North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

RE: DNS Hijacking by Cox

  • From: David Schwartz
  • Date: Mon Jul 23 19:00:54 2007

> No amount of IRC redirection is going to remove bots and fix their
> compromised computers.
> ... JG

Let's not confuse two different forms of IRC redirection, one which I think
is perfectly okay and one which is definitely not okay.

In the first type, the redirection is an immediate response to a threat that
is not completely understood. Clients that connect to the target of the
redirect are studied. Legitimate clients are separated from compromised ones
as quickly as practically possible.

Legitimate clients are given a message, if possible, that the service they
are trying to use is temporarily unavailable due to a current threat. If
there is some other way they can access the service (for example, direct
entry of the IP), they are informed of that.

Compromised clients are tracked and, where possible, notified. The current
level of the threat is tracked, and when it is sufficiently minimal, the
redirect is removed.

This model is perfectly reasonable as a response to all kinds of threats.
This includes cases where a traffic has to be blocked or redirected due to a
new attack.

The second form is the one that causes a problem. In this case, no attempt
is made to study or understand the threat once a way to block it is found.
Collateral damage is ignored, no effort is made to minimize inconvenience to
legitimate users. No effort is made to notify compromised users. The filter
or redirect is left in place indefinitely, until and unless a large number
of complaints is received. The threat is not even monitored.

The filter/redirect is considered a permanent solution. While it may
officially be regarded as temporary, it is effectively left there and

Now these are two very different approaches to a threat. However, they both
can involve hijacking, filtering, or redirection. I used to work as a
consultant, helping companies negotiate contracts with ISPs. One thing I
always did was make it clear that the first type of response was perfectly
permissible, even if it harmed us, but the second was not, even if it did
not harm us.