Thread: DNS Hijacking by Cox

DNS Hijacking by Cox
2007-07-22 16:56:13
It looks like Cox is hijacking DNS for IRC servers.
bash2-2.05b$ nslookup
> server 68.6.16.30
Default server: 68.6.16.30
Address: 68.6.16.30#53
> irc.vel.net
Server: 68.6.16.30
Address: 68.6.16.30#53
Name: irc.vel.net
Address: 70.168.71.144
> server ns1.vel.net
Default server: ns1.vel.net
Address: 207.182.224.10#53
> irc.vel.net
Server: ns1.vel.net
Address: 207.182.224.10#53
Name: irc.vel.net
Address: 64.161.255.2
It looks like they are using it to clean drones; when you connect to their fake IRC server you get force-joined into a channel.
#martian_
[INFO] Channel view for "#martian_" opened.
-->| YOU (andrew.m) have joined #martian_
=-= Mode #martian_ +nt by localhost.localdomain
=-= Topic for #martian_ is ".bot.remove"
=-= Topic for #martian_ was set by Marvin_ on Sunday, July
22, 2007 2:55:02 PM
=-= Topic for #martian_ is ".remove"
=-= Topic for #martian_ was set by Marvin_ on Sunday, July
22, 2007 2:55:02 PM
=-= Topic for #martian_ is ".uninstall"
=-= Topic for #martian_ was set by Marvin_ on Sunday, July
22, 2007 2:55:02 PM
=-= Topic for #martian_ is "!bot.remove"
=-= Topic for #martian_ was set by Marvin_ on Sunday, July
22, 2007 2:55:02 PM
=-= Topic for #martian_ is "!remove"
=-= Topic for #martian_ was set by Marvin_ on Sunday, July
22, 2007 2:55:02 PM
=-= Topic for #martian_ is "!uninstall"
=-= Topic for #martian_ was set by Marvin_ on Sunday, July
22, 2007 2:55:02 PM
<Marvin_> .bot.remove
<Marvin_> .remove
<Marvin_> .uninstall
<Marvin_> !bot.remove
<Marvin_> !remove
Isn't there a law against hijacking DNS? What can I do to pursue this?
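The check the original post performs by hand, asking the ISP's resolver and the zone's own nameserver for the same name and comparing the answers, can be scripted. The following is an added example, not code from the thread: it parses an interactive nslookup transcript (constructed here from the servers and addresses the poster reported) instead of sending queries, so it runs offline, and it reports every name for which a non-authoritative server's answer set differs from the authoritative one.

```python
"""Detect a resolver answering differently from the zone's authoritative
server, from a captured interactive nslookup session.
Added example; the transcript below is constructed from the post's output."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed transcript modelled on the nslookup session in the post.
NSLOOKUP_TRANSCRIPT = """\
> server 68.6.16.30
Default server: 68.6.16.30
Address: 68.6.16.30#53
> irc.vel.net
Server: 68.6.16.30
Address: 68.6.16.30#53
Name: irc.vel.net
Address: 70.168.71.144
> server ns1.vel.net
Default server: ns1.vel.net
Address: 207.182.224.10#53
> irc.vel.net
Server: ns1.vel.net
Address: 207.182.224.10#53
Name: irc.vel.net
Address: 64.161.255.2
"""

Answers = Dict[str, Dict[str, List[str]]]  # server -> name -> [addresses]


def parse_nslookup(transcript: str) -> Answers:
    """Extract {server: {name: [addresses]}} from an interactive nslookup log.

    A 'Server:' line opens a new answer block.  The 'Address: x#53' line
    right after it (and after 'Default server:') is the server's own socket,
    not an answer; it is skipped because no 'Name:' line is open at that
    point.  Every 'Address:' that follows a 'Name:' is one answer record.
    """
    answers: Answers = {}
    server: Optional[str] = None
    name: Optional[str] = None
    for raw in transcript.splitlines():
        line = raw.strip()
        if line.startswith(">"):          # a typed command ends the open answer
            name = None
            continue
        m = re.match(r"^Server:\s+(\S+)$", line)
        if m:
            server, name = m.group(1), None
            continue
        m = re.match(r"^Name:\s+(\S+)$", line)
        if m and server is not None:
            name = m.group(1)
            answers.setdefault(server, {}).setdefault(name, [])
            continue
        m = re.match(r"^Address:\s+(\S+)$", line)
        if m and server is not None and name is not None:
            answers[server][name].append(m.group(1).split("#")[0])
    return answers


def find_divergence(
    answers: Answers, authoritative: str
) -> List[Tuple[str, str, List[str], List[str]]]:
    """Return (server, name, got, expected) for each name where a server other
    than `authoritative` returned a different set of addresses."""
    expected = answers.get(authoritative, {})
    findings = []
    for server, names in answers.items():
        if server == authoritative:
            continue
        for name, addrs in names.items():
            if name in expected and set(addrs) != set(expected[name]):
                findings.append((server, name, sorted(addrs), sorted(expected[name])))
    return findings


if __name__ == "__main__":
    parsed = parse_nslookup(NSLOOKUP_TRANSCRIPT)
    for server, name, got, want in find_divergence(parsed, "ns1.vel.net"):
        print(f"{server} answers {name} -> {got}; authoritative says {want}")
```

A single mismatch is not proof of tampering on its own (round-robin records and stale caches also produce differences), so in practice the comparison is worth repeating over several names and a few minutes before drawing the conclusion the poster draws here.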

RE: DNS Hijacking by Cox
2007-07-22 18:04:07 (United States)
Hey

Well I suppose that would get rid of some of the script kiddies' bots off of their network...

http://www.dslreports.com/forum/remark,12922412
http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/55016

Though...I cannot think of another means to achieve their goal. However, I wonder how they generated what records to point to their servers. Is it simply anything with irc.*? I suppose it would stop the script kiddies if they didn't use their own unique DNS and specified a different port in the config before compiling. Typically zombies are set to listen to the topic commands in order to either continue a DDoS attack or, like, scan for other hosts to infect. This would prevent the bots from getting a valid command to start scanning or DDoS, or in this case .remove would remove the bot from their customers' computers (unless the default command character was changed), so I suppose it gets what they want, DDoS's to not originate in their network + XDCC bots being created from zombies etc etc, credit card, zombie bots can be set to listen for PayPal information and credit card information etc...but at the same time causing problems for their customers who legitimately use IRC. If weighed, I believe their problems with DDoS bots are weighted more heavily than the few who legitimately use IRC. I suppose they can always use like psyBNC to connect to IRC.

I agree with their goal but not really the means they are using to reach their goal. If they are going to manipulate DNS to do this...how far will they go with other problems?

Raymond Corbin
Support Analyst
HostMySite.com

(sorry if this posted twice...outlook froze on me :( )
-----Original Message-----
From: owner-nanog merit.edu on behalf of Andrew Matthews
Sent: Sun 7/22/2007 5:56 PM
To: nanog merit.edu
Subject: DNS Hijacking by Cox
It looks like Cox is hijacking DNS for IRC servers.
bash2-2.05b$ nslookup
> server 68.6.16.30
Default server: 68.6.16.30
Address: 68.6.16.30#53
> irc.vel.net
Server: 68.6.16.30
Address: 68.6.16.30#53
Name: irc.vel.net
Address: 70.168.71.144
> server ns1.vel.net
Default server: ns1.vel.net
Address: 207.182.224.10#53
> irc.vel.net
Server: ns1.vel.net
Address: 207.182.224.10#53
Name: irc.vel.net
Address: 64.161.255.2
It looks like they are using it to clean drones; when you connect to their fake IRC server you get force-joined into a channel.
#martian_
[INFO] Channel view for "#martian_" opened.
-->| YOU (andrew.m) have joined #martian_
=-= Mode #martian_ +nt by localhost.localdomain
=-= Topic for #martian_ is ".bot.remove"
=-= Topic for #martian_ was set by Marvin_ on Sunday, July
22, 2007 2:55:02 PM
=-= Topic for #martian_ is ".remove"
=-= Topic for #martian_ was set by Marvin_ on Sunday, July
22, 2007 2:55:02 PM
=-= Topic for #martian_ is ".uninstall"
=-= Topic for #martian_ was set by Marvin_ on Sunday, July
22, 2007 2:55:02 PM
=-= Topic for #martian_ is "!bot.remove"
=-= Topic for #martian_ was set by Marvin_ on Sunday, July
22, 2007 2:55:02 PM
=-= Topic for #martian_ is "!remove"
=-= Topic for #martian_ was set by Marvin_ on Sunday, July
22, 2007 2:55:02 PM
=-= Topic for #martian_ is "!uninstall"
=-= Topic for #martian_ was set by Marvin_ on Sunday, July
22, 2007 2:55:02 PM
<Marvin_> .bot.remove
<Marvin_> .remove
<Marvin_> .uninstall
<Marvin_> !bot.remove
<Marvin_> !remove
Isn't there a law against hijacking DNS? What can I do to pursue this?

Re: DNS Hijacking by Cox
2007-07-22 18:08:51
On Sun, 22 Jul 2007, Andrew Matthews wrote:
> isn't there a law against hijacking dns? What can i do to pursue this?

DNS is just another application protocol that runs over IP. You don't have to use those DNS servers to resolve names.

Re: DNS Hijacking by Cox
2007-07-22 18:18:35 (United Kingdom)
On Sun, Jul 22, 2007 at 02:56:13PM -0700, Andrew Matthews wrote:
>
> It looks like cox is hijacking dns for irc servers.
<snip>
> isn't there a law against hijacking dns? What can i do to pursue this?

No, it's their network and they play by their rules.. the law would prevent them from inserting data into 3rd party servers or from masquerading as someone they are not or other marketing unfairness (such as serving their site in place of their competitors).

If you are a Cox customer you might want to have a reasoned discussion with them and find out more details and whether you can reach a resolution. If they don't play ball though, you ultimately would have to vote with your $$ and switch..

Steve

Re: DNS Hijacking by Cox
2007-07-22 18:28:53 (Netherlands)
* steve.wilcox packetrade.com (Stephen Wilcox) [Mon 23 Jul 2007, 01:21 CEST]:
>On Sun, Jul 22, 2007 at 02:56:13PM -0700, Andrew Matthews wrote:
>> It looks like cox is hijacking dns for irc servers.
><snip>
>> isn't there a law against hijacking dns? What can i do to pursue this?
>no, its their network and they play by their rules.. the law would
>prevent them from inserting data into 3rd party servers or from
>masquerading as someone they are not or other marketing unfairness (such
>as serving their site in place of their competitors).

You mean, like, sending you to their own machine instead of the actual irc.vel.net (a legit EFnet server) when you ask for it?

>if you are a cox customer you might want to have a reasoned discussion
>with them and find out more details and whether you can reach a
>resolution. if they dont play ball tho you ultimately would have to vote
>with your $$ and switch..

This is a ridiculous argument as in many places there is only one game in town for affordable high speed internet for end users.

-- Niels.

--
"The Mac doesn't have a one-button mouse, it has a five-button mouse, with
four of the buttons on the keyboard."
-- Peter da Silva <peter taronga.com>

Re: DNS Hijacking by Cox
2007-07-22 18:28:55
On 7/22/07, Sean Donelan <sean donelan.com> wrote:
> On Sun, 22 Jul 2007, Andrew Matthews wrote:
> > isn't there a law against hijacking dns? What can i do to pursue this?
>
> DNS is just another application protocol that runs over IP. You don't
> have to use those DNS servers to resolve names.

Agreed. If you're savvy enough to have a problem because of this, you're savvy enough to a) Use another set of DNS servers or b) Use your own local resolver.

-brandon

Re: DNS Hijacking by Cox
2007-07-22 19:18:15 (United States)
Brandon Galbraith wrote:
> On 7/22/07, *Sean Donelan* wrote:
> DNS is just another application protocol that runs over IP. You don't
> have to use those DNS servers to resolve names.
>
Possibly, you do (based on experience).

> Agreed. If you're savvy enough to have a problem because of this, you're
> savvy enough to a) Use another set of DNS servers or b) Use your own
> local resolver.
>
For awhile, Comcast blocked/redirected all DNS queries, sending them to their own servers. Then, their servers didn't work properly....

Comcast still blocks port 25. And last week, a locally well-known person was blocked from sending outgoing port 25 email to their servers from her home Comcast service.

It took some days to find out that Comcast had (without any notice) turned off her outgoing email (Monday), due to spam complaints! Needless to say, her MacBook isn't sending spam -- but many thousands of folks have her email address in their (presumably infected M$) address books.

The official response: We don't support Thunderbird. You could use web email instead.

When you pull stunts like that, you shouldn't complain about legislation.

Re: DNS Hijacking by Cox
2007-07-22 19:23:12 (Netherlands)
Hi!

>> Agreed. If you're savvy enough to have a problem because of this, you're
>> savvy enough to a) Use another set of DNS servers or b) Use your own local
>> resolver.
> Oh. And when they implement Plan B (inspecting each DNS packet for
> IRC.* and substituting their own answer as a reply), then what?

What's next, will they also start proxying your favorite bank on DNS so they can track cc info?

OTOH, let's do the same with spamvertized sites ... ;)

Bye,
Raymond.

Re: DNS Hijacking by Cox
2007-07-22 20:19:44
On Sun, 22 Jul 2007, William Allen Simpson wrote:
> Comcast still blocks port 25. And last week, a locally well-known person
> was blocked from sending outgoing port 25 email to their servers from her
> home Comcast service.

MSA port 587 is only 9 years old. I guess it takes some people longer than others to update their practices. Based on what I know about how Comcast's abuse systems implement their port 25 restrictions, I think it is extremely unlikely it was based on other people having her e-mail address in their Outlook programs.

Some people complain ISPs refuse to take action about abuse and compromised computers on their networks. On the other hand, people complain when ISPs take action about abuse and compromised computers on their networks. ISPs are pretty much damned if they do, and damned if they don't.

Several ISPs have been redirecting malware using IRC to "cleaning" servers for a couple of years trying to respond to the massive number of bots. On occasion they pick up a C&C server which also contains some "legitimate" uses. Trying to come up with a good cleaning message for each protocol can be a challenge.

Yes, false positives and false negatives are always an issue. People running several famous block lists for spam and other abuse also made mistakes on occasion.

Re: DNS Hijacking by Cox
2007-07-22 20:29:45
On Sun, 22 Jul 2007 14:56:13 -0700
"Andrew Matthews" <exstatica gmail.com> wrote:
>
> It looks like cox is hijacking dns for irc servers.
>

And people wonder why I support DNSsec....

--Steve Bellovin, http://www.cs.columbia.edu/~smb
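Two remedies come up in the thread: run your own local resolver instead of the ISP's (Sean Donelan's and Brandon's replies) and validate answers with DNSSEC (Steve Bellovin's remark). The fragment below is an added example, not configuration from anyone in the thread, showing how both fit together in an Unbound resolver; it assumes an Unbound install whose root trust anchor lives at /var/lib/unbound/root.key, and the ISP resolver address is the one from the original post.

```conf
# unbound.conf (added example): a local recursive, validating resolver.
# Assumes Unbound with its root trust anchor at /var/lib/unbound/root.key.
server:
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow

    # No forward-zone stanza: recurse from the root ourselves rather than
    # forwarding to the ISP resolver (68.6.16.30 in the original post),
    # so that resolver's local overrides never reach this host.

    # Validate DNSSEC signatures against the root trust anchor.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    # An answer for a signed zone that arrives without its signatures is
    # treated as bogus instead of being accepted unsigned.
    harden-dnssec-stripped: yes
    # Log each validation failure, so a forged answer shows up as a logged
    # SERVFAIL rather than silently as a wrong address.
    val-log-level: 1
```

Two caveats a practitioner would want: validation only protects names in signed zones, so for an unsigned zone the local resolver merely avoids the ISP resolver's overrides; and the "Plan B" raised later in the thread, inline rewriting of port 53 traffic, reaches a local resolver's upstream queries too. In that case a signed zone fails validation (SERVFAIL in the log above) instead of resolving to the substituted address, which is the detectable failure DNSSEC buys you, not a way around the rewrite itself.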