Vixie warns: DNS Changer ‘blackouts’ inevitable
Father of BIND fears ISP crisis in July
Ridding the world of the DNS Changer is proving a long, slow process that won’t be accomplished by July 9, when the court orders granted to the FBI expire and infected users suffer their inevitable blackout.
That’s the bleak warning given by BIND father and ISC founder and chair Paul Vixie to the AusCERT security conference on the Gold Coast today, 17 May.
“Remediation, which has not worked, has taken many forms, which did not work,” Vixie drily noted.
The notorious “operation ghost click” is well-known and understood, having been analysed in the six months since arrest of the Estonians (Vladimir Tsatsin, Timur Gerassimenko, Dmitri Jegorov, Valeri Aleksejev, Konstantin Poltev and Anton Ivanov) who hosted their ad-redirecting DNS on Rove Digital’s infrastructure.
Vixie said ISC’s ongoing research demonstrates that when the court order expires, there will still be in the vicinity of 300,000 DNS Changer-infected computers, in spite of the best efforts at remediation. Many users, Vixie said, are so untrusting and hostile that they resent being told they have a problem.
On the coming “dark day”, Vixie says, there’s a strong likelihood that ISPs will be swamped with help calls demanding to know what’s wrong. Had it been possible to do so, Vixie said, he would at least have contrived some way to “spread out the pain”, because “the way we’re doing it now, there will be no end to it.”
Although the DNS Changer incident emphasizes the importance of DNSSec, implementation is a slow process that depends on industry-wide cooperation.
He also took the opportunity to criticize the increasing willingness of governments to try and use misdirected DNS requests to enforce policies (such as porn-blocking or, in the case of Italy, blocking offshore gambling site).
“If it becomes popular [to use DNS] to block things that users want, they will move their DNS requests elsewhere.” The threat remains, however: SOPA-style legislation is still on the wish-list of entertainment lobbies, and will not leave the political agenda. ®
Re: Australia STILL does not have DNSSEC !
Maybe they just can't tell what it is yet?
Re: Hey Paul, this is an opportunity
"Perhaps the ISPs, who know exactly which customers are infected, should be asked to contact their customers prior to the cutoff date and explain to them how fucked up their computers are, and tell them how to fix it."
That's actually what we've been doing. The original article alludes to this... "Many users, Vixie said, are so untrusting and hostile that they resent being told they have a problem."
We set up the necessary monitoring to see which of our subscribers is contacting the known bad DNS servers and sending the IDs to Tech Support to give them a ring... but that doesn't mean they all take action! To the average Joe, their PC works fine, and they'd have to hire someone to run a virus scan (sad, I know). So they're not going to do it. I'm up in Canada but I'm sure in the USA you'd probably get people claiming its part of their right to free speech or some nonsense.
Re: Redirect them to a message that says they're infected
So, there's what, roughly 50 days until this court order expires?
Day 1, for 1 minute out of every 50, the DNS server returns the IP of a webserver hosting the aforementioned warning in response to any request at all, and works normally the rest of the time.
Day 2, 2 minutes out of every 50
Day 3, 3 minutes out of every 50
During that period, every now and then they'll see your message popping up, ever more frequently as time goes on. Sooner or later, if they're at all capable, they'll get curious enough about what this odd thing is that keeps coming up to try reading it. It should be written, designed and laid-out clearly, with a big 'Why am I seeing this' section. Note that once they start clicking around within the site, they'll stay there and be able to read it all even if the redirect drops out while they're browsing.
And perhaps for the last week or so, to catch the last stragglers who clearly can't cope with a computer at all, you just switch it on full time and adjust the warning to simply say "Your internet is broken. Call an engineer or take your PC to a repair shop and tell them you have a virus and ask them to 'fix your DNS settings'. They'll know what that means."