News for nerds, stuff that matters

TimeWarner DNS Hijacking

Posted by kdawson on Mon Jul 23, 2007 06:50 PM
from the can-you-spell-ham-handed dept.
Exstatica writes "It looks like TimeWarner is taking vigilante action on the botnet problem. They've hijacked DNS for a few IRC servers, the latest being irc.mzima.net and irc.nac.net — both part of EFNet. (irc.vel.net was hijacked earlier but has been restored.) Using ns1.sd.cox.net, the lookup returns an IP for what looks to be a script that forces the user into a channel and issues a set of commands to clean the drones. There have been different reports of other IRC networks being hijacked and other DNS servers involved. Is this the right way to handle the botnet problem? Is hijacking DNS legal?" Botnets are starting to move off of IRC for command and control, anyway.
Update: 07/24 00:01 GMT by KD : Updated and added more links; thanks to Drew Matthews at vel.net. 07/24 11:52 GMT by KD : Daniel Haskell wrote in to say that ircd.nac.net is seeing cox.net connections again, and that they are in discussion with the EFF over the matter.

Related Stories

Cybercriminals Building New, Stealthier Networks
ancientribe writes "Cybercriminals are adopting a new method of hiding and sustaining their malicious Websites and botnet infrastructures so they'll be harder to detect, called "fast-flux," according to an article in Dark Reading. Criminal organizations behind two infamous malware families — Warezov/Stration and Storm — in the past few months have separately moved their infrastructures to so-called fast-flux service networks. The article says bad guys like fast-flux not only because it keeps them up and running, but also because it's more efficient than traditional methods of infecting victims' machines." I'm not exactly sure why this is new/different than the more well known open relay proxy networks.
  • by Exstatica (769958) * on Monday July 23, @06:52PM (#19963505)
    (http://www.exstatica.net/)
    Since submitting this article yesterday, there have been some new developments. There was a large debate on NANOG about what has been happening, and it was eventually published on Wired [wired.com]. The full description of everything that has happened and how it happened can be found on my site at http://www.exstatica.net/hijacked/ [exstatica.net]. As for irc.vel.net, we have had our DNS returned, but irc.mzima.net appears to still be hijacked.
  • In other news (Score:1, Funny)

    by MonGuSE (798397) on Monday July 23, @06:55PM (#19963543)
    In other news, Red Hat has begun using ARP poisoning and TLD hijacking to remove the malicious and insecure Microsoft Windows installs. After all Windows installs are purged, there is expected to never ever be a future threat, and heavy-handed tactics will never be used again. Sometimes the cure is worse than the ailment.
  • This is a DNS hijacking. (Score:5, Funny)

    by woodchip (611770) on Monday July 23, @06:56PM (#19963551)
    OK DNS server, resolve me to .cu and nobody gets hurt.
  • In Pennsylvania, it sounds like it might fall under Theft of, or Diversion of Services. [aol.com]
  • Yes, it is the right way (Score:2, Interesting)

    by Anonymous Coward on Monday July 23, @06:58PM (#19963571)
    Politicians are more concerned with pampering the amok-running entertainment industry, providers are more concerned with keeping their pink contract customers, users are more concerned with getting cheap viagra and don't care about the number of botnets their computers are part of and law enforcement is chasing whoever is tagged with the kiddieporn or terrorism flag.

    If admins don't take it into their own hands, nobody is going to do anything.
  • IRC networks must police themselves (Score:2, Interesting)

    by Anonymous Coward on Monday July 23, @06:58PM (#19963573)
    Police thyself, or others will do the policing for you.
  • by Qzukk (229616) on Monday July 23, @07:01PM (#19963597)
    Then they came for IRC, and dammit, I use IRC, and if my ISP blocks it, it's a dealbreaker, even if I have to sue to cancel the contract.
  • TimeWarner != Cox (Score:3, Informative)

    by OverlordQ (264228) on Monday July 23, @07:01PM (#19963605)
    (Last Journal: Thursday February 15 2007, @08:00PM)
    While Cox used to use Time Warner's RoadRunner for their cable internet service, Cox's Internet offerings are In-House now.
  • If Time Warner was really concerned about it, wouldn't it be easier and more effective to use their virtual truck (TW Self Help) application to redirect the user's browser start page to a list of instructions, tools and a support number to clean up their system? I have seen several instances where they redirect users to a "disabled due to non-payment" type page...would a "Hey idiot, your computer is infected" page be that difficult?
    • by sqlrob (173498) on Monday July 23, @07:08PM (#19963685)
      Knowing them, yes, and probably not a good idea.

      A while back, I got a "your computer is infected" notice from them. I checked all my computers, the Windows ones with tools that weren't even available to the public at the time, and zero, zip, nada. Everything was clean, sniffs showed nothing out of place.

      Finally talked with someone with a clue, and they classified my SpamAssassin install as a DOS on their name servers because they were caching the negative responses from the various blacklists.
      • What??? (Score:5, Interesting)

        by bogie (31020) on Monday July 23, @07:48PM (#19963999)
        (Last Journal: Tuesday October 29 2002, @10:47AM)
        You mean you actually talked to someone in tech support who not only knew what a packet was but also looked up what was happening on their end at a technical level? How many drones did you have to speak to telling you to A)reboot or B)reinstall your machine? Did you use chicken blood or ox blood to perform this magic?
        • Re:What??? (Score:4, Informative)

          by Martin Blank (154261) on Monday July 23, @08:11PM (#19964177)
          (Last Journal: Tuesday November 26 2002, @07:28PM)
          Actually, if you can get past the first level of drones (and sometimes the second level, depending on the company), you'll talk to people who know not only what a packet is, but also can do actual troubleshooting on the modem connection and make some sense of it. I've experienced this with Comcast, Adelphia, and Time-Warner (it was completely absent, so far as I could tell, from MediaOne when they were around); in one case, I got a very thorough explanation of the problem as it related to head-end equipment and what needed to be done to fix it from the tech as she was entering it into the work order.

          The problem, of course, is that almost all users that call in don't need more than scripted hand-holding, and those of us that know what we're talking about call in and hit that wall, through which it can be very difficult to find an open window through which to crawl to find a knowledgeable person.
          • Re:What??? (Score:4, Informative)

            by DigiShaman (671371) on Monday July 23, @08:21PM (#19964251)
            (http://www.fred08.com/)
            Remember, the job of a TSR and CSR is among the jobs with the highest turn-over rate.

            The people that apply for (and get) these jobs fall into two main categories. The first is entry level. The second is highly skilled IT professionals who got laid off and need something to pay the bills until they find a better job. As such, you will get a nice mix of idiots and very brilliant staff manning the phone queue.
  • About time (Score:2, Insightful)

    by beefcake1942 (996262) on Monday July 23, @07:04PM (#19963649)
    Frankly, I think it's about time somebody started ACTING on the problems we face online. Botnets are a huge global issue, and we simply must do all that we can to stop them. Although I suppose this probably could be considered illegal (remotely installing software on somebody's PC without their authorisation breaks pretty much every anti-hacking law in the land), how else can we tackle these issues? Zombie PCs aren't going away any time soon, so more needs to be done. The only problem is as the OP originally stated - botnet control is moving away from IRC networks anyway, so this may also be a case of too little too late. What other methods can be used to help curb the botnet problem?
    • Re:About time (Score:5, Insightful)

      by CrazedWalrus (901897) on Monday July 23, @08:54PM (#19964503)
      (Last Journal: Sunday September 16, @11:18PM)

      I think this action is right-on. The parts of the equation missing are trust and accountability.

      We don't trust vigilantes, not because we don't agree with them, but because we don't trust them to always act in the greater good. Their future actions and motivations are unknowns. Since their identities may even be secret, there's no way to hold them accountable.

      Why are we ok with the police taking the same actions as a vigilante would take? Because of trust earned through accountability. To retask a familiar saying: "Put all your eggs in one basket and then watch that basket". That basket is the police, and we've put all our eggs in it. That means the public at large can watch the police, who are well-known and generally easy to spot. It means that internal controls can be set up, and rules of engagement can be put in place. We trust the police as much as we do because we know that, ultimately, they're under the control of the general public, who can exert pressure on them when they act badly. This is why we tend to put more trust in organizations, rather than individuals. Organizations are easier to censure.

      Understanding that, it's easy to see what the course of action needs to be. As much as we here at /. tend to have a love/hate relationship with authorities, I think one needs to be set up specifically to deal with these problems. They need to be given what power is necessary to deal with the problems like spam, trojans, botnets, whatever, but at the same time, they need to be directly accountable to the public in a similar manner to police forces. Legitimize the vigilante action by coupling it with accountability.

      I don't really know the specifics of setting up something like this, but I think using the police as a model would be the way to go. Rules and procedures, all the requisite bureaucracy, but also the ability to launch tactical "busts", "cyber" or otherwise. They'd need all the same approvals, warrants, etc. They'd have branches in all concerned countries, and would work through the legal systems in their home countries. In some countries, they might be a part of the police force, since much of the administrivia would be similar. Ultimately, I'd think CERT or something like it would be a good headquarters or parent organization for such a group.

      The point is that we've already worked this out in the "Real World". Applying it to The Internet shouldn't be a patent-worthy exercise. While I wish we didn't need government involvement, much of the authority required is the type of authority that only government can legitimately grant, such as the ability to seize equipment.

      I apologize that this isn't as eloquently described as I'd have liked, but I think the general idea is there. You may now proceed to flame me for advocating the Policing of the Intertubes, but ultimately, I think that's where we're headed.

  • Fair game (Score:2)

    by BubbaFett (47115) on Monday July 23, @07:04PM (#19963653)
    Anything goes on the Eris Free Network.
  • Another vote for OpenDNS! (Score:5, Insightful)

    So we can expect the next generation of malware to alter systems to use OpenDNS?

    Might make some systems a little more useful!

  • About Time Someone Tried Something (Score:2, Insightful)

    by Anonymous Coward on Monday July 23, @07:12PM (#19963711)
    Let's face it, the company with the most responsibility in the Botnet mess, Microsoft, has been sitting on their hands when it comes to dealing with the issue. Well, until they figured out they could make a buck at it.

    Botnets are used by organized crime for spam, stock scams and a host of other illegal activities. It's time someone did something...if only for the political effect.
  • The Right Way? (Score:5, Funny)

    by Kozar_The_Malignant (738483) on Monday July 23, @07:13PM (#19963725)

    >Is this the right way to handle the botnet problem?

    No. The right way involves castration with rusty linoleum knives, Turkish prisons, and rabid wolverines. If that doesn't work, we should quit being nice and get nasty with these folks. Seriously, this problem will not go away until people start doing some hard time, preferably with a cell mate who does not need Erct|le Member Help!

  • by Ant P. (974313) <anthony.parsons@manx.net> on Monday July 23, @07:14PM (#19963729)
    ...the sudden increase in irc proxy scanners hitting my server over the past week.

    Though I'm not sure what kind of explanation justifies doing that.
  • Wired found someone who approves of breaking the internet:

    Frankly, redirecting requests to malware sites, or IRC communication channels, to cleaner-sites sounds like a practical short term tactic to me. And if it raises awareness around the seriousness of the bot problem I'm all for it.

    Right, because the kind of people who might actually use IRC know nothing about botnets, and the kind of Windoze users who are part of the botnet care about IRC. This is just another attack on the free software community as outlined in the Halloween Documents.

    Once again, the ISP has punished the good guys for problems created by the bad guys. The root cause of the botnet is Windoze. Fixing it and raising awareness is as simple as cutting the problem computers off your network and telling their owners why. This is as it should be, and pretending otherwise props up third-rate software and threatens the stability of the net.

  • Their DNS Server... (Score:5, Insightful)

    by flyingfsck (986395) on Monday July 23, @07:28PM (#19963855)
    If I wish to black hole something on my DNS, it is my prerogative to do so. If someone else is using my server for free and complains about the shitty service, then I'll gladly refund his money...
  • Uhhhh.. see, I'm kind of the opinion that vigilante action is only bad if there are proper channels. There are none.

  • Personal freedom (Score:2)

    by flyingfsck (986395) on Monday July 23, @07:33PM (#19963893)
    only extends to where someone else's nose begins. If someone is harming your chattels, then you have the right to take appropriate action to limit the damage. I'd love to see a botnet operator sue Time Warner - "Judge it is not fair, they hit back first! Waaaaaahhhh..."
  • In the long run, not a great idea (Score:5, Insightful)

    by BertieBaggio (944287) * on Monday July 23, @07:48PM (#19964007)
    (http://roberthallam.com/)

    I have mod points, but I'd like to collectively reply to a few of the comments I see here. For those of you that are commending this act of vigilantism, stop and think - is this the most effective way to tackle the problem? The way I see it is that being a vigilante is akin to being involved in a constant game of whack-a-mole. The only problem is that when you start taking down bots (or even whole botnets), the people running them begin to realise that their current generation of malware isn't effective enough, and create something that is harder to detect. As the summary notes, we've already seen [slashdot.org] them trying to improve their resources. There was another post I saw on here that put it more eloquently, essentially saying: vigilantism only helps the bad guys work out where they need to improve.

    So how about instead of trying to fight a brushfire with an extinguisher, we get to the root of the problem and start educating users. Yes, that takes effort. I can't begin to count the hours I've spent trying to explain to folk why using an alternative browser (or OS or whatever) is a good idea, and what they should look for in a reputable site, and so on and so on ad nauseam. It's a slow process, but the more people that are aware of the risks - and more importantly, the reasons for the risks - the fewer potential 'marks' there are for all the script kiddeez, rooters and organised criminals out there.

    And for us on /. - less requests to fix the family computer when we visit at Christmas.

  • There are worse ways... (Score:1, Interesting)

    by Anonymous Coward on Monday July 23, @07:51PM (#19964031)
    I'm a student at Clemson University. After some problems with IRC-based badware 4-5 years ago, the University decided to block the default IRC port for students to try to help.

    Thing is, they never removed the block. And at a University, well, when someone does this, you're pretty much boned.

    (Yes, I know there are multiple ports on many IRC servers -- but not all of them.)
  • by Santavez (1132093) on Monday July 23, @08:00PM (#19964093)
    I think my network was the first full network hit, although FDF did have a singular server issue about a year ago and there were some smaller instances as much as two years ago. I've been keeping a collection of reports and information on a blog page found here: http://anthony.blogs.ablenet.org/time_warner_aol_roadrunner_and_verizon_kill_irc [ablenet.org] It started with TW/AOL and then Verizon and lastly Cox. At first I thought we were on a blacklist somewhere, but when that didn't check out, I was totally baffled!
  • Not perfect, but (Score:4, Interesting)

    by davmoo (63521) on Monday July 23, @08:06PM (#19964117)
    This isn't the perfect or ideal way to do things. But it's about damned time the ISPs did something.

    There is simply **NO** excuse for a bot to be running on any ISP for more than the time it takes to detect it pumping out massive volumes of email. My solution, as I've stated several times, would be to disconnect the offending computer, and then fire them off a snailmail letter stating that they will not be permitted back until their computer is disinfected. But since that would cost them customers, no one will do that.
  • This is really no different from when I used ISA Server to redirect ad sites to a benign company graphic that eliminated pop-up ads and cookies and quickened page loading times. Cox and other ISPs operate a private network up to the point they peer, and they are allowed to control the traffic on their network by using DNS seeding on their own servers to redirect client traffic from within their own network to another server on their own network. I'm sure some verbiage is buried in their terms of use policy, but if you object to their cleaning bots off of your systems, then police yourself or get a different ISP.
  • This has been going on for TWO years (Score:2, Informative)

    by Pap22 (1054324) on Monday July 23, @08:29PM (#19964305)
    http://secureme.blogspot.com/2005_06_01_archive.html/ [blogspot.com]

    Scroll down to the very bottom of that page. Notice the date.
  • about fucking time (Score:2)

    by timmarhy (659436) on Monday July 23, @08:35PM (#19964363)
    This might give us some brief reprieve. TimeWarner needed to do this to prevent their network getting banned in places; I already banned it from my mail servers. The botnetters will just use IP addresses next...
  • I'm of two minds (Score:2)

    by sjames (1099) on Monday July 23, @08:41PM (#19964425)
    (http://www.linuxlabs.com)

    I can easily understand the urge to disable as many bots as possible, particularly those that are making their network look bad.

    At the same time, they're blocking legitimate accesses to legitimate services without even notifying their users.

    I don't really mind that they're manipulating the machines given that they only affect owned machines.

    This does seem to be a vigilante action, but it's not as if "legitimate" law enforcement seems to have any interest at all in catching cyber-criminals even when they and victim are in the same jurisdiction unless, of course, the victim is a large corporation. Whenever legitimate law enforcement is absent, vigilantes tend to fill the vacuum.

  • Tortious Interference (Score:3, Interesting)

    by Spazmania (174582) on Monday July 23, @08:48PM (#19964461)
    (http://bill.herrin.us/)
    Is hijacking DNS legal?

    "Tortious interference" is part of English common law, roughly defined as the causing of harm by disrupting something that belongs to someone else. The original example was a guy who repeatedly drove ducks away from his neighbors' pond by firing a gun in the air on his own property.

    So no, it's not legal. But if you want to pursue it in court, you have only one of the weaker common-law torts to rely on.
  • TWC gives fairly cheap/fast cablemodems to some people here in NYC. Like $50:mo for 1Mbps/600Kbps up/down. Not bad, for the US.

    But their DNS really sucks. Every connection to the Net requires a slow DNS lookup. And several times a week, sometimes several times a day, DNS goes down, or really slow (>60s per lookup). These botnets aren't the culprit. It's a lame IT staff.

    $50:mo is a lot, on top of an additional $50:mo TV charge, plus what they get for "triple play" including phone service. And of course pay-per-view. In a city of 8M people, the large majority of whom subscribe, with really low per-dwelling costs because we're all living in such a small area with complete infrastructure. Oh, and they're a monopoly in a captive market at the center of the global media market.

    TWC should pay another $10M more a year to keep their DNS running like a greased snake. Including cleaning up the botnets that attack them, without making such a big deal about a minority of their problem.
  • by CherniyVolk (513591) on Monday July 23, @10:22PM (#19965149)

    First, as a person who owns and operates many networks, I would be rather annoyed that someone has hijacked one of my domains, for any purpose.

    To me, a domain name is the equivalent of a land deed; it's a piece of virtual real estate. It's a representation and label identifying a group of IP addresses which may or may not be associated with a physical device or service. If I have a problem with some other network, I attempt to contact the powers-that-be of the offending network, in good faith that they would be cooperative.

    Now, I assume many offensive networks out there might not cooperate, or might think that what their network is doing is either legal, moral, or of no harm. Well... I do admit, I block all of APNIC to my mail servers, though I do not service "customers" either. If I did, I would assume my customer demographic might include a need or desire for correspondence with those in APNIC, and permit the traffic. While I might, on case-by-case scenarios, filter a range of IPs known for SPAM or whatever, things I certainly wouldn't do are hijack a domain and, most disturbingly, attempt to execute code on a client's machine without direct consent for each instance, each time. Basically, what you're doing then is intentionally deceiving a computer system, breaking standards, breaking and entering said computer system, and influencing change which permanently alters HOW that computer operates. And, knowing the practices and the broad generalized sweeping tactics of Cox Communications (for example), I must say I do NOT trust what they MIGHT consider as "malicious" code to delete off my computer "at their whim".

    If this becomes "legal", then what's to stop Cox Communications (for example), from considering my MP3s as "malicious or of questionable origin" and on behalf of RIAA, delete my mp3s? How are they going to know?

    Now, on to San Diego Cox Communications. I agree that if you are on someone's network, you do what they say. However, as already implied above, if my intention is to provide "Internet Service", then I DO inherently forfeit some of that overall power. And Cox Cable blocking incoming and outgoing ports is really not within their moral obligation to do so. Nothing illegal about them doing it; no doubt some here might agree with them. But if I'm going to sell someone "Internet Service", as I have in the past, they get "Internet Service" in full. I don't want a parent above me, and most certainly, I should be allowed unaltered Internet Service from Cox Communications on request, against the default safeguards in place for the sake of the laymen.

    But, Cox Communications does NOT permit one to exercise all of the technologies available. They notoriously block ports, and muck with the traffic. Why? Who knows, and I don't mean to be elitist, but their explanations of some Windows worm really doesn't apply to my Linux box. Besides, if I was running Windows, I still wouldn't appreciate all the port blocking and crap. I'll handle that myself.

    As a result, I refuse to use Cox Cable or Time Warners Road Runner services. (Aside from the fact I'm banned from San Diego Cox Cable's network for running VPN clouds on their network, among other things like DoS'ing everyone on my subnet to boost my download speeds...), I warmly welcome other high-speed services that do NOT play parenthood. Sadly, one practically has to purchase a "Business" line instead of a "Home" connection. So, that's in fact what I have so if I want to launch my own webserver/mailserver, SQL Server or whatever, it's simply a matter of just configuring and launching the daemon.

    In short, I feel hijacking is wrong. And I feel that people should not use Cox Cable, as they are the "AOL" of today anyway. Such actions are so typical of Cox Cable... it's truly ridiculous.
  • Hey! (Score:1)

    by akkarin (1117245) on Monday July 23, @10:34PM (#19965231)
    I'm all for fighting the botnet problem, but is DNS hijacking the way to fight them? Customers of any ISP should be able to feel confident that, when they enter in slashdot.org, they get the IP for Slashdot, and not for a BADBOTBAD channel!

    Instead, why don't they invest in a technology that will keep an eye out for spam like activity (e.g. Port 23 monitoring), and advise customers when they feel they have been compromised?
  • Killing Fly with a Bazooka (Score:5, Interesting)

    by madsheep (984404) on Monday July 23, @11:05PM (#19965473)
    (http://www.securityzone.org/)
    Well, as some have pointed out, you can use other DNS servers. However, many people don't have the time/knowledge/need to mess with this, and they really shouldn't have to. Messing with DNS for these purposes is a questionable activity. However, especially in the case of EFNet servers, I find this especially strange. EFNet does have some botnets that end up with them, but they are very few and far between.. and small in nature. These things are taken down pretty rapidly on EFNet, and that's part of the reason they're not used frequently. DALnet -- a whole other story. There are tons of active botnets there now. EFNet is definitely much smaller in scale in terms of the number, the size, and the lifespan. This is pretty sad. Redirecting a hacked server being used by an IRCD is one thing. Doing it to selected IRCDs on a huge *legit* network.. that's a whole other story.
  • Transcript of IRC (Score:4, Informative)

    by simpleguy (5686) on Tuesday July 24, @12:53AM (#19966019)
    (http://www.tuxlab.mu/)
    [ simple1 @ saturn ] ~ $ dig @ns1.dc.cox.net irc.mzima.net
    irc.mzima.net. 300 IN A 70.168.70.4

    Connecting to 70.168.70.4 (70.168.70.4) port 6667.

    [JOIN] You are now talking on #martian_
    [MODE] localhost.localdomain sets mode +n #martian_
    [MODE] localhost.localdomain sets mode +t #martian_
    [TOPIC] Topic for #martian_ is .bot.remove
    [TOPIC] Topic for #martian_ set by Marvin_ at Tue Jul 24 09:48:56 2007
    [TOPIC] Topic for #martian_ is .remove
    [TOPIC] Topic for #martian_ set by Marvin_ at Tue Jul 24 09:48:56 2007
    [TOPIC] Topic for #martian_ is .uninstall
    [TOPIC] Topic for #martian_ set by Marvin_ at Tue Jul 24 09:48:56 2007
    [TOPIC] Topic for #martian_ is !bot.remove
    [TOPIC] Topic for #martian_ set by Marvin_ at Tue Jul 24 09:48:56 2007
    [TOPIC] Topic for #martian_ is !remove
    [TOPIC] Topic for #martian_ set by Marvin_ at Tue Jul 24 09:48:56 2007
    [TOPIC] Topic for #martian_ is !uninstall
    [TOPIC] Topic for #martian_ set by Marvin_ at Tue Jul 24 09:48:56 2007
    .bot.remove
    .remove
    .uninstall
    !bot.remove
    !remove
    !uninstall

    That's it.

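    As an added example (not code from the thread, nor from Cox, TimeWarner or any IRC network named in it): a stdlib-only Python check that asks two resolvers for the same name and flags when their A records disagree, which is how a user or admin would notice a redirection like the one the dig output above shows. The packet SAMPLE_RESPONSE is constructed from that dig line; the resolver addresses are assumptions supplied on the command line.

```python
"""Compare the A records two resolvers return for one hostname.

Added example, not from the Slashdot thread. A DNS query is built and the
response parsed by hand so the parser can also be exercised offline on a
constructed packet. If the ISP resolver's answer set differs from a reference
resolver's, the lookup may be redirected locally rather than reflecting the
zone's authoritative data.
"""
import socket
import struct
import sys
from typing import List


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a standard recursive A/IN query for `name`."""
    # flags 0x0100 = recursion desired; one question, no other records
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(struct.pack("!B", len(label)) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def parse_a_records(msg: bytes) -> List[str]:
    """Extract the IPv4 addresses from the answer section of a DNS response."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x8000 == 0:
        raise ValueError("not a DNS response")
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4   # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A record, class IN
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return sorted(addrs)


def resolve(name: str, resolver_ip: str, timeout: float = 3.0) -> List[str]:
    """Send the query over UDP to one resolver and return its A records."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (resolver_ip, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_records(data)


def diverges(isp_answer: List[str], reference_answer: List[str]) -> bool:
    """True when the two resolvers disagree on the address set for the name."""
    return set(isp_answer) != set(reference_answer)


# Constructed response packet encoding the reply shown in the thread,
# "irc.mzima.net. 300 IN A 70.168.70.4", with the answer name given as a
# compression pointer (0xc00c) back to the question name at offset 12.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + b"\x03irc\x05mzima\x03net\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
    + socket.inet_aton("70.168.70.4")
)


if __name__ == "__main__":
    # usage: python resolver_check.py <name> <isp_resolver_ip> <reference_resolver_ip>
    # (resolver addresses are assumptions; none are taken from the thread)
    if len(sys.argv) != 4:
        sys.exit("usage: resolver_check.py NAME ISP_RESOLVER REFERENCE_RESOLVER")
    host, isp, ref = sys.argv[1:]
    isp_ips, ref_ips = resolve(host, isp), resolve(host, ref)
    print(f"{isp}: {isp_ips}")
    print(f"{ref}: {ref_ips}")
    print("DIVERGENT" if diverges(isp_ips, ref_ips) else "consistent")
```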
  • This is bad....*how*? (Score:2, Funny)

    by IonOtter (629215) on Tuesday July 24, @01:48AM (#19966269)
    (http://ionotter.livejournal.com/)
    TWC: "Sir, you have an IRC bot on your machine that's making DDoS attacks."

    Majority Computer User: "'IRC'? I'm seeing who??? Who am I seeing and when? Why am I seeing them? What're you talking about?!? Am I being charged for this?!? OMG, did Billy download music or movies or something?!? Oh Jesus Christ I'm going to kill that brat! Oh God, did you report me?!? I'm going to jail, aren't I?!?"

    TWC: (sweatdrop)

    So. Explain to me how castrating bots without disturbing or distressing the vast and overwhelming majority of computer users is a bad thing?

  • The Golden Rule (Score:3, Informative)

    by BillGatesLoveChild (1046184) on Tuesday July 24, @02:22AM (#19966415)
    (Last Journal: Thursday August 30, @10:31PM)
    OP asks "Is this the right way to handle the botnet problem? Is hijacking DNS legal?"

    A good question. Let me check for you.... Hang on... looking up Time Warner's Bank Balance. Uh huh... HOLY COW!

    In answer to your question, yes, DNS hijacking is most definitely legal.
  • by Esion Modnar (632431) on Tuesday July 24, @05:10AM (#19967159)
    ...you've been looking for.
  • by GodCandy (1132301) on Tuesday July 24, @08:07AM (#19968399)
    I can see both sides of this. On one hand you have the individuals who could consider this an invasion of privacy, as the cable companies are making changes to the way your system operates. However, I can also see where the cable companies come from. They are paying for bandwidth to send out junk from these botnets that are running on your grandmother's machine, and clearly grandma has no clue that the computer is doing anything wrong. I think a different approach could have been taken, such as creating a list of potentially infected clients, contacting them via e-mail and informing them of what was going to happen days ahead, and allowing them to remove themselves from this filtering. It would have been a pain for the cable company but could have been done.

    Personally I am happy to see someone doing something to help ease the traffic of these botnets. I run a small mail server for our company with about 30 users and we receive over 2000 pieces of "spam" each day. We only usually receive 100 +/- real e-mails. Thus 95% of our e-mail is "spam" and I would guess that a vast majority of that is created by botnets. I think that more people should take the time to look for these networks and try to slow their traffic. I would hope that every network administrator is taking some time out of his busy day to capture traffic from his network and see where potential security risks are within his domain.
  • This is the ISPs fault (Score:3, Informative)

    by humankind (704050) on Tuesday July 24, @09:36AM (#19969411)
    (Last Journal: Wednesday November 05 2003, @03:12AM)
    I find it ironic that Time Warner is going at this from the wrong end of the problem. If they filtered port 25 traffic from broadband DUL space, the spammers wouldn't be interested in invading their customers' machines. It's almost always about spam. The fact that most of these ISPs do little to stop their customers' machines from being zombied, or anything to reduce the viability of them being exploited, shows how much they really care about the customers. All broadband ISPs should now be filtering SMTP traffic on their networks. Anyone that wants to run their own mail server can set up alternate ports and use special IP space designated for SMTP traffic. This would make the botnets obsolete.
  • Whilst I can understand the blight of bots we are seeing out there, can we ever justify an implementation that effectively lies to users? In my mind this produces a lack of trust between ISPs and their users, although the trust that is there is minimal anyway.

    I am glad to see something highlighting the issues that face ISPs but this isn't the way to solve botnets.
  • by NickDngr (561211) * on Tuesday July 24, @02:14PM (#19973791)
    (Last Journal: Friday October 17 2003, @11:03AM)
    Did the summary writer read the article? Did the editor? Cox is NOT Time Warner.
  • by chachacha (833677) on Tuesday July 24, @03:03PM (#19974523)
    in that they are conducting their vigilante justice in public spaces. The problem is that there doesn't exist a governing body with enough clout, knowledge of the subject and power to enforce any fair use of what amounts to a public resource. Hijacking a hijacker's own car doesn't clear the streets of the problem - if anything it enforces the notion that it's a viable way to get attention and/or address a grievance.
  • DNS hijacking (Score:1)

    by midwestnets (1117847) on Tuesday July 24, @08:21PM (#19978291)
    The only legitimate users who would cry their eyes out on this one are people with the ability to use an upstream DNS server anyway. This is a non-issue.
  • by n6kuy (172098) on Tuesday July 24, @09:53PM (#19978945)
    (http://mesamike.org/)
    .. I expect to see Spam drop by 80% almost immediately.

    I'll even hold my breath until it happens!

  • ---AFT (About Fyucking Time) Defense/Offense Corporatist attack a real enemy of US. They (Corporations/associations/laws... RIAA, MPAA, DMCA ...) have been using the law to spy on and attack citizens......

    Wow. That is one hell of a rant. Too bad it's just full of sticking points towards every group you hate. That adds nothing.

    ---If you want to win you must always be on the offense. Offense or Defense will always win a battle, but only offense can win the war.

    Your key supposition is this.

    What is winning to Time-Warner? They wish to make money.

    Can attacking lead to elimination of threat? Yes, it can.

    Can attacking lead to more money lost due to unforeseen complications? Yes, it can.

    What is the percentage that is lost? It is a great percentage. Why? Because IP addresses are not checked to verify whether source/destination are correct.

    If the majority of companies went to 1st strike like what you wish, then I, as one person, could imitate a rival company and engage the two in a cyberwar. If you don't understand this, I am simply blending in the prisoner's dilemma and the tragedy of the commons.

    That's probably why you were -1'ed.
  • Re:crackz.ws dns (Score:3, Informative)

    by Technician (215283) on Monday July 23, @09:33PM (#19964799)
    it redirects to a "Scam Blocked" page...

    If you don't like the Cox DNS results, feel free to put another DNS server in your router or computer. Switch from dynamic DNS to static DNS and use some of the public DNS servers.

    Here is a good place to start..
    http://www.opennic.unrated.net/public_servers.html [unrated.net]
  • Treacherous Computing (Score:4, Interesting)

    by Dr_Barnowl (709838) on Tuesday July 24, @04:20AM (#19966919)
    Yes, the solution you propose is possible, and indeed, in progress.

    You've probably seen something similar when you have to install an ActiveX control in IE (for a bank, or Windows Update). It asks i) if you'd like to install it and ii) If you'd like to trust the publisher in the future.

    The binary is cryptographically signed which assures the computer that it is a product of the authorised holder of a particular crypto key. MS already uses this scheme for device drivers on 64-bit versions of Vista - at present, it can be disabled by a technically oriented user, but there's no guarantee that ability will persist.

    The downside is twofold - firstly, for this measure to have any teeth, you have to remove the ability of the user to ignore it. Secondly, it provokes ideas like Microsoft's "Trusted Computing" initiative (aka "Palladium"), which hands over full control of your computer to a short list of people who know the secret keys embedded in your motherboard. The main motivator for requiring signed drivers in Vista is to prevent the loading of things like virtual devices which can be used to capture perfect digital copies of DRM-protected media. A secondary consideration is quality assurance.

    http://www.gnu.org/philosophy/can-you-trust.html [gnu.org]

    At some point it is inevitable that MS operating systems will produce an API that permits calling programs to determine the presence of unsigned drivers or software, and refuse to perform certain functions (like playback of DRMed media). Heck, this shouldn't be hard to implement right now with a little effort. With TP, because the only trusted root certificates will be stored in inaccessible firmware, there will be no way for the user to sign drivers himself and mark them as trusted. Therefore MS (and anyone they care about pleasing) will be in control of what your computer can or cannot do.