nanog mailing list archives

Re: DNS Changer items

From: Andrew Fried <andrew.fried () gmail com>
Date: Fri, 06 Jul 2012 16:15:43 -0400

Cameron,

That idea had been brought up.  Also discussed was short durations of
random blackouts of dns resolution to impress upon the infected users
that they needed to take action.  Unfortunately, taking either of those
actions would have exceeded the authorization of the court order.

We're coming up with a pretty detailed list of "lesson's learned" from
this operation and being able to implement ideas like yours will
hopefully be considered in advance "next time".

Andy

Andrew Fried
andrew.fried () gmail com


On 7/6/12 3:58 PM, Tomas L. Byrnes wrote:

I think having the ISC DNS changer sinkhole servers return the DCWG
check page IP for all queries would be a good final act.

-----Original Message-----
From: Andrew Fried [mailto:andrew.fried () gmail com]
Sent: Friday, July 06, 2012 11:16 AM
To: Cameron Byrne
Cc: nanog () nanog org
Subject: Re: DNS Changer items

The DNS redirection began on November 8, 2011.  The servers were
instrumented to capture a very small portion of the dns data (source

ip and

port only) so that reports of infected users could be sent to the ISPs

via

reporting organizations like Shadowserver.

Some ISPs did create walled gardens.  Some merely redirected affected
customers to their own internal DNS servers.  Some ISPs did aggressive
notifications to their users.  And some ISPs did nothing.

Sites were set up to allow users to check their systems (dns-ok.us,

etc).  The

DCWG set up an information site to provide information on how to

detect

the DNSchanger infection and how to fix it.  AV companies provided

tools to

help clean up systems, and the tools were published on the DCWG.org
website.

The FBI went to great lengths to get press coverage to get the word

out.


This operation has been ongoing for 7 months, 27 days and 14 hours.

How much more of a graceful ramp down could there have been?

Andy

Andrew Fried
andrew.fried () gmail com


On 7/6/12 1:52 PM, Cameron Byrne wrote:

So insteading of turning the servers off, would it not have been
helpful to have the servers return a "captive portal" type of

reponse

saying "hey, since you use this server, you are broken, go here to

get fixed"


Seems that would have been a more graceful ramp down.

CB

Current thread:

Re: DNS Changer items, (continued)
- - - Re: DNS Changer items Cameron Byrne (Jul 06)
    - Re: DNS Changer items Merike Kaeo (Jul 06)
    - RE: DNS Changer items Eric J Esslinger (Jul 06)
    - RE: DNS Changer items Tomas L. Byrnes (Jul 06)
    - Re: DNS Changer items Nick Semenkovich (Jul 06)
    - Re: DNS Changer items valdis . kletnieks (Jul 06)
    - Re: DNS Changer items Roy (Jul 06)
    - RE: DNS Changer items Tomas L. Byrnes (Jul 06)
    - Re: DNS Changer items Andrew Fried (Jul 06)
    - RE: DNS Changer items Tomas L. Byrnes (Jul 06)
    - Re: DNS Changer items Andrew Fried (Jul 06)
    - Re: DNS Changer items Roy (Jul 06)
    - Re: DNS Changer items Andrew Fried (Jul 06)
    - Re: DNS Changer items Jay Ashworth (Jul 07)
    - Re: DNS Changer items Owen DeLong (Jul 13)
    - Re: DNS Changer items Roy (Jul 06)