DNS Changer items

A) The DNS changer working group site http://www.dns-ok.us seems to be down for the clean people anyway. (Down for everyone agrees with me).
B) Fox, CNN, and MSNBC have apparently all run stories in the last couple of hours that essentially ended with 'Call your ISP if you have any questions' (gee thanks). And I'm told ABC/CBS/NBC are running the same basic thing tonight, with the same basic ending.

The more you know...

> A) The DNS changer working group site http://www.dns-ok.us seems to be down for the clean people anyway. (Down for everyone agrees with me).

Works via IPv6. (I suspect all the media attention you referenced may be causing some load issues over "Classic IP - Version 4").

- Jared

puck:~$ curl -v dns-ok.us
* About to connect() to dns-ok.us port 80 (#0)
* Trying 2606:700::2644:c160... connected
* Connected to dns-ok.us (2606:700::2644:c160) port 80 (#0)

> GET / HTTP/1.1
> User-Agent: curl/7.21.0 (x86_64-redhat-linux-gnu) libcurl/7.21.0 NSS/3.12.10.0 zlib/1.2.5 libidn/1.18 libssh2/1.2.4
> Host: dns-ok.us
> Accept: */*

< HTTP/1.1 200 OK
< Date: Fri, 06 Jul 2012 16:38:50 GMT
< Server: Apache/2.2.22 (Unix) PHP/5.4.4
< Last-Modified: Wed, 30 May 2012 20:51:40 GMT
< ETag: "7f5c1-67e-4c1471e35bf2a"
< Accept-Ranges: bytes
< Content-Length: 1662
< Connection: close
< Content-Type: text/html
<
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>

The dns-ok.us site is getting crushed from all the sudden media
interest. We're trying to tweak it to handle the 50,000 or so
simultaneous connections.

Andy

Andrew Fried
andrew.fried@gmail.com

Jared Mauch wrote:

> A) The DNS changer working group site http://www.dns-ok.us seems to be
> down for the clean people anyway. (Down for everyone agrees with me).

> Works via IPv6. (I suspect all the media attention you referenced may be
> causing some load issues over "Classic IP - Version 4").

Loaded via IPv4, albeit slowly, at least for me.

One wonders why it's so hard to get the media interested when it
would be *helpful*. DNS Changer gets traction like 3 days before the
drop dead date, IPv6 gets on the radar *after* we run out of v4 /8's
to give to regionals, etc...

Reactive is easier to justify to the powers that be than proactive.

~Seth

So instead of turning the servers off, would it not have been helpful to
have the servers return a "captive portal" type of response saying "hey,
since you use this server, you are broken, go here to get fixed"

Seems that would have been a more graceful ramp down.

CB

Where have you been? It's been in and out of the news for months. Examples: ABC covered it on April 11th, CBS on Feb 21st.

The ISPs who have been proactive in mitigating and redirecting have been/are doing this. (global reach here)

The court-ordered DNS servers have been up since Nov 9th and lots of outreach done... the intent was a
graceful ramp down. Sadly, the state of folks helping with overall malware cleanup is still lots of finger pointing.

FUD with press and over sensationalism not helping.

- merike

Not all DNS lookups are for HTTP.

We verified one a while back, who had already had the problem fixed when the FBI sent us the physical mail. Considering the number of internet customers in the US vs. our internet customers, with the known number of US subscribers affected at its height, I figure if the percentages are good we've taken care of several times the number of likely cases on our network with that one customer.
*wink*
I'm told by various sources to expect similar stories on the nightly national news programs tonight, with a similar 'call your ISP' ending. I've also heard the site IS reachable via IPv6 and they are dealing with the load issues as we speak (and some people are getting through, albeit slowly).

I'm pretty comfortable about my network; I've been catching DNS lookup destinations from my users for months (not contents, just destination IPs) and the list of outside addresses covers most of the well-known public DNS servers (OpenDNS, Google, etc...) with the exception of a handful that seem to be running their own full-blown recursive caching servers, which go everywhere looking for authoritative lookups. (One I knew about; he complains because I won't allow his basic cable account to act as an open server for his DNS when he's out of town. If he wants a static IP I can arrange opening the port; till then... He is always welcome to VPN into his home network as well.)

Been having callers look up their IP, then checking the query logs to see if they hit our DNS servers. So far I'm at 100%.

I thought of whipping up a script for my recursive DNS servers to set up a webpage to let them see if they were accessing those servers, but I just don't have time right now (fiscal year just started and everyone wants their projects done 'now').

Addendum: Site appears up and fast now. So that's something anyway.

The DNS redirection began on November 8, 2011. The servers were
instrumented to capture a very small portion of the dns data (source ip
and port only) so that reports of infected users could be sent to the
ISPs via reporting organizations like Shadowserver.

Some ISPs did create walled gardens. Some merely redirected affected
customers to their own internal DNS servers. Some ISPs did aggressive
notifications to their users. And some ISPs did nothing.

Sites were set up to allow users to check their systems (dns-ok.us,
etc). The DCWG set up an information site to provide information on how
to detect the DNSchanger infection and how to fix it. AV companies
provided tools to help clean up systems, and the tools were published on
the DCWG.org website.

The FBI went to great lengths to get press coverage to get the word out.

This operation has been ongoing for 7 months, 27 days and 14 hours.

How much more of a graceful ramp down could there have been?

Andy

Andrew Fried
andrew.fried@gmail.com

If you turn the servers off, then everything fails. The user sits there bewildered and calls his/her ISP to report the Internet is down.

If HTTP was pointed to a server that had a page that said what the problem is and what to do, it would be a lot better. Any tech support these users call can diagnose the problem in a few seconds.

I think having the ISC DNS changer sinkhole servers return the DCWG
check page IP for all queries would be a good final act.

From: Andrew Fried [mailto:andrew.fried@gmail.com]
Sent: Friday, July 06, 2012 11:16 AM
To: Cameron Byrne
Cc: nanog@nanog.org
Subject: Re: DNS Changer items

[...]

From: valdis.kletnieks@vt.edu [mailto:valdis.kletnieks@vt.edu]
Sent: Friday, July 06, 2012 11:07 AM
To: Cameron Byrne
Cc: nanog@nanog.org
Subject: Re: DNS Changer items

> > So instead of turning the servers off, would it not have been
> > helpful to have the servers return a "captive portal" type of
> > response
>
> Not all DNS lookups are for HTTP.

[Tomas L. Byrnes]
It's still better to do this than simply turn off all resolution.

Cameron,

That idea had been brought up. Also discussed was short durations of
random blackouts of dns resolution to impress upon the infected users
that they needed to take action. Unfortunately, taking either of those
actions would have exceeded the authorization of the court order.

We're coming up with a pretty detailed list of "lessons learned" from
this operation, and being able to implement ideas like yours will
hopefully be considered in advance "next time".

Andy

Andrew Fried
andrew.fried@gmail.com
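The "captive portal" response CB and Tomas argue for above, and the objection that not all DNS lookups are for HTTP, can both be seen in wire-format terms. The following is an added example written for this page; it is not code from the thread, from DCWG, or from the court-ordered servers. It answers every A/IN question with a fixed address and gives every other query type an empty NOERROR answer. The fixed address is assumed to be 38.68.193.97, the address dig returned for dns-ok.us via the sinkhole later in the thread; the 60-second TTL and the 5353 listening port are also assumptions.

```python
#!/usr/bin/env python3
"""Sketch of the 'captive portal' sinkhole response discussed in the thread.

Added example, not code from the thread or from the court-ordered
servers. Every A query is answered with the check-page address; any
other query type gets NOERROR with an empty answer section, which is
exactly the case "not all DNS lookups are for HTTP" points at.
"""
from __future__ import annotations

import socket
import struct

# Assumption: the address dig returned for dns-ok.us via the sinkhole
# doubles as the page every redirected A query should land on.
CHECK_PAGE_IP = "38.68.193.97"
TTL = 60                 # assumed; short so a cleaned-up host stops seeing it quickly
QTYPE_A = 1
QTYPE_AAAA = 28
FLAGS_QUERY = 0x0100     # RD
FLAGS_RESPONSE = 0x8180  # QR, RD, RA, RCODE=0


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(packet: bytes, offset: int) -> tuple[str, int]:
    """Decode an uncompressed name at offset; return (name, offset after it)."""
    labels = []
    while True:
        length = packet[offset]
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length


def build_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Build a one-question query, as a stub resolver would send it."""
    header = struct.pack("!HHHHHH", txid, FLAGS_QUERY, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_response(query: bytes) -> bytes:
    """Answer any A/IN question with CHECK_PAGE_IP; NODATA for everything else."""
    txid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question query")
    _, off = decode_name(query, 12)
    qtype, qclass = struct.unpack("!HH", query[off:off + 4])
    question = query[12:off + 4]          # echoed back verbatim
    if qtype == QTYPE_A and qclass == 1:
        answer = (b"\xc0\x0c"             # name pointer to offset 12 (the question)
                  + struct.pack("!HHIH", QTYPE_A, 1, TTL, 4)
                  + socket.inet_aton(CHECK_PAGE_IP))
        ancount = 1
    else:
        answer, ancount = b"", 0          # AAAA, MX, SRV ... get nothing useful
    header = struct.pack("!HHHHHH", txid, FLAGS_RESPONSE, 1, ancount, 0, 0)
    return header + question + answer


def answered_ip(response: bytes) -> str | None:
    """Pull the A record address out of a response built above, or None."""
    ancount = struct.unpack("!H", response[6:8])[0]
    return socket.inet_ntoa(response[-4:]) if ancount else None


def serve(bind: str = "127.0.0.1", port: int = 5353) -> None:
    """Answer on UDP; try `dig @127.0.0.1 -p 5353 www.example.com`."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    while True:
        data, peer = sock.recvfrom(512)
        try:
            sock.sendto(build_response(data), peer)
        except (ValueError, IndexError):
            continue                      # malformed packet: drop it


if __name__ == "__main__":
    serve()
```

The AAAA/MX branch is the practical limit of the idea: a mail client or an IPv6-only browser pointed at such a server learns nothing from the empty answer, so the portal only reaches users whose next action is an IPv4 HTTP request.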

Doesn't the court order expire as of Monday? What happens to those IP ranges then?

For anyone who wants to find any hosts behind their firewall that are
still infected, you can post a firewall log into our public site, and
we'll call out all attempts to contact the sinkhole servers (with the
internal IPs), assuming you log outbound DNS or all connections.

We've been doing this for subscribers (including free community ones)
since we got the sinkhole IPs from Andrew @ SIE/MAAWG.

From: Eric J Esslinger [mailto:eesslinger@fpu-tn.com]
Sent: Friday, July 06, 2012 11:10 AM
To: 'nanog@nanog.org'
Subject: RE: DNS Changer items

[...]

__________________________
Eric Esslinger
Information Services Manager - Fayetteville Public Utilities
http://www.fpu-tn.com/
(931)433-1522 ext 165

> We've been doing this for subscribers (including free community ones)
> since we got the sinkhole IPs from Andrew @ SIE/MAAWG.

At least now, the ranges are publicly outlined in
http://www.fbi.gov/news/stories/2011/november/malware_110911/DNS-changer-malware.pdf

85.255.112.0 through 85.255.127.255
67.210.0.0 through 67.210.15.255
93.188.160.0 through 93.188.167.255
77.67.83.0 through 77.67.83.255
213.109.64.0 through 213.109.79.255
64.28.176.0 through 64.28.191.255

These also return the "RED" dnschanger page:
$ dig +short @64.28.180.1 dns-ok.us
38.68.193.97

- Nick
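Eric's query-log check, Tomas's firewall-log scan and Nick's range list above all reduce to one test: does a configured nameserver, or the destination of an outbound connection, fall inside one of the six published ranges. The following is an added example written for this page, not code from any of the posters, from DCWG or from the FBI. It carries the six ranges as CIDRs, checks a resolv.conf-style nameserver list, and walks firewall log lines to report which internal hosts talked to the ranges. The resolv.conf text and the log lines are constructed samples; the iptables LOG line layout (SRC=, DST=, DPT=) is an assumption, so adapt the regular expression to whatever your firewall actually writes.

```python
#!/usr/bin/env python3
"""Flag hosts still pointed at the DNSChanger rogue ranges.

Added example, not code from the thread. The six ranges are the ones
quoted from the FBI PDF in the thread, written here as CIDRs. The
resolv.conf text and firewall log lines are constructed samples, and
the iptables-style LOG format they follow is an assumption.
"""
from __future__ import annotations

import ipaddress
import re

ROGUE_RANGES = [
    ipaddress.ip_network("85.255.112.0/20"),   # 85.255.112.0  - 85.255.127.255
    ipaddress.ip_network("67.210.0.0/20"),     # 67.210.0.0    - 67.210.15.255
    ipaddress.ip_network("93.188.160.0/21"),   # 93.188.160.0  - 93.188.167.255
    ipaddress.ip_network("77.67.83.0/24"),     # 77.67.83.0    - 77.67.83.255
    ipaddress.ip_network("213.109.64.0/20"),   # 213.109.64.0  - 213.109.79.255
    ipaddress.ip_network("64.28.176.0/20"),    # 64.28.176.0   - 64.28.191.255
]


def is_rogue(ip: str) -> bool:
    """True if ip falls inside one of the published rogue ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False          # garbage in a log line is not a hit
    return any(addr in net for net in ROGUE_RANGES)


def rogue_nameservers(resolv_conf: str) -> list[str]:
    """Return the 'nameserver' entries in resolv.conf text that are rogue."""
    hits = []
    for line in resolv_conf.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver" and is_rogue(parts[1]):
            hits.append(parts[1])
    return hits


# Assumed iptables LOG layout; only SRC=, DST= and (optional) DPT= are used.
LOG_RE = re.compile(r"SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+)(?:.*?DPT=(?P<dpt>\d+))?")


def scan_firewall_log(lines, dns_only: bool = False) -> dict[str, set[str]]:
    """Map each internal source IP to the rogue destinations it contacted.

    With dns_only=True only port-53 traffic counts. The default reports
    any connection into the ranges, since an infected host may carry
    other traffic there and the ranges have no legitimate use.
    """
    hits: dict[str, set[str]] = {}
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        if dns_only and m["dpt"] != "53":
            continue
        if is_rogue(m["dst"]):
            hits.setdefault(m["src"], set()).add(m["dst"])
    return hits


# Constructed sample input: one rogue and one clean resolver.
SAMPLE_RESOLV = """# constructed sample resolv.conf
nameserver 85.255.112.36
nameserver 8.8.8.8
"""

# Constructed sample log lines in the assumed iptables LOG layout.
SAMPLE_LOG = [
    "Jul  6 16:38:50 gw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=10.0.0.23 DST=85.255.112.36 PROTO=UDP SPT=51234 DPT=53",
    "Jul  6 16:38:51 gw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=10.0.0.41 DST=8.8.8.8 PROTO=UDP SPT=40001 DPT=53",
    "Jul  6 16:38:52 gw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=10.0.0.23 DST=64.28.180.1 PROTO=UDP SPT=51235 DPT=53",
    "Jul  6 16:38:53 gw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=10.0.0.77 DST=93.188.161.9 PROTO=TCP SPT=33000 DPT=80",
    "Jul  6 16:38:54 gw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=10.0.0.77 DST=93.188.161.9 PROTO=ICMP TYPE=8 CODE=0",
]


def main() -> None:
    print("rogue nameservers:", rogue_nameservers(SAMPLE_RESOLV))
    for src, dsts in sorted(scan_firewall_log(SAMPLE_LOG).items()):
        print(f"{src} -> {', '.join(sorted(dsts))}")


if __name__ == "__main__":
    main()
```

Run against a real export, the internal addresses it prints are the callers Eric describes; feeding it only port-53 lines gives the narrower "who is still resolving through the sinkhole" view, while the default catches hosts that touch the ranges on any port.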

The subnets will probably be held until the conclusion of the criminal
trials. After that, the addresses may be held back from assignment for
a while (e.g. a year), but eventually they'll get reassigned.

Andrew Fried
andrew.fried@gmail.com