DNS Changer items
Tomas L. Byrnes
tomb at byrneit.net
Fri Jul 6 19:58:44 UTC 2012
I think having the ISC DNS changer sinkhole servers return the DCWG
check page IP for all queries would be a good final act.
> -----Original Message-----
> From: Andrew Fried [mailto:andrew.fried at gmail.com]
> Sent: Friday, July 06, 2012 11:16 AM
> To: Cameron Byrne
> Cc: nanog at nanog.org
> Subject: Re: DNS Changer items
> The DNS redirection began on November 8, 2011. The servers were
> instrumented to capture a very small portion of the dns data (source
> port only) so that reports of infected users could be sent to the ISPs
> reporting organizations like Shadowserver.
> Some ISPs did create walled gardens. Some merely redirected affected
> customers to their own internal DNS servers. Some ISPs did aggressive
> notifications to their users. And some ISPs did nothing.
> Sites were set up to allow users to check their systems (dns-ok.us,
> DCWG set up an information site to provide information on how to
> the DNSchanger infection and how to fix it. AV companies provided
> help clean up systems, and the tools were published on the DCWG.org
> The FBI went to great lengths to get press coverage to get the word
> This operation has been ongoing for 7 months, 27 days and 14 hours.
> How much more of a graceful ramp down could there have been?
> Andrew Fried
> andrew.fried at gmail.com
> On 7/6/12 1:52 PM, Cameron Byrne wrote:
> > So instead of turning the servers off, would it not have been
> > helpful to have the servers return a "captive portal" type of
> > saying "hey, since you use this server, you are broken, go here to
> > Seems that would have been a more graceful ramp down.
> > CB
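
The "return the check page IP for all queries" idea from the top of this thread, sketched as an added example; it is not part of the original messages and not ISC's or DCWG's code. PORTAL_IP is a placeholder documentation address, and make_query, question_end and build_reply are hypothetical names.

```python
import socket
import struct

PORTAL_IP = "192.0.2.80"  # placeholder from TEST-NET-1, not the real check-page address

def make_query(name, qtype, qid=0x1234):
    """Constructed sample input: a one-question, recursion-desired query."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)

def question_end(msg):
    """Offset just past the first question (QNAME, QTYPE, QCLASS)."""
    pos = 12
    while True:
        if pos >= len(msg):
            raise ValueError("truncated question")
        length = msg[pos]
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        pos += 1 + length
        if length == 0:
            break
    if pos + 4 > len(msg):
        raise ValueError("truncated question")
    return pos + 4

def build_reply(query, portal_ip=PORTAL_IP):
    """Answer any A/IN question with portal_ip; other types get an empty NOERROR."""
    if len(query) < 12:
        raise ValueError("short header")
    qid, flags, qdcount = struct.unpack("!HHH", query[:6])
    if flags & 0xF800 or qdcount != 1:
        raise ValueError("not a standard single-question query")
    end = question_end(query)
    qtype, qclass = struct.unpack("!HH", query[end - 4:end])
    answer = b""
    if (qtype, qclass) == (1, 1):
        # Owner name is a pointer to offset 12; short TTL (60 s) so the portal answer is not cached for long.
        answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + socket.inet_aton(portal_ip)
    rflags = 0x8000 | (flags & 0x0100) | 0x0080  # QR, echoed RD, RA, RCODE 0
    header = struct.pack("!HHHHHH", qid, rflags, 1, 1 if answer else 0, 0, 0)
    return header + query[12:end] + answer

if __name__ == "__main__":
    for qtype in (1, 28):  # A, AAAA
        print(qtype, build_reply(make_query("www.example.com", qtype)).hex())
```

Only A queries are redirected here; an AAAA query gets an empty answer, so a dual-stack client falls back to the IPv4 portal address.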