Paul Vixie: 100,000 DSL Modems May Lose Their DNS On July 9
Dante_J writes "Up to 100,000 DSL modems may lose access to DNS come July the 9th, due to scripted web interface changes made to them by DNSChanger. This and other disturbing details were raised by respected Internet elder Paul Vixie during a presentation at the AusCERT 2012 conference."
Re: (Score:2, Insightful)
Sure, then Google can see every web site, service, anything that you use, even when not using their search. Great idea!
Re:8.8.8.8 (Score:5, Informative)
Any DNS provider you use can do the same thing. If you don't like this, feel free to operate your own resolvers.
Re: (Score:3)
How many DNS providers (usually your ISP) have business models that depend on knowing as much about people as they possibly can?
Re:8.8.8.8 (Score:5, Insightful)
These days? I would bet more than 50% by traffic probably A LOT more by traffic...
Do you think Comcast, Time Warner, Cox, AT&T (SBC), Bright House, Verizon etc... aren't? What percentage of DNS services do they provide?
Even if they don't use it directly many of them are selling it to someone who does.
Re: (Score:2, Interesting)
feel free to operate your own resolvers
I do. It's easy. [unbound.net]
Re: (Score:2)
Unbound is indeed fantastic. It's my resolver of choice, and I use it heavily.
Re: (Score:3)
feel free to operate your own resolvers
Your ISP can still sniff your traffic.
Re:8.8.8.8 (Score:4, Informative)
This means that without some directed effort on the part of your ISP (MITM/brute force) all your ISP knows is which site you visit, not the contents of your conversation with the servers.
HTTPS-Everywhere [eff.org] helps.
Re: (Score:2)
They can still discover what pages you are visiting, that was the original complaint. SSL won't protect you against that.
Re:8.8.8.8 (Score:4, Insightful)
Great, so go ahead and set up fully tunneled point to point VPN communications from your home to $somewhere_else. I'm really not kidding; you're completely free to implement this. However, if you're operating at that level of paranoia, make sure you're operating your own DC, with your own fiber, etc. Then of course that upstream provider could still sniff your traffic, so make sure everything is encrypted, ad infinitum. Have fun with all that.
Re: (Score:2)
Yep, that also takes setting the DHCP server to hand out the correct DNS server (the machine on which you just installed BIND).
Re:8.8.8.8 (Score:4, Informative)
No they don't. See their FAQ [google.com].
Re: (Score:2)
If you want DNSSEC and don't want BIND, your only other open-source option is Unbound; MaraDNS doesn't have DNSSEC either, and PowerDNS only has it for the authoritative code.
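The "operate your own resolvers" advice earlier in the thread, and the note just above that Unbound is the other open-source option if you want DNSSEC validation without BIND, are easier to act on with a concrete configuration in front of you. The unbound.conf fragment below is an added example, not from the page, from Unbound's own documentation, or from anyone quoted here; the LAN address 192.168.1.1, the LAN prefix 192.168.1.0/24 and the trust-anchor path are assumptions to adjust for your network.

```conf
server:
    # Listen on loopback and the LAN side only, never on the WAN interface.
    interface: 127.0.0.1
    interface: 192.168.1.1             # assumed LAN address of the resolver
    port: 53

    # Explicit ACL: answer localhost and the LAN, refuse everyone else.
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.0/24 allow   # assumed LAN prefix
    access-control: 0.0.0.0/0 refuse

    # DNSSEC validation. Initialise the anchor once with
    #   unbound-anchor -a /var/lib/unbound/root.key
    # and keep the file writable by the unbound user so RFC 5011
    # key rollover can update it.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    module-config: "validator iterator"
    val-clean-additional: yes
    harden-dnssec-stripped: yes
    harden-glue: yes

    # Do not advertise software name or version to queriers.
    hide-identity: yes
    hide-version: yes

    # No forward-zone block: recurse from the root yourself. Adding
    # "forward-zone" pointing at a public resolver would hand every query
    # to that third party, which is exactly what the thread objects to.
```

Check the file with `unbound-checkconf`, then confirm validation actually happens with `unbound-host -C /etc/unbound/unbound.conf -v <signed-name>`, which appends `(secure)` to a validated answer and `(insecure)` to an unsigned one. Two caveats the thread raises apply here: the DHCP server must hand out this machine as the resolver, and a validating resolver on the gateway does nothing for a client, or a router, whose DNS setting has been pointed somewhere else; that is the DNSChanger case, and the fix for it is the router password and the DHCP settings, not the resolver.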
Re: (Score:2)
You must have missed the fact that I was addressing potential concerns stemming from Google logging DNS queries and using them for (insert something horrible here). In fact, I said "Any DNS provider you use can do the same thing." This is a true statement. Note that I never said there weren't alternate DNS resolver services in operation; of course there are dozens, and they all theoretically suffer from the same potential issues as Google's service.
Specifically, one of the services you listed (OpenDNS) has
Re: (Score:2)
You don't appear to understand how data mining and behavioral modeling on a massive scale actually work. I'm sorry to have to be the one to inform you of this, but (1) you're leaking data like a sieve every day, regardless of what you think you are or aren't signed into, and (2) you are not the unique, delicate flower you might perceive yourself to be. If anything, a month's worth of your DNS queries is more than adequate to build a surprisingly accurate model of "you." Have fun with that thought, and think
Re: (Score:2)
OpenDNS? Ugh, they hijack NXDOMAINs.
Re: (Score:2)
Web browsers aren't the only thing that does DNS requests, you know.
Re:8.8.8.8 (Score:5, Insightful)
I would worry more about your ISP being forced to cache (for 2 years) all the same information for the government or their employers to use than Google using your habits to form better directed ads..
http://www.capitol.hawaii.gov/measure_indiv.aspx?billtype=HB&billnumber=2288 [hawaii.gov]
all it takes is this legislation to gain footing in a few states, then the rest start caving.
Google watching you really should be the least of your online privacy worries..
harumph! (Score:5, Funny)
If you just listened to APK and put everything in your HOSTS file, you wouldn't have to worry about any of this folderol!
Re:harumph! (Score:4, Funny)
DO NOT SUMMON HIM!
Re: (Score:2)
I hate you for that.
I appreciate your post (Score:2)
I do not have mod points, so I can't mod you up again
But anyway, I do appreciate what you are doing here
Re: (Score:2)
I relay the queries that my local server doesn't know to OpenDNS.
I really don't know if they are good, maybe they're there, reading the name of every new page I visit. I never bothered to verify.
My ISP's DNS is pure garbage. Lookup failures don't fail, it fails to find pages that exist (but the lookup doesn't fail, because of the first part), it is slow and the uptime isn't that good, thus, I don't use it. Anyway, nothing can beat a local server in speed and, if you are using your desktop as server, uptime.
How DO I know that the checker web page is legit (Score:2)
If DNS changer redirects gov.au then I could be looking at the look-alike DNS changer checker telling me all is fine? They should have listed this as an IP address.
My computer says it is 165.191.2.65 Is that what yours says?
Re: (Score:2)
Yeah but do the mums and dads know about it? We already know that the /. crowd will find a way to fix the problem.
Re: (Score:2)
He got banned?
Re: (Score:2)
I've read that this can bollix things like Limewire to Akamai by sending you to a far away source rather than a near one that your ISP's DNS would select. I won't pretend to understand that.
Re: (Score:3)
Google DNS uses anycast, which should actually give you a DNS server right close to you.
Re: (Score:2)
nslookup a1.phobos.apple.com 8.8.8.8
Name: a1.da1.akamai.net
Address: 203.106.85.64
tracert 203.106.85.64
7 pos0-3-0.bdr2.nrt1.internode.on.net (203.16.211.6) 180.163 ms 180.985 ms 182.178 ms
8 as4788.ix.jpix.ad.jp (210.171.224.194) 229.548 ms 213.651 ms 214.562 ms
9 * * *
10 203.106.85.64 (203.106.85.64) 230.374 ms 228.848 ms 229.060 ms
nslookup a1.phobos.apple.com
Name: a1.da1.akamai.net
Address: 203.206.129.16
7 te1-4.syd-u
Re: (Score:3)
Are you sure it's Google, and not your local provider? Botched routing tables can do that. What is your other DNS server? Is it a temporary issue? Is it only with a1.phobos.apple.com? Anycast should get a response back from the fastest server to respond.
I'll guess that you're in Australia, since I noticed the .au router you crossed. It doesn't look like Google has a datacenter there yet. I wouldn't be surprised if they have a presence in locations that are not official "Google Datac
Re: (Score:3)
8 google-public-dns-a.google.com (8.8.8.8) 82.579 ms 64.420 ms 65.664 ms
I've tried the 8.8.8.8 resolver a couple of times, and in all cases iTunes will give slow downloads, simply due to not optimal resolution of the CDN host. Switch it to another DNS resolver, and everything is fine again. Querying the DNS of our ISP (Internode):
#nslookup a1.phobos.apple.com 192.231.203.132
Server:
Re: (Score:2)
Well, in your case it is best to stay with the ISP DNS. Then again, it avoids the problem of the story entirely. If you weren't using the provider DNS, and it redirected you to the other DNS servers, you'd be hit with some pretty serious fees.
I don't know for sure, but I suspect that iTunes probably uses Akamai also. Well, unless that is what a1.phobos.apple.com is. :) If they're a large provider, Akamai would have cut a deal with them. Their whole business model is to put
Re: (Score:2)
What the OP is saying is 8.8.8.8 will generally be close to you. So if you use 8.8.8.8 you will get DNS responses fast (if they are cached already).
So for your post to be relevant you should be doing a tracert (or traceroute if on Linux) to 8.8.8.8 not 203.106.85.64.
Re: (Score:2)
Maybe Google doesn't like Apple for some reason
A question or 8... (Score:2)
TFA says "The affected customer modems make up about a third of the 350,000 to 400,000 internet users believed to still have the DNSChanger malware on either their modems or Windows computers."
I don't get it. Is this malware Windows specific? How does it infect modems? Is a Linux user affected by this? What if you have Linux cabled to your router and a Windows machine using wifi? How can one determine if they have an infected modem?
Why not warn them? (Score:5, Insightful)
Why don't they just start redirecting web users to a warning page explaining the situation to them at some point before the cut off date?
Re:Why not warn them? (Score:4, Informative)
Because they would probably do what they do any other time something complicated appears on the screen: click OK and get back to searching for pr0n.
Re:Why not warn them? (Score:5, Insightful)
Because they would probably do what they do any other time something complicated appears on the screen: click OK and get back to searching for pr0n.
They couldn't if their DNS doesn't return anything but the warning page.
You would be amazed how many times some people would click the OK button before giving up and either telling everyone the Internet isn't working, or calling and screaming at their OS platform support until redirected to their ISP, and then calling their browser support instead and screaming at them. It's incredible the lengths to which some people will go to avoid reading what's on their effing screen..
Re: (Score:2)
"Please...sir, if you stop yelling at me long enough I can explain to you why yelling at the computer guy will not get your internet fixed..."
Why bother warning them? (Score:2)
Why warn them at all? If they can't be bothered to keep their equipment in good working condition, which means free of malware, the rest of the internet doesn't need them polluting the waters.
We don't let people drive cars on public roads that risk the safety of the other drivers. Why should we put up with an infected virus-spewing computer?
Re: (Score:2)
I see your argument, but they could do it purely to reduce the burden for all these clueless users' tech support people. Whether you like it or not, they are going to want their "internet" fixed...
Re:Why bother warning them? (Score:5, Informative)
There are some people who will call tech support whether they get a warning or not. Usually the wrong support, and usually to unload a half hour of angry rants that do absolutely nothing to fix the problem. If there's any reading involved beyond about the 2nd-3rd grade level, they'll ignore warning dialogs and just call and complain. This is a constant in the tech support universe.
(And I still have to laugh when people tell me their internet isn't working but they can send and receive email..)
Re: (Score:3)
(A) Not every jurisdiction enforces very much in the way of vehicle safety and emissions inspection laws, so your "We don't" is unsupportably broad. I could certainly agree with a more factually accurate phrase like "We shouldn't", but that's not very good reinforcement for your absolutist position. Sorry.
(B) Speaking of inspections, are you advocating for public safety inspections of online computing assets? It sure sounds like it. And if so, by whom and using what criteria, and very specifically how do yo
Re:Why bother warning them? (Score:5, Funny)
I'm still in favor of the big red button with a clearly worded warning on it that says it will render the computer unusable and/or void the warranty if pressed. The people who read instructions and warnings and in general have some clue what they're doing will leave it alone and get years of service out of the computer; the ones who just poke and click at things totally at random when things don't do what they expect get what they deserve...
Re: (Score:2)
C'mon, you know it's inevitable.
Re: (Score:2)
You're making a lot of stuff up to fill in gaps in what I didn't bother typing.
I'm simply saying that if they can't be arsed to fix their crappy virus laden computers today, why should I care if taking down a malware-stand-in DNS server leaves them hanging without a working name server tomorrow? It's. Not. My. Problem.
What my bad car analogy was referring to is that cops don't perform car inspections today, but they will pull you over and tag you if your bumper is dragging behind you on the freeway, or if
you've won a brand new car [analogy] (Score:4, Funny)
"We don't let people drive cars on public roads that risk the safety of the other drivers."
Is that really true? I'm having difficulty believing that.
I think a better car analogy is:
"We imprison people for drunk driving, because it is a felony, unless they are Senators. Why not imprison people who spew viruses and malware too? (unless it's the NSA or RIAA)"
Re: (Score:2)
Why is it hard to believe? In the US, at least, it's completely true; you can be ticketed for driving an unsafe car. Most states also have a regular safety inspection requirement. Here in Virginia, a car must get a safety inspection yearly and a car that does not have a valid inspection sticker (which displays the expiration date in big bold numbers) is not
Re: (Score:2)
If it was at all hard to warn them I would see your point, but warning them is so trivial that there is no reason not to do it.
Even with the warning though it ain't going to change anything. It will probably just freak them out.
Re: (Score:2)
But if the warning comes with a nice download link to fix the problem, that they can just click and make it all go away...
No, wait. Prior art. [wikipedia.org] The bad guys have already beat us to it.
I guess the only responsible thing we can do is freak them out and then disconnect 'em and put 'em out of our misery.
Re: (Score:2)
You must seriously not have anyone who turns to you for tech support who has the ability to make you miserable if she, err, they want to.
Not to mention, this isn't about infected computers, but infected DSL modems, and how sure are you about yours, again? Or about whatever sits between the no-doubt-godlike-perfection of your PC and the DNS server? I seriously don't want to have to care about policing parts like that.
Re: (Score:2)
"We don't let people drive cars on public roads that risk the safety of the other drivers."
you must not drive much. Here in Michigan our roads are full of complete morons that can't drive without being a risk to others.
HOLY CRAP, WHAT A TYPO! (Score:2, Funny)
peer-to-queer downloads
what an embarrassing Freudian slip.
you're running the buttorrent client I take it?
Re: (Score:2)
As a parallel of the famous punching in the face quote:
Your right to spew things out stops just before that spew reaches a computer that doesn't want it.
Is that a hard concept to understand? Because when it doesn't involve computers, nearly everybody understands it right away. People at /. shouldn't have this kind of problem.
Depends, was it a honest usage of so
Re: (Score:2)
I think that is an awful idea. The last thing you want to do is train people that it is OK, under any circumstances, to do what an unexpected or unsolicited web page says. That is, after all, exactly how scareware winds up getting installed.
The best thing to do is let them fail, and gear up the help desks to be ready with the onslaught of calls.
Re: (Score:2)
Because http isn't the only thing that uses DNS? We got pissed when a certain DNS authority redirected bad lookups to their own search engine for the same reason. The ISPs could take note of which customers are hitting the temporary servers and let them know. Some ISPs are quietly redirecting the lookups to their own server.
Re: (Score:2)
Sure, it's bad if the ISP does it on their own DNS servers, but these are some criminal's servers that have been seized. Are those things really equivalent?
Of course HTTP isn't the only DNS user, but you can't pretend that this won't inform the overwhelming majority of users. They obviously use HTTP a lot.
Every single ISP doing traffic inspection or redirection seems like a lot more work than just doing this at the source.
I'm not advocating false DNS results from ISP's servers or treating other protocols
Captain Obvious (Score:2, Interesting)
The FBI has control of the DNS servers. Why can't they just resolve every address to point to a webserver instructing people how to fix their DNS settings?
Re: (Score:3)
Surely there are options on the table. However, the fact that Vixie concluded that "these will be very difficult to re-program" when a group of Estonian hackers managed to do it through a completely illegitimate virus, completely remotely, is troubling. Something about the process must have been irreversible otherwise a simple "undo" page distributed through DNS forwarding could have taken care of it as soon as the servers were under FBI control.
What is more interesting is that they don't make any stabs at
Re: (Score:3)
Surely there are options on the table. However, the fact that Vixie concluded that "these will be very difficult to re-program" when a group of Estonian hackers managed to do it through a completely illegitimate virus, completely remotely, is troubling. Something about the process must have been irreversible otherwise a simple "undo" page distributed through DNS forwarding could have taken care of it as soon as the servers were under FBI control.
I suspect the "difficulty" is more legal than technical. The Estonians don't care if they brick an occasional device, and they don't try to get the users' legal consent. And people and governments in other countries might not be happy to trust the FBI to reprogram their router/modem.
Re: (Score:2)
I think he was advocating letting the ISP's know, not the customers directly.
Re: (Score:2)
Because then you are teaching people that under some circumstances it is OK to follow instructions from an unexpected/unsolicited source. Imagine the flood of scareware that would arrive after that: THIS IS THE FBI! CHANGE YOUR DNS SETTINGS IMMEDIATELY!
ISP should warn them (Score:3)
Assuming that these were modems provided by their ISP, then the ISP has responsibility here. They can easily watch for packets going to the fake DNS servers, and then warn the customers by email, letter, and even phone. They should have done this back when the issue first arose, with steps to correct the problem included in a letter with the monthly bill.
Re:ISP should warn them (Score:4, Interesting)
Bonus douchebag points for any ISPs that have a large number of infected customers and have, purely coincidentally of course, moved support calls to a premium rate number in the last few months.
Re: (Score:3)
Disclaimer: I work for a 3rd party contractor to Comcast. I don't work directly for them and I don't condone everything they do, so let's leave that out of the discussion.
Comcast does exactly this. When they see traffic going to the known hijacked IPs, the customer gets emails, popups, and generally annoyed to hell until they do something about it. It's not always hijacked DNS. Sometimes it's one infected device that is not owned by the customer, and it's a neighbor who is stealing their wifi. Solution: Secure t
The easy fix (Score:2)
Let companies bid for them and put ads on error... (Score:2)
Scripted changes (Score:4, Insightful)
I'm not sure I understand the problem...
Did this malware hit the DSL modem web-config page from the Internet to change its DNS settings?
Or is this Windows malware that, once infecting a PC on the LAN, used that PC to hit the web-config page?
One would assume the web-server in the DSL modem doesn't answer on the public interface or IP, but clearly they fucked up the security to start with so that's not an assumption I want to make.
If this malware hit it from the Internet, then it would be trivial for the ISP to do the same exact thing to put the settings back.
The ISP even has legit and legal access to their customer premise equipment, so it wouldn't be illegal or labeled as "hacking" in that case.
Even if the modem web-config only answers to the LAN IP, and it was an infected Windows box that automatically reconfigured the router... wouldn't there be a password of some sort?
And why don't the ISPs maintain a "maintenance" subnet where they CAN access the DSL modem?
All the ISP needs to do is add a route to their core routers for the old DNS server IPs that will be going down soon, and redirect those packets to their internal DNS servers.
Failing That, the ISP can log any customers that access the hijacked DNS IPs, build up a list, and mail out a letter to them postal style. If they don't read their ISPs snail-mail, then they deserve whatever outage they get.
Believe me, once service goes down, they WILL be calling the ISP. I can understand wanting to lessen the massive amounts of calls they are expecting on the 9th, but in order to lessen that flood they will need to do Something. Anything. Anything except the nothing they seem to be doing.
Just setup a web site with all the info they need, which can be accessed with an IP alone. Give that to them on the phone. Include both the address and IP in the snail mail letter.
Hell, at that point the ISP can include a link that when clicked will connect to the internal IP of the router and submit new DNS settings in the GET request. A small amount of javascript will handle if a POST is needed.
There is clearly no password on the web interface to deal with, or they wouldn't have this problem from the malware in the first place, so this should be trivial to fix semi-automated, and likely totally automated with a bit more work.
This sounds more like laziness and ineptness rather than any technical reason for fixing the problem.
Re: (Score:2)
I don't know much about DNSChanger, but in general I don't think this is necessarily true. If one was going to infect DSL modems with something like DNSChanger, it would be sensible to also attempt to have DNSChanger cut off the ability to make further changes (at least by anyone but the authors/distributors of DNSChanger - perhaps requiring a password known only to these partie
Re:Scripted changes (Score:4, Informative)
What Does DNSChanger Do to My Computer?
DNSChanger malware causes a computer to use rogue DNS servers in one of two ways. First, it changes the computer’s DNS server settings to replace the ISP’s good DNS servers with rogue DNS servers operated by the criminal. Second, it attempts to access devices on the victim’s small office/home office (SOHO) network that run a dynamic host configuration protocol (DHCP) server (eg. a router or home gateway). The malware attempts to access these devices using common default usernames and passwords and, if successful, changes the DNS servers these devices use from the ISP’s good DNS servers to rogue DNS servers operated by the criminals. This is a change that may impact all computers on the SOHO network, even if those computers are not infected with the malware.
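The FBI description just above (rogue resolver addresses written either into the PC's own settings or into the gateway's DHCP configuration, so that uninfected LAN hosts are hit too) and the earlier suggestion that an ISP log which customers are talking to the hijacked DNS IPs both reduce to one question: does a given address fall inside a known rogue range? The script below is an added example, not code from the page, from the FBI, from AusCERT or from Paul Vixie. Every address in it is a constructed stand-in drawn from RFC 5737 documentation and RFC 1918 prefixes; the real rogue ranges are the ones the FBI published and are not reproduced here, so substitute that list before using this on a real network.

```python
"""Rogue-resolver checks for the DNSChanger scenario described above.

Added example; not code from the page, the FBI, AusCERT or Paul Vixie.
Every address below is a constructed stand-in (RFC 5737 / RFC 1918),
not the real rogue ranges the FBI published.
"""
import ipaddress
import re

# Constructed stand-ins for the rogue resolver ranges (replace with the real list).
ROGUE_RANGES = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]


def is_rogue(ip):
    """True if ip (a string or address object) lies inside a rogue range.

    Unparsable input counts as 'not rogue' rather than raising, so a
    malformed log field cannot abort a scan over millions of records.
    """
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ROGUE_RANGES)


def rogue_resolvers_in_resolv_conf(text):
    """Client-side check: nameserver entries that point at a rogue range.

    Works for an uninfected LAN host as well: if the gateway's DHCP was
    changed (the FBI's second case), the rogue address shows up here even
    though this host carries no malware.
    """
    hits = []
    for line in text.splitlines():
        m = re.match(r"\s*nameserver\s+(\S+)", line)
        if m and is_rogue(m.group(1)):
            hits.append(m.group(1))
    return hits


def affected_customers(flow_lines):
    """ISP-side check: which customer source IPs send DNS to a rogue range.

    flow_lines are 'src dst dport proto' records (a constructed format; a
    real deployment would read NetFlow/IPFIX or a firewall log). Only port
    53 counts, so a customer whose web traffic merely crosses those ranges
    is not flagged. Returns {customer_ip: {rogue_resolver, ...}}.
    """
    hits = {}
    for line in flow_lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed records instead of crashing
        src, dst, dport, proto = parts
        if dport != "53" or proto.lower() not in ("udp", "tcp"):
            continue
        if is_rogue(dst):
            hits.setdefault(src, set()).add(dst)
    return hits


# --- constructed sample data ----------------------------------------------
SAMPLE_RESOLV_CONF = """\
# constructed sample /etc/resolv.conf from a LAN host behind a changed gateway
nameserver 192.0.2.10
nameserver 203.0.113.53
"""

SAMPLE_FLOWS = [
    "10.0.0.5 192.0.2.10 53 udp",     # customer 10.0.0.5 queries a rogue resolver
    "10.0.0.5 203.0.113.53 53 udp",   # ...and also the ISP's own resolver
    "10.0.0.9 198.51.100.7 53 tcp",   # customer 10.0.0.9 queries a rogue resolver over TCP
    "10.0.0.9 198.51.100.7 443 tcp",  # HTTPS into the same range: not a DNS hit
    "10.0.0.12 203.0.113.53 53 udp",  # clean customer
    "garbage line",                   # malformed record, ignored
]

if __name__ == "__main__":
    print("client check:", rogue_resolvers_in_resolv_conf(SAMPLE_RESOLV_CONF))
    for cust, dsts in sorted(affected_customers(SAMPLE_FLOWS).items()):
        print("notify customer %s: DNS to rogue %s" % (cust, sorted(dsts)))
```

Two points worth noting about the design. The ISP-side function keys on the customer's source address, which for a changed gateway is the modem's WAN address, so the list it produces is exactly the set of accounts to letter or phone as the thread suggests. And matching on destination port 53 rather than on any traffic to the rogue ranges matters because those ranges may carry other services; flagging every packet would produce the false positives that make customers ignore the warning.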
Re: (Score:2)
I'm not sure I understand the problem...
Did this malware hit the DSL modem web-config page from the Internet to change its DNS settings?
No. Most routers do not allow the admin page to be accessed via the wan side, only the lan side.
Or is this Windows malware that, once infecting a PC on the LAN, used that PC to hit the web-config page?
Or Mac malware. But in general, yes. Most residential routers have pretty weak default passwords and are a cinch to get into.
One would assume the web-server in the DSL modem doesn't answer on the public interface or IP, but clearly they fucked up the security to start with so that's not an assumption I want to make.
If this malware hit it from the Internet, then it would be trivial for the ISP to do the same exact thing to put the settings back.
You're right, that was a dumb assumption. Even over the back-end control channels of whatever sort that ARE used, nothing having to do with the overall configuration can be changed. Most ISP's use such communication to check modem status etc, but not to change DNS info or passwords. That would
Re: (Score:2)
The ISP even has legit and legal access to their customer premise equipment, so it wouldn't be illegal or labeled as "hacking" in that case.
Is this how things work in the US? Somehow I don't think this would fly where I live, it would most likely be illegal. (If you're renting a flat in the US, does that mean that the landlord can stroll through your apartment at whim? Also illegal here.) Why the hell would they need it anyway? We have a DSL line, the modem came preconfigured and no one ever had to touch the WAN settings for years. Why the hell would the ISP need to do that? If they need me to change something, they can ask me. There's no need
TR-069 (Score:5, Interesting)
This is a trivial number (Score:5, Insightful)
Even if there has been no growth in DSL usage, 100,000 modems represents 0.3% of all DSL users.
BUT, this 100,000 number is world wide modems that have been compromised. That makes the actual percentage of modems affected so small that it hardly seems worth the time to calculate it.
Turn the "bad" DNS off, and most tech support lines will not even notice the increase in support calls.
duh (Score:4, Interesting)
So why not just go to the "bad" DNS servers, which they now control, find out the IP addresses of the compromised modems, and use the same vulnerability to reconfigure the resolver to point back to "good" DNS servers?
Re: (Score:2)
Most routers and modems do not have remote control available over the WAN. Any consumer grade router will have the WAN access turned off by default, you have to be on the local LAN to get to the admin interface. But once you infect a Mac or PC with DNS Changer malware, it's trivial to run a script to change the DNS on the router. That's why it's smart to change the password on your router. But most people don't even secure their wifi unless that's the default config.
Why would a MODEM need DNS? (Score:2)
Surely the modem is a layer1/layer2 device, and not anything higher? Why does the modem itself need DNS settings?
Re: (Score:2)
I was wondering the same thing. Then I remembered a few years back when my provider, replacing a modem that had taken a power surge, tried to pawn off one of those "NAT router/modems" on me.
If they're being used as such, for internal DHCP, that might be a problem, I guess...
Re: (Score:2)
As far as I know pure DSL modems don't even exist anymore. Every one of them is a NAT router/modem, they only differ at the default config and how hard it is to activate the NAT functionality.
Re: (Score:3)
I was wondering the same thing. Then I remembered a few years back when my provider, replacing a modem that had taken a power surge, tried to pawn off one of those "NAT router/modems" on me.
If they're being used as such, for internal DHCP, that might be a problem, I guess...
What's with all the "combined router/modem" bashing in this thread? Is it really that big a problem for you, to not be /forced/ to use a separate router and/or switch? Most router/modems I have seen can also be set to a direct or bridge mode to disable the router and go back to being a dumb modem.
Even more so, what's with all the people who seem to be surprised at the concept? I can't remember the last time I even saw a consumer-level DSL modem that was not also a router - maybe ten years? This is not new
Re: (Score:2)
Call it residual bad taste. Between the fact that I didn't know that the default config had changed, and that I was dealing with Tier 1 tech support, I was fighting with it for the better part of 5 hours since I was plugging it in to my existing router.
And you usually can't get the good firmwares for the combo units.
Paul's picture (Score:2)
That eye-glasses shadow in his picture sure makes him look evil. But my wife says that she's seen him look like that without his glasses. I remember at LISA '96 I asked him a question (ok, it was kinda stupid) and he responded, "RTMF. Next!" But then again at a later LISA he, even though he was sick as a dog, took the time in the hallway to give my wife a detailed answer to a question about round-robin with CNAME records
I totally respect the man.
Get back their IPv4 addresses (Score:2)
Re: (Score:2)
I have had nothing but good service from TWC here in Austin, I understand that in some other markets though that they do indeed suck.
My experience with DSL though has been nothing but shitty. YMMV.
Re: (Score:2)
Sounds like someone needs to buck up the escalation chain until someone who knows anything gets on the phone.
That's a definite problem. Network admins hate those kinds of shenanigans, provided they know about them. That last part is the hard part - how to get it to their attention.
Re: (Score:3)
He still missed correcting "Internet elder" to "elder of the Internet".
Re: (Score:2)
And my first thought was Got Proof?