nanog mailing list archives

Re: DNS Hijacking by Cox


From: Joe Greco <jgreco () ns sol net>
Date: Mon, 23 Jul 2007 16:03:02 -0500 (CDT)


> On Mon, 23 Jul 2007, Joe Greco wrote:
> > I can't help but notice you totally avoided responding to what I wrote;
> > I would have to take this to mean that you know that it is fundamentally
> > unreasonable to expect users to set up their own recursers to work around
> > ISP recurser brokenness (which is essentially what this is).
> >
> > > It's more reasonable to expect users to know how to remove bots and
> > > fix their compromised computers?
> >
> > No amount of IRC redirection is going to remove bots and fix their
> > compromised computers.
> >
> > ... JG

> I disagree. A lot of the compromised computers are still using the old
> versions of like Phatbot, agobot, rxbot, all of which have the remove
> commands. Placing the .remove in the subject line will effectively
> remove the bots as they join the channels. The .remove will effectively
> completely remove the bot from their computer, not everything else, but
> at least that bot instance is done. It's one way a lot of IRC networks get
> rid of the botnets started on their networks; simply G-lining them
> causes them to keep trying to reconnect. Granted, it won't stop the more
> experienced script kiddies, but it will certainly stop the ones who use
> the preconfigured scripts because they don't know what the source code
> means. As many have said, this is more about numbers: the number of
> infected computers within their network used to DDoS and spam compared
> to the number of legitimate IRC users. Unfortunately the number of
> zombies outweighs the good.

Disagree all you want, but once a box is compromised, it is compromised.
You can never really know what's happened on the box, and removing the
obvious sign that the box is compromised is curing the symptom, not the
ill.  That's not actually a fix, though I fully expect that someone here
will argue otherwise.

If this is so effective, wouldn't it have been a better idea to work with
the folks at irc.vel.net to do this on their end?  Global benefit and
all, AND it would not be stealing someone else's domain name in order to
do this.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.