Is there any valid reason not to black hole those /32s on the back bone?
you wanted to say "blackhole those 5.45.72.0/22 and 5.45.76.0/22", aren't you?
Cheers
Jay is right, it is just the /32s at the moment... Dropping the /22s
could cause other sites to be blocked.
inetnum: 5.45.72.0 - 5.45.75.255
netname: INFERNO-NL-DE
descr: ********************************************************
descr: * We provide virtual and dedicated servers on this Subnet.
descr: *
descr: * Those services are self managed by our customers
descr: * therefore, we are not using this IP space ourselves
descr: * and it could be assigned to various end customers.
descr: *
descr: * In case of issues related with SPAM, Fraud,
descr: * Phishing, DDoS, portscans or others,
descr: * feel free to contact us with relevant info
descr: * and we will shut down this server: abuse@3nt.com
descr: ********************************************************
country: NL
admin-c: TNTS-RIPE
tech-c: TNTS-RIPE
status: ASSIGNED PA
mnt-by: MNT-3NT
mnt-routes: serverius-mnt
source: RIPE # Filtered
Andrew Latham wrote:
Why want to swing such a big hammer. Even blocking those 2 IP's will
isolate your users, and fill your support queue's.
Set up a DNS server locally to reply to those IP's Your customers stay up
and running and blissfully unaware.
Log the IP's hitting your DNS servers on those IP and have your support
reach out to them in a controlled way, or reply to any request via DNS
with an internal host that has a web page explaining what is broken and how
they can fix it avoiding at least some of the calls to your helpdesk.
-jim
Davide, you are correct, some people are assuming that the provider is
doing nothing. That has yet to be determined.
Two words: "DNS Changer". What did we learn from that?
Jim's right, of course. In my defense, it *was* 9 am, and I hadn't had
any caffeine yet. ;-}
Cheers,
-- jra
When the malicious DNS services get shutdown you will still have your
support queue's filled, anyway.
Doing it now will let you identify those affected. Blockage doesn't have
to be all-or-nothing. It can be incremental, selective or all-or-nothing
on some time windows.
Better now than later.
Until the average user's cpe is only permitted to use the resolvers one has provided as the provider (or otherwise decided are OK), this is going to be a game of whackamole. So long as there's an 'I have a clue' opt out, it appears to be the way forward to resolve this issue. Shutting down one set of 'bad resolvers' will simply cause a new set to be spawned, and a reinfection run round the still-unpatched cpe's of the world.
Thanks
+1. Local network resolvers/trusted providers (Google 8.8., OpenDNS),
"Clue Opt Out" switch available if needed.
No. That is still just treating symptoms, and not the disease.
This also creates an unacceptable annoyance for the most slightly technical
user who needs to troubleshoot any DNS problems with their domains.
When the ISP's nameservers are blocked, the script kiddies will set up a
tunnel, or configure the DNS client to use a different UDP port number for
DNS resolution, or adjust the router firmware to run tcpdump and
upload session data to/from interesting web destinations, to a hostname
on port 80.
My thoughts exactly. Some walled gardens set up in those instances.
And don't blindly follow someone's advice without looking at impacts to your
networks.
CPE devices are just a huge cesspool. Any device that already doesn't let you
change username 'admin' is off to a bad start. We have to get these supposedly
'plug it in and never touch it' devices to be better at firmware upgrades.
- merike
I don¹t know that they have a lot of motivation to support ³legacy² access
points. The home brew guys tend to magically ³find² ways to install
software on these POS CPE AP/Router combos, which I don¹t think is a
coincidence. The linksys types of the world want to sell more routers, not
make routers that suddenly have an amazing 8 year shelf life. Most people
get tired of that POS box that gives them internet not working, and buy a
new LESS POS with whatever 802.xxx of the week/month/year/shopping season.
The margins probably really suck if you support a piece of plastic longer
than __ months, so I doubt you¹ll see anyone supporting their cheap box
any time soon. I bet if you offered them a way to do it for free, they¹d
look at it 
CPE devices are just a huge cesspool. Any device that already doesn't let you change username 'admin' is off to a bad start. We have to get these supposedly 'plug it in and never touch it' devices to be better at firmware upgrades.
* wbailey@satelliteintelligencegroup.com (Warren Bailey) [Tue 04 Mar 2014, 21:00 CET]:
I don't know that they have a lot of motivation to support "legacy" access points. The home brew guys tend to magically "find" ways to install software on these POS CPE AP/Router combos, which I don't think is a coincidence. The linksys types of the world want to sell more routers, not make routers that suddenly have an amazing 8 year shelf life. Most people get tired of that POS box that gives them internet not working, and buy a new LESS POS with whatever 802.xxx of the week/month/year/shopping season. The margins probably really suck if you support a piece of plastic longer than __ months, so I doubt you�ll see anyone supporting their cheap box any time soon. I bet if you offered them a way to do it for free, they'd look at it
Cisco tried doing this while they still owned Linksys and got huge blowback from the community, who felt that they'd lost control over their own devices and the data passing through them.
You Don't Own What You Buy, Part 15,332: Cisco Forces Questionable New Firmware On Routers | Techdirt Freeing your router from Cisco’s anti-porn, pro-copyright cloud service | Ars OpenForum (whole thread) http://blogs.cisco.com/home/update-answering-our-customers-questions-about-cisco-connect-cloud-2/
(I fixed your quotes, by the way. You may want to engage with your postmaster to unfuck your mail client's character set.)
-- Niels.
Hi.
That's a method for just temporarily managing the situation, not fixing it.
If a techie opts-out, it doesn't mean other non tech-savvy users behind
the same CPE won't go to a bad website and infect the vulnerable CPE.
Once in this situation, it is *very* difficult The clueful user to find out.
Most operators don't have an opt-out for SOHO services or it's a pain in
the $BODYPART because of the dynamic nature of the SOHO services and the
proper static identification of each user among the mass of not
tech-savvy users. I've been through that as a user.
The root of the problem is an unpatched CPE, that's right. The ISP is
responsible for fixing that in pretty much all its own SOHO networks.
It all boils down to finding the affected users and patching the CPEs.
That has the additional benefit of involving the upstream CPE vendor.
Best regards.