CPE dns hijacking malware

Mike mike-nanog at tiedyenetworks.com
Tue Nov 12 05:56:47 UTC 2013


It appears that some of my subscribers DSL modems (which are acting as 
nat routers) have had their dns settings hijacked and presumably for 
serving ads or some such nonsense. The dns server addresses are 
statically programmed in and of the onces I have seen, they are not 
currently responsive, leading to slow page loads or 404 errors and hence 
tech support calls to my support desk. I have set up a resolver that 
will answer dns queries and have done some routing magic to re-direct 
queries sent from my customer CPE's to these hijacked dns addresses. 
This is working for the time being and affected clients don't know about 
the problem (yet).

I realise it's highly likely there are more than just the 2 addresses I 
have identified so far in the realm of dns hijackers, and so I am
I am wondering if anyone has a line on dns server addresses that have 
been used or are currently in use for dns redirecting malware. I would 
like to maybe script something so that addresses on such a list would 
automatically get dropped into a routing table pointing at my special 
dns resolver. In the future I would also likely set up some sort of web 
redirect so that any client that queries the special resolver would get 
a web page explaining they have been hijacked and how to handle it. For 
now however I just want to stem the tide and make sure clients continue 
to work and to catch as many of these as I can. Anyone ?


More information about the NANOG mailing list