North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: DNS Hijacking by Cox

  • From: Joe Greco
  • Date: Mon Jul 23 00:30:38 2007

> >I'm still unsure that this is either a good idea or a bad idea...  
> >changing the DNS can only help until the bots start connecting directly
> to >IP addresses. Then where do we go? NAT those connections to
> elsewhere? It's >one of those lovely arms races where things just get
> more and more >invasive.
> I don't foresee the programming of IP addresses instead of IP addresses.

That mainly indicates a lack of vision, including the inability to see 
what is currently going on.

> Because if/when they are found and their exploited server is shut down,
> their dedicated server turned off for AUP violations etc they will loose
> access to all of the bots set to that IP address. This happens a lot and
> when it does they simply change the DNS.

Right.  It's certainly convenient.  However, it is pretty convenient to
have a list of addresses to try (the code isn't even that hard), and so
it isn't like wiping out a single IP address is going to solve the 
problem.  In fact, it is pretty convenient to make a "downloadable 
list," so that it can be updated.  We'll even conveniently pretend that
this technology doesn't already exist.

> >And these people have been flamed senseless. I like to think of it as  
> >a case of the work the blocklists do is excellent and saves many a  
> >network from being overrun by spam - however there is always  
> >collateral damage from things like this. The good far outweighs the  
> >bad however.
> I agree. They are at least trying to clean up their network. If they are
> having a lot of problems with zombie bots that DDoS / Spam then this is
> a good way to stop it, for now. The small group of users can either use
> other nameservers or something like psybnc to connect if they want to
> get on IRC.

So where do you draw the line?

Do we start nameserving known phish domains?  Suspected phish domains?
Your competitor's web site?

The instant you start feeling that it is okay to stop providing clear
channel Internet access and start providing only a subset is the instant
that you need to do some really careful examination of what you're up to
and why.

Pure blocking is less evil than interception and redirection.  However,
blocking a known legitimate IRC site is pretty nasty.  Redirecting it
somewhere else?  Wow, that's pure evil, and I'd hope Cox gets it from
both sides.

We can break a lot of things in the name of "saving the Internet."  That
does not make it wise to do so.

... JG
Joe Greco - Network Services - Milwaukee, WI -
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.