TimeWarner DNS Hijacking 339
Exstatica writes "It looks like TimeWarner is taking vigilante action on the botnet problem. They've hijacked DNS for a few IRC servers, the latest being irc.mzima.net and irc.nac.net — both part of EFNet. (irc.vel.net was hijacked earlier but has been restored.) Using ns1.sd.cox.net, the lookup returns an IP for what looks to be a script that forces the user into a channel and issues a set of commands to clean the drones. There have been different reports of other IRC networks being hijacked and other DNS servers involved. Is this the right way to handle the botnet problem? Is hijacking DNS legal?" Botnets are starting to move off of IRC for command and control, anyway.
Update: 07/24 00:01 GMT by KD : Updated and added more links; thanks to Drew Matthews at vel.net. 07/24 11:52 GMT by KD : Daniel Haskell wrote in to say that ircd.nac.net is seeing cox.net connections again, and that they are in discussion with the EFF over the matter.
Update: 07/24 00:01 GMT by KD : Updated and added more links; thanks to Drew Matthews at vel.net. 07/24 11:52 GMT by KD : Daniel Haskell wrote in to say that ircd.nac.net is seeing cox.net connections again, and that they are in discussion with the EFF over the matter.
The criminal code calls it "Theft of Services" (Score:5, Interesting)
Yes, it is the right way (Score:2, Interesting)
If admins don't take it into their own hands, nobody is going to do anything.
IRC networks must police themselves (Score:2, Interesting)
Is there an easier and more effective way?? (Score:5, Interesting)
Re:Is there an easier and more effective way?? (Score:5, Interesting)
A while back, I got a "your computer is infected" notice from them. I checked all my computers, the Windows ones with tools that weren't even available to the public at the time, and zero, zip, nada. Everything was clean, sniffs showed nothing out of place.
Finally talked with someone with a clue, and they classified my SpamAssassin install as a DOS on their name servers because they were caching the negative responses from the various blacklists.
This will NOT raise awareness or work in any way. (Score:5, Interesting)
Wired found someone who approves of breaking the internet:
Right, because the kind of people who might actually use IRC know nothing about botnets and the kind of Windoze users who are part of the botnet care about IRC. This is just another attack on the free software community as outlined in the Haloween Documents.
Once again, the ISP has punished the good guys for problems crated by the bad guys. The root cause of the botnet is Windoze. Fixing it and raising awareness is as simple as cutting the problem computers off your network and telling their owners why. This is as it should be and pretending otherwise props up third rate software and threatens the stability of the net.
It's not like the police are doing anything.. (Score:5, Interesting)
What??? (Score:5, Interesting)
Re:New Update since i submited this yesterday (Score:4, Interesting)
There are worse ways... (Score:1, Interesting)
Thing is, they never removed the block. And at a University, well, when someone does this, you're pretty much boned.
(Yes, I know there are multiple ports on many IRC servers -- but not all of them.)
Not perfect, but (Score:4, Interesting)
There is simply **NO** excuse for a bot to be running on any ISP for more than the time it takes to detect it pumping out massive volumes of email. My solution, as I've stated several times, would be to disconnect the offending computer, and then fire them off a snailmail letter stating that they will not be permitted back until their computer is disinfected. But since that would cost them customers, no one will do that.
Re:Their DNS Server... (Score:3, Interesting)
I expect my ISP to provide me with correct DNS loopup results. If they don't then they would not be providing me with part of the service I understand I am paying them for. They would hear from me about it pretty quickly and more then likely loose my business over it. There are after all lots of ISPs out there.
Tortious Interference (Score:3, Interesting)
"Tortious interference," is part of english common law roughly defined as the causing of harm by disrupting something that belongs to someone else. The original example was a guy who repeatedly drove ducks away from his neighbors' pond by firing a gun in the air on his own property.
So no, its not legal. But if you want to pursue it in court, you have only one of the weaker common-law torts to rely on.
No, probably not (Score:5, Interesting)
Re:In the long run, not a great idea (Score:3, Interesting)
When I first read your post I thought you were trying to make a dry joke, but I figure from your other posts that you are serious. If you really want a dedicated police force for this sort of thing why not show local politicians that it is feasible, important, and not a waste of money (the last one is the most important). If you can give them an example ("Here is a guy I tracked down in 5 hours. He controls 10,000 bots he can do $50,000 worth of damage an hour. He has probably misappropriated 1000 identities. Etc.") and pitch it to them at an angle that shows it as a way for them to win brownie points with their superiors/voters/whoever they might just do something about it.
Once there is something like that at a local level you have what is known as a 'test case' or 'pilot project'. If it works other people will jump on the bandwagon.
This vigilantism shows us that it is possible to track down who is controlling the networks (or at the very least pin them to an IP address), but like I say, taking down bots here and there is futile and will only encourage them to evolve.
Hijacking, and San Diego Cox Communications (Score:5, Interesting)
First, as a person who owns and operates many networks, I would be rather annoyed that someone has hijacked one of my domains, for any purpose.
To me, a domain name is the equivalent to a land deed, it's a peace of virtual real-estate. It's a representation and label identifying a group of IP addresses which may or may not be associated to a physical device or service. If I have a problem with some other network, I attempt to contact the powers-that-be of the offending network; in good faith, that they would be cooperative.
