nanog mailing list archives
RE: DNS Hijacking by Cox
From: "Raymond L. Corbin" <rcorbin () hostmysite com>
Date: Sun, 22 Jul 2007 22:19:17 -0400
> I'm still unsure that this is either a good idea or a bad idea... changing the DNS can only help until the bots start connecting directly to IP addresses. Then where do we go? NAT those connections to elsewhere? It's one of those lovely arms races where things just get more and more invasive.

I don't foresee the programming of IP addresses instead of IP addresses. Because if/when they are found and their exploited server is shut down, their dedicated server turned off for AUP violations etc., they will lose access to all of the bots set to that IP address. This happens a lot and when it does they simply change the DNS.
> And these people have been flamed senseless. I like to think of it as a case of the work the blocklists do is excellent and saves many a network from being overrun by spam - however there is always collateral damage from things like this. The good far outweighs the bad however.

I agree. They are at least trying to clean up their network. If they are having a lot of problems with zombie bots that DDoS / Spam then this is a good way to stop it, for now. The small group of users can either use other nameservers or something like psybnc to connect if they want to get on IRC.

Raymond Corbin
Support Analyst
HostMySite.com

-----Original Message-----
From: owner-nanog () merit edu [mailto:owner-nanog () merit edu] On Behalf Of Steven Haigh
Sent: Sunday, July 22, 2007 9:56 PM
To: nanog () merit edu
Subject: Re: DNS Hijacking by Cox

Quoting Sean Donelan <sean () donelan com>:
> On Sun, 22 Jul 2007, William Allen Simpson wrote:
>> Comcast still blocks port 25. And last week, a locally well-known person was blocked from sending outgoing port 25 email to their servers from her home Comcast service.
>
> MSA port 587 is only 9 years old. I guess it takes some people longer than others to update their practices. Based on what I know of how Comcast's abuse systems implement their port 25 restrictions, I think it is extremely unlikely it was based on other people having her address in their Outlook programs.
Indeed. There's just not enough info to make anything but wild guesses about this.
> Some people complain ISPs refuse to take action about abuse and compromised computers on their networks. On the other hand, people complain when ISPs take action about abuse and compromised computers on their networks. ISPs are pretty much damned if they do, and damned if they don't.
Gotta love the techie world :)
> Several ISPs have been redirecting malware using IRC to "cleaning" servers for a couple of years trying to respond to the massive number of bots. On occasion they pick up C&C server which also contains some "legitimate" uses. Trying to come up with a good cleaning message for each protocol can be a challenge.
I'm still unsure that this is either a good idea or a bad idea... changing the DNS can only help until the bots start connecting directly to IP addresses. Then where do we go? NAT those connections to elsewhere? It's one of those lovely arms races where things just get more and more invasive. In the short term, it's a good thing - the amount of spam I get from their network has halved - which is great - however in the long term, the writers of this crudware will find another way to do business (web? ftp?).
> Yes, false positives and false negatives are always an issue. People running several famous block lists for spam and other abuse also made mistakes on occasion.
And these people have been flamed senseless. I like to think of it as a case of the work the blocklists do is excellent and saves many a network from being overrun by spam - however there is always collateral damage from things like this. The good far outweighs the bad however.

--
Steven Haigh
Email: netwiz () crc id au
Web: http://www.crc.id.au
Phone: (03) 9017 0597 - 0404 087 474