Hackers hijack 300, 000-plus wireless routers, make malicious changes | Ars Technica

jim deleskie deleskie at gmail.com
Tue Mar 4 13:28:01 UTC 2014


Why would you want to swing such a big hammer?  Even blocking those 2 IPs will
isolate your users and fill your support queues.

Set up a DNS server locally to reply to those IPs.  Your customers stay up
and running and blissfully unaware.

Log the IPs hitting your DNS servers on those IPs and have your support
reach out to them in a controlled way, or reply to any request via DNS
with an internal host that has a web page explaining what is broken and how
they can fix it, avoiding at least some of the calls to your helpdesk.

-jim


On Tue, Mar 4, 2014 at 7:54 AM, Andrew Latham <lathama at gmail.com> wrote:

> On Tue, Mar 4, 2014 at 5:46 AM, fmm <vovan at fakmoymozg.ru> wrote:
> > On Tue, 04 Mar 2014 09:00:18 +0100, Jay Ashworth <jra at baylink.com> wrote:
> >
> >>
> >>
> http://arstechnica.com/security/2014/03/hackers-hijack-300000-plus-wireless-routers-make-malicious-changes/
> >>
> >> Is there any valid reason not to blackhole those /32s on the backbone?
> >
> >
> >
> >>> The telltale sign a router has been compromised is DNS settings that
> >>> have been changed to 5.45.75.11 and 5.45.76.36. Team Cymru researchers
> >>> contacted the provider that hosts those two IP addresses but have yet to
> >>> receive a response.
> >
> >
> > you wanted to say "blackhole those 5.45.72.0/22 and 5.45.76.0/22",
> > didn't you?
> >
> >
> > Cheers
> >
>
> Jay is right, it is just the /32s at the moment... Dropping the /22s
> could cause other sites to be blocked.
>
> inetnum:        5.45.72.0 - 5.45.75.255
> netname:        INFERNO-NL-DE
> descr:          ********************************************************
> descr:          * We provide virtual and dedicated servers on this Subnet.
> descr:          *
> descr:          * Those services are self managed by our customers
> descr:          * therefore, we are not using this IP space ourselves
> descr:          * and it could be assigned to various end customers.
> descr:          *
> descr:          * In case of issues related with SPAM, Fraud,
> descr:          * Phishing, DDoS, portscans or others,
> descr:          * feel free to contact us with relevant info
> descr:          * and we will shut down this server: abuse at 3nt.com
> descr:          ********************************************************
> country:        NL
> admin-c:        TNTS-RIPE
> tech-c:         TNTS-RIPE
> status:         ASSIGNED PA
> mnt-by:         MNT-3NT
> mnt-routes:     serverius-mnt
> source:         RIPE # Filtered
>
>
>
>
> --
> ~ Andrew "lathama" Latham lathama at gmail.com http://lathama.net ~
>
>
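The walled-garden approach Jim describes above, worked through as an added example (this is not code from the thread or from any of the posters). It assumes the ISP routes the two hijacked /32s, 5.45.75.11 and 5.45.76.36, internally to the box running this code, so that compromised customers' DNS queries arrive here instead of at the hijacker; it records each client source IP against the rogue resolver it tried to reach (the outreach list for support), and answers every A query with 192.0.2.10, an assumed internal web server carrying the "your router was tampered with, here is how to fix it" page. Only the stdlib is used; the sample queries at the bottom are constructed for an offline run.

```python
"""Walled-garden DNS responder for clients whose routers were pointed at
the rogue resolvers 5.45.75.11 / 5.45.76.36 (the two /32s in the Ars story).

Added example, not code from the NANOG thread.  Assumptions: the two /32s
are routed internally to this host, and 192.0.2.10 (TEST-NET-1, a
hypothetical address) is the internal web server with the fix-it page.
"""
import socket
import struct
from collections import defaultdict

ROGUE_RESOLVERS = {"5.45.75.11", "5.45.76.36"}  # from the Team Cymru report
WALLED_GARDEN_IP = "192.0.2.10"                  # assumed internal host
TTL = 60                                         # short, so fixed routers recover fast
TYPE_A, TYPE_AAAA, CLASS_IN = 1, 28, 1

# rogue resolver IP -> set of client source IPs seen (support outreach list)
seen_clients = defaultdict(set)


def parse_question(packet: bytes):
    """Return (qname, qtype, qclass, raw_question_bytes) for the first question."""
    if len(packet) < 12:
        raise ValueError("short DNS header")
    if struct.unpack("!H", packet[4:6])[0] < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # compression is not legal in a query's question name
            raise ValueError("compression pointer in question name")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    pos += 4
    return ".".join(labels), qtype, qclass, packet[12:pos]


def build_response(packet: bytes, answer_ip: str) -> bytes:
    """Answer any A/IN query with answer_ip; other types get an empty NOERROR."""
    qname, qtype, qclass, question = parse_question(packet)
    flags = 0x8180  # QR=1, RD=1, RA=1, RCODE=NOERROR
    ancount = 1 if (qtype == TYPE_A and qclass == CLASS_IN) else 0
    header = packet[0:2] + struct.pack("!HHHHH", flags, 1, ancount, 0, 0)
    answer = b""
    if ancount:
        # owner name is a compression pointer to offset 12 (the question name)
        answer = (struct.pack("!HHHIH", 0xC00C, TYPE_A, CLASS_IN, TTL, 4)
                  + socket.inet_aton(answer_ip))
    return header + question + answer


def handle_query(client_ip: str, dst_ip: str, packet: bytes) -> bytes:
    """Log the client against the rogue resolver it reached for, then steer it
    to the walled garden instead of letting the query go unanswered."""
    if dst_ip not in ROGUE_RESOLVERS:
        raise ValueError(f"{dst_ip} is not one of the hijacked resolver IPs")
    seen_clients[dst_ip].add(client_ip)
    return build_response(packet, WALLED_GARDEN_IP)


def build_query(qname: str, qtype: int = TYPE_A, txid: int = 0x1234) -> bytes:
    """Construct a minimal IN query, used only for the offline demo/test."""
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split("."))
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    return header + name + b"\x00" + struct.pack("!HH", qtype, CLASS_IN)


def answered_ip(response: bytes) -> str:
    """Pull the A record out of a response produced by build_response ('' if none)."""
    if struct.unpack("!H", response[6:8])[0] == 0:
        return ""
    return socket.inet_ntoa(response[-4:])


if __name__ == "__main__":
    # Constructed sample traffic: two customers whose router DNS was rewritten.
    for client, dst in [("203.0.113.7", "5.45.75.11"), ("203.0.113.9", "5.45.76.36")]:
        resp = handle_query(client, dst, build_query("www.example.com"))
        print(client, "->", dst, "answered with", answered_ip(resp))
    for dst, clients in seen_clients.items():
        print("outreach list for", dst, sorted(clients))
```

In production this would sit behind a UDP socket bound to both rogue addresses; the point of the short TTL is that once support has walked a customer through resetting the router, cached walled-garden answers expire within a minute. Non-A queries (AAAA, MX) get an empty NOERROR rather than an error so that the client's browser falls through to the A record and lands on the explanation page.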


More information about the NANOG mailing list