DNS Changer items

Tomas L. Byrnes tomb at byrneit.net
Fri Jul 6 19:58:44 UTC 2012

I think having the ISC DNS changer sinkhole servers return the DCWG
check page IP for all queries would be a good final act.

> -----Original Message-----
> From: Andrew Fried [mailto:andrew.fried at gmail.com]
> Sent: Friday, July 06, 2012 11:16 AM
> To: Cameron Byrne
> Cc: nanog at nanog.org
> Subject: Re: DNS Changer items
> The DNS redirection began on November 8, 2011.  The servers were
> instrumented to capture a very small portion of the dns data (source
ip and
> port only) so that reports of infected users could be sent to the ISPs
> reporting organizations like Shadowserver.
> Some ISPs did create walled gardens.  Some merely redirected affected
> customers to their own internal DNS servers.  Some ISPs did aggressive
> notifications to their users.  And some ISPs did nothing.
> Sites were set up to allow users to check their systems (dns-ok.us,
etc).  The
> DCWG set up an information site to provide information on how to
> the DNSchanger infection and how to fix it.  AV companies provided
tools to
> help clean up systems, and the tools were published on the DCWG.org
> website.
> The FBI went to great lengths to get press coverage to get the word
> This operation has been ongoing for 7 months, 27 days and 14 hours.
> How much more of a graceful ramp down could there have been?
> Andy
> Andrew Fried
> andrew.fried at gmail.com
> On 7/6/12 1:52 PM, Cameron Byrne wrote:
> > So insteading of turning the servers off, would it not have been
> > helpful to have the servers return a "captive portal" type of
> > saying "hey, since you use this server, you are broken, go here to
get fixed"
> >
> > Seems that would have been a more graceful ramp down.
> >
> > CB
> >

More information about the NANOG mailing list