DNS Hijacking by Cox

>I'm still unsure that this is either a good idea or a bad idea...
>changing the DNS can only help until the bots start connecting directly
>to IP addresses. Then where do we go? NAT those connections to
>elsewhere? It's one of those lovely arms races where things just get
>more and more invasive.

I don't foresee the programming of IP addresses instead of IP addresses.

That mainly indicates a lack of vision, including the inability to see
what is currently going on.

Because if/when they are found and their exploited server is shut down,
their dedicated server turned off for AUP violations etc., they will lose
access to all of the bots set to that IP address. This happens a lot and
when it does they simply change the DNS.

Right. It's certainly convenient. However, it is pretty convenient to
have a list of addresses to try (the code isn't even that hard), and so
it isn't like wiping out a single IP address is going to solve the
problem. In fact, it is pretty convenient to make a "downloadable
list," so that it can be updated. We'll even conveniently pretend that
this technology doesn't already exist.

>And these people have been flamed senseless. I like to think of it as
>a case of the work the blocklists do is excellent and saves many a
>network from being overrun by spam - however there is always
>collateral damage from things like this. The good far outweighs the
>bad however.

I agree. They are at least trying to clean up their network. If they are
having a lot of problems with zombie bots that DDoS / Spam then this is
a good way to stop it, for now. The small group of users can either use
other nameservers or something like psybnc to connect if they want to
get on IRC.

So where do you draw the line?

Do we start nameserving known phish domains? Suspected phish domains?
Your competitor's web site?

The instant you start feeling that it is okay to stop providing clear
channel Internet access and start providing only a subset is the instant
that you need to do some really careful examination of what you're up to
and why.

Pure blocking is less evil than interception and redirection. However,
blocking a known legitimate IRC site is pretty nasty. Redirecting it
somewhere else? Wow, that's pure evil, and I'd hope Cox gets it from
both sides.

We can break a lot of things in the name of "saving the Internet." That
does not make it wise to do so.

... JG

Since the last time the subject of ISPs taking action and doing something about bots came up, a lot of people have come up with many ideas involving the ISP answering DNS queries with the addresses of ISP cleaning servers.

Just about every commercial WiFi hotspot and hotel login system uses a fake DNS server to redirect users to its login pages. Many universities use a fake DNS server to redirect student computers to cleaning sites.

What should be the official IETF-recognized method for network operators to asynchronously communicate with users/hosts connected to the network, for various reasons such as getting those machines cleaned up?

As far as I know, PPPoE is the only network access protocol that includes the feature of redirecting a host to a network operator's system; but Microsoft has decided not to implement it.
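One shape of the ISP-side DNS rewriting described in this post, as an added example that is not code from the thread or from any vendor mentioned in it: a resolver front-end that answers A queries for a constructed blocklist with the cleaning server's address, records which client asked so the abuse desk can follow up, and honours an allowlist so a wrong block can be undone. `SINKHOLE_IP`, `BLOCKED_NAMES`, `ALLOWLIST` and every name and address below are constructed placeholders.

```python
import socket
import struct

# Constructed policy data (placeholders, not real operator configuration).
SINKHOLE_IP = "192.0.2.10"                               # ISP cleaning server
BLOCKED_NAMES = {"c2.example.net", "irc.example.org"}    # names to sinkhole
ALLOWLIST = {"irc.example.org"}                          # false-positive override
remediation_log = []   # (client_ip, qname) records for the abuse desk

def build_query(txid, name):
    """Minimal A/IN query in wire format; used to construct sample input."""
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    return (struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
            + labels + b"\x00" + struct.pack("!HH", 1, 1))

def parse_query(msg):
    """Return (txid, qname, qtype, qclass, end_of_question) from a wire query."""
    txid, _flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while msg[pos] != 0:                    # walk the label sequence
        length = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    pos += 1                                # skip the root label
    qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return txid, ".".join(labels).lower(), qtype, qclass, pos + 4

def handle_query(client_ip, msg):
    """Forge an A answer pointing at the sinkhole for blocked names.

    Returns the response bytes, or None when the resolver should simply
    forward the query upstream (not blocked, allowlisted, or not A/IN).
    """
    txid, qname, qtype, qclass, qend = parse_query(msg)
    if (qtype, qclass) != (1, 1) or qname not in BLOCKED_NAMES or qname in ALLOWLIST:
        return None
    remediation_log.append((client_ip, qname))   # who needs the cleanup notice
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA set
    # Answer: pointer to the question name (0xC00C), type A, class IN, TTL 60s.
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + socket.inet_aton(SINKHOLE_IP)
    return header + msg[12:qend] + answer

def answer_ip(response):
    """Dotted-quad from the single A record in a response built above."""
    return socket.inet_ntoa(response[-4:])
```

A DNSSEC-validating client would reject this forged answer, which is the DNSSEC concern raised later in the thread; the rewrite only reaches hosts that trust the ISP resolver.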

Hiya,

Plenty of boxes can do redirection in the middle such as Redback,
Ellacoya etc.
We redirect customers who are infected to a web page when they first
connect. Then every few hours they get re-directed again, just enough so
it's a bit annoying.

If they ignore this for a few weeks, they get redirected more frequently :)

Most large carriers that are also MAAWG members seem to be pushing
walled gardens for this purpose.

Walled gardens also block access to external IRC servers.

On a network protocol level, walled gardens also contain things like fake DNS servers (what about DNSSEC?), fake HTTP servers, fake (or forced) NAT re-writing IP addresses, access control lists and lots of stuff trying to respond to the user's traffic with alerts from the ISP.

Although there seems to be a contingent of folks who believe ISPs should never block or redirect any Internet traffic for any reason, the reality is that stepping into the middle of the user's traffic is sometimes the only practical way for ISPs to reach some Internet users with infected computers.

But, like other attempts to respond to network abuse (e.g. various block lists), sometimes there are false positives and mistakes. When it happens, you tweak the filters and undo the wrong block. Demanding zero chance of error before ISPs do anything just means ISPs won't do anything.

Running email abuse desks for about a decade now makes me tend to
agree with you .. and completely unfiltered pipes to the internet for
customer broadband are a pipe dream, most places.

> Running email abuse desks for about a decade now makes me
> tend to agree with you .. and completely unfiltered pipes to
> the internet for customer broadband are a pipe dream, most places.

If ISPs were able to standardize consumer Internet access services using
a gateway box, then the necessary filtering could be done on the gateway
which runs a secure OS. Of course it's not too late to do this.
Essentially all the consumer edge infrastructure needs to be upgraded to
transition to IPv6. Rather than providing raw unfiltered Internet access
over IPv6, ISPs could use a standard gateway box.

When I say "standardize", I mean that ISPs could collectively work out
the specs for such an IPv6 Internet gateway in the IETF along with
vendors and other interested parties. Once a standard spec is agreed
upon, vendors will make such boxes at the price-point that you need.

I would also expect that I can buy such a box and manage it myself if I
choose, rather than having the ISP manage it for me as with most users.

I would also expect the box to have no NAT, use real IPv6 addresses, and
provide various firewall features to protect my home network better than
an IPv4 NAT box without preventing me from using new peer-to-peer
protocols like SIP.

--Michael Dillon

> Running email abuse desks for about a decade now makes me
> tend to agree with you .. and completely unfiltered pipes to
> the internet for customer broadband are a pipe dream, most places.

> If ISPs were able to standardize consumer Internet access services using
> a gateway box, then the necessary filtering could be done on the gateway
> which runs a secure OS. Of course it's not too late to do this.
> Essentially all the consumer edge infrastructure needs to be upgraded to
> transition to IPv6. Rather than providing raw unfiltered Internet access
> over IPv6, ISPs could use a standard gateway box.

would you like that in black plastic? with a nice dial on top to spin? :)

> When I say "standardize", I mean that ISPs could collectively work out
> the specs for such an IPv6 Internet gateway in the IETF along with
> vendors and other interested parties. Once a standard spec is agreed
> upon, vendors will make such boxes at the price-point that you need.

I think that was discussed in v6ops actually just 5 mins ago.

> I would also expect that I can buy such a box and manage it myself if I
> choose, rather than having the ISP manage it for me as with most users.

but it connects to my network, and if you touch it you could damage my
network... we could maybe get some legislation to fix this...

> I would also expect the box to have no NAT, use real IPv6 addresses, and
> provide various firewall features to protect my home network better than
> an IPv4 NAT box without preventing me from using new peer-to-peer
> protocols like SIP.

See the v6ops draft on CPE security... maybe that's a step in the right
direction? I'm sure the author would like some commentary.