nanog mailing list archives
RE: DNS Changer items
From: "Tomas L. Byrnes" <tomb () byrneit net>
Date: Fri, 6 Jul 2012 14:23:34 -0700
For anyone who wants to find any hosts behind their firewall that are still infected, you can post a firewall log into our public site, and we'll call out all attempts to contact the sinkhole servers (with the internal IPs), assuming you log outbound DNS or all connections. http://www.threatstop.com/dnschanger We've been doing this for subscribers (including free community ones) since we got the sinkhole IPs from Andrew @ SIE/MAAWG.
-----Original Message-----
From: Eric J Esslinger [mailto:eesslinger () fpu-tn com]
Sent: Friday, July 06, 2012 11:10 AM
To: 'nanog () nanog org'
Subject: RE: DNS Changer items

We verified one a while back, who had already had the problem fixed when the FBI sent us the physical mail. Considering the number of internet customers in the US vs. our internet customers, with the known number of US subscribers affected at its height, I figure if the percentages are good we've taken care of several times the number of likely cases on our network with that one customer. *wink*

I'm told by various sources to expect similar stories on the nightly national news programs tonight, with a similar 'call your ISP' ending. I've also heard the site IS reachable via IPv6 and they are dealing with the load issues as we speak (and some people are getting through, albeit slowly).

I'm pretty comfortable about my network; I've been catching DNS lookup destinations from my users for months (not contents, just destination IPs) and the list of outside addresses covers most of the well known public DNS servers (OpenDNS, Google, etc...) with the exception of a handful that seem to be running their own full blown recursive caching servers, which go everywhere looking for authoritative lookups. (One I knew about; he complains because I won't allow his basic cable account to act as an open server for his DNS when he's out of town. If he wants a static IP I can arrange opening the port; till then... He is always welcome to VPN into his home network as well.)

Been having callers look up their IP, then checking the query logs to see if they hit our DNS servers. So far I'm at 100%.

I thought of whipping up a script for my recursive DNS servers to set up a webpage to let them see if they were accessing those servers, but I just don't have time right now (fiscal year just started and everyone wants their projects done 'now').

Addendum: Site appears up and fast now. So that's something anyway.

__________________________
Eric Esslinger
Information Services Manager - Fayetteville Public Utilities
http://www.fpu-tn.com/
(931)433-1522 ext 165

-----Original Message-----
From: Merike Kaeo [mailto:kaeo () merike com]
Sent: Friday, July 06, 2012 1:06 PM
To: Cameron Byrne
Cc: nanog () nanog org
Subject: Re: DNS Changer items

The ISPs who have been proactive in mitigating and redirecting have been/are doing this. (global reach here)

The court ordered DNS servers have been up since Nov 9th and lots of outreach done....the intent was a graceful ramp down.

Sadly, the state of folks helping with overall malware cleanup is still lots of finger pointing. FUD with press and over sensationalism not helping.

- merike

On Jul 6, 2012, at 10:52 AM, Cameron Byrne wrote:

So instead of turning the servers off, would it not have been helpful to have the servers return a "captive portal" type of response saying "hey, since you use this server, you are broken, go here to get fixed"? Seems that would have been a more graceful ramp down.

CB
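Two of the checks described in this thread, written out as an added example (this is not ThreatStop's service, FPU's scripts, or any code from the thread): Tomas's firewall-log scan that flags internal hosts still talking to the sinkhole addresses, and Eric's check of whether a caller's IP shows up as a client in his own resolvers' query logs. The log line formats (iptables LOG target and BIND 9 query log) and the sample lines are constructed for the example. The rogue-resolver address ranges are the ones the FBI/DCWG published for DNSChanger, which the thread itself does not list; treat them as an assumption and verify against a current source before relying on them.

```python
"""Post-DNSChanger checks an ISP or enterprise can run over its own logs.

Added example, not code from the thread, ThreatStop or FPU.
Check 1 (Tomas): scan a firewall log for outbound connections whose
  destination is in the rogue-resolver ranges (the court-ordered sinkhole
  took over those addresses) and report the internal source IPs.
Check 2 (Eric): given a subscriber's IP, confirm it appears as a client in
  the ISP's own recursive resolver query log, i.e. it is using our DNS.
"""
import ipaddress
import re

# Rogue DNSChanger resolver ranges as published by the FBI/DCWG in 2011-2012.
# Assumption: the thread does not list them; verify before use.
ROGUE_RESOLVER_NETS = [ipaddress.ip_network(n) for n in (
    "85.255.112.0/20",
    "67.210.0.0/20",
    "93.188.160.0/21",
    "77.67.83.0/24",
    "213.109.64.0/20",
    "64.28.176.0/20",
)]

# Netfilter/iptables LOG target style: "... SRC=a.b.c.d DST=e.f.g.h ..."
FW_LINE = re.compile(r"\bSRC=(?P<src>[\d.]+)\s+DST=(?P<dst>[\d.]+)")

# BIND 9 query log: "client 10.0.0.5#53214: query: example.com IN A + (10.1.1.53)"
# Newer versions insert "@0x..." and the name in parentheses; both are tolerated.
BIND_LINE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<client>[\d.]+)#\d+(?: \([^)]*\))?: query:"
)

# Constructed sample logs (not real traffic). 192.168.1.23 is the "infected"
# host; the others talk to Google DNS or an ordinary web server.
SAMPLE_FW_LOG = [
    "Jul  6 13:01:02 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=85.255.112.36 PROTO=UDP SPT=51012 DPT=53",
    "Jul  6 13:01:05 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.40 DST=8.8.8.8 PROTO=UDP SPT=40211 DPT=53",
    "Jul  6 13:02:17 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=93.188.161.9 PROTO=UDP SPT=51013 DPT=53",
    "Jul  6 13:03:00 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.77 DST=93.184.216.34 PROTO=TCP SPT=50000 DPT=80",
    "Jul  6 13:03:01 fw kernel: this line has no SRC/DST fields and is skipped",
]
SAMPLE_BIND_LOG = [
    "06-Jul-2012 13:05:11.201 client 10.20.30.40#52331: query: www.nanog.org IN A + (10.1.1.53)",
    "06-Jul-2012 13:05:12.004 client @0x7f3c2c0 10.20.30.41#49120 (fpu-tn.com): query: fpu-tn.com IN MX -E(0) (10.1.1.53)",
]


def in_rogue_ranges(ip):
    """True if ip falls in one of the rogue/sinkhole resolver ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:          # malformed address in a log line
        return False
    return any(addr in net for net in ROGUE_RESOLVER_NETS)


def find_infected_hosts(fw_log_lines):
    """Map each internal source IP to the rogue destinations it contacted.

    No port filter: the check works on 'outbound DNS or all connections',
    and a host talking to those ranges on any port is worth a look.
    """
    hits = {}
    for line in fw_log_lines:
        m = FW_LINE.search(line)
        if m and in_rogue_ranges(m.group("dst")):
            hits.setdefault(m.group("src"), set()).add(m.group("dst"))
    return hits


def resolver_clients(bind_log_lines):
    """Set of client IPs that queried our recursive resolvers."""
    return {m.group("client") for m in map(BIND_LINE.search, bind_log_lines) if m}


def customer_uses_our_resolvers(customer_ip, bind_log_lines):
    """Eric's phone check: does the caller's IP show up in our query logs?"""
    return customer_ip in resolver_clients(bind_log_lines)


if __name__ == "__main__":
    for src, dsts in sorted(find_infected_hosts(SAMPLE_FW_LOG).items()):
        print(f"{src} contacted rogue resolver(s): {', '.join(sorted(dsts))}")
    for ip in ("10.20.30.40", "10.20.30.99"):
        ok = customer_uses_our_resolvers(ip, SAMPLE_BIND_LOG)
        print(f"{ip}: {'uses our resolvers' if ok else 'not seen in query log'}")
```

A host that queries the sinkhole ranges once after a clean-up is not necessarily still infected (cached resolver settings, a laptop that roams), so the firewall check is best run over a day or more of logs and read as a list of machines to call, not a verdict. The query-log check has the opposite caveat: a customer behind NAT or using a third-party resolver (OpenDNS, Google) will not appear and is not thereby infected.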