Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Security Networking The Internet Technology

Paul Vixie: 100,000 DSL Modems May Lose Their DNS On July 9 193

Dante_J writes "Up to 100,000 DSL modems may lose access to DNS come July the 9th, due to scripted web interface changes made to them by DNSChanger. This and other disturbing details were raised by respected Internet elder Paul Vixie during a presentation at the AusCERT 2012 conference."
This discussion has been archived. No new comments can be posted.

Paul Vixie: 100,000 DSL Modems May Lose Their DNS On July 9

Comments Filter:
  • Comment removed (Score:5, Informative)

    by account_deleted ( 4530225 ) on Thursday May 17, 2012 @03:01PM (#40032505)
    Comment removed based on user account deletion
    • Re: (Score:2, Insightful)

      by Anonymous Coward

      Sure, then Google can see every web site, service, anything that you use, even when not using their search. Great idea!

      • Re:8.8.8.8 (Score:5, Informative)

        by philip.paradis ( 2580427 ) on Thursday May 17, 2012 @03:17PM (#40032753)

        Any DNS provider you use can do the same thing. If you don't like this, feel free to operate your own resolvers.

        • by bws111 ( 1216812 )

          How many DNS providers (usually your ISP) have business models that depend on knowing as much about people as they possibly can?

          • Re:8.8.8.8 (Score:5, Insightful)

            by Lifyre ( 960576 ) on Thursday May 17, 2012 @03:45PM (#40033211)

            These days? I would bet more than 50% by traffic probably A LOT more by traffic...

            Do you think Comcast, Time Warner, Cox, AT&T (SBC), Bright House, Verizon etc... aren't? What percentage of DNS services do they provide?

            Even if they don't use it directly many of them are selling it to someone who does.

        • Re: (Score:2, Interesting)

          by Anonymous Coward

          feel free to operate your own resolvers

          I do. It's easy. [unbound.net]

        • by mcavic ( 2007672 )

          feel free to operate your own resolvers

          Your ISP can still sniff your traffic.

          • Re:8.8.8.8 (Score:4, Informative)

            by PReDiToR ( 687141 ) on Thursday May 17, 2012 @04:22PM (#40033885) Homepage Journal
            If this bothers you, or anyone else, try to use https and secure connections wherever possible.
            This means that without some directed effort on the part of your ISP (MITM/brute force) all your ISP knows is which site you visit, not the contents of your conversation with the servers.

            HTTPS-Everywhere [eff.org] helps.
          • Re:8.8.8.8 (Score:4, Insightful)

            by philip.paradis ( 2580427 ) on Thursday May 17, 2012 @04:36PM (#40034117)

            Great, so go ahead and set up fully tunneled point to point VPN communications from your home to $somewhere_else. I'm really not kidding; you're completely free to implement this. However, if you're operating at that level of paranoia, make sure you're operating your own DC, with your own fiber, etc. Then of course that upstream provider could still sniff your traffic, so make sure everything is encrypted, ad infinitum. Have fun with all that.

            • by mcavic ( 2007672 )
              I'm not worried, just pointing out that there's no absolute security. VPN connections are very handy for several reasons if you have the means.
            • You realize you've just described the basic architecture of TOR, right?
        • meh ... sudo apt-get install bind9
          • Yep, that also takes setting the DHCP server to relay the correct DNS server (the machine you just installed bind).

      • Re:8.8.8.8 (Score:5, Insightful)

        by foradoxium ( 2446368 ) on Thursday May 17, 2012 @03:21PM (#40032813)

        I would worry more about your ISP being forced to cache (for 2 years) all the same information for the government or their employers to use then google using your habits to form better directed ads..

        http://www.capitol.hawaii.gov/measure_indiv.aspx?billtype=HB&billnumber=2288 [hawaii.gov]

        all it takes is this legislation to gain footing in a few states, then the rest start caving.

        Google watching you really should be the least of your online privacy worries..

    • If DNS changer redirects gov.au then I could be looking at the look-alike DNS changer checker telling me all is fine? They should have listed this as an IP address.
      My computer says it is 165.191.2.65 Is that what yours says?

    • Yeah but do the mums and dads know about it? We already know that the /. crowd will find a way to fix the problem.

  • Why not warn them? (Score:5, Insightful)

    by l_bratch ( 865693 ) <luke@bratch.co.uk> on Thursday May 17, 2012 @03:01PM (#40032513) Homepage

    Why don't they just start redirecting web users to a warning page explaining the situation to them at some point before the cut off date?

