Slashdot Mirror


Paul Vixie: 100,000 DSL Modems May Lose Their DNS On July 9

Dante_J writes "Up to 100,000 DSL modems may lose access to DNS come July the 9th, due to scripted web interface changes made to them by DNSChanger. This and other disturbing details were raised by respected Internet elder Paul Vixie during a presentation at the AusCERT 2012 conference."

22 of 193 comments

  1. 8.8.8.8 by windcask · · Score: 4, Informative

    What DNS issues?

    1. Re:8.8.8.8 by philip.paradis · · Score: 4, Informative

      Any DNS provider you use can do the same thing. If you don't like this, feel free to operate your own resolvers.

      --
      Write failed: Broken pipe
    2. Re:8.8.8.8 by foradoxium · · Score: 5, Insightful

      I would worry more about your ISP being forced to cache (for 2 years) all the same information for the government or their employers to use than Google using your habits to form better directed ads..

      http://www.capitol.hawaii.gov/measure_indiv.aspx?billtype=HB&billnumber=2288

      all it takes is this legislation to gain footing in a few states, then the rest start caving.

      Google watching you really should be the least of your online privacy worries..

    3. Re:8.8.8.8 by Lifyre · · Score: 4, Insightful

      These days? I would bet more than 50% by traffic probably A LOT more by traffic...

      Do you think Comcast, Time Warner, Cox, AT&T (SBC), Bright House, Verizon etc... aren't? What percentage of DNS services do they provide?

      Even if they don't use it directly many of them are selling it to someone who does.

      --
      I'll meet you at the intersection of "Should be" and "Reality"
    4. Re:8.8.8.8 by Baloroth · · Score: 3, Informative

      No they don't. See their FAQ.

      --
      "None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
    5. Re:8.8.8.8 by PReDiToR · · Score: 3, Informative

      If this bothers you, or anyone else, try to use https and secure connections wherever possible.
      This means that without some directed effort on the part of your ISP (MITM/brute force) all your ISP knows is which site you visit, not the contents of your conversation with the servers.

      HTTPS-Everywhere helps.

      --

      Do not meddle in the affairs of geeks for they are subtle and quick to anger
    6. Re:8.8.8.8 by philip.paradis · · Score: 3, Insightful

      Great, so go ahead and set up fully tunneled point to point VPN communications from your home to $somewhere_else. I'm really not kidding; you're completely free to implement this. However, if you're operating at that level of paranoia, make sure you're operating your own DC, with your own fiber, etc. Then of course that upstream provider could still sniff your traffic, so make sure everything is encrypted, ad infinitum. Have fun with all that.

      --
      Write failed: Broken pipe
  2. Why not warn them? by l_bratch · · Score: 4, Insightful

    Why don't they just start redirecting web users to a warning page explaining the situation to them at some point before the cut off date?

    1. Re:Why not warn them? by jeffmeden · · Score: 3, Informative

      Because they would probably do what they do any other time something complicated appears on the screen: click OK and get back to searching for pr0n.

    2. Re:Why not warn them? by n5vb · · Score: 4, Insightful

      Because they would probably do what they do any other time something complicated appears on the screen: click OK and get back to searching for pr0n.

      They couldn't if their DNS doesn't return anything but the warning page.

      You would be amazed how many times some people would click the OK button before giving up and either telling everyone the Internet isn't working, or calling and screaming at their OS platform support until redirected to their ISP, and then calling their browser support instead and screaming at them. It's incredible the lengths to which some people will go to avoid reading what's on their effing screen..

  3. Re:ISP should warn them by dmacleod808 · · Score: 5, Funny

    I dunno, whenever I receive a letter from my ISP, I immediately destroy my hard drives and torch my house.

    --
    There Can Be Only One...
  4. Re:ISP should warn them by Zocalo · · Score: 3, Interesting
    That horse has long since bolted. The ISPs were notified, and it's also possible for them to check their IP space for infected hosts at the DNS Changer Working Group's website. The sad fact is that the ISPs in question have done the math and come to the conclusion that they can either:
    1. Notify their infected customers, at a cost of $x per customer, probably only to have most of their users either ignore the warning or contact the ISP's support line, potentially at additional cost to the ISP (unless they have a premium rate support service).
    2. Ignore the problem until the FBI's DNS servers are switched off, at which point, hopefully, many of the users will figure out the solution at no cost to the ISP, reducing the burden on the ISP's support desk and costs. Hey, everyone has to keep costs down, right?

    Bonus douchebag points for any ISPs that have a large number of infected customers and have, purely coincidentally of course, moved support calls to a premium rate number in the last few months.

    --
    UNIX? They're not even circumcised! Savages!
  5. you've won a brand new car [analogy] by OrangeTide · · Score: 3, Funny

    "We don't let people drive cars on public roads that risk the safety of the other drivers."

    Is that really true? I'm having difficulty believing that.

    I think a better car analogy is:

    "We imprison people for drunk driving, because it is a felony, unless they are Senators. Why not imprison people who spew viruses and malware too? (unless it's the NSA or RIAA)"

    --
    “Common sense is not so common.” — Voltaire
  6. Scripted changes by dissy · · Score: 3, Insightful

    I'm not sure I understand the problem...

    Did this malware hit the DSL modem web-config page from the Internet to change its DNS settings?
    Or is this Windows malware that, once infecting a PC on the LAN, used that PC to hit the web-config page?

    One would assume the web-server in the DSL modem doesn't answer on the public interface or IP, but clearly they fucked up the security to start with so that's not an assumption I want to make.

    If this malware hit it from the Internet, then it would be trivial for the ISP to do the same exact thing to put the settings back.
    The ISP even has legit and legal access to their customer premise equipment, so it wouldn't be illegal or labeled as "hacking" in that case.

    Even if the modem web-config only answers to the LAN IP, and it was an infected Windows box that automatically reconfigured the router... wouldn't there be a password of some sort?

    And why don't the ISPs maintain a "maintenance" subnet where they CAN access the DSL modem?

    All the ISP needs to do is add a route to their core routers for the old DNS server IPs that will be going down soon, and redirect those packets to their internal DNS servers.

    Failing that, the ISP can log any customers that access the hijacked DNS IPs, build up a list, and mail out a letter to them postal style. If they don't read their ISP's snail-mail, then they deserve whatever outage they get.
    Believe me, once service goes down, they WILL be calling the ISP. I can understand wanting to lessen the massive amounts of calls they are expecting on the 9th, but in order to lessen that flood they will need to do Something. Anything. Anything except the nothing they seem to be doing.

    Just set up a web site with all the info they need, which can be accessed with an IP alone. Give that to them on the phone. Include both the address and IP in the snail mail letter.
    Hell, at that point the ISP can include a link that when clicked will connect to the internal IP of the router and submit new DNS settings in the GET request. A small amount of javascript will handle if a POST is needed.
    There is clearly no password on the web interface to deal with, or they wouldn't have this problem from the malware in the first place, so this should be trivial to fix semi-automated, and likely totally automated with a bit more work.

    This sounds more like laziness and ineptness rather than any technical reason for fixing the problem.

    1. Re:Scripted changes by DeadboltX · · Score: 3, Informative

      From FBI PDF http://www.fbi.gov/news/stories/2011/november/malware_110911/DNS-changer-malware.pdf

      What Does DNSChanger Do to My Computer?
      DNSChanger malware causes a computer to use rogue DNS servers in one of two ways. First, it changes the computer’s DNS server settings to replace the ISP’s good DNS servers with rogue DNS servers operated by the criminal. Second, it attempts to access devices on the victim’s small office/home office (SOHO) network that run a dynamic host configuration protocol (DHCP) server (e.g. a router or home gateway). The malware attempts to access these devices using common default usernames and passwords and, if successful, changes the DNS servers these devices use from the ISP’s good DNS servers to rogue DNS servers operated by the criminals. This is a change that may impact all computers on the SOHO network, even if those computers are not infected with the malware.
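The check dissy proposes above (log which customers are still sending DNS queries to the hijacked resolver IPs and build a notification list from that), and the per-host check the FBI excerpt implies (is the configured resolver one of the rogue ones?), as an added example that is not from the thread, from the FBI document, or from any ISP's tooling. The six rogue netblocks are the ranges the FBI published for DNSChanger; verify them against the current FBI/DCWG list before relying on them. The flow-log format, the customer prefix 198.51.100.0/24 and the sample lines are constructed for the example.

```python
"""Flag subscribers whose hosts are querying the DNSChanger rogue resolvers.

Added example, not from the Slashdot thread or the FBI document. The input is a
few constructed flow-log lines in a hypothetical "timestamp src dst dport proto"
format; an ISP would feed NetFlow/IPFIX or resolver query logs instead.
"""
import ipaddress
from collections import Counter

# Rogue resolver netblocks the FBI published for DNSChanger. Treat as a lookup
# table to be checked against the current FBI/DCWG list, not as authoritative.
ROGUE_DNS_NETS = [ipaddress.ip_network(n) for n in (
    "85.255.112.0/20",   # 85.255.112.0  - 85.255.127.255
    "67.210.0.0/20",     # 67.210.0.0    - 67.210.15.255
    "93.188.160.0/21",   # 93.188.160.0  - 93.188.167.255
    "77.67.83.0/24",     # 77.67.83.0    - 77.67.83.255
    "213.109.64.0/20",   # 213.109.64.0  - 213.109.79.255
    "64.28.176.0/20",    # 64.28.176.0   - 64.28.191.255
)]

# Constructed sample flows (hypothetical format): ts src dst dport proto
SAMPLE_FLOWS = """\
# ts                  src            dst            dport proto   (constructed sample)
2012-05-16T10:00:01  198.51.100.23  85.255.112.34  53    udp
2012-05-16T10:00:02  198.51.100.23  85.255.112.34  53    udp
2012-05-16T10:00:03  198.51.100.77  8.8.8.8        53    udp
2012-05-16T10:00:04  198.51.100.91  93.188.161.5   53    tcp
2012-05-16T10:00:05  198.51.100.91  93.188.161.5   80    tcp
2012-05-16T10:00:06  203.0.113.9    67.210.3.3     53    udp
2012-05-16T10:00:07  198.51.100.23  77.67.83.10    53    udp
garbage line
""".splitlines()


def is_rogue_resolver(ip: str) -> bool:
    """True if ip falls inside any published DNSChanger rogue netblock.
    Usable on its own against a host's or a gateway's configured resolvers."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ROGUE_DNS_NETS)


def parse_flow(line: str):
    """Parse one 'ts src dst dport proto' record; None for blank, comment or malformed lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, dport, proto = parts
    try:
        return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "proto": proto.lower()}
    except ValueError:
        return None


def infected_subscribers(lines, customer_net: str) -> Counter:
    """Count, per customer source IP, DNS flows (port 53 udp/tcp) to rogue resolvers.

    Only sources inside customer_net are counted, so the ISP's own recursive
    resolvers or transit traffic touching those ranges do not end up on the list.
    """
    cust = ipaddress.ip_network(customer_net)
    hits = Counter()
    for line in lines:
        rec = parse_flow(line)
        if rec is None or rec["dport"] != 53 or rec["proto"] not in ("udp", "tcp"):
            continue
        try:
            src = ipaddress.ip_address(rec["src"])
            dst_rogue = is_rogue_resolver(rec["dst"])
        except ValueError:
            continue  # unparseable address in an otherwise well-formed record
        if src in cust and dst_rogue:
            hits[rec["src"]] += 1
    return hits


def notification_list(lines, customer_net: str):
    """Customer IPs to contact, busiest first: [(ip, query_count), ...]."""
    return infected_subscribers(lines, customer_net).most_common()


if __name__ == "__main__":
    for ip, n in notification_list(SAMPLE_FLOWS, "198.51.100.0/24"):
        print(f"notify {ip}: {n} DNS queries to rogue resolvers")
```

Counting flows rather than just presence matters for the letter-writing step dissy describes: a host that sent one query may have been a scanner or a one-off, while one sending hundreds a day has its resolver (or its gateway's) pointed at the rogue ranges. The same `is_rogue_resolver` check is what the "check your resolver" sites of the time did from the client side, and the FBI excerpt above is why the gateway's resolver settings need checking too, not only the PC's.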

  7. Re:Why bother warning them? by n5vb · · Score: 4, Informative

    There are some people who will call tech support whether they get a warning or not. Usually the wrong support, and usually to unload a half hour of angry rants that do absolutely nothing to fix the problem. If there's any reading involved beyond about the 2nd-3rd grade level, they'll ignore warning dialogs and just call and complain. This is a constant in the tech support universe.

    (And I still have to laugh when people tell me their internet isn't working but they can send and receive email..)

  8. harumph! by Anonymous Coward · · Score: 5, Funny

    DNS? pshaw!
    If you just listened to APK and put everything in your HOSTS file, you wouldn't have to worry about any of this folderol!

    1. Re:harumph! by Anonymous Coward · · Score: 4, Funny

      DO NOT SUMMON HIM!

  9. Re:Why bother warning them? by n5vb · · Score: 4, Funny

    I'm still in favor of the big red button with a clearly worded warning on it that says it will render the computer unusable and/or void the warranty if pressed. The people who read instructions and warnings and in general have some clue what they're doing will leave it alone and get years of service out of the computer; the ones who just poke and click at things totally at random when things don't do what they expect get what they deserve...

  10. TR-069 by stewwy · · Score: 4, Interesting

    Some modems implement this, the TR-069 (remote config) protocol. At least some of the clueless should have this active; I'm surprised it's not used more widely by ISPs. Of course anyone with half a brain will have it disabled (do you want your ISP to control your router?), and if you have it disabled at least you know your modem/router HAS a config page, but still, it's for exactly this reason it's there.

  11. This is a trivial number by Skleed · · Score: 5, Insightful

    In 2009, there were 32 million DSL modems in the United States. http://www.internetworldstats.com/am/us.htm

    Even if there has been no growth in DSL usage, 100,000 modems represents 0.3% of all DSL users.

    BUT, this 100,000 number is world wide modems that have been compromised. That makes the actual percentage of modems affected so small that it hardly seems worth the time to calculate it.

    Turn the "bad" DNS off, and most tech support lines will not even notice the increase in support calls.

  12. duh by IGnatius+T+Foobar · · Score: 3, Interesting

    So the malware guys found a bunch of unpatched DSL modems with a vulnerability that allowed the resolver to be reconfigured remotely, and pointed it towards the "bad" DNS servers.

    So why not just go to the "bad" DNS servers, which they now control, find out the IP addresses of the compromised modems, and use the same vulnerability to reconfigure the resolver to point back to "good" DNS servers?

    --
    Tired of FB/Google censorship? Visit UNCENSORED!