Slashdot Mirror


Paul Vixie: 100,000 DSL Modems May Lose Their DNS On July 9

Dante_J writes "Up to 100,000 DSL modems may lose access to DNS come July the 9th, due to scripted web interface changes made to them by DNSChanger. This and other disturbing details were raised by respected Internet elder Paul Vixie during a presentation at the AusCERT 2012 conference."

39 of 193 comments

  1. 8.8.8.8 by windcask · · Score: 4, Informative

    What DNS issues?

    1. Re:8.8.8.8 by Anonymous Coward · · Score: 2, Insightful

      Sure, then Google can see every web site, service, anything that you use, even when not using their search. Great idea!

    2. Re:8.8.8.8 by philip.paradis · · Score: 4, Informative

      Any DNS provider you use can do the same thing. If you don't like this, feel free to operate your own resolvers.

      --
      Write failed: Broken pipe
    3. Re:8.8.8.8 by foradoxium · · Score: 5, Insightful

      I would worry more about your ISP being forced to cache (for 2 years) all the same information for the government or their employers to use than Google using your habits to form better directed ads..

      http://www.capitol.hawaii.gov/measure_indiv.aspx?billtype=HB&billnumber=2288

      all it takes is this legislation to gain footing in a few states, then the rest start caving.

      Google watching you really should be the least of your online privacy worries..

    4. Re:8.8.8.8 by bws111 · · Score: 2

      How many DNS providers (usually your ISP) have business models that depend on knowing as much about people as they possibly can?

    5. Re:8.8.8.8 by Anonymous Coward · · Score: 2, Interesting

      feel free to operate your own resolvers

      I do. It's easy.

    6. Re:8.8.8.8 by Lifyre · · Score: 4, Insightful

      These days? I would bet more than 50% by traffic, probably A LOT more by traffic...

      Do you think Comcast, Time Warner, Cox, AT&T (SBC), Bright House, Verizon etc... aren't? What percentage of DNS services do they provide?

      Even if they don't use it directly many of them are selling it to someone who does.

      --
      I'll meet you at the intersection of "Should be" and "Reality"
    7. Re:8.8.8.8 by mcavic · · Score: 2

      feel free to operate your own resolvers

      Your ISP can still sniff your traffic.

    8. Re:8.8.8.8 by Baloroth · · Score: 3, Informative

      No, they don't. See their FAQ.

      --
      "None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
    9. Re:8.8.8.8 by PReDiToR · · Score: 3, Informative

      If this bothers you, or anyone else, try to use https and secure connections wherever possible.
      This means that without some directed effort on the part of your ISP (MITM/brute force) all your ISP knows is which site you visit, not the contents of your conversation with the servers.

      HTTPS-Everywhere helps.

      --
      Do not meddle in the affairs of geeks for they are subtle and quick to anger
    10. Re:8.8.8.8 by philip.paradis · · Score: 3, Insightful

      Great, so go ahead and set up fully tunneled point to point VPN communications from your home to $somewhere_else. I'm really not kidding; you're completely free to implement this. However, if you're operating at that level of paranoia, make sure you're operating your own DC, with your own fiber, etc. Then of course that upstream provider could still sniff your traffic, so make sure everything is encrypted, ad infinitum. Have fun with all that.

      --
      Write failed: Broken pipe
    11. Re:8.8.8.8 by thebigmacd · · Score: 2

      Google DNS uses anycast, which should actually give you a DNS server right close to you.

    12. Re:8.8.8.8 by JWSmythe · · Score: 2

      Are you sure it's Google, and not your local provider? Botched routing tables can do that. What is your other DNS server? Is it a temporary issue? Is it only with a1.phobos.apple.com? Anycast should get a response back from the fastest server to respond.

      I'll guess that you're in Australia, since I noticed the .au router you crossed. It doesn't look like Google has a datacenter there yet. I wouldn't be surprised if they have a presence in locations that are not official "Google Datacenters" though.

      http://www.google.com/about/datacenters/locations/index.html

      The list could very likely be incomplete also. I know they had a presence in 111 8th Ave, New York, NY, and bought the whole building a couple years ago. That's not on the list at all. With the carriers that had a presence there, I'd seriously doubt they'd gut it and make it just office space.

      It's working perfectly for me, and everyone that I've had switch over to it because their residential provider DNS is too slow.

      # nslookup a1.phobos.apple.com 8.8.8.8
      Server: 8.8.8.8
      Address: 8.8.8.8#53

      Non-authoritative answer:
      a1.phobos.apple.com canonical name = a1.phobos.apple.com.edgesuite.net.
      a1.phobos.apple.com.edgesuite.net canonical name = a1.da1.akamai.net.
      Name: a1.da1.akamai.net
      Address: 208.44.23.112
      Name: a1.da1.akamai.net
      Address: 208.44.23.98


      # traceroute 208.44.23.112
      traceroute to 208.44.23.112 (208.44.23.112), 30 hops max, 60 byte packets
      [SNIP]
        4 0.xe-7-3-0.BR3.ATL4.ALTER.NET (152.63.5.129) 17.254 ms 17.248 ms 17.286 ms
        5 204.255.168.222 (204.255.168.222) 16.425 ms 16.438 ms 16.407 ms
        6 atx-edge-03.inet.qwest.net (205.171.21.50) 17.285 ms 17.430 ms 17.311 ms
        7 208-44-23-112.dia.static.qwest.net (208.44.23.112) 20.176 ms 20.341 ms 20.287 ms


      # traceroute 208.44.23.98
      traceroute to 208.44.23.98 (208.44.23.98), 30 hops max, 60 byte packets
      [SNIP]
        4 0.xe-7-3-0.BR3.ATL4.ALTER.NET (152.63.5.129) 17.287 ms 17.359 ms 17.344 ms
        5 204.255.168.222 (204.255.168.222) 16.476 ms 16.440 ms 16.429 ms
        6 atx-edge-03.inet.qwest.net (205.171.21.50) 51.325 ms 48.945 ms 17.179 ms
        7 208-44-23-98.dia.static.qwest.net (208.44.23.98) 17.560 ms 17.553 ms 17.620 ms


      # traceroute a1.phobos.apple.com
      traceroute to a1.phobos.apple.com (23.67.53.75), 30 hops max, 60 byte packets
      [SNIP]
        4 0.xe-3-0-2.XL3.MIA4.ALTER.NET (152.63.4.9) 10.664 ms 10.733 ms 10.718 ms
        5 0.xe-11-0-0.XL1.MIA19.ALTER.NET (152.63.85.74) 11.683 ms 11.671 ms 11.654 ms
        6 0.xe-10-1-0.GW1.MIA19.ALTER.NET (152.63.81.10) 9.971 ms 10.009 ms 10.081 ms
        7 akamai.customer.alter.net (63.65.188.50) 11.995 ms 11.985 ms 12.045 ms
        8 a23-67-53-75.deploy.akamaitechnologies.com (23.67.53.75) 10.153 ms 10.355 ms 10.355 ms

      Google DNS resolved to Atlanta, which I believe is the closest Google datacenter, roughly 450 miles away and about 17.5ms.

      Locally (my own DNS server on the same machine I tested from), resolved to Miami, which isn't the closest Akamai site, but may be the closest Apple mirror. That's roughly 280 miles and 10.3ms.

      Using your own resolver is always an excellent choice, and will provide the best results for your location. For those who don't even know how to log into their router, much less run their own DNS server, Google's public DNS is fine.

      --
      Serious? Seriousness is well above my pay grade.
    13. Re:8.8.8.8 by Spikeles · · Score: 2

      You're right, I'm in Australia. Google does have a presence here and I get a ping of about 64ms to 8.8.8.8.
      8 google-public-dns-a.google.com (8.8.8.8) 82.579 ms 64.420 ms 65.664 ms
      I've tried the 8.8.8.8 resolver a couple of times, and in all cases iTunes will give slow downloads, simply due to not optimal resolution of the CDN host. Switch it to another DNS resolver, and everything is fine again. Querying the DNS of our ISP (Internode):

      #nslookup a1.phobos.apple.com 192.231.203.132
      Server: 192.231.203.132
      Address: 192.231.203.132#53

      Non-authoritative answer:
      a1.phobos.apple.com canonical name = a1.phobos.apple.com.edgesuite.net.
      a1.phobos.apple.com.edgesuite.net canonical name = a1.da1.akamai.net.
      Name: a1.da1.akamai.net
      Address: 203.206.129.11
      Name: a1.da1.akamai.net
      Address: 203.206.129.16

      #traceroute 203.206.129.16
      [snip]
      8 203-206-129-16.deploy.akamaitechnologies.net (203.206.129.16) 81.438 ms 67.101 ms 67.139 ms


      This kind of issue isn't exactly unknown.

      In addition, in Australia we have quotas for most of our internet plans. If you were on an ISP such as iiNet, then you could end up using up your quota since iiNet provides "unmetered" downloads from iTunes, on the condition that it comes from their mirror. iiNet mirrors Apple servers, and uses their DNS to redirect to their own mirrors. If you were to use 8.8.8.8 for someone on iiNet, you'd end up with them being charged extra since it probably wouldn't resolve to their mirror.

      --
      I don't need to test my programs.. I have an error correcting modem.
  2. Why not warn them? by l_bratch · · Score: 4, Insightful

    Why don't they just start redirecting web users to a warning page explaining the situation to them at some point before the cut off date?

    1. Re:Why not warn them? by jeffmeden · · Score: 3, Informative

      Because they would probably do what they do any other time something complicated appears on the screen: click OK and get back to searching for pr0n.

    2. Re:Why not warn them? by n5vb · · Score: 4, Insightful

      Because they would probably do what they do any other time something complicated appears on the screen: click OK and get back to searching for pr0n.

      They couldn't if their DNS doesn't return anything but the warning page.

      You would be amazed how many times some people would click the OK button before giving up and either telling everyone the Internet isn't working, or calling and screaming at their OS platform support until redirected to their ISP, and then calling their browser support instead and screaming at them. It's incredible the lengths to which some people will go to avoid reading what's on their effing screen..

  3. ISP should warn them by crow · · Score: 2

    Assuming that these were modems provided by their ISP, then the ISP has responsibility here. They can easily watch for packets going to the fake DNS servers, and then warn the customers by email, letter, and even phone. They should have done this back when the issue first arose, with steps to correct the problem included in a letter with the monthly bill.

    1. Re:ISP should warn them by dmacleod808 · · Score: 5, Funny

      I dunno, whenever I receive a letter from my ISP, I immediately destroy my hard drives and torch my house.

      --
      There Can Be Only One...
    2. Re:ISP should warn them by Zocalo · · Score: 3, Interesting

      That horse has long since bolted. The ISPs were notified, and it's also possible for them to check their IP space for infected hosts at the DNS Changer Working Group's website. The sad fact is that the ISPs in question have done the math and come to the conclusion that they can either:
      1. Notify their infected customers, at a cost of $x per customer, probably only to have most of their users either ignore the warning or contact the ISP's support line, potentially at additional cost to the ISP (unless they have a premium rate support service).
      2. Ignore the problem until the FBI's DNS servers are switched off, at which point, hopefully, many of the users will figure out the solution at no cost to the ISP, reducing the burden on the ISP's support desk and costs. Hey, everyone has to keep costs down, right?

      Bonus douchebag points for any ISPs that have a large number of infected customers and have, purely coincidentally of course, moved support calls to a premium rate number in the last few months.

      --
      UNIX? They're not even circumcised! Savages!
    3. Re:ISP should warn them by toygeek · · Score: 2

      Disclaimer: I work for a 3rd party contractor to Comcast. I don't work directly for them and I don't condone everything they do, so let's leave that out of the discussion.

      Comcast does exactly this. When they see traffic going to the known hijacked IPs, the customer gets emails, popups, and generally annoyed to hell until they do something about it. It's not always hijacked DNS. Sometimes it's one infected device that is not owned by the customer, and it's a neighbor who is stealing their wifi. Solution: secure their wifi. Sometimes they cleaned the infections already, but their router is still hijacked.

      AFAIK AT&T does the same thing, or something similar.

      As much flak as ISPs get these days, there are some things they actually do right. And, there are some things that they fail so very, very horribly in. In this one, I think they've got it right.

  4. The easy fix by Megane · · Score: 2

    Presumably they know what IP was being checked for DNS. All an ISP has to do is spoof that IP internally with a manual route to their own DNS server. That should save a few truck rolls.

    --
    #naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
  5. Let companies bid for them and put ads on error... by stevenh2 · · Score: 2

    I'm sure some companies will want to buy those servers so they can put ads on those error pages that pop when you enter a nonexistent domain.

  6. Re:Captain Obvious by jeffmeden · · Score: 2

    Surely there are options on the table. However, the fact that Vixie concluded that "these will be very difficult to re-program" when a group of Estonian hackers managed to do it through a completely illegitimate virus, completely remotely, is troubling. Something about the process must have been irreversible otherwise a simple "undo" page distributed through DNS forwarding could have taken care of it as soon as the servers were under FBI control.

    What is more interesting is that they don't make any stabs at guessing how many of the victims are on what providers (just referring to them as "DSL".) Why not name names? You have the IPs of the vics. If AT&T saw 150,000 customers about to go dark, and so did Verizon and so did CenturyLink, I suspect the problem would be confronted more directly than a single powerpoint at some conference in *Australia*...

  7. Re:Why bother warning them? by idontgno · · Score: 2

    (A) Not every jurisdiction enforces very much in the way of vehicle safety and emissions inspection laws, so your "We don't" is unsupportably broad. I could certainly agree with a more factually accurate phrase like "We shouldn't", but that's not very good reinforcement for your absolutist position. Sorry.

    (B) Speaking of inspections, are you advocating for public safety inspections of online computing assets? It sure sounds like it. And if so, by whom and using what criteria, and very specifically how do you keep those criteria from devolving into some kind of corporatist rights grab a la pernicious DRM?

    And (C), if you're not advocating public net-worthiness inspections of computers, your analogy breaks down, since the virus-infected computers in question have already had their road-safety incident. So, your phrase, more accurately stated, is "We don't let people drive cars on public roads that have already risked the safety of other drivers", in which case the response is "of course not, they're already wrecked."

    --
    Welcome to the Panopticon. Used to be a prison, now it's your home.
  8. you've won a brand new car [analogy] by OrangeTide · · Score: 3, Funny

    "We don't let people drive cars on public roads that risk the safety of the other drivers."

    Is that really true? I'm having difficulty believing that.

    I think a better car analogy is:

    "We imprison people for drunk driving, because it is a felony, unless they are Senators. Why not imprison people who spew viruses and malware too? (unless it's the NSA or RIAA)"

    --
    “Common sense is not so common.” — Voltaire
  9. Scripted changes by dissy · · Score: 3, Insightful

    I'm not sure I understand the problem...

    Did this malware hit the DSL modem web-config page from the Internet to change its DNS settings?
    Or is this Windows malware that, once infecting a PC on the LAN, used that PC to hit the web-config page?

    One would assume the web-server in the DSL modem doesn't answer on the public interface or IP, but clearly they fucked up the security to start with so that's not an assumption I want to make.

    If this malware hit it from the Internet, then it would be trivial for the ISP to do the same exact thing to put the settings back.
    The ISP even has legit and legal access to their customer premise equipment, so it wouldn't be illegal or labeled as "hacking" in that case.

    Even if the modem web-config only answers to the LAN IP, and it was an infected Windows box that automatically reconfigured the router... wouldn't there be a password of some sort?

    And why don't the ISPs maintain a "maintenance" subnet where they CAN access the DSL modem?

    All the ISP needs to do is add a route to their core routers for the old DNS server IPs that will be going down soon, and redirect those packets to their internal DNS servers.

    Failing that, the ISP can log any customers that access the hijacked DNS IPs, build up a list, and mail out a letter to them postal style. If they don't read their ISP's snail-mail, then they deserve whatever outage they get.
    Believe me, once service goes down, they WILL be calling the ISP. I can understand wanting to lessen the massive amounts of calls they are expecting on the 9th, but in order to lessen that flood they will need to do Something. Anything. Anything except the nothing they seem to be doing.

    Just set up a web site with all the info they need, which can be accessed with an IP alone. Give that to them on the phone. Include both the address and IP in the snail mail letter.
    Hell, at that point the ISP can include a link that when clicked will connect to the internal IP of the router and submit new DNS settings in the GET request. A small amount of JavaScript will handle if a POST is needed.
    There is clearly no password on the web interface to deal with, or they wouldn't have this problem from the malware in the first place, so this should be trivial to fix semi-automated, and likely totally automated with a bit more work.

    This sounds more like laziness and ineptness rather than any technical reason for fixing the problem.

    1. Re:Scripted changes by DeadboltX · · Score: 3, Informative

      From FBI PDF http://www.fbi.gov/news/stories/2011/november/malware_110911/DNS-changer-malware.pdf

      What Does DNSChanger Do to My Computer?
      DNSChanger malware causes a computer to use rogue DNS servers in one of two ways. First, it changes the computer’s DNS server settings to replace the ISP’s good DNS servers with rogue DNS servers operated by the criminal. Second, it attempts to access devices on the victim’s small office/home office (SOHO) network that run a dynamic host configuration protocol (DHCP) server (eg. a router or home gateway). The malware attempts to access these devices using common default usernames and passwords and, if successful, changes the DNS servers these devices use from the ISP’s good DNS servers to rogue DNS servers operated by the criminals. This is a change that may impact all computers on the SOHO network, even if those computers are not infected with the malware.
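The "watch for packets going to the fake DNS servers" idea from comments 3 and 9 above, as an added example that is not code from this thread or from any ISP: it scans flow records for port-53 traffic to rogue-resolver prefixes and builds the per-host notification list an ISP would mail or call from. The prefixes (TEST-NET placeholders, not the real DNSChanger ranges), the flow-record format and the sample records are all assumptions constructed for the example.

```python
"""Flag subscriber hosts whose DNS queries go to known-rogue resolvers.

Added example, not code from the Slashdot thread or from any ISP. The
rogue-resolver prefixes below are constructed placeholders; a real
deployment would load the ranges published for the sinkhole in question.
"""
import ipaddress
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

# Placeholder rogue-resolver prefixes (constructed, NOT the real DNSChanger ranges).
ROGUE_RESOLVER_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/24"),      # TEST-NET-1 stands in for rogue range A
    ipaddress.ip_network("198.51.100.0/25"),   # lower half of TEST-NET-2, rogue range B
]

# Constructed flow records: "<epoch> <src_ip> <dst_ip> <dst_port> <proto>"
SAMPLE_FLOWS = """\
1339200001 10.20.30.40 192.0.2.17 53 udp
1339200002 10.20.30.40 192.0.2.17 53 udp
1339200003 10.20.30.41 203.0.113.9 53 udp
1339200004 10.20.30.42 198.51.100.66 53 udp
1339200005 10.20.30.43 192.0.2.200 80 tcp
1339200006 10.20.30.40 198.51.100.3 53 tcp
malformed line here
"""


def is_rogue_resolver(addr: str) -> bool:
    """True if addr falls inside any configured rogue-resolver prefix."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:          # garbage in the destination field is not a hit
        return False
    return any(ip in net for net in ROGUE_RESOLVER_PREFIXES)


def parse_flow(line: str) -> Optional[Tuple[str, str, int, str]]:
    """Return (src, dst, port, proto), or None for a record that does not parse."""
    parts = line.split()
    if len(parts) != 5 or not parts[3].isdigit():
        return None
    _ts, src, dst, port, proto = parts
    return src, dst, int(port), proto.lower()


def find_affected_hosts(lines: Iterable[str]) -> Dict[str, Counter]:
    """Map each source host to a Counter of the rogue resolvers it queried.

    Only port-53 flows count: a host reaching a rogue address on another
    port (e.g. web traffic) is not evidence of hijacked DNS settings.
    """
    hits: Dict[str, Counter] = defaultdict(Counter)
    for line in lines:
        rec = parse_flow(line)
        if rec is None:
            continue
        src, dst, port, _proto = rec
        if port == 53 and is_rogue_resolver(dst):
            hits[src][dst] += 1
    return dict(hits)


def notification_list(lines: Iterable[str], min_queries: int = 1) -> List[Tuple[str, int]]:
    """Hosts to notify, highest query volume first, with their rogue-DNS query totals."""
    hits = find_affected_hosts(lines)
    rows = [(src, sum(c.values())) for src, c in hits.items()]
    return sorted((r for r in rows if r[1] >= min_queries), key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    for host, n in notification_list(SAMPLE_FLOWS.splitlines()):
        print(f"{host}: {n} queries to rogue resolvers")
```

The same per-host map is what a "route the old rogue IPs to our own resolvers" fix (comment 4) would leave you unable to see, so keep the logging in place even after redirecting.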

  10. Re:Why bother warning them? by n5vb · · Score: 4, Informative

    There are some people who will call tech support whether they get a warning or not. Usually the wrong support, and usually to unload a half hour of angry rants that do absolutely nothing to fix the problem. If there's any reading involved beyond about the 2nd-3rd grade level, they'll ignore warning dialogs and just call and complain. This is a constant in the tech support universe.

    (And I still have to laugh when people tell me their internet isn't working but they can send and receive email..)

  11. harumph! by Anonymous Coward · · Score: 5, Funny

    DNS? pshaw!
    If you just listened to APK and put everything in your HOSTS file, you wouldn't have to worry about any of this folderol!

    1. Re:harumph! by Anonymous Coward · · Score: 4, Funny

      DO NOT SUMMON HIM!

  12. Re:Why bother warning them? by n5vb · · Score: 4, Funny

    I'm still in favor of the big red button with a clearly worded warning on it that says it will render the computer unusable and/or void the warranty if pressed. The people who read instructions and warnings and in general have some clue what they're doing will leave it alone and get years of service out of the computer; the ones who just poke and click at things totally at random when things don't do what they expect get what they deserve...

  13. Re:Holy shit, timothy edited something!?!! by pjt33 · · Score: 2

    He still missed correcting "Internet elder" to "elder of the Internet".

  14. TR-069 by stewwy · · Score: 4, Interesting

    Some modems implement this TR-069 (remote config) protocol. At least some of the clueless should have this active; I'm surprised it's not used more widely by ISPs. Of course anyone with half a brain will have it disabled (do you want your ISP to control your router?), and if you have it disabled at least you know your modem/router HAS a config page, but still, it's for exactly this reason it's there.

  15. This is a trivial number by Skleed · · Score: 5, Insightful

    In 2009, there were 32 million DSL modems in the United States. http://www.internetworldstats.com/am/us.htm

    Even if there has been no growth in DSL usage, 100,000 modems represents 0.3% of all DSL users.

    BUT, this 100,000 number is world wide modems that have been compromised. That makes the actual percentage of modems affected so small that it hardly seems worth the time to calculate it.

    Turn the "bad" DNS off, and most tech support lines will not even notice the increase in support calls.

  16. duh by IGnatius+T+Foobar · · Score: 3, Interesting

    So the malware guys found a bunch of unpatched DSL modems with a vulnerability that allowed the resolver to be reconfigured remotely, and pointed it towards the "bad" DNS servers.

    So why not just go to the "bad" DNS servers, which they now control, find out the IP addresses of the compromised modems, and use the same vulnerability to reconfigure the resolver to point back to "good" DNS servers?

    --
    Tired of FB/Google censorship? Visit UNCENSORED!
  17. HOLY CRAP, WHAT A TYPO! by Anonymous Coward · · Score: 2, Funny

    peer-to-queer downloads

    what an embarrassing Freudian slip.
    you're running the buttorrent client I take it?

  18. Re:Why would a MODEM need DNS? by aiht · · Score: 2

    I was wondering the same thing. Then I remembered a few years back when my provider, replacing a modem that had taken a power surge, tried to pawn off one of those "NAT router/modems" on me.

    If they're being used as such, for internal DHCP, that might be a problem, I guess...

    What's with all the "combined router/modem" bashing in this thread? Is it really that big a problem for you, to not be /forced/ to use a separate router and/or switch? Most router/modems I have seen can also be set to a direct or bridge mode to disable the router and go back to being a dumb modem.
    Even more so, what's with all the people who seem to be surprised at the concept? I can't remember the last time I even saw a consumer-level DSL modem that was not also a router - maybe ten years? This is not new or unusual tech.

  19. Re:Captain Obvious by 1u3hr · · Score: 2

    Surely there are options on the table. However, the fact that Vixie concluded that "these will be very difficult to re-program" when a group of Estonian hackers managed to do it through a completely illegitimate virus, completely remotely, is troubling. Something about the process must have been irreversible otherwise a simple "undo" page distributed through DNS forwarding could have taken care of it as soon as the servers were under FBI control.

    I suspect the "difficulty" is more legal than technical. The Estonians don't care if they brick an occasional device, and they don't try to get the users' legal consent. And people and governments in other countries might not be happy to trust the FBI to reprogram their router/modem.