TimeWarner DNS Hijacking
Exstatica writes "It looks like TimeWarner is taking vigilante action on the botnet problem. They've hijacked DNS for a few IRC servers, the latest being irc.mzima.net and irc.nac.net — both part of EFNet. (irc.vel.net was hijacked earlier but has been restored.) Using ns1.sd.cox.net, the lookup returns an IP for what looks to be a script that forces the user into a channel and issues a set of commands to clean the drones. There have been different reports of other IRC networks being hijacked and other DNS servers involved. Is this the right way to handle the botnet problem? Is hijacking DNS legal?" Botnets are starting to move off of IRC for command and control, anyway.
Update: 07/24 00:01 GMT by KD : Updated and added more links; thanks to Drew Matthews at vel.net. 07/24 11:52 GMT by KD : Daniel Haskell wrote in to say that ircd.nac.net is seeing cox.net connections again, and that they are in discussion with the EFF over the matter.
New Update since I submitted this yesterday (Score:5, Informative)
TimeWarner != Cox (Score:3, Informative)
Re:What??? (Score:4, Informative)
The problem, of course, is that almost all users that call in don't need more than scripted hand-holding, and those of us that know what we're talking about call in and hit that wall, through which it can be very difficult to find an open window through which to crawl to find a knowledgeable person.
This has been going on for TWO years (Score:2, Informative)
Scroll down to the very bottom of that page. Notice the date.
Re:crackz.ws dns (Score:3, Informative)
If you don't like the Cox DNS results, feel free to put another DNS server in your router or computer. Switch from dynamic DNS to static DNS and use some of the public DNS servers.
Here is a good place to start..
http://www.opennic.unrated.net/public_servers.htm
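Before switching resolvers it helps to confirm what the submitter describes: one resolver (ns1.sd.cox.net in the story) handing back an address for irc.mzima.net that nobody else returns. The script below is an added example, written for this page rather than taken from the thread, any ISP or any tool mentioned in it. It builds and parses DNS A-record responses with only the standard library, flags the resolver whose answer set disagrees with the others, and can run live against resolvers given on the command line. The resolver addresses, the 192.0.2.x answers and the wire-format packets in the offline demo are constructed; only 70.168.70.4 and irc.mzima.net come from the thread.

```python
# Added example (Python 3, stdlib only): resolver-divergence check for one hostname.
import random
import socket
import struct
from collections import Counter


def encode_name(name):
    """DNS wire format for a hostname: length-prefixed labels, null terminated."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, txid):
    """Standard recursive A query (QTYPE=1, QCLASS=IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def build_response(name, txid, ips, ttl=300):
    """Constructed A-record answer, used for the offline demonstration only."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    answers = b""
    for ip in ips:
        # 0xC00C is a compression pointer to the name at offset 12 (the question)
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + question + answers


def read_name(data, offset):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels = []
    end = None
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer: follow it, remember where we were
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            return ".".join(labels), offset if end is None else end
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def parse_a_records(data, expected_txid=None):
    """Return the IPv4 addresses in the answer section of a DNS response."""
    txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if expected_txid is not None and txid != expected_txid:
        raise ValueError("transaction id mismatch: reply does not match our query")
    offset = 12
    for _ in range(qdcount):
        _name, offset = read_name(data, offset)
        offset += 4  # QTYPE + QCLASS
    ips = []
    for _ in range(ancount):
        _name, offset = read_name(data, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(data[offset:offset + 4]))
        offset += rdlen
    return ips


def query_a(resolver, name, timeout=2.0):
    """Live UDP/53 lookup against one resolver (not exercised by the offline demo)."""
    txid = random.randint(0, 0xFFFF)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name, txid), (resolver, 53))
        data, _addr = sock.recvfrom(512)
    finally:
        sock.close()
    return parse_a_records(data, expected_txid=txid)


def find_divergent(answers):
    """answers: {resolver: [ip, ...]}. Return resolvers whose answer set differs
    from the set most resolvers agree on; record order is ignored."""
    sets = {r: frozenset(ips) for r, ips in answers.items()}
    if not sets:
        return []
    consensus = Counter(sets.values()).most_common(1)[0][0]
    return sorted(r for r, s in sets.items() if s != consensus)


def offline_demo():
    """Two resolvers agree; a third (standing in for ns1.sd.cox.net) returns the
    70.168.70.4 address from the thread. Resolver IPs and packets are constructed."""
    name = "irc.mzima.net"
    wire = {
        "198.51.100.1": build_response(name, 0x1111, ["192.0.2.10", "192.0.2.11"]),
        "198.51.100.2": build_response(name, 0x2222, ["192.0.2.11", "192.0.2.10"]),
        "203.0.113.53": build_response(name, 0x3333, ["70.168.70.4"]),
    }
    return find_divergent({r: parse_a_records(p) for r, p in wire.items()})


if __name__ == "__main__":
    import sys
    # usage: python check_dns.py irc.mzima.net <resolver-ip> <resolver-ip> ...
    if len(sys.argv) > 2:
        live = {}
        for resolver in sys.argv[2:]:
            try:
                live[resolver] = query_a(resolver, sys.argv[1])
            except (OSError, ValueError) as exc:
                print("%s: %s" % (resolver, exc))
        print("divergent:", find_divergent(live))
    else:
        print("divergent (offline demo):", offline_demo())
```

A divergent answer is evidence, not proof, of tampering: CDN-backed names legitimately differ by resolver location, and a resolver may simply hold a stale cache. For a single-homed IRC server like the ones in the story, though, a lone resolver returning an address in the ISP's own space is exactly the pattern to chase.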
Re:No, probably not (Score:3, Informative)
It turns out that when you're a telecommunications provider, there are a whole bunch of laws to the effect of "you can't divert or compromise the telecommunications you're selling."
Re:New Update since I submitted this yesterday (Score:2, Informative)
The "#badbotbad" topic was rotated frequently amongst the most common bots/variants. The specific channels had their topics set according to the most common bot using that channel at the time.
Finally, a nickserv was established to preregister certain nicks and masks to deter "real" bot herder/owners from signing on to take back control. A script then slammed in to the server with the registered nick(s) sending the appropriate kill commands.
Sometimes it worked, and sometimes it didn't.
Transcript of IRC (Score:4, Informative)
irc.mzima.net. 300 IN A 70.168.70.4
Connecting to 70.168.70.4 (70.168.70.4) port 6667.
[JOIN] You are now talking on #martian_
[MODE] localhost.localdomain sets mode +n #martian_
[MODE] localhost.localdomain sets mode +t #martian_
[TOPIC] Topic for #martian_ is
[TOPIC] Topic for #martian_ set by Marvin_ at Tue Jul 24 09:48:56 2007
[TOPIC] Topic for #martian_ is
[TOPIC] Topic for #martian_ set by Marvin_ at Tue Jul 24 09:48:56 2007
[TOPIC] Topic for #martian_ is
[TOPIC] Topic for #martian_ set by Marvin_ at Tue Jul 24 09:48:56 2007
[TOPIC] Topic for #martian_ is !bot.remove
[TOPIC] Topic for #martian_ set by Marvin_ at Tue Jul 24 09:48:56 2007
[TOPIC] Topic for #martian_ is !remove
[TOPIC] Topic for #martian_ set by Marvin_ at Tue Jul 24 09:48:56 2007
[TOPIC] Topic for #martian_ is !uninstall
[TOPIC] Topic for #martian_ set by Marvin_ at Tue Jul 24 09:48:56 2007
!bot.remove
!remove
!uninstall
That's it.
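The transcript shows the whole mechanism of the sinkhole: the client is forced into a channel, the channel is locked down with +n and +t, and the cleanup strings are pushed both as topic changes and as messages, because the sinkhole does not know which string (if any) the bot on the other end honours. The following is an added example that reproduces that exchange as a minimal IRC sinkhole; it is not TimeWarner's or Cox's code, and the thread gives no indication of how theirs was built. The server name, channel, operator nick and three commands are the ones in the transcript; the listen address and the "sinkhole" hostmask are assumptions.

```python
# Added example (Python 3, stdlib only): IRC sinkhole that replays the transcript's exchange.
import socket

SERVER = "localhost.localdomain"
CHANNEL = "#martian_"
OPER = "Marvin_"
# Strings from the transcript. Which one a given bot family obeys is unknown
# to the sinkhole, so every one of them is pushed in turn.
CLEANUP_COMMANDS = ("!bot.remove", "!remove", "!uninstall")


class SinkholeSession:
    """Protocol state for one connected client; handle() returns server lines."""

    def __init__(self):
        self.nick = None
        self.user = None
        self.registered = False

    def handle(self, line):
        """Consume one client line, return the server->client lines it provokes."""
        parts = line.strip().split(" ")
        if not parts or not parts[0]:
            return []
        cmd = parts[0].upper()
        if cmd == "PING":  # keep the bot's connection alive while it parses the topic
            return ["PONG " + (parts[1] if len(parts) > 1 else SERVER)]
        if cmd == "NICK" and len(parts) > 1:
            self.nick = parts[1]
        elif cmd == "USER" and len(parts) > 1:
            self.user = parts[1]
        if not self.registered and self.nick and self.user:
            self.registered = True
            return self._welcome_and_push()
        return []  # everything else (JOIN, PRIVMSG from the bot, QUIT) is ignored

    def _welcome_and_push(self):
        mask = "%s!%s@sinkhole" % (self.nick, self.user)
        out = [
            ":%s 001 %s :Welcome" % (SERVER, self.nick),
            ":%s 376 %s :End of /MOTD command." % (SERVER, self.nick),
            # Forced join: the server asserts the JOIN on the client's behalf,
            # which is what "[JOIN] You are now talking on #martian_" logged.
            ":%s JOIN :%s" % (mask, CHANNEL),
            ":%s MODE %s +n" % (SERVER, CHANNEL),
            ":%s MODE %s +t" % (SERVER, CHANNEL),
        ]
        for command in CLEANUP_COMMANDS:
            # Topic for bots that read the topic on join; PRIVMSG for bots that
            # only act on channel messages from their controller.
            out.append(":%s!op@sinkhole TOPIC %s :%s" % (OPER, CHANNEL, command))
            out.append(":%s!op@sinkhole PRIVMSG %s :%s" % (OPER, CHANNEL, command))
        return out


def serve(host="127.0.0.1", port=6667):
    """Accept clients one at a time and drive each through a SinkholeSession."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)
    while True:
        conn, _peer = srv.accept()
        with conn:
            session = SinkholeSession()
            buf = b""
            while True:
                data = conn.recv(4096)
                if not data:
                    break
                buf += data
                while b"\n" in buf:
                    raw, buf = buf.split(b"\n", 1)
                    for reply in session.handle(raw.decode("latin-1", "replace")):
                        conn.sendall((reply + "\r\n").encode("latin-1", "replace"))


if __name__ == "__main__":
    serve()
```

Note what the sinkhole cannot do: it cannot tell whether the client is a bot, an innocent EFnet user, or an IRC client written by someone curious about the redirect, and it has no way to confirm that any of the three strings did anything. That is the limitation the later comments in this thread point at.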
The Golden Rule (Score:3, Informative)
A good question. Let me check for you.... Hang on... looking up Time Warner's Bank Balance. Uh huh... HOLY COW!
In answer to your question, yes, DNS hijacking is most definitely legal.
Re:New Update since I submitted this yesterday (Score:2, Informative)
First of all, redirecting traffic or manipulating dns replies for sites/domains/servers you do not own is a legal no-go for ISPs and ICPs of any kind. It opens up the possibility of man-in-the-middle attacks and also very much is against the idea of the Internet itself.
Second, timewarner did not only redirect connections to EFnet, they also didn't bother to contact either their users or EFnet about this. EFnet had to deal with all those complaints - which they could not handle as it wasn't their fault.
Third, timewarner chose a concept that is bound to fail. One cannot just redirect IRC traffic for a random IRC server. While there are botnets that use standard ports of course, most botnets either use private irc servers (installed on cracked machines) and/or non-standard ports. And as the OG said, they are moving to other ways of communication. As for EFnet, TW should have told the staff that they suspected a botnet and given details. This would have been way more efficient and not just annoyed all affected (and possibly not even infected) users.
Fourth, as I've seen details about timewarner's actions, they're trying to run different uninstall commands on the possibly infected machines. They'd need either to know exactly which command it'd take or to test all of them while risking that the infected machine will detect this takeover procedure and go into a "safe mode" or disconnect again.
If I were to summarize this: The idea isn't that bad, but it's bound to fail as botnets and IRC do not work the way they think.
PS: I'm not an EFnet representative, but I'm part of an organization that works on disabling botnets together with other people from various irc networks. I do not understand why timewarner did not even bother to try to contact us - even though I had contact with their abuse desk a long time ago.
Re:Since when is Cox = Time Warner? (Score:3, Informative)
Re:New Update since I submitted this yesterday (Score:3, Informative)
Then you violated your TOS and were on their network illegally.
It's your PC, but it's THEIR network. They have the right to defend their network and the obligation to protect other people using it. I'd even bet their TOS authorizes this kind of behavior.
This is the ISPs fault (Score:3, Informative)