    • by jeffmeden ( 135043 ) on Thursday May 17, 2012 @03:02PM (#40032539) Homepage Journal

      Because they would probably do what they do any other time something complicated appears on the screen: click OK and get back to searching for pr0n.

    • Why warn them at all? If they can't be bothered to keep their equipment in good working condition, which means free of malware, the rest of the internet doesn't need them polluting the waters.

      We don't let people drive cars on public roads that risk the safety of the other drivers. Why should we put up with an infected virus-spewing computer?

      • I see your argument, but they could do it purely to reduce the burden for all these clueless user's tech support people. Whether you like it or not, they are going to want their "internet" fixed...

        • by n5vb ( 587569 ) on Thursday May 17, 2012 @03:35PM (#40033015)

          There are some people who will call tech support whether they get a warning or not. Usually the wrong support, and usually to unload a half hour of angry rants that do absolutely nothing to fix the problem. If there's any reading involved beyond about the 2nd-3rd grade level, they'll ignore warning dialogs and just call and complain. This is a constant in the tech support universe.

          (And I still have to laugh when people tell me their internet isn't working but they can send and receive email..)

      • (A) Not every jurisdiction enforces very much in the way of vehicle safety and emissions inspection laws, so your "We don't" is unsupportably broad. I could certainly agree with a more factually accurate phrase like "We shouldn't", but that's not very good reinforcement for your absolutist position. Sorry.

        (B) Speaking of inspections, are you advocating for public safety inspections of online computing assets? It sure sounds like it. And if so, by whom and using what criteria, and very specifically how do yo

        • by n5vb ( 587569 ) on Thursday May 17, 2012 @03:38PM (#40033081)

          I'm still in favor of the big red button with a clearly worded warning on it that says it will render the computer unusable and/or void the warranty if pressed. The people who read instructions and warnings and in general have some clue what they're doing will leave it alone and get years of service out of the computer; the ones who just poke and click at things totally at random when things don't do what they expect get what they deserve...

          • C'mon, you know it's inevitable.

            How can he possibly resist the maddening urge to eradicate [his computer] at the mere push of a single button? The beautiful, shiny button? The jolly, candy-like button? Will he hold out, folks? Can he hold out?

        • by plover ( 150551 ) *

          You're making a lot of stuff up to fill in gaps in what I didn't bother typing.

          I'm simply saying that if they can't be arsed to fix their crappy virus laden computers today, why should I care if taking down a malware-stand-in DNS server leaves them hanging without a working name server tomorrow? It's. Not. My. Problem.

          What my bad car analogy was referring to is that cops don't perform car inspections today, but they will pull you over and tag you if your bumper is dragging behind you on the freeway, or if

      • by OrangeTide ( 124937 ) on Thursday May 17, 2012 @03:23PM (#40032841) Homepage Journal

        "We don't let people drive cars on public roads that risk the safety of the other drivers."

        Is that really true? I'm having difficulty believing that.

        I think a better car analogy is:

        "We imprison people for drunk driving, because it is a felony, unless they are Senators. Why not imprison people who spew viruses and malware too? (unless it's the NSA or RIAA)"

        • "We don't let people drive cars on public roads that risk the safety of the other drivers."

          Is that really true? I'm having difficulty believing that.

          Why is it hard to believe? In the US, at least, it's completely true; you can be ticketed for driving an unsafe car. Most states also have a regular safety inspection requirement. Here in Virginia, a car must get a safety inspection yearly and a car that does not have a valid inspection sticker (which displays the expiration date in big bold numbers) is not

      • by Jeng ( 926980 )

        If it was at all hard to warn them I would see your point, but warning them is so trivial that there is no reason not to do it.

        Even with the warning though it ain't going to change anything. It will probably just freak them out.

        • But if the warning comes with a nice download link to fix the problem, that they can just click and make it all go away...

          No, wait. Prior art. [wikipedia.org] The bad guys have already beat us to it.

          I guess the only responsible thing we can do is freak them out and then disconnect 'em and put 'em out of our misery.

      • by lgw ( 121541 )

        You must seriously not have anyone who turns to you for tech support who has the ability to make you miserable if she, err, they want to.

        Not to mention, this isn't about infected computers, but infected DSL modems, and how sure are you about yours, again? Or about whatever sits between the no-doubt-godlike-perfection of your PC and the DNS server? I seriosly don't want to have to care about policing parts like that.

      • by Lumpy ( 12016 )

        "We don't let people drive cars on public roads that risk the safety of the other drivers."

        you must not drive much. Here in Michigan out roads are full of complete morons that cant drive without being a risk to others.

    • by bws111 ( 1216812 )

      I think that is an awful idea. The last thing you want to do is train people that it is OK, under any circumstances, to do what an unexpected or unsolicited web page says. That is, after all, exactly how scareware winds up getting installed.

