nanog mailing list archives
Re: DNS Hijacking by Cox
From: Perry Lorier <perry () coders net>
Date: Tue, 24 Jul 2007 01:30:09 +1200
James Hess wrote:
> On 7/22/07, Steven M. Bellovin <smb () cs columbia edu> wrote:
>
> I would suggest not underestimating the ingenuity and persistence of the bad guys to escalate the never-ending war, when a new weapon is invented to use against them. If there's a way around it, history has shown, the new weapon quickly becomes worthless; you get to use it maybe for a month or two.

With my Undernet admin hat on, we have had regular issues with botnets and the like for years and probably will for the foreseeable future.
In my personal experience we see a new "crop" of script kiddies about every 6 months to a year. Generally they start with whatever publicly available tools they can get their hands on, and thus obvious tactics work well against them at this stage. However, they soon learn to customize their bots to evade detection, some more successfully than others. Many of those then are persistent well after the original bot runner has gone back to school and given up on the bots.
We have services detecting botnets in realtime and they just scroll past generally faster than you want to think about it (at least one a second).
While I fully support people deciding to clean up their corner of the Internet, I'm not sure that this is the most effective way for Cox to be doing it[1]. If you're interested in finding people that Undernet detects as being open proxies or such like, put an IDS rule looking for ":[^ ]* 465 [^ ]* :AUTO ".
The interesting question is what to do about it. We can ban them, but they just either move them to another network, or disguise them to make them harder to find and ban.[2] Also, the constant reconnects themselves can almost overwhelm a server. I almost want to submit patches to the botnet codebases to implement exponential back-off, or in fact /any/ kind of reasonable delay between connection attempts.
We try reporting them to abuse@ contacts; generally good abuse@ contacts don't have many (any?) drones to report, and bad abuse@ contacts don't appear to care that they're causing others issues.
So what would people on this list suggest we do?

----
[1]: On the other hand, if you are someone at Cox that knows what's going on with this dronetrap thing, send me an email; I'm interested in discussing how you can improve your dronetrap. I have ideas.
[2]: This is not to say we don't ban them, we do -- it's the only reasonable thing we've found to do.
As I also believe in trying to post interesting/useful facts to this list, a quick grep shows the current worst offenders (grouped by /24) being: 89.40.17.0/24, 89.40.18.0/24, 89.40.16.0/24, 208.98.39.0/24, 65.188.46.0/24, 195.144.253.0/24, 196.211.173.0/24, 66.178.177.0/24, 205.144.218.0/24, 65.188.43.0/24
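An added example (not code from the post or from Undernet) showing the IDS rule quoted above applied to server-to-client IRC lines, with hits tallied per /24 the way the worst-offender list is grouped. It assumes the IDS records the client address as the flow destination; the addresses, hostnames and nicks in the sample are constructed.

```python
import ipaddress
import re
from collections import Counter

# The rule from the post, applied to the server-to-client payload. IRC numeric
# 465 is the "you are banned" reply; a reason starting with "AUTO " marks an
# automatic (open-proxy/drone) ban rather than an operator-issued one.
AUTO_BAN_RULE = re.compile(r":[^ ]* 465 [^ ]* :AUTO ")

# Constructed sample flows as (client IP the reply went to, server payload).
# Addresses are from documentation ranges; nothing here is a real capture.
SAMPLE_FLOWS = [
    ("192.0.2.12",    ":irc.example.net 465 bot2231 :AUTO [1] You are banned from this server"),
    ("192.0.2.200",   ":irc.example.net 465 bot9811 :AUTO [1] You are banned from this server"),
    ("198.51.100.5",  ":irc.example.net 465 bot0042 :AUTO [2] You are banned from this server"),
    ("198.51.100.7",  ":irc.example.net 465 jsmith :K-lined: abuse, contact kline@example.net"),
    ("198.51.100.9",  ":irc.example.net 001 jsmith :Welcome to the Internet Relay Network"),
    ("203.0.113.4",   ":other.example.org 465 bot5150 :AUTO [1] You are banned from this server"),
]


def is_auto_ban(payload):
    """True when the payload matches the post's IDS rule (an automatic ban)."""
    return AUTO_BAN_RULE.search(payload) is not None


def banned_nick(payload):
    """Nick the automatic ban was addressed to, or None for non-matching lines."""
    m = re.match(r":[^ ]* 465 ([^ ]*) :AUTO ", payload)
    return m.group(1) if m else None


def offenders_by_24(flows):
    """Count AUTO-ban hits per /24 containing the client address.

    Returns [(prefix, hits), ...] with the most-hit prefixes first, which is
    the same grouping as the post's worst-offender list.
    """
    counts = Counter()
    for client_ip, payload in flows:
        if is_auto_ban(payload):
            net = ipaddress.ip_network(f"{client_ip}/24", strict=False)
            counts[str(net)] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for prefix, hits in offenders_by_24(SAMPLE_FLOWS):
        print(f"{prefix:18s} {hits}")
```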