Vixie warns: DNS Changer ‘blackouts’ inevitable

Leo Bicknell bicknell at ufp.org
Thu May 31 15:51:41 UTC 2012


In a message written on Thu, May 31, 2012 at 08:14:40AM -0500, cncr04s/Randy wrote:
> Exactly how much can it cost to serve up those requests... I mean for
> 9$ a month I have a cpu that handles 2000 *Recursive* Queries a
> second. 900 bux could net me *200,000* a second if not more.
> The government overspends on a lot of things.. they need someone who's
> got the experience to use a bunch of cheap servers for the resolvers
> and a box that hosts the IPs used and then distributes the query
> packets.

The interesting bit with DNSChanger isn't serving up the requests,
but the engineering to do it in place.  Remember, all of the clients
are pointed to specific IP addresses by the malware.

The FBI comes in and takes all the servers because they are going
to be used in the court case, and then has to pay someone to figure
out how to stand a service back up at the exact same IP's serving
those infected clients in a way they won't notice.  This includes
working with the providers of the IP Routing, IP Address
blocks, colocation space and so on to keep providing the service.

In this case it was also pre-planned to be nearly seamless so that
end users would not see any down time, and the servers had to be
fully instrumented to capture all of the infected client IP addresses
and report them to various parties for remediation, including further
evidence to the court for the legal proceedings.  The FBI also had
to convince a judge this was the right thing to do, so I'm sure
someone had to pay some experts to explain all of this to a judge
to make it happen.

I suspect the cost of the hardware to handle the queries is negligible;
I doubt that, of all the money spent, more than a few thousand dollars
went to the hardware.  It seems like the engineering and coordination
was rather significant here, and I'll bet that's where all the money
was spent.

-- 
       Leo Bicknell - bicknell at ufp.org - CCIE 3440
        PGP keys at http://www.ufp.org/~bicknell/
