Paul Vixie: 100,000 DSL Modems May Lose Their DNS On July 9
Dante_J writes "Up to 100,000 DSL modems may lose access to DNS come July the 9th, due to scripted web interface changes made to them by DNSChanger. This and other disturbing details were raised by respected Internet elder Paul Vixie during a presentation at the AusCERT 2012 conference."
Why not warn them? (Score:5, Insightful)
Why don't they just start redirecting web users to a warning page explaining the situation to them at some point before the cut off date?
Re:8.8.8.8 (Score:2, Insightful)
Sure, then Google can see every web site, service, anything that you use, even when not using their search. Great idea!
Re:8.8.8.8 (Score:5, Insightful)
I would worry more about your ISP being forced to cache (for 2 years) all the same information for the government or their employers to use than Google using your habits to form better directed ads.
http://www.capitol.hawaii.gov/measure_indiv.aspx?billtype=HB&billnumber=2288 [hawaii.gov]
all it takes is this legislation to gain footing in a few states, then the rest start caving.
Google watching you really should be the least of your online privacy worries.
Scripted changes (Score:4, Insightful)
I'm not sure I understand the problem...
Did this malware hit the DSL modem web-config page from the Internet to change its DNS settings?
Or is this Windows malware that, once infecting a PC on the LAN, used that PC to hit the web-config page?
One would assume the web-server in the DSL modem doesn't answer on the public interface or IP, but clearly they fucked up the security to start with so that's not an assumption I want to make.
If this malware hit it from the Internet, then it would be trivial for the ISP to do the same exact thing to put the settings back.
The ISP even has legit and legal access to their customer premise equipment, so it wouldn't be illegal or labeled as "hacking" in that case.
Even if the modem web-config only answers to the LAN IP, and it was an infected Windows box that automatically reconfigured the router... wouldn't there be a password of some sort?
And why don't the ISPs maintain a "maintenance" subnet where they CAN access the DSL modem?
All the ISP needs to do is add a route to their core routers for the old DNS server IPs that will be going down soon, and redirect those packets to their internal DNS servers.
Failing that, the ISP can log any customers that access the hijacked DNS IPs, build up a list, and mail out a letter to them postal style. If they don't read their ISP's snail-mail, then they deserve whatever outage they get.
Believe me, once service goes down, they WILL be calling the ISP. I can understand wanting to lessen the massive amounts of calls they are expecting on the 9th, but in order to lessen that flood they will need to do Something. Anything. Anything except the nothing they seem to be doing.
Just set up a web site with all the info they need, which can be accessed with an IP alone. Give that to them on the phone. Include both the address and IP in the snail mail letter.
Hell, at that point the ISP can include a link that when clicked will connect to the internal IP of the router and submit new DNS settings in the GET request. A small amount of JavaScript will handle if a POST is needed.
There is clearly no password on the web interface to deal with, or they wouldn't have this problem from the malware in the first place, so this should be trivial to fix semi-automated, and likely totally automated with a bit more work.
This sounds more like laziness and ineptness rather than any technical reason for fixing the problem.
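The "log any customers that access the hijacked DNS IPs, build up a list" step from the post above, as an added example that is not part of the thread: a small Python script that reads flow records of the kind an ISP's edge routers export, keeps only DNS traffic (port 53) whose destination falls in a set of rogue resolver prefixes, and produces the per-customer list to notify. The rogue prefixes (TEST-NET ranges) and the flow lines are constructed placeholders, not the real DNSChanger resolver addresses, and the record layout is an assumption; substitute the prefixes and the parser for whatever the collector actually emits.

```python
"""Find subscribers still sending DNS queries to rogue resolvers.

Added example (not from the Slashdot thread): given flow records
exported by an ISP's edge routers, list the customer IPs whose DNS
traffic goes to known rogue resolver prefixes so the ISP can notify
them before the resolvers are switched off.  The rogue prefixes and
the flow lines below are constructed placeholders, not real IoCs.
"""
import ipaddress
from collections import defaultdict

# Constructed placeholder prefixes standing in for the rogue resolver ranges.
ROGUE_DNS_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),   # TEST-NET-3, placeholder
    ipaddress.ip_network("198.51.100.0/24"),  # TEST-NET-2, placeholder
]

# Constructed flow records (assumed layout): ts src_ip src_port dst_ip dst_port proto
SAMPLE_FLOWS = """\
2012-07-01T10:00:01 192.0.2.10 51234 203.0.113.5 53 udp
2012-07-01T10:00:02 192.0.2.10 51235 203.0.113.5 53 udp
2012-07-01T10:00:03 192.0.2.11 40000 8.8.8.8 53 udp
2012-07-01T10:00:04 192.0.2.12 40001 198.51.100.9 53 tcp
2012-07-01T10:00:05 192.0.2.13 40002 203.0.113.7 80 tcp
malformed line here
""".splitlines()


def parse_flow(line):
    """Parse one whitespace-separated flow record; return None if malformed."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src, sport, dst, dport, proto = parts
    try:
        return {
            "ts": ts,
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "dport": int(dport),
            "proto": proto.lower(),
        }
    except ValueError:
        return None


def is_rogue_dns(flow, prefixes=ROGUE_DNS_PREFIXES):
    """True when the flow is DNS (port 53, udp or tcp) to a rogue prefix."""
    if flow["dport"] != 53 or flow["proto"] not in ("udp", "tcp"):
        return False
    return any(flow["dst"] in net for net in prefixes)


def affected_clients(lines, prefixes=ROGUE_DNS_PREFIXES):
    """Map each client IP (as str) to the rogue resolvers it queried and a hit count."""
    hits = defaultdict(lambda: {"resolvers": set(), "queries": 0})
    for line in lines:
        flow = parse_flow(line)
        if flow is None or not is_rogue_dns(flow, prefixes):
            continue
        entry = hits[str(flow["src"])]
        entry["resolvers"].add(str(flow["dst"]))
        entry["queries"] += 1
    return dict(hits)


def notification_list(lines, prefixes=ROGUE_DNS_PREFIXES):
    """Sorted list of client IPs to contact (the "build up a list" step)."""
    return sorted(affected_clients(lines, prefixes), key=ipaddress.ip_address)


if __name__ == "__main__":
    for client, info in sorted(affected_clients(SAMPLE_FLOWS).items()):
        print(f"{client}: {info['queries']} queries to {sorted(info['resolvers'])}")
```

Matching on destination prefix plus port 53 rather than on a single address keeps the list stable if the rogue operators spread resolvers across a range, and counting queries per client lets the ISP prioritise the customers who are entirely dependent on the rogue resolvers over ones that hit them once.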
Re:Why not warn them? (Score:5, Insightful)
Because they would probably do what they do any other time something complicated appears on the screen: click OK and get back to searching for pr0n.
They couldn't if their DNS doesn't return anything but the warning page.
You would be amazed how many times some people would click the OK button before giving up and either telling everyone the Internet isn't working, or calling and screaming at their OS platform support until redirected to their ISP, and then calling their browser support instead and screaming at them. It's incredible the lengths to which some people will go to avoid reading what's on their effing screen..
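The idea in this exchange, a resolver whose "DNS doesn't return anything but the warning page", as an added example that is not part of the thread: a minimal walled-garden DNS responder in Python that parses an incoming query and answers every A/IN question with the address of a warning page, returning an empty (NODATA) answer for other record types. The warning-page address 192.0.2.80 and the local port 5353 are constructed placeholders; in practice the ISP would route the rogue resolver addresses to a host running something like this, as the "Scripted changes" post suggests.

```python
"""Minimal "walled garden" DNS responder.

Added example, not part of the thread: a resolver that answers every
A query with the address of a warning page, so a subscriber whose
modem points at it sees the notice instead of a dead resolver.  The
warning-page address and port below are constructed placeholders.
"""
import socket
import struct

WARNING_PAGE_IP = "192.0.2.80"   # constructed placeholder
QTYPE_A, QCLASS_IN = 1, 1
TTL = 60                         # short, so the real fix takes effect quickly


def encode_name(name):
    """Encode a dotted hostname as DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(packet, offset):
    """Decode an uncompressed name at offset; return (name, offset past it)."""
    labels = []
    while True:
        length = packet[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        offset += 1
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length


def build_query(name, qtype=QTYPE_A, txid=0x1234):
    """Build a standard recursive query packet (used to exercise the responder)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_query(packet):
    """Return (txid, qname, qtype, qclass, question_section) or raise ValueError."""
    if len(packet) < 12:
        raise ValueError("truncated header")
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question query")
    qname, off = decode_name(packet, 12)
    if len(packet) < off + 4:
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", packet[off:off + 4])
    return txid, qname, qtype, qclass, packet[12:off + 4]


def build_response(packet, warning_ip=WARNING_PAGE_IP):
    """Answer A/IN queries with warning_ip; answer everything else with NODATA."""
    txid, qname, qtype, qclass, question = parse_query(packet)
    answers, ancount = b"", 0
    if qtype == QTYPE_A and qclass == QCLASS_IN:
        # 0xC00C is a compression pointer back to the name in the question (offset 12)
        rr = b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, TTL, 4)
        answers, ancount = rr + socket.inet_aton(warning_ip), 1
    # flags 0x8580: QR, AA, RD, RA set; rcode NOERROR
    header = struct.pack("!HHHHHH", txid, 0x8580, 1, ancount, 0, 0)
    return header + question + answers


def answer_ip(response):
    """Extract the A record address from a response built above, or None."""
    ancount = struct.unpack("!H", response[6:8])[0]
    if ancount == 0:
        return None
    _, off = decode_name(response, 12)
    off += 4            # skip qtype/qclass of the question
    off += 2 + 2 + 2 + 4 + 2   # name pointer, type, class, ttl, rdlength
    return socket.inet_ntoa(response[off:off + 4])


def serve(bind=("127.0.0.1", 5353)):
    """Run the responder on a local UDP port (unprivileged port for demonstration)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(bind)
    while True:
        data, peer = sock.recvfrom(512)
        try:
            sock.sendto(build_response(data), peer)
        except ValueError:
            continue  # drop malformed packets rather than crash


if __name__ == "__main__":
    serve()
```

Run it and point a client at 127.0.0.1 port 5353 to see every hostname resolve to the placeholder address; any HTTP request then lands on the warning page. The short TTL matters: once the customer repairs the modem's DNS settings, cached answers for the warning address expire within a minute.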
Re:8.8.8.8 (Score:5, Insightful)
These days? I would bet more than 50% by traffic probably A LOT more by traffic...
Do you think Comcast, Time Warner, Cox, AT&T (SBC), Bright House, Verizon etc... aren't? What percentage of DNS services do they provide?
Even if they don't use it directly many of them are selling it to someone who does.
This is a trivial number (Score:5, Insightful)
Even if there has been no growth in DSL usage, 100,000 modems represents 0.3% of all DSL users.
BUT, this 100,000 number is worldwide modems that have been compromised. That makes the actual percentage of modems affected so small that it hardly seems worth the time to calculate it.
Turn the "bad" DNS off, and most tech support lines will not even notice the increase in support calls.
Re:8.8.8.8 (Score:4, Insightful)
Great, so go ahead and set up fully tunneled point to point VPN communications from your home to $somewhere_else. I'm really not kidding; you're completely free to implement this. However, if you're operating at that level of paranoia, make sure you're operating your own DC, with your own fiber, etc. Then of course that upstream provider could still sniff your traffic, so make sure everything is encrypted, ad infinitum. Have fun with all that.