The Register® — Biting the hand that feeds IT

Feeds

Vixie warns: DNS Changer ‘blackouts’ inevitable

Father of BIND fears ISP crisis in July

By Team Register, 17th May 2012
  • print
  • alert

Customer Success Testimonial: Recovery is Everything

Ridding the world of the DNS Changer is proving a long, slow process that won’t be accomplished by July 9, when the court orders granted to the FBI expire and infected users suffer their inevitable blackout.

That’s the bleak warning given by BIND father and ISC founder and chair Paul Vixie to the AusCERT security conference on the Gold Coast today, 17 May.

“Remediation, which has not worked, has taken many forms, which did not work,” Vixie drily noted.

The notorious “operation ghost click” is well-known and understood, having been analysed in the six months since arrest of the Estonians (Vladimir Tsatsin, Timur Gerassimenko, Dmitri Jegorov, Valeri Aleksejev, Konstantin Poltev and Anton Ivanov) who hosted their ad-redirecting DNS on Rove Digital’s infrastructure.

Vixie said ISC’s ongoing research demonstrates that when the court order expires, there will still be in the vicinity of 300,000 DNS Changer-infected computers, in spite of the best efforts at remediation. Many users, Vixie said, are so untrusting and hostile that they resent being told they have a problem.

On the coming “dark day”, Vixie says, there’s a strong likelihood that ISPs will be swamped with help calls demanding to know what’s wrong. Had it been possible to do so, Vixie said, he would at least have contrived some way to “spread out the pain”, because “the way we’re doing it now, there will be no end to it.”

Although the DNS Changer incident emphasizes the importance of DNSSec, implementation is a slow process that depends on industry-wide cooperation.

He also took the opportunity to criticize the increasing willingness of governments to try and use misdirected DNS requests to enforce policies (such as porn-blocking or, in the case of Italy, blocking offshore gambling site).

“If it becomes popular [to use DNS] to block things that users want, they will move their DNS requests elsewhere.” The threat remains, however: SOPA-style legislation is still on the wish-list of entertainment lobbies, and will not leave the political agenda. ®

Ensure Ease of Recovery with Asigra’s Agentless Software

COMMENTS

House Rules Send Corrections
All Reader Comments (38)
Highly Rated
TeeCee
Reply Icon

Re: Australia STILL does not have DNSSEC !

Maybe they just can't tell what it is yet?

14
0
Salad
Reply Icon

Re: Hey Paul, this is an opportunity

"Perhaps the ISPs, who know exactly which customers are infected, should be asked to contact their customers prior to the cutoff date and explain to them how fucked up their computers are, and tell them how to fix it."

That's actually what we've been doing. The original article alludes to this... "Many users, Vixie said, are so untrusting and hostile that they resent being told they have a problem."

We set up the necessary monitoring to see which of our subscribers is contacting the known bad DNS servers and sending the IDs to Tech Support to give them a ring... but that doesn't mean they all take action! To the average Joe, their PC works fine, and they'd have to hire someone to run a virus scan (sad, I know). So they're not going to do it. I'm up in Canada but I'm sure in the USA you'd probably get people claiming its part of their right to free speech or some nonsense.

9
0
Anonymous Coward
Anonymous Coward
Reply Icon

Re: Redirect them to a message that says they're infected

So, there's what, roughly 50 days until this court order expires?

Day 1, for 1 minute out of every 50, the DNS server returns the IP of a webserver hosting the aforementioned warning in response to any request at all, and works normally the rest of the time.

Day 2, 2 minutes out of every 50

Day 3, 3 minutes out of every 50

...

During that period, every now and then they'll see your message popping up, ever more frequently as time goes on. Sooner or later, if they're at all capable, they'll get curious enough about what this odd thing is that keeps coming up to try reading it. It should be written, designed and laid-out clearly, with a big 'Why am I seeing this' section. Note that once they start clicking around within the site, they'll stay there and be able to read it all even if the redirect drops out while they're browsing.

And perhaps for the last week or so, to catch the last stragglers who clearly can't cope with a computer at all, you just switch it on full time and adjust the warning to simply say "Your internet is broken. Call an engineer or take your PC to a repair shop and tell them you have a virus and ask them to 'fix your DNS settings'. They'll know what that means."

7
0

More from The Register

breaking news
NSA PRISM snoop-gate: Won't someone think of the children, wails Apple
10,000 things probed, mostly about missing kids, Alzheimer patients, we're told
96
breaking news
NSA PRISM-gate: Relax, GCHQ spooks 'keep us safe', says Cameron
Whatever they are up to, it's all above board, we're told
90
PRISM snitch claims NSA hacked Chinese targets since 2009
Snowden suddenly looks safer in Hong Kong after revelations
33
breaking news
US chief spook: Look, we only want to spy on 6.66 BEELLLION of you
Americans assured they are not in the NSA's sights
68
Speech-to-text drives motorists to distraction
Will talking to you mean I crash into that car up ahead, Siri?
30
DHS warns of vulns in hospital medical equipment
Has your doctor's anasthesia machine been hacked?
17
breaking news
'BadNews is malware' says outfit that found it
Google says code harmless but Lookout says code base is evolving
15
Panda-peddlers cuffed for chess gambling gambit
More porridge on the menu for Chinese coders after second offence
13
breaking news
Yes, maybe we should keep hackers in the clink for YEARS, mulls EU
Watch out black hats, they just might throw away the key
39
Microsoft borks botnet takedown in Citadel snafu
Stupid Redmond kicked over our honeypots, wail white hats
19