DNS Attacks

Joel jaeggli joelja at bogus.com
Mon Feb 20 21:00:56 UTC 2012

On 2/20/12 09:57 , Christopher Morrow wrote:
> On Mon, Feb 20, 2012 at 10:38 AM, Tei <oscar.vives at gmail.com> wrote:
>> I am a mere user, so all this stuff sounds to me like gibberish.
>> The right solution is to capture the request to these DNS servers, and
>> send to a custom server with a static message "warning.html". Nothing
>> fancy. With a phone number to "get out of jail", so people can call
>> to "opt-out" of this thing, so can browse the internet to search for a
>> solution.
> in this case, the fbi/dns-changer case, the information is pretty
> straightforward for the isp folk... 'client machine makes dns queries
> not to the isp dns server (or one of several free dns services), but
> to a known bad set of netblocks'
> the easy fix is to just stand up (forever, ha!) dns servers on the ip
> blocks inside the ISP's network, done and done... 

given the size and distribution of the ip blocks in question I doubt
very much that they will go unused forever...

from a previous message in this thread.

  Quoting the FBI: through through through through through through

which map quite nicely to various rir prefix assignments. it's almost like
someone cribbed the whois inetnum field when they loaded their scattergun...

inetnum: -

while I have no doubt that some of those prefixes may be run by, rather
than simply host to, bad actors, if they're returned to rirs, they will
be assigned again, so a static filter policy will return to bite us
again like it always does.

> they can then start
> notifying the customers via mail/email/carrier-pigeon that they are
> infected, along with instructions about how to get un-infected.
> -chris
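The detection Chris describes (client machines sending DNS queries to a known set of resolver netblocks rather than to the ISP's own resolvers) and Joel's objection (a static filter keeps matching after the prefixes are reassigned) can be shown together in a small log-matching script. This is an added example, not code from the thread or from any ISP; every address in it is a constructed placeholder from the RFC 5737 documentation ranges, the flow-log format is invented, and the review dates on the netblock entries are hypothetical. The point it adds is that each filter entry carries an expiry: past its review date a match is reported for review only, not acted on, so a reassigned prefix does not keep generating infection notices.

```python
import ipaddress
from datetime import date

# Constructed placeholders (RFC 5737 documentation space); not real resolvers.
ISP_RESOLVERS = frozenset(ipaddress.ip_address(a) for a in ("192.0.2.53", "192.0.2.54"))

# Hypothetical "known bad" resolver netblocks, each with a review date after
# which the entry no longer triggers notifications. This is the guard against
# the prefixes being returned to an RIR and reassigned to an innocent party.
BAD_NETBLOCKS = (
    (ipaddress.ip_network("198.51.100.0/24"), date(2012, 7, 9)),    # still active
    (ipaddress.ip_network("203.0.113.0/24"), date(2011, 12, 31)),   # past review
)

# Constructed "today" used by the sample run below.
TODAY = date(2012, 2, 20)


def classify_resolver(dst, today):
    """Return 'isp', 'bad', 'stale' or 'other' for a DNS destination address."""
    dst = ipaddress.ip_address(dst)
    if dst in ISP_RESOLVERS:
        return "isp"
    for net, review_by in BAD_NETBLOCKS:
        if dst in net:
            # A match on an entry past its review date is not acted on; it is
            # surfaced so the entry can be re-verified or retired.
            return "bad" if today <= review_by else "stale"
    return "other"


def parse_flow(line):
    """Parse a constructed 'timestamp src dst dport proto' flow record.

    Returns (timestamp, src, dst) for DNS flows, None for everything else.
    """
    ts, src, dst, dport, proto = line.split()
    if dport != "53" or proto not in ("udp", "tcp"):
        return None
    return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst)


def find_infected(lines, today):
    """Map clients to the active bad resolvers they queried, and separately
    to resolvers that only matched expired entries."""
    hits, stale = {}, {}
    for line in lines:
        parsed = parse_flow(line)
        if parsed is None:
            continue
        _, src, dst = parsed
        verdict = classify_resolver(dst, today)
        if verdict == "bad":
            hits.setdefault(str(src), set()).add(str(dst))
        elif verdict == "stale":
            stale.setdefault(str(src), set()).add(str(dst))
    return hits, stale


# Constructed sample flow records: RFC 1918 clients, documentation-range resolvers.
SAMPLE_FLOWS = [
    "2012-02-20T09:57:01 10.0.0.5 192.0.2.53 53 udp",      # ISP resolver: fine
    "2012-02-20T09:57:02 10.0.0.7 198.51.100.10 53 udp",   # active bad netblock
    "2012-02-20T09:57:03 10.0.0.9 203.0.113.4 53 udp",     # expired entry: review only
    "2012-02-20T09:57:04 10.0.0.7 198.51.100.11 80 tcp",   # not DNS: ignored
    "2012-02-20T09:57:05 10.0.0.11 192.0.2.200 53 udp",    # third-party resolver: fine
]

if __name__ == "__main__":
    found, review = find_infected(SAMPLE_FLOWS, TODAY)
    for client, resolvers in sorted(found.items()):
        print(f"notify {client}: queried {', '.join(sorted(resolvers))}")
    for client, resolvers in sorted(review.items()):
        print(f"review {client}: matched expired entry for {', '.join(sorted(resolvers))}")
```

Run against the constructed records, only the client talking to the still-active netblock ends up in the notification list; the client matching the expired entry is reported separately so the operator can decide whether that prefix is still worth filtering at all.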

More information about the NANOG mailing list