DNS Hijacking by Cox

Perry Lorier perry at coders.net
Mon Jul 23 13:30:09 UTC 2007


James Hess wrote:
>
> On 7/22/07, Steven M. Bellovin <smb at cs.columbia.edu> wrote:
>
> I would suggest not underestimating the ingenuity and persistence of
> the bad guys
> to escalate the neverending war, when a new weapon is invented to use
> against them.  If there's a way around it, history has shown, the new
> weapon quickly becomes  worthless, you get to use it maybe for a month 
> or two.
>
With my Undernet admin hat on, we have had regular issues with botnets and 
the like for years and probably will for the foreseeable future.

In my personal experience we see a new "crop" of script kiddies about 
every 6 months to a year.  Generally they start with whatever publicly 
available tools they can get their hands on, and thus obvious tactics 
work well against them at this stage.  However, they soon learn to 
customize their bots to evade detection, some more successfully than 
others.  Many of those then are persistent well after the original bot 
runner has gone back to school and given up on the bots.

We have services detecting botnets in realtime and they just scroll past 
generally faster than you want to think about it (at least one a second).

While I fully support people deciding to clean up their corner of the 
Internet, I'm not sure that this is the most effective way for cox to be 
doing it[1].  If you're interested in finding people that Undernet 
detects as being open proxies or such like, put an IDS rule looking for 
":[^ ]* 465 [^ ]* :AUTO ".

The interesting question is what to do about it.  We can ban them, but 
they just either move them to another network, or disguise them to make 
them harder to find and ban.[2]  Also, the constant reconnects themselves 
can almost overwhelm a server.  I almost want to submit patches to the 
botnet codebases to implement exponential back off, or in fact /any/ kind 
of reasonable delay between connection attempts.

We try reporting them to abuse@ contacts, generally good abuse@ contacts 
don't have many (any?) drones to report, and bad abuse@ contacts don't 
appear to care that they're causing others issues.

So what would people on this list suggest we do?

----
[1]: On the other hand, if you are someone at cox who knows what's 
going on with this dronetrap thing, send me an email; I'm interested in 
discussing how you can improve your dronetrap.  I have ideas.
[2]: This is not to say we don't ban them, we do -- it's the only 
reasonable thing we've found to do.

As I also believe in trying to post interesting/useful facts to this 
list a quick grep shows the current worst offenders (grouped by /24) being:
89.40.17.0/24, 89.40.18.0/24, 89.40.16.0/24, 208.98.39.0/24, 
65.188.46.0/24, 195.144.253.0/24, 196.211.173.0/24, 66.178.177.0/24, 
205.144.218.0/24, 65.188.43.0/24
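The post suggests an IDS rule matching ":[^ ]* 465 [^ ]* :AUTO " (an IRC numeric 465 reply whose trailing text starts with "AUTO") and then lists the worst offenders grouped by /24. The following is an added example, not code from the post or from Undernet: it applies that pattern to server-to-client IRC lines, shows why the unanchored form of the regex can fire on ordinary channel chatter that happens to contain the same tokens, and aggregates the matching client addresses by /24 (and /64 for IPv6) the way the list above does. The sample records and the server name irc.example.net are constructed for the example; the exact wording after ":AUTO" on a real Undernet server is not something the post specifies.

```python
import ipaddress
import re
from collections import Counter

# The pattern exactly as given in the post.  It is unanchored, so any line
# that happens to contain "<word> 465 <word> :AUTO " will match, including a
# PRIVMSG quoting the ban text back into a channel.
LOOSE_RE = re.compile(r":[^ ]* 465 [^ ]* :AUTO ")

# Tighter variant: a server reply begins with ":<prefix> <numeric> <target> :",
# so anchor to the start of the line and require non-empty prefix and target.
STRICT_RE = re.compile(r"^:[^ ]+ 465 [^ ]+ :AUTO ")


def is_drone_ban(irc_line: str, strict: bool = True) -> bool:
    """True if the line is a numeric 465 whose reason starts with AUTO."""
    pattern = STRICT_RE if strict else LOOSE_RE
    return pattern.search(irc_line) is not None


def prefix_for(client_ip: str) -> str:
    """Aggregate IPv4 by /24 (as the post does) and IPv6 by /64."""
    addr = ipaddress.ip_address(client_ip)
    length = 24 if addr.version == 4 else 64
    return str(ipaddress.ip_network(f"{addr}/{length}", strict=False))


def worst_offenders(records, top=3, strict=True):
    """records: (client_ip, server_line) pairs as a sensor might log the
    server->client direction.  Returns [(prefix, count), ...] most-first."""
    counts = Counter()
    for client_ip, line in records:
        if is_drone_ban(line, strict=strict):
            counts[prefix_for(client_ip)] += 1
    return counts.most_common(top)


# Constructed sample of server->client lines; not real traffic.
SAMPLE = [
    ("198.51.100.17",  ":irc.example.net 465 bot3 :AUTO open proxy detected"),
    ("198.51.100.200", ":irc.example.net 465 xx9 :AUTO drone detected"),
    ("203.0.113.5",    ":irc.example.net 465 bot1 :AUTO open proxy detected"),
    # Manual ban, no AUTO marker: not a drone-trap hit.
    ("203.0.113.9",    ":irc.example.net 465 bob :You are banned from this server"),
    # Normal welcome line.
    ("192.0.2.44",     ":irc.example.net 001 alice :Welcome to the network"),
    # Channel chatter that echoes the tokens; the loose regex fires on it.
    ("192.0.2.44",     "PRIVMSG #help :see 465 foo :AUTO is what they send"),
]

if __name__ == "__main__":
    for prefix, n in worst_offenders(SAMPLE):
        print(f"{prefix}\t{n}")
```

Run as a script it prints the /24s with their hit counts; in an IDS the same regex would be applied only to the server-to-client side of port 6667/6697 flows, and the strict form is the one to deploy, since the loose form will page you on anyone pasting a ban message into a channel.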





More information about the NANOG mailing list