CPE dns hijacking malware
Mike
mike-nanog at tiedyenetworks.com
Tue Nov 12 05:56:47 UTC 2013
Hi,
It appears that some of my subscribers DSL modems (which are acting as
nat routers) have had their dns settings hijacked and presumably for
serving ads or some such nonsense. The dns server addresses are
statically programmed in and of the ones I have seen, they are not
currently responsive, leading to slow page loads or 404 errors and hence
tech support calls to my support desk. I have set up a resolver that
will answer dns queries and have done some routing magic to re-direct
queries sent from my customer CPEs to these hijacked dns addresses.
This is working for the time being and affected clients don't know about
the problem (yet).
I realise it's highly likely there are more than just the 2 addresses I
have identified so far in the realm of dns hijackers, and so I am
wondering if anyone has a line on dns server addresses that have
been used or are currently in use for dns redirecting malware. I would
like to maybe script something so that addresses on such a list would
automatically get dropped into a routing table pointing at my special
dns resolver. In the future I would also likely set up some sort of web
redirect so that any client that queries the special resolver would get
a web page explaining they have been hijacked and how to handle it. For
now however I just want to stem the tide and make sure clients continue
to work and to catch as many of these as I can. Anyone?
Mike-
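The two things the post describes, finding which CPEs are sending queries to hijacker resolvers and automatically turning a list of those resolver addresses into redirect rules toward an ISP-run sinkhole resolver, as an added example that is not part of the original post or any NANOG member's code. It assumes the redirect is done with iptables DNAT on port 53 at the aggregation router (the post only says "routing magic"), and every address below is constructed from the RFC 5737 documentation ranges; the ISP resolver and sinkhole addresses are placeholders.

```python
"""Added example: spot subscriber CPEs whose DNS queries go to unexpected
resolvers, sanity-check a hijacker-resolver list, and render the rules that
send port-53 traffic for those addresses to an ISP-run sinkhole resolver.
All addresses are constructed from RFC 5737 documentation ranges."""
import ipaddress
from collections import defaultdict

# Assumed: the ISP's own resolvers. Sustained port-53 traffic from a CPE to
# anything else is a sign the CPE's DNS settings were changed.
LEGIT_RESOLVERS = {"192.0.2.53", "192.0.2.54"}
# Assumed: the "special dns resolver" the post describes.
SINKHOLE = "192.0.2.100"

# Constructed flow records: (src_cpe, dst_ip, dst_port, packets). In practice
# these come from NetFlow/sFlow or a capture on the subscriber-facing router.
SAMPLE_FLOWS = [
    ("203.0.113.10", "192.0.2.53", 53, 120),    # normal CPE
    ("203.0.113.11", "198.51.100.7", 53, 95),   # hijacked CPE, primary
    ("203.0.113.11", "198.51.100.8", 53, 40),   # hijacked CPE, secondary
    ("203.0.113.12", "192.0.2.54", 53, 80),     # normal CPE
    ("203.0.113.13", "198.51.100.7", 53, 60),   # another hijacked CPE
    ("203.0.113.14", "198.51.100.9", 53, 2),    # one-off lookup, ignored
    ("203.0.113.15", "198.51.100.7", 443, 30),  # not DNS, ignored
]


def find_rogue_resolvers(flows, legit=LEGIT_RESOLVERS, min_packets=10):
    """Return {rogue_resolver_ip: sorted list of CPE sources} for port-53
    destinations that are not the ISP's resolvers and carry at least
    min_packets from one CPE (filters out a single stray lookup)."""
    per_dst = defaultdict(set)
    for src, dst, port, pkts in flows:
        if port != 53 or dst in legit or pkts < min_packets:
            continue
        per_dst[dst].add(src)
    return {dst: sorted(srcs) for dst, srcs in per_dst.items()}


def validate_targets(addrs, legit=LEGIT_RESOLVERS, sinkhole=SINKHOLE):
    """Check a hijacker-resolver list before it becomes redirect rules:
    must parse as IPv4, must not be loopback/multicast/link-local, and must
    not be one of our own resolvers or the sinkhole (which would loop).
    Duplicates are dropped; order is preserved."""
    seen, out = set(), []
    for a in addrs:
        try:
            ip = ipaddress.ip_address(a)
        except ValueError:
            continue  # garbage line in the list; skip rather than abort
        if ip.version != 4 or ip.is_loopback or ip.is_multicast \
                or ip.is_link_local or ip.is_unspecified:
            continue
        if a in legit or a == sinkhole or a in seen:
            continue
        seen.add(a)
        out.append(a)
    return out


def render_rules(targets, sinkhole=SINKHOLE):
    """Render one iptables DNAT rule per protocol per hijacker address so only
    DNS (port 53) toward those addresses is diverted to the sinkhole; other
    traffic to the same IPs is left alone."""
    rules = []
    for t in targets:
        for proto in ("udp", "tcp"):
            rules.append(
                f"iptables -t nat -A PREROUTING -p {proto} -d {t} "
                f"--dport 53 -j DNAT --to-destination {sinkhole}"
            )
    return rules


if __name__ == "__main__":
    rogue = find_rogue_resolvers(SAMPLE_FLOWS)
    for dst, cpes in rogue.items():
        print(f"{dst}: queried by {len(cpes)} CPE(s): {', '.join(cpes)}")
    for rule in render_rules(validate_targets(rogue)):
        print(rule)
```

The per-CPE list from find_rogue_resolvers is what tech support would use to contact affected subscribers once the web-redirect page the post mentions exists; the min_packets threshold is there so a single manual lookup against an outside resolver does not get a subscriber flagged.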
More information about the NANOG mailing list