Now, I assume many offensive networks out there might not cooperate, or might think that what their network is doing is either legal, moral, or of no harm. Well... I do admit, I block all of APNIC to my mail servers, though, I do not service "customers" either. If I did, I would assume my customer demographic might include a need or desire for correspondence with those in APNIC, and permit the traffic. While I might, on case by case scenerios, filter a range of IPs known for SPAM or whatever, things I certainly wouldn't do is hi-jack a domain, and most disturbingly, attempt to execute code on a clients machine without direct consent for each instance, each time. Basically, what you're doing then is intentionally deceiving a computer system, breaking standards, breaking and entering said computer system, and influencing change which permanently alters HOW that computer operates. And, knowing the practices and the broad generalized sweeping tactics of Cox Communications (for example), I must say I do NOT trust what they MIGHT consider as "malicious" code to delete off my computer "at their whim".
If this becomes "legal", then what's to stop Cox Communications (for example), from considering my MP3s as "malicious or of questionable origin" and on behalf of RIAA, delete my mp3s? How are they going to know?
Now, on to San Diego Cox Communications. While I agree that if you are on someones network, you do what they say. However, as already implied above, if my intention is to provide "Internet Service", then I DO inherently forfeit some of that overall power. And Cox Cable, blocking incoming and outgoing ports is really not within their moral obligation to do so. Nothing illegal about them doing it, no doubt some here might agree with them. But, if I'm going to sell someone "Internet Service", as I have in the past, they get "Internet Service" in full. I don't want a parent above me, and most certainly, I should be allowed unaltered Internet Service from Cox Communications on request against the default safegaurds in-place for the sake of the laymen.
But, Cox Communications does NOT permit one to exercise all of the technologies available. They notoriously block ports, and muck with the traffic. Why? Who knows, and I don't mean to be elitist, but their explanations of some Windows worm really doesn't apply to my Linux box. Besides, if I was running Windows, I still wouldn't appreciate all the port blocking and crap. I'll handle that myself.
As a result, I refuse to use Cox Cable or Time Warners Road Runner services. (Aside from the fact I'm banned from San Diego Cox Cable's network for running VPN clouds on their network, among other things like DoS'ing everyone on my subnet to boost my download speeds...), I warmly welcome other high-speed services that do NOT play parenthood. Sadly, one practically has to purchase a "Business" line instead of a "Home" connection. So, that's in fact what I have so if I want to launch my own webserver/mailserver, SQL Server or whatever, it's simply a matter of just configuring and launching the daemon.
In short, I feel hi-jacking is wrong. And I feel that people should not use Cox Cable as they are the "AOL" of today anyways. Such actions are so typical of Cox Cable... it's truelly ridiculous.
Killing Fly with a Bazooka (Score:5, Interesting)
Re:New Update since i submited this yesterday (Score:3, Interesting)
Both options deal with the problem.
I'm surprised that bots aren't boobytrapped against this sort of action, but as the summary states using IRC for bots is yesterday's news.
Re:New Update since i submited this yesterday (Score:1, Interesting)
Yeah, B). After 2 written warnings, tops.
Treacherous Computing (Score:4, Interesting)
You've probably seen something similar when you have to install an ActiveX control in IE (for a bank, or Windows Update). It asks i) if you'd like to install it and ii) If you'd like to trust the publisher in the future.
The binary is cryptographically signed which assures the computer that it is a product of the authorised holder of a particular crypto key. MS already uses this scheme for device drivers on 64-bit versions of Vista - at present, it can be disabled by a technically oriented user, but there's no guarantee that ability will persist.
The downside is twofold - firstly, for this measure to have any teeth, you have to remove the ability of the user to ignore it. Secondly, it provokes ideas like Microsofts "Trusted Computing" initiative (aka "Palladium"), which hands over full control of your computer to a short list of people who know the secret keys embedded in your motherboard. The main motivator for requiring signed drivers in Vista is to prevent the loading of things like virtual devices which can be used to capture perfect digital copies of DRM protected media. A secondary consideration is quality assurance.
http://www.gnu.org/philosophy/can-you-trust.html [gnu.org]
At some point it is inevitable that MS operating systems will produce an API that permits calling programs to determine the presence of unsigned drivers or software, and refuse to perform certain functions (like playback of DRMed media). Heck, this shouldn't be hard to implement right now with a little effort. With TP, because the only trusted root certificates will be stored in inaccessible firmware, there will be no way for the user to sign drivers himself and mark them as trusted. Therefore MS (and anyone they care about pleasing) will be in control of what your computer can or cannot do.
Re:New Update since i submited this yesterday (Score:3, Interesting)
Please explain how shutting down a bot on your computer is damaging it.
Re:Fair game (Score:3, Interesting)
Anet was the one where `anything goes', and yes, it did have a server called eris. The big thing that went on Anet that didn't go on Efnet was that new servers didn't need a password to connect to the existing network (well, the server `eris' was like this anyways -- I don't know if others were too) -- anybody could bring up a server. Which sounds fine, this also means that these people can make themselves IRCops on their new server and can abuse that, and it's also simple to kill anybody off on the existing network just by pretending to be a server via some simple telnet commands. Anarchy. Anet died off pretty quickly.
This page [daniel.haxx.se] is pretty informative.