North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Hey, SiteFinder is back, again...

  • From: Bill Stewart
  • Date: Mon Nov 05 12:46:57 2007
  • Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=beta; h=domainkey-signature:received:received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; bh=pFYCXCORpSRsTUx6wSCmolayz5MXNFcG5ta/QrYFgyU=; b=gGqkHViNuqoOZ2/XK2lWuqiyrbewfwnq9w67zdpLY5qV/i9FJA+/VLD4pRHbFcEZwVhnVRXcWom+F6GNLFZJWZner5R4yUwB+jp8qkN/dOa36/yYwtoZ4wKAA3v/k/ds5JBtAU1MTNWBCdAFas2JCISLt/XAlT19b1cXQYwnwqo=
  • Domainkey-signature: a=rsa-sha1; c=nofws;; s=beta; h=received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=YeJwa0OBNkqzBtojtQunbBPqlgFBL5pOZgXTOHvFLXFW3+OiL0d0JnVNl6S/p7a5LQCRGwCJS+Csx+VP/TXATv/xIBxEtp3jDIzf5eaw0y05IRd8dJM4ghH1POFCT9t7Cy2Rgq4TiSrqHZM70OFK6LlA8ReNr8Oj88fBzYPk+mI=

When Verisign hijacked the wildcard DNS space for .com/.net, they
encoded the Evil Bit in the response by putting Sitefinder's IP
address as the IP address.  In theory you could interpret that as
damage and route around it, or at least build ACLs to block any
traffic to that IP address except for TCP/80 and TCP/UDP/53.  But if
random ISPs are going to do that at random locations in their IP
address space, and possibly serve their advertising from servers that
also have useful information, it's really difficult to block.

Does anybody know _which_ protocols Verizon's web-hijacker servers are
supporting?  Do they at least reject ports 443, 22, 23, etc.?

In contrast, Microsoft's IE browser responds to DNS no-domain
responses by pointing to a search engine, and I think the last time I
used IE it let you pick your own search engine or turn it off if you
didn't like MS's default.  That's reasonable behaviour for an
application, though it's a bit obsequious for my taste.