      The best thing to do is let them fail, and gear up the help desks to be ready with the onslaught of calls.

    • opendns [opendns.com] is doing that but I think it's limited to websites hosted on cloudflare that enabled this warning so probably not many
    • Because http isn't the only thing that uses DNS? We got pissed when a certain DNS authority redirected bad lookups to their own search engine for the same reason. The ISPs could take note of which customers are hitting the temporary servers and let them know. Some ISPs are quietly redirecting the lookups to their own server.

      • Sure, it's bad if the ISP does it on their own DNS servers, but these are some criminal's servers that have been seized. Are those things really equivalent?

        Of course HTTP isn't the only DNS user, but you can't pretend that this won't inform the overwhelming majority of users. They obviously use HTTP a lot.

        Every single ISP doing traffic inspection or redirection seems like a lot more work than just doing this at the source.

        I'm not advocating false DNS results from ISP's servers or treating other protocols

  • Captain Obvious (Score:2, Interesting)

    by stretch0611 ( 603238 )

    The FBI has control of the DNS servers. Why can't they just resolve every address to point to a webserver instructing people how to fix their DNS settings?

    • Surely there are options on the table. However, the fact that Vixie concluded that "these will be very difficult to re-program" when a group of Estonian hackers managed to do it through a completely illegitimate virus, completely remotely, is troubling. Something about the process must have been irreversible otherwise a simple "undo" page distributed through DNS forwarding could have taken care of it as soon as the servers were under FBI control.

      What is more interesting is that they dont make any stabs at

      • by 1u3hr ( 530656 )

        Surely there are options on the table. However, the fact that Vixie concluded that "these will be very difficult to re-program" when a group of Estonian hackers managed to do it through a completely illegitimate virus, completely remotely, is troubling. Something about the process must have been irreversible otherwise a simple "undo" page distributed through DNS forwarding could have taken care of it as soon as the servers were under FBI control.

        I suspect the "difficulty" is more legal than technical. The Estonians don't care if they brick an occasional device, and they don't try to get the users' legal consent. And people and governments in other countries might not be happy to trust the FBI to reprogram their router/modem.

    • by bws111 ( 1216812 )

      Because then you are teaching people that under some circumstances it is OK to follow instructions from an unexpected/unsolicited source. Imaging the flood of scareware that would arrive after that: THIS IS THE FBI! CHANGE YOUR DNS SETTINGS IMMEDIATELY!

  • by crow ( 16139 ) on Thursday May 17, 2012 @03:07PM (#40032629) Homepage Journal

    Assuming that these were modems provided by their ISP, then the ISP has responsibility here. They can easily watch for packets going to the fake DNS servers, and then warn the customers by email, letter, and even phone. They should have done this back when the issue first arose, with steps to correct the problem included in a letter with the monthly bill.

    • by dmacleod808 ( 729707 ) on Thursday May 17, 2012 @03:12PM (#40032703)
      I dunno, whenever I recieve a letter from my ISP, I immediately destroy my hard drives and torch my house.
    • by Zocalo ( 252965 ) on Thursday May 17, 2012 @03:20PM (#40032791) Homepage
      That horse has long since bolted. The ISPs were notified, and it's also possible for them to check their IP space for infected hosts at the DNS Changer Working Group's website [dcwg.org]. The sad fact is that the ISPs in question have done the math and come to the conclusion that they can either:
      1. Notify their infected customers, at a cost of $x per customer, probably only to have most of their users either ignore the warning or contact the ISP's support line, potentially at additional cost to the ISP (unless they have a premium rate support service).
      2. Ignore the problem until the FBI's DNS servers are switched off, at which point, hopefully, many of the users will figure out the solution at no cost to the ISP reducing the burden on the ISP's support desk and costs. Hey, everyone has to keeps costs down, right?

      Bonus douchebag points for any ISPs that have a large number of infected customers and have, purely coincidentally of course, moved support calls to a premium rate number in the last few months.

    • by toygeek ( 473120 )

      Disclaimer: I work for a 3rd party contractor to Comcast. I don't work directly for them and I don't condone everything they do so lets leave that out of the discussion.

      Comcast does exactly this. When they see traffic going to the known hijacked IP's, the customer gets emails, popups, and generally annoyed to hell until they do something about it. Its not always hijacked DNS. Sometimes its one infected device that is not owned by the customer, and its a neighbor who is stealing their wifi. Solution:Secure t

  • Presumably they know what IP was being checked for DNS. All an ISP has to do is spoof that IP internally with a manual route to their own DNS server. That should save a few truck rolls.
  • I'm sure some companies will want to buy those servers so they can put ads on those error pages that pop when you enter a nonexistent domain.
  • Scripted changes (Score:4, Insightful)

    by dissy ( 172727 ) on Thursday May 17, 2012 @03:25PM (#40032891)

    I'm not sure I understand the problem...

