North American Network Operators Group


Re: DNS Hijacking by Cox

  • From: Perry Lorier
  • Date: Mon Jul 23 09:38:03 2007


James Hess wrote:

On 7/22/07, Steven M. Bellovin <[email protected]> wrote:


I would suggest not underestimating the ingenuity and persistence of the bad guys to escalate the neverending war when a new weapon is invented to use against them. If there's a way around it, history has shown, the new weapon quickly becomes worthless; you get to use it maybe for a month or two.


With my Undernet admin hat on, we have regular issues with botnets and the like for years and probably will for the foreseeable future.

In my personal experience we see a new "crop" of script kiddies about every 6 months to a year. Generally they start with whatever publicly available tools they can get their hands on, and thus obvious tactics work well against them at this stage. However, they soon learn to customize their bots to evade detection, some more successfully than others. Many of those then are persistent well after the original bot runner has gone back to school and given up on the bots.

We have services detecting botnets in real time, and they just scroll past generally faster than you want to think about it (at least one a second).

While I fully support people deciding to clean up their corner of the Internet, I'm not sure that this is the most effective way for Cox to be doing it [1]. If you're interested in finding people that Undernet detects as being open proxies or suchlike, put an IDS rule looking for ":[^ ]* 465 [^ ]* :AUTO ".

The interesting question is what to do about it. We can ban them, but they just either move them to another network, or disguise them to make them harder to find and ban [2]. Also, the constant reconnects themselves can almost overwhelm a server. I almost want to submit patches to the botnet codebases to implement exponential back off, or in fact /any/ kind of reasonable delay between connection attempts.

We try reporting them to [email protected] contacts; generally good [email protected] contacts don't have many (any?) drones to report, and bad [email protected] contacts don't appear to care that they're causing others issues.

So what would people on this list suggest we do?

----
[1]: On the other hand, if you are someone at Cox who knows what's going on with this dronetrap thing, send me an email; I'm interested in discussing how you can improve your dronetrap. I have ideas.
[2]: This is not to say we don't ban them, we do -- it's the only reasonable thing we've found to do.


As I also believe in trying to post interesting/useful facts to this list, a quick grep shows the current worst offenders (grouped by /24) being:
89.40.17.0/24, 89.40.18.0/24, 89.40.16.0/24, 208.98.39.0/24, 65.188.46.0/24, 195.144.253.0/24, 196.211.173.0/24, 66.178.177.0/24, 205.144.218.0/24, 65.188.43.0/24
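The IDS rule quoted in the post, turned into a small log-scanning script that also groups hits by /24 the way the "worst offenders" list does. This is an added example, not code from Undernet, Cox or the poster; the log format (a client IP followed by the raw IRC server line) and all addresses in it are constructed for the demonstration.

```python
import re
import ipaddress
from collections import Counter

# The pattern from the post: an IRC numeric 465 (ERR_YOUREBANNEDCREEP) whose
# trailing text starts with "AUTO", which is how Undernet marks its automatic
# bans of detected drones and open proxies.
AUTO_BAN_RE = re.compile(r":[^ ]* 465 [^ ]* :AUTO ")

# Constructed sample log: "<client_ip> <raw IRC line sent to that client>".
# The format, hostnames and addresses are assumptions for this example.
SAMPLE_LOG = """\
192.0.2.10 :irc.example.net 001 nick :Welcome to the Internet Relay Network
192.0.2.17 :irc.example.net 465 nick :AUTO You are banned from this server - open proxy
192.0.2.33 :irc.example.net 465 nick :AUTO You are banned from this server - drone
198.51.100.5 :irc.example.net 465 nick :You are banned from this server (manual)
192.0.2.17 :irc.example.net 465 nick :AUTO You are banned from this server - open proxy
203.0.113.9 PING :irc.example.net
"""


def auto_banned_hosts(log_text):
    """Return the client IPs (in order, with repeats) that received an AUTO 465 ban."""
    hits = []
    for line in log_text.splitlines():
        ip, _, irc_line = line.partition(" ")
        # Only the IRC payload is matched, so a stray "AUTO" in the IP column cannot fire.
        if AUTO_BAN_RE.search(irc_line):
            hits.append(ip)
    return hits


def count_by_slash24(ips):
    """Aggregate hits per /24 so repeat offenders in one block stand out."""
    counts = Counter()
    for ip in ips:
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        counts[str(net)] += 1
    return counts


if __name__ == "__main__":
    for net, n in count_by_slash24(auto_banned_hosts(SAMPLE_LOG)).most_common():
        print(f"{net}\t{n}")
```

A manual 465 without the ":AUTO " prefix (the 198.51.100.5 line) is deliberately not counted, matching the rule as posted.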