Vixie warns: DNS Changer ‘blackouts’ inevitable

Ridding the world of the DNS Changer is proving a long, slow process that won’t be accomplished by July 9, when the court orders granted to the FBI expire and infected users suffer their inevitable blackout. That’s the bleak warning given by BIND father and ISC founder and chair Paul Vixie to the AusCERT security conference on …

COMMENTS

This topic is closed for new posts.
  1. Herby

    Use the chocolate factory's DNS servers. A nice easy to remember IP address of 8.8.8.8 and have at it. No government intervention here!

    I won't comment about Google's intent, hopefully they follow their motto, and I trust them more than a government (take your pick!).

    1. Ilgaz

      Opendns

      I would go with opendns.com , their business plan is clear and they have more options especially for corporate.

    2. Anonymous Coward

      DNS

      That's not what the issue is here, the issue is that the DNSChanger malware took control of people's computers and pointed their DNS configuration to the rogue DNS servers.

      When the FBI shuttered the botnet they didn't want to shove X million users into the dark, who would then phone their ISP with "Internet broken".

      They have been running DNS servers in place of the criminals' ones for a while now; they can't keep funding this.

      If users knew how to change their DNS:

      1. They would

      2. They wouldn't be infected.

      1. My Alter Ego
        Stop

        Re: DNS

        I still don't understand why this is being done, actually I do. The ISPs don't want to deal with the cost of answering irate calls from their customers if the DNS servers were taken off line. It's a lot cheaper and easier to get somebody else to maintain these DNS servers and deal with the fallout.

        The DNS servers should have been shut down immediately, and the customers would then immediately know (or find out when they call their ISP) what had happened. Instead we have hundreds of thousands of PCs plodding along as usual filled with malware. Well done Paul.

        Obligatory car analogy. If I go and fill up at a petrol station selling dodgy fuel, do the police get hold of me, give me some decent fuel and explain how I can get my car fixed? Fuck no, I'm on my own as it's not their job.

    3. Anonymous Coward
      Paris Hilton

      DNS PFFFT

      I DON'T USE DNS, I JUST TYPE IN MAC ADDRESSES

      1. Big Dumb Guys Wife

        Re: DNS PFFFT

        NOW NOW HUNNY TELL THE TRUTH

        YOU JUST TYPE IN A MAC AND MY DRESSES

      2. Anonymous Coward

        Re: DNS PFFFT

        They're IP addresses, moron...

        1. Anonymous Coward

          Wooosh!

          Obvious troll is apparently not obvious enough for some people round here.

  2. Anonymous Coward

    Hey Paul, this is an opportunity

    To tell all of the people who don't understand that the Internet is not a place to be all-trusting and carefree. Perhaps the ISPs, who know exactly which customers are infected, should be asked to contact their customers prior to the cutoff date and explain to them how fucked up their computers are, and tell them how to fix it.

    Perhaps better would be for Paul to lease those dns servers for 1 week and direct every request to a page that tells the users what's about to happen and why.

    1. Salad
      Holmes

      Re: Hey Paul, this is an opportunity

      "Perhaps the ISPs, who know exactly which customers are infected, should be asked to contact their customers prior to the cutoff date and explain to them how fucked up their computers are, and tell them how to fix it."

      That's actually what we've been doing. The original article alludes to this... "Many users, Vixie said, are so untrusting and hostile that they resent being told they have a problem."

      We set up the necessary monitoring to see which of our subscribers is contacting the known bad DNS servers and are sending the IDs to Tech Support to give them a ring... but that doesn't mean they all take action! To the average Joe, their PC works fine, and they'd have to hire someone to run a virus scan (sad, I know). So they're not going to do it. I'm up in Canada but I'm sure in the USA you'd probably get people claiming it's part of their right to free speech or some nonsense.

      1. Magnus_Pym

        Re: Hey Paul, this is an opportunity

        When users get calls like "Hi, I'm Dave calling from Microsoft, we have discovered a fault with your Windows computer, etc.", it is not surprising they distrust cold calls from IT support.

      2. Wize

        Re: Hey Paul, this is an opportunity

        Rather than cutting them dead, there are a few things you can do to get everyone to fix their PCs:

        1. Contact the ISPs with a list of user IPs. Let them know they will be flooded with calls at the switch off, by their customers, unless they are proactive and contact them first. A simple letter from the ISP with "Read this or be cut off" in big letters on the front should get action by the end users.

        2. On the switch off date, don't just turn it off. Point everything at one meaty server hosting a page telling them they are infected with a list of basic steps to get themselves fixed.

        I have dealt with people who refuse to believe their PC is infected with a virus and have had to almost tie them to a chair so you can scan their PC.

        1. Anonymous Coward

          Re: "On the switch off date, don't just turn it off."

          Not a bright idea. Vixie's only not going to jail for unauthorised tampering/access because he has a court order explicitly permitting him to operate a replacement for the crooks' malicious server. If he keeps it running so much as a second past the time permitted by the court order, he'll be in contempt of court and liable to criminal hacking charges.

      3. Anonymous Coward

        Re: Hey Paul, this is an opportunity

        So tell them they're in breach of the T&C and if they don't fix it they'll be booted off.

        Did Typhoid Mary die in vain?

    2. Ilgaz

      Zombies are all documented and allowed

      If they cared about the spam reports people like me offer for free (via SpamCop.net) and spared a couple of minutes to cut off 0.01% of customers, telling them to get rid of viruses or pointing them to some service...

      It will never happen, of course. They would fire the admin in a couple of minutes if one dared.

  3. Adam White

    Doom, gloom, etc

    300,000 PCs is what percentage of the global Internet again?

  4. john jones 1
    FAIL

    Australia STILL does not have DNSSEC !

    what do you expect...

    Australia i.e. .au still has not signed its root zone...

    wake up !

    1. LaeMing
      Unhappy

      Oh, come on!

      It's Australia! The gimboids in charge are only just getting their heads around the 'moving pictures' thing.

    2. TeeCee Gold badge
      Coat

      Re: Australia STILL does not have DNSSEC !

      Maybe they just can't tell what it is yet?

    3. Anonymous Coward

      Re: Australia STILL does not have DNSSEC !

      Perhaps if the IETF provided a DNSSEC update with a picture of a sheep on it, that would make it more appealing?

      Mine's the coat with "the old jokes are the best" on it....

    4. PyLETS
      Boffin

      Re: Australia STILL does not have DNSSEC !

      Having a signed TLD is obviously a starting point. Next you need domain registrars which support DNSSEC at little or no extra cost, if many server admins are going to go through the pain of learning about it, adopting it and then maintaining it. And that's before any clients can use it.

      The fact server operators have to adopt DNSSEC before clients can use it, and most server operators probably won't until clients can use it creates a catch 22. Sometimes these are overcome, when the old infrastructure gets overstretched and starts to fail. The fact you can't get IPV4 address allocations in Asia/APNIC other than very small ones for very large networks and this is causing service deterioration is now driving IPV6 uptake 15 years after the standards were stabilised. Europe/RIPE will go into similar IPV4 address depletion mode in a few months at current allocation rates.

      So I suspect insecure DNS will have to get a fair bit worse than it currently is before many people adopt DNSSEC, though some early adopters might need DNSSEC before then for particular applications, e.g. banks distributing embedded payment client software with its own DNSSEC client implementation.

  5. P. Lee

    Moar options!

    By default, on ISP sign-up you get a little panel to control your internet with recommended settings.

    Like, block SMTP (in various manners), block DNS queries to non-ISP (all yours, those of other common ISPs, any) DNS hosts.

    You don't need to force change, you just need to start with some defaults to help the clueless.

    You can also put policy notes on the same web page as your helpdesk telephone number, such as "Your connectivity may have failed since 2am this morning. Click here to see why." and then explain the blocking rule and point to the control panel to change it back.

    1. Salad
      Windows

      Re: Moar options!

      Totally agree - just for clarity I find there are two camps that are not already doing that:

      Old school "you get the Internet, and the whole Internet!" types

      Corporate too lazy to give a shit types (such as Earthlink, I think they still allow direct SMTP outbound from public IPs)

      Really, blocking direct SMTP from the average customer is a no-brainer and best practice. On the business end it's a plus, too, to send mail you should sign up for a static IP address. Which actually makes technical sense in the world of reverse DNS and reputation-based systems. This is an easy sell to the Internet freedom die-hards as it saves a lot of trouble. You'd think it'd also be an easy sell to lazy corporates as a revenue generator... /shrug

      Optional DNS blocking sounds like a neat idea, will have to try that. Unfortunately most people can barely turn their machines on (maybe it needs a new starter?), and FWIW a lot of people seem to like services like Google and OpenDNS.

      1. itzman

        Re: Moar options!

        "blocking direct SMTP from the average customer is a no-brainer and best practice."

        So how, unless they are using a webmail, are the sods supposed to send email AT ALL.

        Really!

        1. J. Cook Silver badge
          Boffin

          Re: Moar options!

          @itzman: the ISP I use (the local cable company) blocks direct SMTP. Their procedure for sending mail is an open relay they maintain with a set of IP forwarding rules to allow hosts on their network to relay through it, but no one else. (Hence any mail I send from home has an extra set of lines in the headers, but that's fine and acceptable - the mail is still quite traceable for purposes of abuse and diagnostics.)

          That's how. HTH, HAND.

  6. kain preacher

    @P. Lee

    When I was at AT&T most of my customers wanted it to just work. No set-up, just run the internet wizard and off they go. The wizard even set up their email account in Outlook. The people that will do what you suggest, P. Lee, are not the ones that will get infected. No, you have a group of people that have this mental block when it comes to computers. If you don't set this up for them behind the scenes they will never do it.

  7. Anonymous Coward 15

    Redirect them to a message that says they're infected

    and don't allow them to do anything else until it's cleared.

    1. Anonymous Coward

      Re: Redirect them to a message that says they're infected

      Apart from letting them surf the web to find out how to fix the problem (inc. Google), connect to AV sites, download updates (multiple OSes, multiple AV vendors), etc., you mean.

      Your suggestion sounds reasonable until you realise that you need DNS to work in order to fix the problem.

      1. Anonymous Coward

        Re: Redirect them to a message that says they're infected

        So, there's what, roughly 50 days until this court order expires?

        Day 1, for 1 minute out of every 50, the DNS server returns the IP of a webserver hosting the aforementioned warning in response to any request at all, and works normally the rest of the time.

        Day 2, 2 minutes out of every 50

        Day 3, 3 minutes out of every 50

        ...

        During that period, every now and then they'll see your message popping up, ever more frequently as time goes on. Sooner or later, if they're at all capable, they'll get curious enough about what this odd thing is that keeps coming up to try reading it. It should be written, designed and laid out clearly, with a big 'Why am I seeing this' section. Note that once they start clicking around within the site, they'll stay there and be able to read it all even if the redirect drops out while they're browsing.

        And perhaps for the last week or so, to catch the last stragglers who clearly can't cope with a computer at all, you just switch it on full time and adjust the warning to simply say "Your internet is broken. Call an engineer or take your PC to a repair shop and tell them you have a virus and ask them to 'fix your DNS settings'. They'll know what that means."

        1. Androgynous Cupboard Silver badge

          Re: Redirect them to a message that says they're infected

          Yep. Personally I'm fed up with those that make an effort to "be a good internet citizen" eating a deluge of spam and worse from those that don't. I know we can't license internet users, but if someone's machine is infected and infecting others, forcing them to take an interest in disinfecting it is the first step.

          Tough love, people - sorry, but it's time for granny to suck it up and run some goddamn AV software.

  8. Rande Knight
    Devil

    Hostile?

    What did they do? Call them up and say "Hello, I'm from technical support, I'd like to remote access your..." *SLAM*.

    Certainly that's what I've done when scammers I can barely understand from India try to con me into letting them have control of my computer.

    What I would have done is block users by the final number in their IP address, one each day, so only ~1/250 would be calling their ISP each day, spreading the pain.

  9. Alex Brett

    Do it gradually?

    Surely the solution here for any competent ISP is to gradually block subsets of customers from accessing these DNS servers in stages, and handle the support calls over time rather than waiting for them all to get blocked in one go and have a deluge of phone calls to deal with...

  10. preppy

    What am I missing?

    On my (broadband) connection, all the machines on the LAN are configured to point to the router as the DNS source. After that the broadband provider sorts out the real DNS server.

    1. Sounds like I only have a problem if the broadband provider has DNS malware.

    2. Also sounds like a lot of people have their machines connected directly to their cable modem with no router/firewall to protect them. How hard can this be?

    1. itzman
      Holmes

      Re: What am I missing?

      What you are missing is that the malware would not point them at your router, but at somewhere else.

    2. Anonymous Coward

      Re: What am I missing?

      So the malware repoints your machines to a new DNS server - how would you know without looking?

    3. Lee Dowling Silver badge

      Re: What am I missing?

      Allow me to demonstrate transparent proxying for you.

      - You think you're talking DNS to 8.8.8.8 (Google's DNS server, as an example).

      - Something between your application and the outside world (router, firewall software, anything that can sniff and modify packets en route, basically, including software on the machine itself) sees that packet, looks inside, changes it to point at whatever server they want to and then sends it on its way.

      - The DNS server it sends the query to sends a reply with whatever the hell they like (including redirecting your google searches to dodgy domains, etc.). Google listen out in vain silence for your (never-going-to-arrive) packets.

      - When the reply comes back to your computer, you have ZERO idea which DNS server resolved that without checking thoroughly (which nobody does, not even web browsers accessing secure sites - DNS is assumed to be "authoritative", and only DNSSEC can fix this) but, hell, you TYPED IN www.mybank.com so it must be safe, right? (And, yes, SSL does have some fixes against this but NOTHING in the way you think - SSL is very reliant on DNS being authoritative)

      There is nothing in the world that is going to be able to detect that until DNSSEC comes along. You know how I know? I run transparent proxies in work so even though everyone "thinks" they are going to www.facebook.com via their DNS lookup (and all their laptops have different settings for DNS), they are actually ALL going via OpenDNS and the school DNS filters lookup of the address. I can even turn all their images upside down or make paypal.com look like it's bbc.co.uk if I want.

      DNS Changer literally adds itself to your Windows list of DNS servers and HACKS INTO common router models to change the settings on there too. Is your trusted DNS server that your network gives out via DHCP pointing to your broadband router at any point? 99% of home installations have a setup like that - anyone with a cable modem or ADSL router will use the modem/router as a DNS server and default gateway. This thing actually logs into your router via backdoors and changes your ROUTER settings to change the upstream servers it uses.

      When was the last time you logged into the router interface and checked the DNS it uses, seeing as " all the machines on the LAN are configured to point to the router as the DNS source"? DNS is inherently insecure, interceptible and modifiable. Don't trust it. And certainly don't trust your local network to provide it without being VERY sure that it's all clean.

      Saying that, they should just switch the damn thing off and let people moan. A few hundred thousand machines less on the Internet who are crawling with obvious malware is a GOOD thing. Their own Internet access is a secondary concern to not spreading that junk to all of us.
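      An added defender-side check (example code, not from the article or any commenter) that covers both the ISP-side monitoring Salad describes above ("see which of our subscribers is contacting the known bad DNS servers") and the advice in this post to look at which resolver your machine or router is actually configured with. The rogue resolver networks below are constructed placeholders (TEST-NET ranges), since the page lists none; the flow-record format is an assumption too.

```python
"""Flag DNSChanger-style resolver hijacking, from the endpoint and the ISP side.

Added example, not code from the article or its commenters. The rogue
networks are CONSTRUCTED placeholders, not the real published ranges.
"""
import ipaddress
import re

# Constructed placeholder list of rogue resolver networks (NOT real IoCs).
ROGUE_RESOLVER_NETS = [
    ipaddress.ip_network("203.0.113.0/24"),   # TEST-NET-3 stands in for a rogue range
    ipaddress.ip_network("198.51.100.0/24"),  # TEST-NET-2 stands in for a rogue range
]


def is_rogue_resolver(ip, nets=ROGUE_RESOLVER_NETS):
    """True if the resolver address falls inside a known rogue network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def check_resolver_config(resolvers, nets=ROGUE_RESOLVER_NETS):
    """Endpoint/router check: return the configured resolvers that are rogue.
    `resolvers` is the list the OS or the router's WAN page reports; it is
    passed in directly here so the check runs offline."""
    return [r for r in resolvers if is_rogue_resolver(r, nets)]


# Assumed ISP flow-record layout: "timestamp src_ip dst_ip dst_port proto"
FLOW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)$")


def find_infected_subscribers(flow_lines, nets=ROGUE_RESOLVER_NETS):
    """ISP side: subscriber IPs that sent DNS (port 53) traffic to a rogue net.
    Non-DNS traffic to those nets is ignored, and malformed records are skipped."""
    hits = set()
    for line in flow_lines:
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        _ts, src, dst, dport, proto = m.groups()
        if dport == "53" and proto in ("udp", "tcp") and is_rogue_resolver(dst, nets):
            hits.add(src)
    return hits


# Constructed sample flow records: two subscribers resolving via rogue nets,
# one using 8.8.8.8, one HTTP flow to a rogue net (not DNS), one bad line.
SAMPLE_FLOWS = [
    "2012-05-16T10:00:01Z 192.0.2.10 203.0.113.7 53 udp",
    "2012-05-16T10:00:02Z 192.0.2.11 8.8.8.8 53 udp",
    "2012-05-16T10:00:03Z 192.0.2.12 198.51.100.9 80 tcp",
    "2012-05-16T10:00:04Z 192.0.2.13 198.51.100.9 53 tcp",
    "garbage line",
]

if __name__ == "__main__":
    print(check_resolver_config(["203.0.113.7", "8.8.8.8"]))  # ['203.0.113.7']
    print(sorted(find_infected_subscribers(SAMPLE_FLOWS)))    # ['192.0.2.10', '192.0.2.13']
```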

      1. Anonymous Coward

        Re: What am I missing?

        AFAIK it's not really serious hacking - just using a dictionary attack of common passwords. I'll admit it'll probably catch anyone who hasn't changed the default password on many routers, though.

  11. Panix
    Mushroom

    300K computers doesn't seem like many

    Unless those 300K customers are on one ISP, which it doesn't sound that way, is it really gonna be that bad for ISPs?

    And I just say cut folks off. We've had people who won't pay their bill for one of our services but we magically get a call and an offer for payment when we turn their service off. This is after sending many late notices in the mail and several phone calls.
