nanog mailing list archives
Re: DNS Changer items
From: Andrew Fried <andrew.fried () gmail com>
Date: Fri, 06 Jul 2012 16:15:43 -0400
Cameron,

That idea had been brought up. Also discussed was short durations of random blackouts of dns resolution to impress upon the infected users that they needed to take action.

Unfortunately, taking either of those actions would have exceeded the authorization of the court order.

We're coming up with a pretty detailed list of "lessons learned" from this operation and being able to implement ideas like yours will hopefully be considered in advance "next time".

Andy

Andrew Fried
andrew.fried () gmail com

On 7/6/12 3:58 PM, Tomas L. Byrnes wrote:

I think having the ISC DNS changer sinkhole servers return the DCWG check page IP for all queries would be a good final act.

-----Original Message-----
From: Andrew Fried [mailto:andrew.fried () gmail com]
Sent: Friday, July 06, 2012 11:16 AM
To: Cameron Byrne
Cc: nanog () nanog org
Subject: Re: DNS Changer items

The DNS redirection began on November 8, 2011. The servers were instrumented to capture a very small portion of the dns data (source ip and port only) so that reports of infected users could be sent to the ISPs via reporting organizations like Shadowserver.

Some ISPs did create walled gardens. Some merely redirected affected customers to their own internal DNS servers. Some ISPs did aggressive notifications to their users. And some ISPs did nothing.

Sites were set up to allow users to check their systems (dns-ok.us, etc). The DCWG set up an information site to provide information on how to detect the DNSchanger infection and how to fix it. AV companies provided tools to help clean up systems, and the tools were published on the DCWG.org website. The FBI went to great lengths to get press coverage to get the word out.

This operation has been ongoing for 7 months, 27 days and 14 hours. How much more of a graceful ramp down could there have been?

Andy

Andrew Fried
andrew.fried () gmail com

On 7/6/12 1:52 PM, Cameron Byrne wrote:

So instead of turning the servers off, would it not have been helpful to have the servers return a "captive portal" type of response saying "hey, since you use this server, you are broken, go here to get fixed"

Seems that would have been a more graceful ramp down.

CB