 device, and not anything higher? Why does the modem itself need DNS settings?

    --
    I want to delete my account but Slashdot doesn't allow it.
    1. Re:Why would a MODEM need DNS? by geminidomino · · Score: 1

      I was wondering the same thing. Then I remembered a few years back when my provider, replacing a modem that had taken a power surge, tried to pawn off one of those "NAT router/modems" on me.

      If they're being used as such, for internal DHCP, that might be a problem, I guess...

    2. Re:Why would a MODEM need DNS? by marcosdumay · · Score: 1

      As far as I know pure DSL modems don't even exist anymore. Every one of them is a NAT router/modem, they only differ at the default config and how hard it is to activate the NAT functionality.

    3. Re:Why would a MODEM need DNS? by aiht · · Score: 2

      I was wondering the same thing. Then I remembered a few years back when my provider, replacing a modem that had taken a power surge, tried to pawn off one of those "NAT router/modems" on me.

      If they're being used as such, for internal DHCP, that might be a problem, I guess...

      What's with all the "combined router/modem" bashing in this thread? Is it really that big a problem for you, to not be /forced/ to use a separate router and/or switch? Most router/modems I have seen can also be set to a direct or bridge mode to disable the router and go back to being a dumb modem.
      Even more so, what's with all the people who seem to be surprised at the concept? I can't remember the last time I even saw a consumer-level DSL modem that was not also a router - maybe ten years? This is not new or unusual tech.

    4. Re:Why would a MODEM need DNS? by geminidomino · · Score: 1

      Call it residual bad taste. Between the fact that I didn't know that the default config had changed, and that I was dealing with Tier 1 tech support, I was fighting with it for the better part of 5 hours since I was plugging it in to my existing router.

      And you usually can't get the good firmwares for the combo units.

  23. Paul's picture by Nethead · · Score: 1

    That eye-glasses shadow in his picture sure makes him look evil. But my wife says that she's seen him look like that without his glasses. I remember at LISA '96 I asked him a question (ok, it was kinda stupid) and he responded, "RTMF. Next!" But then again at a later LISA he, even though he was sick as a dog, took the time in the hallway to give my wife a detailed answer to a question about round-robin with CNAME records.

    I totally respect the man.

    --
    -- I have a private email server in my basement.
  24. Get back their IPv4 addresses by unixisc · · Score: 1

    Cool - ARIN and other RIRs should just repossess those IPs, and if these DNS modems want to regain their DNS, they should be made to do it via IPv6, not IPv4.

  25. A appreciate your post by Taco+Cowboy · · Score: 1

    I do not have mod point, so I can't mod you up again

    But anyway, I do appreciate what you are doing here

    --
    Muchas Gracias, Señor Edward Snowden !
  26. Re:HAHA !! DSL SUXORS !! by X0563511 · · Score: 1

    Sounds like someone needs to buck up the escalation chain until someone who knows anything gets on the phone.

    That's a definite problem. Network admins hate those kinds of shenanigans, provided they know about them. That last part is the hard part - how to get it to their attention.

    --
    For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
  27. A question or 8... by mcgrew · · Score: 1

    TFA says "The affected customer modems make up about a third of the 350,000 to 400,000 internet users believed to still have the DNSChanger malware on either their modems or Windows computers."

    I don't get it. Is this malware Windows specific? How does it infect modems? Is a Linux user affected by this? What if you have Linux cabled to your router and a Windows machine using wifi? How can one determine if they have an infected modem?