DNS Changer items

• Previous message (by thread): DNS Changer items
• Next message (by thread): DNS Changer items
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Cameron,

That idea had been brought up.  Also discussed was short durations of
random blackouts of dns resolution to impress upon the infected users
that they needed to take action.  Unfortunately, taking either of those
actions would have exceeded the authorization of the court order.

We're coming up with a pretty detailed list of "lesson's learned" from
this operation and being able to implement ideas like yours will
hopefully be considered in advance "next time".

Andy

Andrew Fried
andrew.fried at gmail.com


On 7/6/12 3:58 PM, Tomas L. Byrnes wrote:
> I think having the ISC DNS changer sinkhole servers return the DCWG
> check page IP for all queries would be a good final act.
> 
>> -----Original Message-----
>> From: Andrew Fried [mailto:andrew.fried at gmail.com]
>> Sent: Friday, July 06, 2012 11:16 AM
>> To: Cameron Byrne
>> Cc: nanog at nanog.org
>> Subject: Re: DNS Changer items
>>
>> The DNS redirection began on November 8, 2011.  The servers were
>> instrumented to capture a very small portion of the dns data (source
> ip and
>> port only) so that reports of infected users could be sent to the ISPs
> via
>> reporting organizations like Shadowserver.
>>
>> Some ISPs did create walled gardens.  Some merely redirected affected
>> customers to their own internal DNS servers.  Some ISPs did aggressive
>> notifications to their users.  And some ISPs did nothing.
>>
>> Sites were set up to allow users to check their systems (dns-ok.us,
> etc).  The
>> DCWG set up an information site to provide information on how to
> detect
>> the DNSchanger infection and how to fix it.  AV companies provided
> tools to
>> help clean up systems, and the tools were published on the DCWG.org
>> website.
>>
>> The FBI went to great lengths to get press coverage to get the word
> out.
>>
>> This operation has been ongoing for 7 months, 27 days and 14 hours.
>>
>> How much more of a graceful ramp down could there have been?
>>
>> Andy
>>
>> Andrew Fried
>> andrew.fried at gmail.com
>>
>>
>> On 7/6/12 1:52 PM, Cameron Byrne wrote:
>>> So insteading of turning the servers off, would it not have been
>>> helpful to have the servers return a "captive portal" type of
> reponse
>>> saying "hey, since you use this server, you are broken, go here to
> get fixed"
>>>
>>> Seems that would have been a more graceful ramp down.
>>>
>>> CB
>>>
>>
> 

• Previous message (by thread): DNS Changer items
• Next message (by thread): DNS Changer items
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]