    Did this malware hit the DSL modem web-config page from the Internet to change it's DNS settings?
    Or is this Windows malware that, once infecting a PC on the LAN, used that PC to hit the web-config page?

    One would assume the web-server in the DSL modem doesn't answer on the public interface or IP, but clearly they fucked up the security to start with so that's not an assumption I want to make.

    If this malware hit it from the Internet, then it would be trivial for the ISP to do the same exact thing to put the settings back.
    The ISP even has legit and legal access to their customer premise equipment, so it wouldn't be illegal or labeled as "hacking" in that case.

    Even if the modem web-config only answers to the LAN IP, and it was an infected Windows box that automatically reconfigured the router... wouldn't there be a password of some sort?

    And why doesn't the ISPs maintain a "maintenance" subnet where they CAN access the DSL modem?

    All the ISP needs to do is add a route to their core routers for the old DNS server IPs that will be going down soon, and redirect those packets to their internal DNS servers.

    Failing That, the ISP can log any customers that access the hijacked DNS IPs, build up a list, and mail out a letter to them postal style. If they don't read their ISPs snail-mail, then they deserve whatever outage they get.
    Believe me, once service goes down, they WILL be calling the ISP. I can understand wanting to lessen the massive amounts of calls they are expecting on the 9th, but in order to lessen that flood they will need to do Something. Anything. Anything except the nothing they seem to be doing.

    Just setup a web site with all the info they need, which can be accessed with an IP alone. Give that to them on the phone. Include both the address and IP in the snail mail letter.
    Hell, at that point the ISP can include a link that when clicked will connect to the internal IP of the router and submit new DNS settings in the GET request. A small amount of javascript will handle if a POST is needed.
    There is clearly no password on the web interface to deal with, or they wouldn't have this problem from the malware in the first place, so this should be trivial to fix semi-automated, and likely totally automated with a bit more work.

    This sounds more like laziness and ineptness rather than any technical reason for fixing the problem.

    • by uncqual ( 836337 )

      If this malware hit it from the Internet, then it would be trivial for the ISP to do the same exact thing to put the settings back.

      I don't know much about DNSChanger, but in general I don't think this is necessarily true. If one was going to infect DSL modems with something like DNSChanger, it would be sensible to also attempt to have DNSChanger cut off the ability to make further changes (at least by anyone but the authors/distributors of DNSChanger - perhaps requiring a password known only to these partie

    • Re:Scripted changes (Score:4, Informative)

      by DeadboltX ( 751907 ) on Thursday May 17, 2012 @03:56PM (#40033425)
      From FBI PDF http://www.fbi.gov/news/stories/2011/november/malware_110911/DNS-changer-malware.pdf [fbi.gov]

      What Does DNSChanger Do to My Computer?
      DNSChanger malware causes a computer to use rogue DNS servers in one of two ways. First, it changes the computer’s DNS server settings to replace the ISP’s good DNS servers with rogue DNS servers operated by the criminal. Second, it attempts to access devices on the victim’s small office/home office (SOHO) network that run a dynamic host configuration protocol (DHCP) server (eg. a router or home gateway). The malware attempts to access these devices using common default usernames and passwords and, if successful, changes the DNS servers these devices use from the ISP’s good DNS servers to rogue DNS servers operated by the criminals. This is a change that may impact all computers on the SOHO network, even if those computers are not infected with the malware.
    • by toygeek ( 473120 )

      I'm not sure I understand the problem...

      Did this malware hit the DSL modem web-config page from the Internet to change it's DNS settings?

      No. Most routers do not allow the admin page to be accessed via the wan side, only the lan side.

      Or is this Windows malware that, once infecting a PC on the LAN, used that PC to hit the web-config page?

      Or Mac malware. But in general, yes. Most residential routers have pretty weak default passwords are a cinch to get into.

      One would assume the web-server in the DSL modem doesn't answer on the public interface or IP, but clearly they fucked up the security to start with so that's not an assumption I want to make.

      If this malware hit it from the Internet, then it would be trivial for the ISP to do the same exact thing to put the settings back.

      You're right, that was a dumb assumption. Even over the back-end control channels of whatever sort that ARE used, nothing having to do with the overall configuration can be changed. Most ISP's use such communication to check modem status etc, but not to change DNS info or passwords. That would

    • The ISP even has legit and legal access to their customer premise equipment, so it wouldn't be illegal or labeled as "hacking" in that case.

