How should ISPs notify customers about Bots (Was Re: DNS Hijacking

Roland Dobbins rdobbins at cisco.com
Tue Jul 24 16:38:55 UTC 2007



On Jul 24, 2007, at 8:59 AM, Joe Greco wrote:

> But, hey, it can be done, and with an amount of effort that isn't  
> substantially different from the
> amount of work Cox would have had to do to accomplish what they did.

Actually, it requires a bit more planning and effort, especially if  
one gets into sinkholing and then reinjecting, which necessitates  
breaking out of the /32 routing loop post-analysis/-proxy.  It can  
and is done, but performing DNS poisoning with an irchoneyd setup is  
quite a bit easier.  And in terms of the amount of traffic headed  
towards the IRC servers in question - the miscreants DDoS one  
another's C&C servers all the time, so it pays to be careful what one  
sinkholes, backhauls, and re-injects not only in terms of current  
traffic, but likely traffic.

In large networks, scale is also a barrier to deployment.  Leveraging  
DNS can provide a pretty large footprint over the entire topology for  
less effort, IMHO.

Also, it appears (I've no firsthand knowledge of this, only the same  
public discussions everyone else has seen) that the goal wasn't just  
to classify possibly-botted hosts, but to issue self-destruct  
commands for several bot variations which support this functionality.

[Note:  This is not intended as commentary as to whether or not the  
DNS poisoning in question was a Good or Bad Idea, just on the delta  
of effort and other operational considerations of DNS poisoning vs.  
sinkholing/re-injection.]

Public reports say that both Cox and Time-Warner performed this activity  
nearly simultaneously; was it a coordinated effort?  Was this a one- 
time, short-term measure to try and de-bot some hosts?  Does anyone  
have any insight as to whether this exercise has resulted in less  
undesirable activity on the networks in question?

-----------------------------------------------------------------------
Roland Dobbins <rdobbins at cisco.com> // 408.527.6376 voice

        Culture eats strategy for breakfast.

                -- Ford Motor Company
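As an added illustration of the DNS-based approach discussed in this thread (example code, not from the poster or from either ISP): a resolver-side policy that answers lookups of listed C&C names with a sinkhole address and records which subscriber IP asked, which is the list an ISP would work from when notifying customers. The C&C names, sinkhole address and query-log lines are constructed placeholders.

```python
# Added example, not from the original post. Resolver-side sinkhole policy:
# rewrite A answers for listed C&C names and record the querying subscriber
# so the ISP knows whom to notify. All names, addresses and log lines are
# constructed placeholders (RFC 5737 documentation ranges).
from collections import defaultdict

SINKHOLE_A = "192.0.2.1"                           # placeholder sinkhole address
CNC_ZONES = {"cnc.example", "irc.botnet.example"}  # placeholder C&C names

# Constructed resolver query log, one "client qtype qname" record per line.
SAMPLE_LOG = """\
203.0.113.10 A irc.botnet.example.
203.0.113.10 A www.example.org.
203.0.113.44 AAAA update.cnc.example.
203.0.113.44 A notcnc.example.
"""

def is_cnc_name(qname):
    """True if qname equals or is a subdomain of a listed C&C zone."""
    labels = qname.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in CNC_ZONES for i in range(len(labels)))

def parse_query_log(text):
    """Yield (client, qtype, qname) from the log; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        client, qtype, qname = parts
        yield client, qtype.upper(), qname.rstrip(".").lower()

def apply_policy(text):
    """Return (answers, suspects).

    answers:  {(client, qname): address} -- the sinkhole address for A queries
              of C&C names, None when the query resolves normally.
    suspects: {client: set of C&C names it looked up} -- the notification list.
    """
    answers = {}
    suspects = defaultdict(set)
    for client, qtype, qname in parse_query_log(text):
        if not is_cnc_name(qname):
            answers[(client, qname)] = None
            continue
        suspects[client].add(qname)
        # Only A answers are rewritten; other types are recorded but not altered.
        answers[(client, qname)] = SINKHOLE_A if qtype == "A" else None
    return answers, dict(suspects)
```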
