RE: DNS Changer items

["Tomas L. Byrnes" <tomb () byrneit net>]

For anyone who wants to find any hosts behind their firewall that are
still infected, you can post a firewall log into our public site, and
we'll call out all attempts to contact the sinkhole servers (with the
internal IPs), assuming you log outbound DNS or all connections.

http://www.threatstop.com/dnschanger


We've been doing this for subscribers (including free community ones)
since we got the sinkhole IPs from Andrew @ SIE/MAAWG.



> -----Original Message-----
> From: Eric J Esslinger [mailto:eesslinger () fpu-tn com]
> Sent: Friday, July 06, 2012 11:10 AM
> To: 'nanog () nanog org'
> Subject: RE: DNS Changer items
>
> We verified one a while back, who had already had the problem fixed
when
> the FBI sent us the physical mail.  Concidering number of internet
customers
> in the US vs our internet customers with known number of US subsribers
> affected at it's height, I figure if the percentages are good we've
taken care
> of several times the number of likely cases on our network with that
one
> customer.
> *wink*
> I'm told by various sources to expect similar stories on the nightly
national
> news programs tonight, with a similar 'call your isp' ending. I've
also heard the
> site IS reachable via ipv6 and they are dealing with the load issues
as we
> speak (and some people are getting through, albiet slowly).
>
> I'm pretty comfortable about my network; I've been catching dns lookup
> destinations from my users for months (not contents, just destination
ip's)
> and the list of outside addresses covers most of the well know public
dns
> servers (open dns, google, etc...) with the exception of a handful
that seem
> to be running their own full blown recursive caching servers, which go
> everywhere looking for authoritative lookups. (One I knew about, he
> complains because I won't allow his basic cable account act as an open
server
> for his DNS when he's out of town. If he wants a static IP I can
arrange
> opening the port, till then... He is always welcome to VPN into his
home
> network as well.)
>
> Been having callers look up their IP, then checking the query logs to
see if
> they hit our dns servers. So far I'm at 100%
>
> I thought of whipping up a script for my recursive DNS servers to
setup a
> webpage to let them see if they were accessing those servers, but I
just
> don't have time right now (fiscal year just started and everyone wants
their
> projects done 'now'.)
>
> Addendum: Site appears up and fast now. So that's something anyway.
>
> __________________________
> Eric Esslinger
> Information Services Manager - Fayetteville Public Utilities
http://www.fpu-
> tn.com/
> (931)433-1522 ext 165
>
>
>
> > -----Original Message-----
> > From: Merike Kaeo [mailto:kaeo () merike com]
> > Sent: Friday, July 06, 2012 1:06 PM
> > To: Cameron Byrne
> > Cc: nanog () nanog org
> > Subject: Re: DNS Changer items
> >
> >
> > The ISPs who have been proactive in mitigating and redirecting have
> > been/are doing this.  (global reach here)
> >
> > The court ordered DNS servers have been up since Nov 9th and lots of
> > outreach done....the intent was a graceful ramp down.
> >  Sadly, the state of folks helping with overall malware cleanup is
> > still lots of finger pointing.
> >
> > FUD with press and over sensationalism not helping.
> >
> > - merike
> >
> >
> > On Jul 6, 2012, at 10:52 AM, Cameron Byrne wrote:
> >
> > > So insteading of turning the servers off, would it not have been
> > > helpful to have the servers return a "captive portal" type
> > of reponse
> > > saying "hey, since you use this server, you are broken, go
> > here to get
> > > fixed"
> > >
> > > Seems that would have been a more graceful ramp down.
> > >
> > > CB
>
> This message may contain confidential and/or proprietary information
and is
> intended for the person/entity to whom it was originally addressed.
Any use
> by others is strictly prohibited.