      Is this how things work in the US? Somehow I don't think this would fly where I live, it would most likely be illegal. (If you're renting a flat in the US, does that mean that the landlord can stroll through your apartment at whim? Also illegal here.). Why the hell would they need it anyway? We have a DSL line, the modem came preconfigured and no one ever had to touch the WAN settings for years. Why the hell would the ISP need to do that? If they need me to change something, they can ask me There's no need

  • TR-069 (Score:5, Interesting)

    by stewwy ( 687854 ) on Thursday May 17, 2012 @03:50PM (#40033313)
    Some modems implement this , TR-069 (remote config) protocol. At least some of the clueless should have this active, I'm surprised it's not used more widely by ISP's Of course anyone with half a brain will have it disabled,( do you want your ISP to control your router? ) and if you have it disabled at least you know your modem/router HAS a config page but still, it's for exactly this reason it's there.
  • by Skleed ( 660612 ) <ceaustin@gmail.com> on Thursday May 17, 2012 @03:56PM (#40033411)
    In 2009, there were 32 million DSL modems in the United States. http://www.internetworldstats.com/am/us.htm [internetworldstats.com]

    Even if there has been no growth in DSL usage, 100,000 modems represents 0.3% of all DSL users.

    BUT, this 100,000 number is world wide modems that have been compromised. That makes the actual percentage of modems affected so small that it hardly seems worth the time to calculate it.

    Turn the "bad" DNS off, and most tech support lines will not even notice the increase in support calls.
  • duh (Score:4, Interesting)

    by IGnatius T Foobar ( 4328 ) on Thursday May 17, 2012 @04:03PM (#40033563) Homepage Journal
    So the malware guys found a bunch of unpatched DSL modems with a vulnerability that allowed the resolver to be reconfigured remotely, and pointed it towards the "bad" DNS servers.

    So why not just go to the "bad" DNS servers, which they now control, find out the IP addresses of the compromised modems, and use the same vulnerability to reconfigure the resolver to point back to "good" DNS servers?
    • by toygeek ( 473120 )

      Most routers and modems do not have remote control available over the WAN. Any consumer grade router will have the WAN access turned off by default, you have to be on the local LAN to get to the admin interface. But once you infect a Mac or PC with DNS Changer malware, its trivial to run a script to change the DNS on the router. That's why its smart to change the password on your router. But most people don't even secure their wifi unless that's the default config.

  • Surely the modem is a layer1/layer2 device, and not anything higher? Why does the modem itself need DNS settings?

    • I was wondering the same thing. Then I remembered a few years back when my provider, replacing a modem that had taken a power surge, tried to pawn off one of those "NAT router/modems" on me.

      If they're being used as such, for internal DHCP, that might be a problem, I guess...

      • As far as I know pure DSL modems don't even exist anymore. Every one of them is a NAT router/modem, they only differ at the default config and how hard it is to activate the NAT functionality.

      • by aiht ( 1017790 )

        I was wondering the same thing. Then I remembered a few years back when my provider, replacing a modem that had taken a power surge, tried to pawn off one of those "NAT router/modems" on me.

        If they're being used as such, for internal DHCP, that might be a problem, I guess...

        What's with all the "combined router/modem" bashing in this thread? Is it really that big a problem for you, to not be /forced/ to use a separate router and/or switch? Most router/modems I have seen can also be set to a direct or bridge mode to disable the router and go back to being a dumb modem.
        Even more so, what's with all the people who seem to be surprised at the concept? I can't remember the last time I even saw a consumer-level DSL modem that was not also a router - maybe ten years? This is not new

        • Call it residual bad taste. Between the fact that I didn't know that the default config had changed, and that I was dealing with Tier 1 tech support, I was fighting with it for the better part of 5 hours since I was plugging it in to my existing router.

          And you usually can't get the good firmwares for the combo units.

  • That eye-glasses shadow in his picture sure makes him look evil. But my wife says that she's seen him look like that without his glasses. I remember at LISA '96 I asked him a question (ok, it was kinda stupid) and he responded, "RTMF. Next!" But then again at a later LISA he, even though he was sick as a dog, took the time in the hallway to give my wife a detailed answer to a question about round-robin with CNAME records

    I totally respect the man.

  • Cool - ARIN and other RIRs should just reposses those IPs, and if these DNS modems want to regain their DNS, they should be made to do it via IPv6, not IPv4.

Genius is ten percent inspiration and fifty percent capital gains.

Working...