
Misconfigured Open DNS Resolvers Key To Massive DDoS Attacks

Unknown Lamer posted about a year and a half ago | from the check-your-sources dept.

Networking 179

msm1267 writes with an excerpt from Threat Post: "While the big traffic numbers and the spat between Spamhaus and illicit webhost Cyberbunker are grabbing big headlines, the underlying and percolating issue at play here has to do with the open DNS resolvers being used to DDoS the spam-fighters from Switzerland. Open resolvers do not authenticate a packet-sender's IP address before a DNS reply is sent back. Therefore, an attacker that is able to spoof a victim's IP address can have a DNS request bombard the victim with a 100-to-1 ratio of traffic coming back to them versus what was requested. DNS amplification attacks such as these have been used lately by hacktivists, extortionists and blacklisted webhosts to great success." Running an open DNS resolver isn't itself always a problem, but it looks like people are enabling neither source address verification nor rate limiting.

179 comments

First post (5, Funny)

Anonymous Coward | about a year and a half ago | (#43306485)

In before the fight between those two guys and their walls of text...

Re:First post (4, Funny)

noh8rz10 (2716597) | about a year and a half ago | (#43306801)

maybe if the routers had been configured with HOSTS FILES then all of this could have been avoided...

Re:First post (2)

AdmiralXyz (1378985) | about a year and a half ago | (#43307593)

You are IGNORANT and EVIL for ignore Earth 4 day simultaneous Time Cube rotation and preaching Academic Religious Singularity... wait.

Bloody hell, I'm on the wrong thread.

Re:First post (1, Offtopic)

Tynin (634655) | about a year and a half ago | (#43306851)

In before the fight between those two guys and their walls of text...

I've begun to think it is actually just one guy just trolling (poorly) for all they are worth. Either that or it has turned into a meme that encourages the likes of 4chan /b/tards to, in their own way, declare I am Spartacus(APK), just for the lolz...

Re:First post (2)

gl4ss (559668) | about a year and a half ago | (#43306967)

it's a meme.
the sign of a meme is that discussion about it fills first few posts even if the actual subject of the meme is nowhere to be seen.
and spamhauscraft confirms: gnaa is dead.

but why is such source address spoofing still such a problem? ironically this ties in to dozens of post-packages signed apk.

and the hosts file approach isn't that bad a way to filter a bunch of ads. it works...

Re:First post (1)

Githaron (2462596) | about a year and a half ago | (#43307669)

... Either that or it has turned into a meme that encourages the likes of 4chan /b/tards to, in their own way, declare I am Spartacus(APK), just for the lolz...

More like Spamtacus.

It really isn't me... apk (-1, Offtopic)

Anonymous Coward | about a year and a half ago | (#43307493)

You're stupid enough to think it's me? A corrupt slashdot luser has infiltrated the moderation system to downmod all my posts while impersonating me.

Nearly 170++ times that I know of @ this point for all of March 2013 so far, & others here have told you to stop - take the hint, lunatic (leave slashdot)...

Sorry folks - but whoever the nutjob is that's attempting to impersonate me, & upset the rest of you as well, has SERIOUS mental issues, no questions asked! I must've gotten the better of him + seriously "gotten his goat" in doing so in a technical debate & his "geek angst" @ losing to me has him doing the:

---

A.) $10,000 challenges, ala (where the imposter actually TRACKED + LISTED the # of times he's done this no less, & where I get the 170 or so times I noted above) -> http://it.slashdot.org/comments.pl?sid=3585795&cid=43285307 [slashdot.org]

&/or

B.) Reposting OLD + possibly altered models - (this I haven't checked on as to altering the veracity of the info. being changed) of posts of mine from the past here

---

(Albeit massively repeatedly thru all threads on /. this March 2013 nearly in its entirety thus far).

* Personally, I'm surprised the moderation staff here hasn't just "blocked out" his network range yet honestly!

(They know it's NOT the same as my own as well, especially after THIS post of mine, which they CAN see the IP range I am coming out of to compare with the ac spamming troll doing the above...).

APK

P.S.=> Again/Stressing it: NO guys - it is NOT me doing it, as I wouldn't waste that much time on such trivial b.s. like a kid might...

Plus, I only post where hosts file usage is on topic or appropriate for a solution & certainly NOT IN EVERY POST ON SLASHDOT (like the nutcase trying to "impersonate me" is doing for nearly all of March now, & 170++ times that I know of @ least)... apk

Re:It really isn't me... apk (0)

Anonymous Coward | about a year and a half ago | (#43307679)

And how many of these 200+ comments [slashdot.org] were appropriate to a story unrelated to hosts files?

Re:It really isn't me... apk (1)

Anonymous Coward | about a year and a half ago | (#43307713)

That was an internal dispute between the Allied Southern APK Schism and the Second Western APK Heresy. It was a private matter but unfortunately tempers reached a boiling point and things spilled over into public view. The New Central APK Orthodoxy stepped in a few days later & now everybody's back on civil terms. Don't post shit when you don't know a damn thing about APK culture and governmental structure.

Re:It really isn't me... apk (0)

Anonymous Coward | about a year and a half ago | (#43307851)

I've been monitoring these threads so much that I've started recognizing repeat visitors. I dub you "LHC Guy".

Re:It really isn't me... apk (0)

Anonymous Coward | about a year and a half ago | (#43308335)

I posted that link twice a couple days ago, seeing if some of these posts were from the real APK or not, as he's usually so easy to troll with such things. Looks like some other boring imposter instead. But it is nice others have noticed and carried the flag on. Although I think it is a waste of time until the real APK shows up again. We are Legion... we are "LHC Guy."

Accidentally, or not? (3, Interesting)

six025 (714064) | about a year and a half ago | (#43306509)

Running an open DNS resolver isn't itself always a problem, but it looks like people are enabling neither source address verification nor rate limiting.

One has to wonder if this is caused by negligence, or if it's more a case of "oopsie, we left this door open, oh well" - which would be a great way to set up nodes around the 'net specifically to allow these types of attacks to occur.

Not saying that is right or wrong - asking a genuine question.

Peace,
Andy.

Re:Accidentally, or not? (1)

h4rr4r (612664) | about a year and a half ago | (#43306551)

It might also be an old DNS server no one is using or remembers they have up.

Re:Accidentally, or not? (5, Insightful)

Anonymous Coward | about a year and a half ago | (#43306661)

Isn't the real problem the originating ISPs for allowing spoofed packets to be sent in the first place? Is it really correct to be blaming the DNS resolver that it's responding to packets it has no way to authenticate? If the original ISP dropped a packet it shouldn't be routing, the whole problem would go away.

Re:Accidentally, or not? (5, Informative)

Anonymous Coward | about a year and a half ago | (#43306781)

Yep. Had BCP38 (Best Current Practice No. 38) [ietf.org] been in effect at those ISPs, this attack would not have occurred.

Re:Accidentally, or not? (1)

Urd.Yggdrasil (1127899) | about a year and a half ago | (#43306749)

That would seem to be a matter of what the default configuration is. Do these DNS servers have these protections enabled by default, and are then disabled? Is it that they left it off by default on older versions? Do they still leave it off by default?

Re:Accidentally, or not? (3, Informative)

LordLimecat (1103839) | about a year and a half ago | (#43307209)

A DNS server has no way of verifying whether the source address is valid. Only the ISP who provides access to the originator of the traffic can do that.

By Design (1, Interesting)

Anonymous Coward | about a year and a half ago | (#43306753)

DNS resolvers were originally intended to be open. There was no reason for them not to be. But furthermore, the recursive functionality of DNS made open resolvers a near requirement. This has changed a little and slowly over the years, but it's still largely the case.

Now compound the above with the fact that neither of the two most widely used DNS servers on the planet, BIND and Microsoft DNS (that's right, Bernstein fans, so STFU), check requesting source address validity. It's not in the spec, so why should they?

This attack suggests that the spec needs refinement, but don't go blaming people for doing what has been accepted best practice for the past 20 years or more.

Re:By Design (1)

quintus_horatius (1119995) | about a year and a half ago | (#43306989)

It's not the job of the DNS server or protocol to check the source IP; that job belongs to the firewall.

Re:By Design (2, Insightful)

LordLimecat (1103839) | about a year and a half ago | (#43307221)

Can someone explain how a DNS server can check source address validity? Is it going to fire off more packets to that source address (worsening the DDoS) or what?

Re:By Design (2, Informative)

Anonymous Coward | about a year and a half ago | (#43307741)

There is no way that DNS over UDP can verify a source address. The solution is that all ISPs drop traffic with invalid source addresses before it leaves their network.

Re:By Design (3, Interesting)

Alex Pennace (27488) | about a year and a half ago | (#43308169)

DNS resolvers were originally intended to be open. There was no reason for them not to be. But furthermore, the recursive functionality of DNS made open resolvers a near requirement. This has changed a little and slowly over the years, but it's still largely the case.

[...] It's not in the spec, so why should they?

The changing environment now calls for doing things that weren't done years ago. We have already crossed this bridge with open email relays; this isn't necessarily the case here (the real problem is the lack of IP spoofing protection), but it would be nice for administrators to realize that they may have an open resolver. Many of them will decide that there is no point in offering free DNS resolution services to the whole world and take steps to restrict access. Some will decide that they want to continue offering it; more power to them.

Far from being a requirement, a DNS resolver works just fine if it isn't wide open.

This attack suggests that the spec needs refinement, but don't go blaming people for doing what has been accepted best practice for the past 20 years or more.

I wouldn't go as far as to accuse them of malfeasance or negligence, particularly since the real problem is lack of BCP38 compliance. So let's not do that. Instead let's educate administrators and permit them to make their own decisions; in this case the decision will likely be to restrict.

So what are the defaults? (1)

Ungrounded Lightning (62228) | about a year and a half ago | (#43307649)

Running an open DNS resolver isn't itself always a problem, but it looks like people are enabling neither source address verification nor rate limiting.

One has to wonder if this is caused by negligence, ...

Also, one has to wonder if it's negligence by the person installing the resolver, or by the person distributing the resolver.

What are the default values for source address verification and rate limiting? If having them both disabled is a problem, at least ONE of them should be on by default, requiring it to be explicitly DISabled by the user, and the config file should have a warning about WHY it's on/even there.

If the default configuration is vulnerable you can't expect a whole user population to ALL figure out ALL the fine details and tweak the configuration into safety the FIRST TIME and EVERY TIME. It should be safe (if crippled) out of the box and a warning obvious during the process of changing it to be less safe.

Re:Accidentally, or not? (1)

Yaa 101 (664725) | about a year and a half ago | (#43308143)

This has to do with not well thought out default settings of the various DNS servers out there, but also has to do with people running too-old DNS servers.
You can restrict recursive resolving based on source IP, groups of IPs or subnets.
The first thing I do is define an internal mode and an external mode, where external mode only sees an authoritative server and the internal mode can do recursive resolving.

Why are people not being alerted? (2)

h4rr4r (612664) | about a year and a half ago | (#43306517)

Why are they not sending out emails to the people running these things?

Check which domains these servers are authoritative for and send them a damn email.

Re:Why are people not being alerted? (1)

electron sponge (1758814) | about a year and a half ago | (#43306713)

Why are they not sending out emails to the people running these things?

Check which domains these servers are authoritative for and send them a damn email.

I agree, something proactive needs to be done. The question I have is: whose job is it to do something proactive in these instances? Does anyone do these sorts of things?

According to the article, there are ~27 million open DNS resolvers. That might take some time. I suppose it could be automated, though, with a "Dear [admin and/or technical contact], your DNS located at [ip address] is breaking the internet. Love, Some people you have never heard of. Click here for more information." I wonder how many of the emails would get chucked as spam?

Re:Why are people not being alerted? (0)

Anonymous Coward | about a year and a half ago | (#43307021)

I suppose it could be automated, though, with a "Dear [admin and/or technical contact], your DNS located at [ip address] is breaking the internet. Love, Some people you have never heard of. Click here for more information." I wonder how many of the emails would get chucked as spam?

I get those e-mails from higher up at my work. My department's DNS isn't open, but it looks open to the automated scanning software that looks for them. I'm glad they do that scanning. They do catch real problems most of the time.

Re:Why are people not being alerted? (1)

pavon (30274) | about a year and a half ago | (#43306823)

There are over 25 million known open DNS resolvers [openresolverproject.org] that can be used in DNS amplification attacks. Directly contacting the administrators of all the servers used in the attack is not a tractable problem. The same is true of pretty much any DDoS attack vector; there are too many broken machines to deal with them directly.

Re:Why are people not being alerted? (5, Funny)

six025 (714064) | about a year and a half ago | (#43306971)

There are over 25 million known open DNS resolvers [openresolverproject.org] that can be used in DNS amplification attacks. Directly contacting the administrators of all the servers used in the attack is not a tractable problem

It sounds like the solution is to send out a huge amount of unsolicited email.

Oh, wait ...

Re:Why are people not being alerted? (4, Funny)

bobstreo (1320787) | about a year and a half ago | (#43307389)

There are over 25 million known open DNS resolvers [openresolverproject.org] that can be used in DNS amplification attacks. Directly contacting the administrators of all the servers used in the attack is not a tractable problem

It sounds like the solution is to send out a huge amount of unsolicited email.

Oh, wait ...

Well we could do a kickstarter, and hire our friends at Cyberbunker to host the email sending...

Re:Why are people not being alerted? (3, Informative)

LordLimecat (1103839) | about a year and a half ago | (#43307245)

Because the DNS servers are doing nothing wrong.

The problem is that people can spoof source addresses (because ISPs aren't stopping it). Fix this issue, and you'll still have to worry about any of a million other scenarios where a small request gets a lot of data back.

All you have to do is make sure source addresses are filtered when they hit the ISP, and the huge majority of these issues (as well as being able to cloak where an attack came from) go away.

Re:Why are people not being alerted? (3, Informative)

Shoten (260439) | about a year and a half ago | (#43307469)

Because the DNS servers are doing nothing wrong.

The problem is that people can spoof source addresses (because ISPs aren't stopping it). Fix this issue, and you'll still have to worry about any of a million other scenarios where a small request gets a lot of data back.

All you have to do is make sure source addresses are filtered when they hit the ISP, and the huge majority of these issues (as well as being able to cloak where an attack came from) go away.

Actually, they are. The feature being leveraged here is that the servers are performing recursive lookups for domains that they do not control for the open Internet; BIND turns this off, by default, starting with version 9.4. The problem is that a lot of 9.3.X and older DNS servers are still out there, as well as a lot of bad network architecture jobs. The servers should only handle recursion for IP addresses that are on the inside. And as for the spoofing? Well, ingress filtering is trivial to do at the border. And these two things in concert shut this problem down entirely.

Re:Why are people not being alerted? (1)

Em Adespoton (792954) | about a year and a half ago | (#43307693)

Ingress filtering at the border also has the benefit (for the providers) that customer-hosted open relays will also be blocked. Things like Tor will still work, but no more auto-forwarding/reflecting of packets. This could REALLY clean up the bandwidth the current infrastructure has to deal with, while minimally impacting legitimate traffic.

Re:Why are people not being alerted? (1)

Shoten (260439) | about a year and a half ago | (#43307457)

Trust me...it's not that simple. For one, there usually isn't an email to send to...there may be one listed somewhere, but it may not be real or nobody may read it. But on top of that, who is this "they" you are referring to...Spamhaus? So, Spamhaus should do a lookup on every single DNS server that is hammering them during the largest DDoS in history, find the abuse email address for each of them, and send them an email? All while getting hit with the biggest DDoS ever?

To get a sense of why abuse email accounts get ignored in a lot of organizations, Google 'site:sans.edu abuse' and read the first 5 or six articles.

I had a server doing this for years. (0)

Anonymous Coward | about a year and a half ago | (#43306519)

Never even noticed until I ran Ethereal for an unrelated problem, and was like, "What is all this shit?"

Sorry about that.

The rate was slow enough that it never made a dent in the bandwidth usage. They must keep it throttled down but have a massive number of servers in parallel.

Re:I had a server doing this for years. (0)

Anonymous Coward | about a year and a half ago | (#43306677)

*sigh* add me to the list. It was open for years and years, and closing it was a careful process because I had to make sure it wasn't going to break anything.

Article is garbage (5, Insightful)

Anonymous Coward | about a year and a half ago | (#43306559)

It claims that the problem is DNS resolvers that don't authenticate the sender's IP address using BCP38 [ietf.org]. It is comparing chalk and cheese. Filtering out spoofed IP addresses is something that needs to happen at the edge of the network. It's not something that a single server on the network can do.

Re:Article is garbage (2)

asc4 (413110) | about a year and a half ago | (#43306609)

This. Rate-limiting can help...I'm quite sure Google has rate-limiting in place on 8.8.8.8 for instance. But for those who don't have Google's budget, it's a challenge. There are not currently any sufficiently tested and stable DNS rate-limiting features in any of the top 3 resolvers out there. The problem here is networks letting spoofed packets out of their nets, not DNS servers performing correctly.

Re:Article is garbage (0, Flamebait)

Synerg1y (2169962) | about a year and a half ago | (#43306669)

Rofl, why is this discussion at the bottom, and a bunch of newbs asking why a bunch of open DNS admins haven't done anything about it up top? I don't get slashdot techies anymore, except the consensus that they're all stupid.

There's no point to spoofing out IP addresses at the edge of the network when the throughput is choked, it won't do anything, you can keep dropping them and turn off SYN to keep internal communication up with the edge, but the way out is clogged.

In regards to Open DNS servers and not doing IP verification, I'd imagine that has to do with the amount of resources available to them.

Rate limiting would help, but one day may block legitimate users as internet use expands.

Out of all those though, rate limiting seems to make the most sense and is the lesser of the evils.

Re:Article is garbage (0)

Anonymous Coward | about a year and a half ago | (#43306735)

The point is that there's no reason for this traffic to hit DNS servers in the first place. They're spoofed addresses that should be dropped by the ISP. Sure they might still choke due to the sheer amount of traffic, but they shouldn't route it to the entire world.

Re:Article is garbage (1)

t4ng* (1092951) | about a year and a half ago | (#43306805)

ISPs could very easily drop packets with fake source IPs at their borders. They know what IP addresses they own, and it's not resource intensive to check it. It would stop a whole host of problems if all ISPs did this.

Then again... are smartphones and tablets using a mobile-IP protocol that would get screwed up by this? If so, good! Maybe those damn kids will stop staring at their phones for two seconds and get the hell off my lawn!

Re:Article is garbage (2)

sl3xd (111641) | about a year and a half ago | (#43307247)

If so, good! Maybe those damn kids will stop staring at their phones for two seconds and get the hell off my lawn!

Now will you believe that there are good reasons to not open your WiFi?

!!! You've got kids from the whole neighborhood just hanging out on your lawn, leeching your WiFi. Think of all the pheromones coming from all those kids wishing that cute thing a few steps over would look up from the phone and talk to them. All of those awkward glances and giggles.

At this point, the last thing you need is one of them downloading a nude picture of one of their classmates (which will happen several times a week...). Can you imagine the fallout if you not only have "kiddie porn" being downloaded on your network -- but said "kiddie" was regularly seen on your yard?

Keep your WiFi closed. Turn on your sprinklers, loose the hounds! You'll get those damn kids off your lawn, clean up your air, and stay out of jail!

Re:Article is garbage (1)

LordLimecat (1103839) | about a year and a half ago | (#43307293)

You're not understanding how the spoofing works, and "the way out being clogged" is irrelevant when you're getting 100-1 amplification off of large numbers of bots.

The attacking computers are claiming that their source address is that of the person they want to attack; they request a large DNS file; the DNS server sends its gigantic response to the victim (who has been impersonated).

The DNS server CANNOT realize that the source IP was forged without sending additional traffic. The ISP however CAN, since they know what IPs should reside at each edge of their network, and all they have to do is block those forged addresses, and every single amplification-based DDoS goes away.

Re:Article is garbage (1)

Synerg1y (2169962) | about a year and a half ago | (#43307463)

Right, the post I was talking about was saying that the traffic should be filtered at the edge of the network, my point is that wouldn't do anything.

I meant...

There's no point to filtering out spoofed IP addresses

w proper sentence structure lol.

AC didn't specify which network, the ISP's or Spamhaus's. I agree the ISP can fix it though; getting them to do so carries its own set of challenges.

Here's a good read for anybody still confused: http://arstechnica.com/security/2013/03/spamhaus-ddos-grows-to-internet-threatening-size/ [arstechnica.com]

Basically restates the above post + politics.

Re:Article is garbage (1)

Em Adespoton (792954) | about a year and a half ago | (#43307789)

Right, the post I was talking about was saying that the traffic should be filtered at the edge of the network, my point is that wouldn't do anything.

I meant...

There's no point to filtering out spoofed IP addresses

w proper sentence structure lol.

AC didn't specify which network, the ISP's or Spamhaus's. I agree the ISP can fix it though; getting them to do so carries its own set of challenges.

Here's a good read for anybody still confused: http://arstechnica.com/security/2013/03/spamhaus-ddos-grows-to-internet-threatening-size/ [arstechnica.com]

Basically restates the above post + politics.

Actually, all that needs to happen is for the ISPs to correctly set their drop tables on their BGP policies. These tables should be set up by default when the ISP acquires a netblock, and updated each time a netblock is added/dropped. It's SOP, and not difficult.

For consumer-facing ISPs who don't have BGP to peer with other networks (but are just a subscriber themselves), they can just configure the drop tables on their border switches so that only source IPs within their netblock can be sent outbound. This provides them with MANY advantages (as it lowers potential bandwidth usage and lessens service abuse and resulting support tickets) and for most providers (except those who dynamically lease from multiple netblocks for the same pool -- something you shouldn't be doing without BGP) carries no risk. It's 2 hours during the maintenance window (to allow for testing before deploying) that will likely pay for itself within a day.

In short, the only reasons I can see not to do this are complicity, laziness and ignorance.
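The border filter described above (only sources from the provider's own netblock may leave, and, for a BGP-speaking ISP, only from the port that prefix was assigned to) as an added Python illustration, not code from any commenter or ISP. The port names and prefixes are constructed documentation values, and the 100:1 figure is the ratio quoted in the story summary, used only to size the traffic a dropped packet would have reflected.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ingress_port: str  # customer-facing port the packet arrived on
    src: str           # claimed source address (may be forged)
    dst: str
    size: int          # bytes on the wire


# Constructed example of what an ISP knows: the prefixes assigned to each
# customer-facing port (hypothetical port names, RFC 5737/3849 prefixes).
PORT_PREFIXES = {
    "cust-a": ["198.51.100.0/26"],
    "cust-b": ["203.0.113.0/24", "2001:db8:1::/48"],
}


def build_filter(port_prefixes):
    """Pre-parse the per-port prefix lists into ip_network objects."""
    return {port: [ipaddress.ip_network(p) for p in prefixes]
            for port, prefixes in port_prefixes.items()}


def _in_any(src, nets):
    return any(src.version == n.version and src in n for n in nets)


def permitted(filt, pkt, mode="strict"):
    """Decide whether an outbound packet may leave the ISP.

    strict: the source must belong to a prefix assigned to the port it came
            in on (the per-customer drop tables a BGP-speaking ISP keeps).
    loose:  the source must belong to any prefix the ISP owns at all (the
            'only our netblock goes outbound' rule a subscriber ISP can put
            on its border switches).
    """
    try:
        src = ipaddress.ip_address(pkt.src)
    except ValueError:
        return False  # unparseable source: fail closed
    if mode == "strict":
        nets = filt.get(pkt.ingress_port)
        return nets is not None and _in_any(src, nets)
    all_nets = [n for nets in filt.values() for n in nets]
    return _in_any(src, all_nets)


def apply_filter(filt, packets, mode="strict"):
    """Split a packet list into (forwarded, dropped) under the chosen mode."""
    forwarded, dropped = [], []
    for p in packets:
        (forwarded if permitted(filt, p, mode) else dropped).append(p)
    return forwarded, dropped


def reflected_bytes_prevented(dropped, factor=100):
    """Response bytes the spoofed victim is spared; `factor` is the
    illustrative 100:1 amplification ratio from the story summary."""
    return sum(p.size * factor for p in dropped)


# Constructed outbound traffic as seen at the ISP border.
SAMPLE_PACKETS = [
    Packet("cust-a", "198.51.100.7", "203.0.113.53", 64),        # genuine query
    Packet("cust-a", "192.0.2.10", "203.0.113.53", 64),          # source forged as the victim
    Packet("cust-b", "2001:db8:1::53", "2001:db8:ffff::1", 80),  # genuine IPv6 query
    Packet("cust-b", "198.51.100.7", "203.0.113.53", 64),        # ISP address, wrong port
]

if __name__ == "__main__":
    filt = build_filter(PORT_PREFIXES)
    for mode in ("strict", "loose"):
        fwd, drp = apply_filter(filt, SAMPLE_PACKETS, mode)
        print(mode, "forwarded:", [p.src for p in fwd],
              "dropped:", [p.src for p in drp],
              "reflected bytes prevented:", reflected_bytes_prevented(drp))
```

Strict mode also catches a customer sourcing another customer's address; loose mode only catches addresses the ISP does not own at all, which is still enough to stop the reflection in this example.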

Re:Article is garbage (1)

MaraDNS (1629201) | about a year and a half ago | (#43308165)

Out of all those though, rate limiting seems to make the most sense and is the lesser of the evils.

Except for the fact that some DNS servers do not have rate limiting nor the funds to implement rate limiting (it's non-trivial to implement), you're right.

In my case, without EDNS support, the highest amplification factor my DNS server has is 23x (as opposed to the 100x+ EDNS servers have). Also: My server doesn't have open recursion enabled by default.
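The rate limiting discussed in this sub-thread, as an added Python sketch that is not MaraDNS's or any other server's code: identical answers to one client network are counted per second, and beyond a limit they are mostly dropped, with every second excess reply sent truncated (TC=1) so a genuine client can retry over TCP. The limits, prefix lengths and the query stream are constructed assumptions.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Query:
    t: float      # arrival time in seconds
    client: str   # source address on the packet (may be forged)
    qname: str
    qtype: str


class ResponseRateLimiter:
    """Hypothetical response rate limiter.

    Responses are keyed by (client prefix, name, type); once a key exceeds
    `limit` within `window` seconds, excess responses are dropped, except
    that every `slip`-th one is sent truncated so real clients fall back to
    TCP while a spoofed victim receives a few tiny packets instead of a
    stream of full-size answers.
    """

    def __init__(self, limit=5, window=1.0, slip=2, v4_prefix=24, v6_prefix=56):
        self.limit, self.window, self.slip = limit, window, slip
        self.v4_prefix, self.v6_prefix = v4_prefix, v6_prefix
        self.state = {}  # key -> (window_start, count)

    def _client_net(self, addr):
        """Aggregate clients so an attacker cannot dodge the limit by
        spreading forged sources across one victim subnet."""
        ip = ipaddress.ip_address(addr)
        plen = self.v4_prefix if ip.version == 4 else self.v6_prefix
        return str(ipaddress.ip_network(f"{ip}/{plen}", strict=False))

    def decide(self, q):
        """Return 'send', 'slip' (truncated reply) or 'drop' for one query."""
        key = (self._client_net(q.client), q.qname.lower().rstrip("."), q.qtype.upper())
        start, count = self.state.get(key, (q.t, 0))
        if q.t - start >= self.window:  # window expired: start a fresh count
            start, count = q.t, 0
        count += 1
        self.state[key] = (start, count)
        if count <= self.limit:
            return "send"
        excess = count - self.limit
        if self.slip and excess % self.slip == 0:
            return "slip"
        return "drop"

    def run(self, queries):
        """Decide every query in arrival order; return per-verdict counts."""
        return Counter(self.decide(q) for q in sorted(queries, key=lambda q: q.t))


# Constructed traffic: 20 forged ANY queries in under a second, all claiming
# the victim's address, interleaved with a genuine client's ordinary lookups,
# plus one more forged query after the window has expired.
REFLECTION_BURST = [Query(i * 0.04, "192.0.2.10", "example.net.", "ANY") for i in range(20)]
GENUINE = [Query(0.1 * i, "198.51.100.7", f"host{i}.example.org", "A") for i in range(8)]
LATER = [Query(1.5, "192.0.2.10", "example.net", "any")]

if __name__ == "__main__":
    print(ResponseRateLimiter().run(REFLECTION_BURST + GENUINE + LATER))
```

With the defaults the victim gets 5 full answers and 7 truncated ones instead of 20 full answers, and none of the genuine client's lookups are touched because each has its own key.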

Re:Article is garbage (1)

Stan92057 (737634) | about a year and a half ago | (#43307125)

Well, we can say it's this person's job or that person's job, or it should be done this way, but then that way won't work according to some people and they write to say so. The problem is no one wants to do anything or take responsibility. This is going to cost money and it's going to suck for some people. But we have let the bad guys take over the internet, so now it's going to be a costly thing to fix. Christ, we would have never made it to the moon with all the negative thinkers we have now; it's a crying shame.

Determining vulnerability? (1)

ShaunC (203807) | about a year and a half ago | (#43306565)

I see that the Open Resolver Project has a tool to scan for offending servers in your IP space, but it doesn't explain what the results indicate. I'm guessing that an RCODE value of 0 means you're not part of the problem?
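What the header of a resolver's reply tells you, as an added Python example that is not the Open Resolver Project's tool nor any commenter's code: RCODE 0 on its own says little, but RCODE 0 together with the RA (recursion available) flag and an answer for a name the server is not authoritative for means it recursed for an outsider; REFUSED (RCODE 5) or a cleared RA flag means it did not. The three replies are constructed byte strings, and `probe` is a hypothetical helper for checking a resolver you administer.

```python
import socket
import struct
from dataclasses import dataclass

RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED"}


@dataclass(frozen=True)
class Header:
    ident: int
    qr: bool      # 1 = this message is a response
    rd: bool      # recursion desired (copied back from the query)
    ra: bool      # recursion available: the server will recurse for this client
    rcode: int
    qdcount: int
    ancount: int


def encode_name(name):
    """Encode a dotted name as length-prefixed DNS labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, ident=0x1234, rd=True):
    """Plain A query with RD set, as a resolver check would send it."""
    flags = 0x0100 if rd else 0
    return (struct.pack("!HHHHHH", ident, flags, 1, 0, 0, 0)
            + encode_name(name) + struct.pack("!HH", 1, 1))  # QTYPE A, QCLASS IN


def parse_header(msg):
    if len(msg) < 12:
        raise ValueError("message shorter than the 12-byte DNS header")
    ident, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return Header(ident, bool(flags & 0x8000), bool(flags & 0x0100),
                  bool(flags & 0x0080), flags & 0x000F, qd, an)


def classify(msg, expected_ident=None):
    """Label a reply to a recursive query for a name the server does not serve."""
    h = parse_header(msg)
    if not h.qr or (expected_ident is not None and h.ident != expected_ident):
        return "not-our-response"
    if h.rcode == 5:
        return "refused"                 # recursion restricted: not part of the problem
    if not h.ra:
        return "recursion-unavailable"   # answered, but will not recurse for outsiders
    if h.rcode == 0 and h.ancount > 0:
        return "open-recursive"          # resolved a foreign name for an outsider
    return RCODE_NAMES.get(h.rcode, f"rcode-{h.rcode}").lower()


def probe(resolver_ip, name="example.com", timeout=2.0):
    """Hypothetical self-check: query a resolver you run and classify its reply."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (resolver_ip, 53))
        reply, _ = s.recvfrom(4096)
    return classify(reply, expected_ident=0x1234)


# Constructed replies to the query above (192.0.2.1 is a documentation address).
QUESTION = encode_name("example.com") + struct.pack("!HH", 1, 1)
OPEN_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + QUESTION   # QR RD RA, NOERROR
              + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))
REFUSED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0) + QUESTION  # QR RD, REFUSED
NO_RA_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8100, 1, 0, 0, 0) + QUESTION    # QR RD, RA clear

if __name__ == "__main__":
    for label, reply in (("open", OPEN_REPLY), ("refused", REFUSED_REPLY), ("no RA", NO_RA_REPLY)):
        print(label, "->", parse_header(reply), classify(reply))
```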

Re:Determining vulnerability? (1)

h4rr4r (612664) | about a year and a half ago | (#43306603)

I believe any server it lists is part of the problem.
Servers that are not part of the problem should not be listed at all.

Re:Determining vulnerability? (1)

ShaunC (203807) | about a year and a half ago | (#43306921)

I found 8.8.8.8, 4.2.2.4 etc. on there, which I'm hoping are set up responsibly. But I don't know of a "known bad" resolver to scan and see if the results come out differently.

Re:Determining vulnerability? (1)

heypete (60671) | about a year and a half ago | (#43307085)

Well, that makes sense: the Google Public DNS servers are indeed open resolvers but they have all sorts of mechanisms in place to prevent their being abused.

Misconfigured slashdot editors (0)

Anonymous Coward | about a year and a half ago | (#43306579)

Repeatedly post the same story.

Hoax? (4, Interesting)

Ubi_NL (313657) | about a year and a half ago | (#43306581)

I know it's not the primary topic here, but gizmodo has some evidence that the whole cyberbunker thing is a fake

http://gizmodo.com/5992652/that-internet-war-apocalypse-is-a-lie [gizmodo.com]

Re:Hoax? (2)

Anonymous Coward | about a year and a half ago | (#43306871)

I know it's not the primary topic here, but gizmodo has some evidence that the whole cyberbunker thing is a fake

http://gizmodo.com/5992652/that-internet-war-apocalypse-is-a-lie [gizmodo.com]

WHOA WHOA WHOA. No.

This 'thing' is definitely real. It's happening. That's not in question. What ISN'T real, however, is CloudFlare's assertion that it's "jamming crucial infrastructure around the world".

Re:Hoax? (1)

gl4ss (559668) | about a year and a half ago | (#43306977)

dunno, it is real if you define spamhaus as crucial infrastructure.

it isn't though..

Re:Hoax? (1)

liamevo (1358257) | about a year and a half ago | (#43307263)

The article itself states this exactly.

Re:Hoax? (0)

Anonymous Coward | about a year and a half ago | (#43307093)

gizmodo and "evidence" are an oxymoron aren't they? Anything under Gawker is suspect, and giz has always been gutter level.

Re:Hoax? (1)

Shoten (260439) | about a year and a half ago | (#43307489)

gizmodo and "evidence" are an oxymoron aren't they? Anything under Gawker is suspect, and giz has always been gutter level.

If I hadn't just posted twice, I would mod this up in agreement. Gizmodo is a blog that posts gadget-related rumors and the like...and even then they suck up the snake oil like Robert Evans snorts cocaine.

Re:Hoax? (1)

Em Adespoton (792954) | about a year and a half ago | (#43307959)

Added to that, if it was a hoax, it piggybacked the IXes mentioned having significant routing issues, all at the same time, around the time CloudFlare, a respected hosting service who claimed to be affected, started blogging about it. You might not have noticed, but anyone with a network presence in the UK, Netherlands or HK definitely did; traceroutes were all you needed to see the disruption for yourself.

So... documented reports from those who actually route the Internet plus much anecdotal evidence vs comments on Gizmodo from anonymous sources -- I think I know what I'll prefer to believe.

The cyberbunker part might be pure conjecture, but the DDoS was pretty obvious.

Re:Hoax? (0)

Anonymous Coward | about a year and a half ago | (#43307839)

Definitely not fake. I can verify that both Spamhaus and Project Honey Pot (which was also attacked but not mentioned anywhere) were down. Also in dispute from Giz is not that it happened, but rather if the DDoS was 300Gbs and if that was enough to interfere with tier 1 traffic to "break the Internet". All I can say is that you RTFA from Giz before saying it's a hoax.

Re:Hoax? (1)

Max DollarCash (2874161) | about a year and a half ago | (#43308159)

I know it's not the primary topic here, but gizmodo has some evidence that the whole cyberbunker thing is a fake

http://gizmodo.com/5992652/that-internet-war-apocalypse-is-a-lie [gizmodo.com]

Well, reading your quoted article is worrisome as it goes as far as describing a DDoS attack as a nuke. Do I feel another law or restriction coming up?

46.244.10.0 - 46.244.10.31 (0)

Anonymous Coward | about a year and a half ago | (#43306593)

Are there any routers that will ever talk to that range of IP addresses ever again, other than the ones run by a2b-internet.com?

Arrest them! (1)

Billly Gates (198444) | about a year and a half ago | (#43306607)

Have the SWAT team bust down their door and haul their asses to jail. Seriously, this is ridiculous. Hacking into someone else's servers is a severe crime the last time I looked and there is ample evidence from OpenDNS who does not even have to file charges.

Otherwise you are showing the Russian Mafia and others they are not accountable for their actions and can do whatever the hell they want. I wish more arrests would be made. Shutting down and arresting Cyberbunker officers would be a great start. After all they got KimDotCom and he didn't do damage. I have noticed youtube is barely working with syncing issues and I am on fios which is no doubt related as Google admits they're trying to absorb the punch so the internet doesn't get knocked out

Re:Arrest them! (0)

Anonymous Coward | about a year and a half ago | (#43306807)

And you know 100% for sure that these bunker spammer folk are the ones that actually carried out the attack, and not some random stranger on the internet that just felt like showing off his skillz by taking two people arguing with each other and making the whole planet think that one attacked the other for "the lulz"?

SWAT/police need a little more proof than "I think they did it" before they kick in a door (or a bunker...) with guns.

Re:Arrest them! (1)

burne (686114) | about a year and a half ago | (#43306825)

Have the SWAT team bust down their door and haul their asses to jail.

Smart! Leave nobody to switch off the botnet!

Re:Arrest them! (0)

Anonymous Coward | about a year and a half ago | (#43307079)

Agree to reduce the sentencing if one of them pleads guilty and gives instructions on how to shut it off? Make it known that if they do not cooperate a coworker gets to walk if he or she agrees, or gets a reduced sentence.

Boy, will that get an answer fast as hacking is a crime where you can get up to a decade or more in prison. This is what cops and the FBI do all the time.

Re:Arrest them! (0)

Anonymous Coward | about a year and a half ago | (#43306839)

Have the SWAT team bust down their door and haul their asses to jail. Seriously, this is ridiculous. Hacking into someone else's servers is a severe crime the last time I looked and there is ample evidence from OpenDNS who does not even have to file charges.

"What? You're saying the kids are just copying a bunch of bits for free? Come come, how can the movie studios be mad about THAT? Those little scamps get into all sorts of mischief these days, and the studios should know that!"

"Oopsie-doodle! Someone installed a <voice mode='mocking'>big mean scary hacking backdoor at his job</voice> because his own self-absorbed paranoia led him to believe nobody could ever do his job at all, so he needed to hold an entire city's tech infrastructure hostage? Oh, please! Now you're just being silly! We've all had days just like that! He's just a silly-willy innocent sysadmin who everyone can relate to! Obviously, the city should've trusted him more, else he wouldn't have had to put everyone at risk like that! If only you worrywarts would look at the big picture, you'd see it was perfectly fine to have a single emotionally unstable psychopath with a god complex in control of the communication network of one of the largest metropolitan areas in the world!"

"Guffaw! Well, wouldya look at that? The tykes arranged a DDoS of some government entity I don't like! Well, ain't that just the cutest darned thing? And look! Now they're releasing the personal information of innocent government workers who're just trying to do their jobs! Aww, that's just adorable! Better luck next time, people who expect to be able to do their jobs or have an expectation of privacy working for a larger group we don't like right now! Maybe if your entire function wasn't marginalized by the comic books we immerse ourselves in regularly, we might be able to see deeper and find some pity for you as human beings, rather than dismiss you all as comical exaggerations of a binary good vs evil battle!"

"Hey, isn't that someone doing a DDoS on some server I don't find offensive? MURDER. EVERYBODY. NOW. This is an abomination not only against GOD HIMSELF, but against ALL POSSIBLE DEITIES EVER CONCEIVED BY MAN, BEAST, OR ALIEN. No punishment is too severe. We must wipe the attacker's current country of residence from existence until we find him and know he is dead. Then his birth country must be cleansed to ensure nothing like him can ever be born again. THIS WAS A DDoS, PEOPLE. YOU NOW ALL HAVE LICENSES TO MURDER. FAILURE TO DO SO IS A FURTHER CRIME AGAINST EXISTENCE."

Re:Arrest them! (1)

PlusFiveTroll (754249) | about a year and a half ago | (#43307063)

>Have the SWAT team bust down their door and haul their asses to jail.

Cannot tell if serious...

If you read Cyberbunker's website, that happened once. Dutch SWAT showed up... looked at gigantic steel doors for a nuclear bunker... left.

Re:Arrest them! (1)

mjwalshe (1680392) | about a year and a half ago | (#43307437)

OK, just cut off the power and wait for them to come out :-) or come back with a thermic lance, or, as it's the police, just lob teargas into the vents (the cops being allowed to use gas where military forces are not).

Of course the classic way of solving this sort of problem, as done at the Eben-Emael fort in WW2, was to use shaped charges to blow a hole.

Re:Arrest them! (1)

Em Adespoton (792954) | about a year and a half ago | (#43308019)

OK, just cut off the power and wait for them to come out :-) or come back with a thermic lance, or, as it's the police, just lob teargas into the vents (the cops being allowed to use gas where military forces are not).

Of course the classic way of solving this sort of problem, as done at the Eben-Emael fort in WW2, was to use shaped charges to blow a hole.

Or, just go to their physical upstream provider (the one who feeds them the cable) and tell them to cut the connection. Then wait for someone to show up to complain.

I'm not quite sure how you're supposed to do it? (1)

green1 (322787) | about a year and a half ago | (#43306645)

Maybe this is over my head. But how would one run a "safe" DNS server then? My interpretation of the article basically says to let only specific people use your DNS server, but then how would a company run a public resolver?

For example, Google runs open public name servers on 8.8.8.8 and 8.8.4.4, same with OpenDNS, and many, many more. What is to stop those servers from being used in this sort of attack? Is this article really advocating a situation where you MUST use only your own ISP's resolver and trust them not to do what so many of them consistently do and mess with the results?

Or am I completely missing the point to this article?

Re:I'm not quite sure how you're supposed to do it (2)

nairnr (314138) | about a year and a half ago | (#43306705)

Maybe this is over my head. But how would one run a "safe" DNS server then? My interpretation of the article basically says to let only specific people use your DNS server, but then how would a company run a public resolver?

For example, Google runs open public name servers on 8.8.8.8 and 8.8.4.4, same with OpenDNS, and many, many more. What is to stop those servers from being used in this sort of attack? Is this article really advocating a situation where you MUST use only your own ISP's resolver and trust them not to do what so many of them consistently do and mess with the results?

Or am I completely missing the point to this article?

Two different things. If you are running a DNS server yourself, for your own domain, then you should only respond to requests for your domain from the outside, i.e. non-recursive. The only answers you serve are for those queries you are authoritative for. You only accept recursive queries from inside your own network. Those are the recursive ones.

Public servers would use rate-limiting to protect against being effective in spoofed attacks.

Re:I'm not quite sure how you're supposed to do it (0)

Anonymous Coward | about a year and a half ago | (#43306803)

"If you are running a DNS server yourself, for your own domain then you should only respond to requests for your domain from the outside."

This can be used for DDOS, right?

Re:I'm not quite sure how you're supposed to do it (0)

Anonymous Coward | about a year and a half ago | (#43306857)

To reply to myself... no it can't, it's non-recursive.

Re:I'm not quite sure how you're supposed to do it (1)

PlusFiveTroll (754249) | about a year and a half ago | (#43307087)

To reply to myself... no it can't, it's non-recursive.

Um, not exactly... You can have an authoritative non-recursive DNS server that gives large responses to questions used in an amplification attack...

'dig a www.authoritative.domain @authoritative.domain.ip'

RESPONSE = 1000+ bytes follows...
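The two points above, nairnr's distinction between a server that recurses for anyone and one that only answers for its own zones, and the 1000+ byte answer from a dig against an authoritative server, both come down to a few bits and sizes in the DNS wire format. The following is an added example written for this page, not code from the thread or from any of the products mentioned: it builds a query and a server reply in wire format entirely in memory (no network), reads the RA flag that marks an open recursive resolver, and computes the amplification factor as reply bytes per query byte. The record set, names and sizes are constructed for illustration.

```python
import struct

# --- wire-format helpers (RFC 1035 / RFC 6891), written for this example ---

def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(qname, qtype, txid=0x1234, edns_bufsize=None):
    """Query with RD set. An EDNS0 OPT record advertises the UDP payload size the
    client claims to accept; attackers set it large (4096) so the reply is not
    truncated at the classic 512-byte limit."""
    arcount = 1 if edns_bufsize else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    opt = b""
    if edns_bufsize:
        # OPT: root name, TYPE 41, CLASS = payload size, TTL (ext. flags) 0, RDLEN 0
        opt = b"\x00" + struct.pack("!HHIH", 41, edns_bufsize, 0, 0)
    return header + question + opt

def advertised_bufsize(query):
    """UDP payload size the query advertises (512 without EDNS0)."""
    arcount, = struct.unpack("!H", query[10:12])
    if arcount:
        rtype, size = struct.unpack("!HH", query[-10:-6])
        if rtype == 41:
            return size
    return 512

def question_section(msg):
    i = 12
    while msg[i] != 0:
        i += msg[i] + 1
    return msg[12:i + 5]          # labels + root + QTYPE + QCLASS

def txt_rdata(text):
    data = text.encode("ascii")
    return b"".join(bytes([len(data[i:i + 255])]) + data[i:i + 255]
                    for i in range(0, len(data), 255))

def build_response(query, txt_records, recursion_available):
    """What a server sends back: RA=1 marks an open recursive resolver, RA=0 an
    authoritative-only server. If the answer exceeds the advertised payload size
    a compliant server truncates (TC=1) and the client must retry over TCP,
    which a spoofed attacker cannot complete."""
    txid, = struct.unpack("!H", query[:2])
    flags = 0x8100 | (0x0080 if recursion_available else 0)   # QR, RD, (RA)
    question = question_section(query)
    answers = b""
    for text in txt_records:
        rdata = txt_rdata(text)
        # name pointer to offset 12 (the question), TYPE TXT, CLASS IN, TTL, RDLEN
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 3600, len(rdata)) + rdata
    header = struct.pack("!HHHHHH", txid, flags, 1, len(txt_records), 0, 0)
    msg = header + question + answers
    if len(msg) > advertised_bufsize(query):
        header = struct.pack("!HHHHHH", txid, flags | 0x0200, 1, 0, 0, 0)  # TC set
        msg = header + question
    return msg

def has_ra_flag(response):
    """True when the server is willing to recurse for this client (open resolver)."""
    flags, = struct.unpack("!H", response[2:4])
    return bool(flags & 0x0080)

def is_truncated(response):
    flags, = struct.unpack("!H", response[2:4])
    return bool(flags & 0x0200)

def amplification_factor(query, response):
    """Bytes delivered to the spoofed victim per byte the attacker had to send."""
    return len(response) / len(query)

def demo():
    # constructed record set: ten 100-byte TXT strings, the kind of bloated
    # answer that makes a name attractive for amplification
    records = ["x" * 100] * 10
    q_edns = build_query("example.com", 16, edns_bufsize=4096)
    q_plain = build_query("example.com", 16)
    return {
        "open_resolver": amplification_factor(q_edns, build_response(q_edns, records, True)),
        "no_edns": amplification_factor(q_plain, build_response(q_plain, records, True)),
    }

if __name__ == "__main__":
    print(demo())
```

The same 40-byte query yields a reply of well over a kilobyte when it advertises a 4096-byte EDNS0 buffer, and a 29-byte truncated reply when it does not; that is why every amplification tool sends EDNS0, and why the RA flag alone does not tell you whether a server is abusable, only whether it recurses for you.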

Re:I'm not quite sure how you're supposed to do it (1)

t4ng* (1092951) | about a year and a half ago | (#43307113)

Sure it could. If it is (mis)configured to allow a zone transfer, you could have a bot net send it zone transfer requests for your own domain with the source ip address spoofed to be your target. A little more complex setup than a recursive request, but you still get some good amplification. Do that on thousands or millions of DNS servers that aren't recursive, but allow zone transfers, and you still get a DDOS attack with very little input traffic. You could also do it on root servers (or any recursive server) by asking for MX records on a domain that has a bunch of MX records, like big ISPs. Not as much amplification as a zone transfer, but still some.

So really the only way to stop it is for ISPs to just stop traffic with spoofed source addresses from leaving their networks.

Re:I'm not quite sure how you're supposed to do it (1)

Shimbo (100005) | about a year and a half ago | (#43308243)

Sure it could. If it is (mis)configured to allow a zone transfer, you could have a bot net send it zone transfer requests for your own domain with the source ip address spoofed to be your target. A little more complex setup than a recursive request, but you still get some good amplification.

You're less likely to do this by accident. Besides, a spoofed zone transfer will almost always fail on the TCP three-way handshake step.

Re:I'm not quite sure how you're supposed to do it (1)

green1 (322787) | about a year and a half ago | (#43307119)

Why not? sure, it would be more difficult as each request would have to be tailored to the DNS server it's using, but the same principle should apply, spoof the source address, request information (in this case something within the domain being hosted) and let the larger reply go to the spoofed (victim's) address.

The only thing preventing this is that it's more work than the easier current method of being able to send the same request to every name server, but there's no reason it couldn't still be done.

Re:I'm not quite sure how you're supposed to do it (1)

Qzukk (229616) | about a year and a half ago | (#43307223)

It could, but only if they knew what domain your server was authoritative for when they picked your DNS server at random.

Your server would also have to be able to cough up a pretty big response to make it worthwhile.

Re:I'm not quite sure how you're supposed to do it (1)

t4ng* (1092951) | about a year and a half ago | (#43306961)

Two other different things...

1) ISPs could drop out-going tcp and udp packets on port 53 from all their IP addresses except their own DNS servers. That would stop their customers from using public DNS servers outside their networks. But it would also stop this kind of attack.

2) Drop all outgoing traffic that has a spoofed source IP address. This is a very simple bit mask operation. Yes, it requires more compute power than not doing it, but not very much. The ISPs know what IP addresses they own, they can very easily prevent spoofed traffic from leaving their networks, effectively stopping this kind of attack, as well as other types of hacking. At the same time, it would still allow legitimate use of public DNS servers.
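The "simple bit mask operation" in point 2 is the whole of BCP38 ingress/egress filtering at an access network's edge. The following is an added example for this page, not code from the thread: a filter that knows the prefixes assigned to the network and forwards only packets whose source address falls inside one of them, so a spoofed DNS query carrying the victim's address never leaves. The prefixes and packets are constructed from documentation ranges; the Packet type and the decision about what counts as "assigned" (it should include any customer's own documented prefix, which is the multihoming caveat raised below) are assumptions of the example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int

def in_prefix(ip, net):
    """The bit-mask check itself: (address AND netmask) == network address."""
    return (int(ip) & int(net.netmask)) == int(net.network_address)

class EgressFilter:
    """BCP38 egress filter for an access network: forward only packets whose
    source lies in a prefix assigned to this network (or documented as belonging
    to a customer behind it), drop everything else regardless of protocol."""

    def __init__(self, assigned_prefixes):
        self.prefixes = [ipaddress.ip_network(p) for p in assigned_prefixes]

    def source_allowed(self, src):
        ip = ipaddress.ip_address(src)
        return any(ip.version == net.version and in_prefix(ip, net)
                   for net in self.prefixes)

    def process(self, packets):
        forwarded, dropped = [], []
        for pkt in packets:
            (forwarded if self.source_allowed(pkt.src) else dropped).append(pkt)
        return forwarded, dropped

# Constructed traffic leaving an access network that has been assigned
# 192.0.2.0/24 and 2001:db8:1::/48 (documentation prefixes, not real ones).
SAMPLE_PACKETS = [
    Packet("192.0.2.10", "8.8.8.8", "udp", 53),             # customer -> public resolver: legitimate
    Packet("2001:db8:1::42", "2001:4860:4860::8888", "udp", 53),
    Packet("198.51.100.7", "203.0.113.53", "udp", 53),      # source is the victim's address: spoofed
    Packet("203.0.113.9", "192.0.2.1", "tcp", 443),         # spoofed and not even DNS: still dropped
]

def run_filter():
    """Apply the filter to the sample traffic; returns (forwarded, dropped)."""
    f = EgressFilter(["192.0.2.0/24", "2001:db8:1::/48"])
    return f.process(SAMPLE_PACKETS)

if __name__ == "__main__":
    fwd, drop = run_filter()
    for p in drop:
        print("dropped spoofed source", p.src, "->", p.dst)
```

Note what the filter does not do: it never inspects port 53, so the legitimate query to a public resolver goes through, while the spoofed packets are dropped whatever service they target. That is the difference between point 2 and point 1.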

Re:I'm not quite sure how you're supposed to do it (2)

PlusFiveTroll (754249) | about a year and a half ago | (#43307115)

#2 is the right answer, be responsible for the traffic on your network.

#1 is the wrong answer. Too many ISPs fuck with DNS by returning IP addresses to advertising domains instead of NXDOMAIN.

Re:I'm not quite sure how you're supposed to do it (1)

green1 (322787) | about a year and a half ago | (#43307129)

1) would be REALLY bad, and I hate anyone who would even consider such a solution.

2) I can't imagine why every ISP and transit provider doesn't already do this. This has been a known problem for over a decade, deal with it already!

Re:I'm not quite sure how you're supposed to do it (1)

Alex Pennace (27488) | about a year and a half ago | (#43308249)

Two other different things...

1) ISPs could drop out-going tcp and udp packets on port 53 from all their IP addresses except their own DNS servers. That would stop their customers from using public DNS servers outside their networks. But it would also stop this kind of attack.

It would also have a high collateral cost: diagnosing many DNS issues becomes impossible when you can only work with one recursive resolver (which may be what is causing the DNS issues!) It is necessary to access legitimate open resolvers and authoritative servers on any kind of Internet connection, even residential broadband (don't think of grandma but think of the tech helping grandma).

In short, we *need* TCP and UDP port 53 traffic unfiltered.

2) Drop all outgoing traffic that has a spoofed source IP address. This is a very simple bit mask operation. Yes, it requires more compute power than not doing it, but not very much. The ISPs know what IP addresses they own, they can very easily prevent spoofed traffic from leaving their networks, effectively stopping this kind of attack, as well as other types of hacking. At the same time, it would still allow legitimate use of public DNS servers.

This is what we need more of. Provided, of course, that it isn't applied in situations where it breaks things, but in those cases the customer is hopefully smart enough to implement their own filtering.

Re:I'm not quite sure how you're supposed to do it (1)

mcrbids (148650) | about a year and a half ago | (#43307433)

You simply configure your DNS server properly, including setting the networks it's allowed to resolve for. A nameserver can be both authoritative for certain domains globally, and also be recursive for specific hosts.

Of course, there's also the problem of DNS amplification using source address spoofing by requesting authoritative DNS records, but simply doing the above greatly mitigates the effectiveness of the attack.

Re:I'm not quite sure how you're supposed to do it (1)

radiumsoup (741987) | about a year and a half ago | (#43306769)

Or am I completely missing the point to this article?

Yes.

It's talking about spoofed requests - much like if someone sent a request for more information to a Scientology center, and they put your return address on the form. Suddenly you're getting very creepy mail from the Scientologists and you have no idea where it came from. If they do it enough times to enough organizations, your mailbox is full, and your Netflix Blu-ray of Tootsie is deferred until you can clean out your mailbox.

Re:I'm not quite sure how you're supposed to do it (1)

green1 (322787) | about a year and a half ago | (#43307169)

You're confirming that I understood the article perfectly. The problem is in their choice of solution.

It seems there are 2 possible solutions.

1) get ISPs and transit providers to actually start blocking IP spoofing (something they all should have been doing years ago)

2) break the internet by banning all public resolvers.

Unfortunately the article seems to me to be advocating for number 2, which would harm many people, and just cause the attackers to continue to use IP spoofing on different services or protocols.

Fix number 1 and you fix a lot. Implement number 2, and you delay the issue by a few days while the attackers work around it.

Re:I'm not quite sure how you're supposed to do it (1)

gparent (1242548) | about a year and a half ago | (#43306773)

The problem is that almost no one actually needs to run a public resolver.

Your ISP provides a DNS server to you that is recursive (usually), so they can use ACLs to make sure only their clients are using them.

Domain owners provide DNS servers that are authoritative, but only for their own domain, so it limits the scope of the problem as well.

The problem is when domain owners provide DNS servers authoritative for their domain, but -also- allow other people to use them as public recursive servers. There's usually no reason for this other than the server administrator's competence.

There are legit uses for open recursors, you mention Google DNS and OpenDNS as an example. These guys have to use rate limiting and defeat the attacks themselves, there's no easy solution.
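Response rate limiting is the one defence a public resolver such as the ones named above can apply itself, since it cannot refuse recursion and cannot see whether a source address is spoofed. The following is an added example for this page, not code from the thread or from any named service: a per-client-prefix token bucket in the shape of BIND's RRL feature, simplified, with illustrative parameters rather than anyone's defaults. Suppressed responses are dropped, except that every so often one is answered with a truncated reply ("slip") so a genuine client behind a shared /24 retries over TCP while the spoofed flood still gets no amplification. The flood and the client addresses are constructed.

```python
import collections
import ipaddress

class ResponseRateLimiter:
    """Token bucket keyed on (client prefix, qname, qtype). Identical questions
    arriving from one source network faster than `responses_per_second` are
    suppressed; every `slip`-th suppressed answer is sent as a truncated reply
    (TC=1, no answer section) so a real client falls back to TCP.
    Simplified model of the RRL approach; parameters are illustrative."""

    def __init__(self, responses_per_second=5, slip=2, v4_prefix=24, v6_prefix=56):
        self.rate = responses_per_second
        self.slip = slip
        self.v4_prefix, self.v6_prefix = v4_prefix, v6_prefix
        self.buckets = {}                        # key -> (tokens, last_seen)
        self.suppressed = collections.Counter()  # key -> suppressed count

    def key(self, client_ip, qname, qtype):
        """Aggregate by prefix: an attacker can vary the low bits of a spoofed
        source, and a NAT hides many real clients behind one address."""
        ip = ipaddress.ip_address(client_ip)
        plen = self.v4_prefix if ip.version == 4 else self.v6_prefix
        net = ipaddress.ip_network(f"{ip}/{plen}", strict=False)
        return (str(net), qname.rstrip(".").lower(), qtype.upper())

    def decide(self, client_ip, qname, qtype, now):
        """Return 'send', 'drop' or 'slip' for a response about to go out."""
        key = self.key(client_ip, qname, qtype)
        tokens, last = self.buckets.get(key, (float(self.rate), now))
        tokens = min(float(self.rate), tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self.buckets[key] = (tokens - 1.0, now)
            return "send"
        self.buckets[key] = (tokens, now)
        self.suppressed[key] += 1
        if self.slip and self.suppressed[key] % self.slip == 0:
            return "slip"
        return "drop"

def simulate():
    """Constructed flood: 100 spoofed 'example.com ANY' queries bearing the
    victim's address arrive in the same instant, while an unrelated client
    elsewhere asks an ordinary question. Returns (outcome counts, limiter)."""
    rrl = ResponseRateLimiter()
    outcome = collections.Counter()
    for _ in range(100):
        outcome[rrl.decide("203.0.113.5", "example.com", "ANY", now=0.0)] += 1
    outcome["legit_" + rrl.decide("192.0.2.77", "www.example.com", "A", now=0.0)] += 1
    return outcome, rrl

if __name__ == "__main__":
    counts, _ = simulate()
    print(dict(counts))
```

With a budget of five responses per second, the flood gets five full answers and ninety-five suppressed ones, about half of them dropped outright and half answered with a small truncated reply; the unrelated client is unaffected, and a second later the bucket has refilled for the next burst. The attacker's amplification collapses because the bytes sent to the victim are now bounded by the rate, not by the size of the record set.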

these people are worse (1)

v1 (525388) | about a year and a half ago | (#43306681)

than the users that get their computers infected with botnets and spew spam. These people are supposed to know what they're doing.

Take away their Geek Card, and then suspend their internet license ;)

Re:these people are worse (0)

Anonymous Coward | about a year and a half ago | (#43306767)

Ah, do you know which version of bind it is auto off in? Do you know the settings to turn it off? Or did you get a copy that was installed with your oldish copy of ubuntu and you did not even know it was there?

By your logic everyone should know every setting of every server program out there if you just want to run something. You should have a masters degree before turning some software on.

More than likely these are older copies of bind (on by default below 9.3ish). Bind is the sort of software you stand up and forget about because it 'just works'.

The real issue is these packets are even leaving the L1/L2/L3 networks with 0 checking of source address. Address spoofing is interesting in an academic world. However it should be a rare thing on the live internet... But it is amazingly common...

Re:these people are worse (1)

v1 (525388) | about a year and a half ago | (#43306951)

By your logic everyone should know every setting of every server program out there if you just want to run something.

If you've got a fat enough pipe to do damage from someone abusing your system, and are running an externally-facing service like DNS, that is KNOWN to be an attack vector, then YES, I can, and WILL expect you to know what you're doing, so you're not a danger to others, or ME. You've gone to the trouble of taking off the training wheels, and with power comes responsibility.

As it is now, the internet is like the interstate with their 80 yr olds flinging giant Winnebagos down the road without requiring them to hold a CDL, and they're just as much of a problem. People wielding dangerous tools need to be knowledgeable and responsible with them, and held accountable and partially liable when they aren't. Ignorance is not a defense.

Mitigation while it still happens? (1)

gmuslera (3436) | about a year and a half ago | (#43306775)

The kind of traffic it generated could practically disconnect entire countries from the internet, and is still open to whoever has the right resources to use it. What kind of measures can be taken to prevent it? To have several DNS mirrors with really big bandwidth?

NOT "OPENDNS" but "open" "dns" servers. (1)

Anonymous Coward | about a year and a half ago | (#43307011)

OpenDNS is a DNS service, whereas "open dns servers" were abused - but not at OpenDNS...

Sad thing is... (0)

Anonymous Coward | about a year and a half ago | (#43307027)

Nobody from Cyberbunker will go to jail for it most likely and they SHOULD go to jail....

Open DNS? (0)

Anonymous Coward | about a year and a half ago | (#43307391)

forgive my ignorance but the only Open DNS that I know of is http://www.opendns.com. I wonder if the article is talking about opendns.com. I didn't see any news releases on their website.

Learn the truth about DNS... apk (-1)

Anonymous Coward | about a year and a half ago | (#43307503)

Mainly in efficiency - it runs in Ring 0/RPL 0/PnP Kernelmode (on Windows), as merely a filter for the IP stack (no overheads of more driver layers OR browser level slower less efficient addons):

21++ ADVANTAGES OF CUSTOM HOSTS FILES (how/what/when/where/why):

Over AdBlock & DNS Servers ALONE 4 Security, Speed, Reliability, & Anonymity (to an extent vs. DNSBL's + DNS request logs).

1.) HOSTS files are usable for all these purposes because they are present on all Operating Systems that have a BSD based IP stack (even ANDROID) and do adblocking for ANY webbrowser, email program, etc. (any webbound program). A truly "multi-platform" UNIVERSAL solution for added speed, security, reliability, & even anonymity to an extent (vs. DNS request logs + DNSBL's you feel are unjust hosts get you past/around).

2.) Adblock blocks ads? Well, not anymore & certainly not as well by default, apparently, lol - see below:

Adblock Plus To Offer 'Acceptable Ads' Option

http://news.slashdot.org/story/11/12/12/2213233/adblock-plus-to-offer-acceptable-ads-option [slashdot.org] )

AND, in only browsers & their subprogram families (ala email like Thunderbird for FireFox/Mozilla products (use same gecko & xulrunner engines)), but not all, or, all independent email clients, like Outlook, Outlook Express, OR Window "LIVE" mail (for example(s)) - there's many more like EUDORA & others I've used over time that AdBlock just DOES NOT COVER... period.

Disclaimer: Opera now also has an AdBlock addon (now that Opera has addons above widgets), but I am not certain the same people make it as they do for FF or Chrome etc..

3.) Adblock doesn't protect email programs external to FF (non-mozilla/gecko engine based) family based wares, So AdBlock doesn't protect email programs like Outlook, Outlook Express, Windows "LIVE" mail & others like them (EUDORA etc./et al), Hosts files do. THIS IS GOOD VS. SPAM MAIL or MAILS THAT BEAR MALICIOUS SCRIPT, or, THAT POINT TO MALICIOUS SCRIPT VIA URLS etc.

4.) Adblock won't get you to your favorite sites if a DNS server goes down or is DNS-poisoned, hosts will (this leads to points 5-7 next below).

5.) Adblock doesn't allow you to hardcode in your favorite websites into it so you don't make DNS server calls and so you can avoid tracking by DNS request logs, OR make you reach them faster since you resolve host-domain names LOCALLY w/ hosts out of cached memory, hosts do ALL of those things (DNS servers are also being abused by the Chinese lately and by the Kaminsky flaw -> http://www.networkworld.com/news/2008/082908-kaminsky-flaw-prompts-dns-server.html [networkworld.com] for years now). Hosts protect against those problems via hardcodes of your fav sites (you should verify against the TLD that does nothing but cache IPAddress-to-domainname/hostname resolutions (in-addr.arpa) via NSLOOKUP, PINGS (ping -a in Windows), &/or WHOIS though, regularly, so you have the correct IP & it's current)).

* NOW - Some folks MAY think that putting an IP address alone into your browser's address bar will be enough, so why bother with HOSTS, right? WRONG - Putting an IP address in your browser won't always work IS WHY. Some IP addresses host several domains & need the site name to give you the right page you're after is why. So for some sites only the HOSTS file option will work!

6.) Hosts files don't eat up CPU cycles (or ELECTRICITY) like AdBlock does while it parses a webpage's content, nor as much as a DNS server does while it runs. HOSTS files are merely a FILTER for the kernel mode/PnP TCP/IP subsystem, which runs FAR FASTER & MORE EFFICIENTLY than any ring 3/rpl3/usermode app can since hosts files run in MORE EFFICIENT & FASTER Ring 0/RPL 0/Kernelmode operations acting merely as a filter for the IP stack (via the "Plug-N-Play" designed IP stack in Windows) vs. SLOWER & LESS EFFICIENT Ring 3/RPL 3/Usermode operations (which webbrowsers run in + their addons like AdBlock slow down even MORE SO due to their parsing operations).

7.) HOSTS files will allow you to get to sites you like, via hardcoding your favs into a HOSTS file, FAR faster than remote DNS servers can by FAR (by saving the roundtrip inquiry time to a DNS server, typically 30-100's of ms, vs. 7-10ms HardDisk speed of access/seek + SSD seek in ns, & back to you - hosts resolutions of IP address for host-domain names is FAR faster...). Hosts are only a filter for an already fast & efficient IP stack, no more layered b.s. (remote OR local). Hosts eat less CPU, RAM, I/O in other forms, + electricity than a locally running DNS server easily, and less than a local DNS program on a single PC. Fact. Hosts are easier to setup & maintain too.

8.) AdBlock doesn't let you block out known bad sites or servers that are known to be maliciously scripted, hosts can and many reputable lists for this exist:

GOOD INFORMATION ON MALWARE BEHAVIOR LISTING BOTNET C&C SERVERS + MORE (AS WELL AS REMOVAL LISTS FOR HOSTS):

http://www.mvps.org/winhelp2002/hosts.htm [mvps.org]
  http://someonewhocares.org/hosts/ [someonewhocares.org]
  http://hostsfile.org/hosts.html [hostsfile.org]
  http://hostsfile.mine.nu/downloads/ [hostsfile.mine.nu]
  http://hosts-file.net/?s=Download [hosts-file.net]
  https://zeustracker.abuse.ch/monitor.php?filter=online [abuse.ch]
  https://spyeyetracker.abuse.ch/monitor.php [abuse.ch]
  http://ddanchev.blogspot.com/ [blogspot.com]
  http://www.malware.com.br/lists.shtml [malware.com.br]
  http://www.stopbadware.org/ [stopbadware.org]
Spybot "Search & Destroy" IMMUNIZE feature (fortifies HOSTS files with KNOWN bad servers blocked)

And yes: Even SLASHDOT &/or The Register help!

(Via articles on security (when the source articles they use are "detailed" that is, & list the servers/sites involved in attempting to bushwhack others online that is... not ALL do!)).

2 examples thereof in the past I have used, & noted it there, are/were:

http://it.slashdot.org/comments.pl?sid=1898692&cid=34473398 [slashdot.org]
  http://it.slashdot.org/comments.pl?sid=1896216&cid=34458500 [slashdot.org]

9.) AdBlock & DNS servers are programs, and subject to bugs programs can get. Hosts files are merely a filter and not a program, thus not subject to bugs of the nature just discussed.

10.) HOSTS files protect you vs. DNS-poisoning &/or the Kaminsky flaw in DNS servers, and allow you to get to sites reliably vs. things like the Chinese are doing to DNS -> http://yro.slashdot.org/story/10/11/29/1755230/Chinese-DNS-Tampering-a-Real-Threat-To-Outsiders [slashdot.org]

11.) HOSTS files are EASILY user controlled, obtained (for reliable ones -> http://www.mvps.org/winhelp2002/hosts.htm [mvps.org] ) & edited too, via texteditors like Windows notepad.exe or Linux nano (etc.)

12.) With Adblock you had better be able to code javascript to play with its code (to customize it better than the GUI front does @ least). With hosts you don't even need source to control it (edit, update, delete, insert of new entries via a text editor).

13.) Hosts files are easily secured via using MAC/ACL (even more so "automagically" for Vista, 7/Server 2008 + beyond by UAC by default) &/or Read-Only attributes applied.

14.) Custom HOSTS files also speed you up, unlike anonymous proxy servers systems variations (like TOR, or other "highly anonymous" proxy server list servers typically do, in the severe speed hit they often have a cost in) either via "hardcoding" your fav. sites into your hosts file (avoids DNS servers, totally) OR blocking out adbanners - see this below for evidence of that:

---

US Military Blocks Websites To Free Up Bandwidth:

http://yro.slashdot.org/story/11/03/16/0416238/US-Military-Blocks-Websites-To-Free-Up-Bandwidth [slashdot.org]

(Yes, even the US Military used this type of technique... because IT WORKS! Most of what they blocked? Ad banners ala doubleclick etc.)

---

Adbanners slow you down & consume your bandwidth YOU pay for:

ADBANNERS SLOW DOWN THE WEB: -> http://tech.slashdot.org/article.pl?sid=09/11/30/166218 [slashdot.org]

---

And people do NOT LIKE ads on the web:

PEOPLE DISLIKE ADBANNERS: http://yro.slashdot.org/yro/08/04/02/0058247.shtml [slashdot.org]

---

As well as this:

Users Know Advertisers Watch Them, and Hate It:

http://yro.slashdot.org/yro/08/04/02/0058247.shtml [slashdot.org]

---

Even WORSE still, is this:

Advertising Network Caught History Stealing:

http://yro.slashdot.org/story/11/07/22/156225/Advertising-Network-Caught-History-Stealing [slashdot.org]

---

15.) HOSTS files usage lets you avoid being charged on some ISP/BSP's (OR phone providers) "pay as you use" policy http://yro.slashdot.org/story/10/12/08/2012243/FCC-Approving-Pay-As-You-Go-Internet-Plans [slashdot.org] , because you are using less bandwidth (& go faster doing so no less) by NOT hauling in adbanner content and processing it (which can lead to infestation by malware/malicious script, in & of itself -> http://apcmag.com/microsoft_apologises_for_serving_malware.htm [apcmag.com] ).

16.) If/when ISP/BSP's decide to go to -> FCC Approving Pay-As-You-Go Internet Plans: http://yro.slashdot.org/story/10/12/08/2012243/FCC-Approving-Pay-As-You-Go-Internet-Plans [slashdot.org] your internet bill will go DOWN if you use a HOSTS file for blocking adbanners as well as maliciously scripted hacker/cracker malware maker sites too (after all - it's your money & time online downloading adbanner content & processing it)

Plus, your adbanner content? Well, it may also be hijacked with malicious code too mind you:

---

Yahoo, Microsoft's Bing display toxic ads:

http://www.theregister.co.uk/2011/09/16/bing_yahoo_malware_ads/ [theregister.co.uk]

---

Malware torrent delivered over Google, Yahoo! ad services:

http://www.theregister.co.uk/2009/09/24/malware_ads_google_yahoo/ [theregister.co.uk]

---

Google's DoubleClick spreads malicious ads (again):

http://www.theregister.co.uk/2009/02/24/doubleclick_distributes_malware/ [theregister.co.uk]

---

Rogue ads infiltrate Expedia and Rhapsody:

http://www.theregister.co.uk/2008/01/30/excite_and_rhapsody_rogue_ads/ [theregister.co.uk]

---

Google sponsored links caught punting malware:

http://www.theregister.co.uk/2008/12/16/google_sponsored_links/ [theregister.co.uk]

---

DoubleClick caught supplying malware-tainted ads:

http://www.theregister.co.uk/2007/11/13/doubleclick_distributes_malware/ [theregister.co.uk]

---

Yahoo feeds Trojan-laced ads to MySpace and PhotoBucket users:

http://www.theregister.co.uk/2007/09/11/yahoo_serves_12million_malware_ads/ [theregister.co.uk]

---

Real Media attacks real people via RealPlayer:

http://www.theregister.co.uk/2007/10/23/real_media_serves_malware/ [theregister.co.uk]

---

Ad networks owned by Google, Microsoft serve malware:

http://www.theregister.co.uk/2010/12/13/doubleclick_msn_malware_attacks/ [theregister.co.uk]

---

Attacks Targeting Classified Ad Sites Surge:

http://it.slashdot.org/story/11/02/02/1433210/Attacks-Targeting-Classified-Ad-Sites-Surge [slashdot.org]

---

Hackers Respond To Help Wanted Ads With Malware:

http://it.slashdot.org/story/11/01/20/0228258/Hackers-Respond-To-Help-Wanted-Ads-With-Malware [slashdot.org]

---

Hackers Use Banner Ads on Major Sites to Hijack Your PC:

http://www.wired.com/techbiz/media/news/2007/11/doubleclick [wired.com]

---

Ruskie gang hijacks Microsoft network to push penis pills:

http://www.theregister.co.uk/2010/10/12/microsoft_ips_hijacked/ [theregister.co.uk]

---

Major ISPs Injecting Ads, Vulnerabilities Into Web:

http://it.slashdot.org/it/08/04/19/2148215.shtml [slashdot.org]

---

Two Major Ad Networks Found Serving Malware:

http://tech.slashdot.org/story/10/12/13/0128249/Two-Major-Ad-Networks-Found-Serving-Malware [slashdot.org]

---

THE NEXT AD YOU CLICK MAY BE A VIRUS:

http://it.slashdot.org/story/09/06/15/2056219/The-Next-Ad-You-Click-May-Be-a-Virus [slashdot.org]

---

NY TIMES INFECTED WITH MALWARE ADBANNER:

http://news.slashdot.org/article.pl?sid=09/09/13/2346229 [slashdot.org]

---

MICROSOFT HIT BY MALWARES IN ADBANNERS:

http://apcmag.com/microsoft_apologises_for_serving_malware.htm [apcmag.com]

---

ISP's INJECTING ADS AND ERRORS INTO THE WEB: -> http://it.slashdot.org/it/08/04/19/2148215.shtml [slashdot.org]

---

ADOBE FLASH ADS INJECTING MALWARE INTO THE NET: http://it.slashdot.org/article.pl?sid=08/08/20/0029220&from=rss [slashdot.org]

---

London Stock Exchange Web Site Serving Malware:

http://www.securityweek.com/london-stock-exchange-web-site-serving-malware [securityweek.com]

---

Spotify splattered with malware-tainted ads:

http://www.theregister.co.uk/2011/03/25/spotify_malvertisement_attack/ [theregister.co.uk]

---

As my list shows: "multiple evidences thereof" as to adbanners & viruses + the fact they slow you down & cost you more (from reputable & reliable sources no less).

17.) Per point #16, a way to save some money: ANDROID phones can also use the HOSTS FILE TO KEEP DOWN BILLABLE TIME ONLINE, vs. adbanners or malware such as this:

---

Infected Androids Run Up Big Texting Bills:

http://it.slashdot.org/story/11/03/01/0041203/Infected-Androids-Run-Up-Big-Texting-Bills [slashdot.org]

---

AND, for protection vs. other "botnets" migrating from the PC world, to "smartphones" such as ZITMO (a ZEUS botnet variant):

http://www.google.com/search?hl=en&source=hp&q=ZITMO&btnG=Google+Search [google.com]

---

It's easily done too, via the ADB dev. tool, & mounting ANDROID OS' system mountpoint for system/etc as READ + WRITE/ADMIN-ROOT PERMISSIONS, then copying your new custom HOSTS over the old one using ADB PULL/ADB PUSH to do so (otherwise ANDROID complains of "this file cannot be overwritten on production models of this Operating System", or something very along those lines - this way gets you around that annoyance along with you possibly having to clear some space there yourself if you packed it with things!).

18.) Bad news: ADBLOCK CAN BE DETECTED FOR: See here on that note -> http://arstechnica.com/business/news/2010/03/why-ad-blocking-is-devastating-to-the-sites-you-love.ars [arstechnica.com]

HOSTS files are NOT THAT EASILY "webbug" BLOCKABLE by websites, as was tried on users by ARSTECHNICA (and it worked on AdBlock in that manner), to that websites' users' dismay:

PERTINENT QUOTE/EXCERPT FROM ARSTECHNICA THEMSELVES:

----

An experiment gone wrong - By Ken Fisher | Last updated March 6, 2010 11:11 AM

http://arstechnica.com/business/news/2010/03/why-ad-blocking-is-devastating-to-the-sites-you-love.ars [arstechnica.com]

"Starting late Friday afternoon we conducted a 12 hour experiment to see if it would be possible to simply make content disappear for visitors who were using a very popular ad blocking tool. Technologically, it was a success in that it worked. Ad blockers, and only ad blockers, couldn't see our content."

and

"Our experiment is over, and we're glad we did it because it led to us learning that we needed to communicate our point of view every once in a while. Sure, some people told us we deserved to die in a fire. But that's the Internet!"

Thus, as you can see? Well - THAT all "went over like a lead balloon" with their users in other words, because Arstechnica was forced to change it back to the old way where ADBLOCK still could work to do its job (REDDIT however, has not, for example). However/Again - this is proof that HOSTS files can still do the job, blocking potentially malscripted ads (or ads in general because they slow you down) vs. adblockers like ADBLOCK!

----

19.) Even WIKILEAKS "favors" blacklists (because they work, and HOSTS can be a blacklist vs. known BAD sites/servers/domain-host names):

---

PERTINENT QUOTE/EXCERPT (from -> http://www.theregister.co.uk/2010/12/16/wikileaks_mirror_malware_warning_row/ [theregister.co.uk] )

"we are in favour of 'Blacklists', be it for mail servers or websites, they have to be compiled with care... Fortunately, more responsible blacklists, like stopbadware.org (which protects the Firefox browser)...

---

20.) AND, LASTLY? SINCE MALWARE GENERALLY HAS TO OPERATE ON WHAT YOU YOURSELF CAN DO (running as limited class/least privilege user, hopefully, OR even as ADMIN/ROOT/SUPERUSER)? HOSTS "LOCK IN" malware too, vs. communicating "back to mama" for orders (provided they have name servers + C&C botnet servers listed in them, blocked off in your HOSTS that is) - you might think they use a hardcoded IP, which IS possible, but generally they do not & RECYCLE domain/host names they own (such as has been seen with the RBN (Russian Business Network) lately though it was considered "dead", other malwares are using its domains/hostnames now, & this? This stops that cold, too - Bonus!)...

21.) Custom HOSTS files gain users back more "screen real estate" by blocking out banner ads... it's great on PC's for speed along with MORE of what I want to see/read (not ads), & efficiency too, but EVEN BETTER ON SMARTPHONES - by far. It matters MOST there imo @ least, in regards to extra screen real-estate.

Still - It's a GOOD idea to layer in the usage of BOTH browser addons for security like adblock ( http://adblockplus.org/en/ [adblockplus.org] ), IE 9's new TPL's ( http://ie.microsoft.com/testdrive/Browser/TrackingProtectionLists/ [microsoft.com] ), &/or NoScript ( http://noscript.net/ [noscript.net] especially this one, as it covers what HOSTS files can't in javascript which is the main deliverer of MOST attacks online & SECUNIA.COM can verify this for anyone really by looking @ the past few years of attacks nowadays), for the concept of "layered security"....

It's just that HOSTS files offer you a LOT MORE gains than Adblock ( http://adblockplus.org/en/ [adblockplus.org] ) does alone (as hosts do things adblock just plain cannot & on more programs, for more speed, security, and "stealth" to a degree even), and it corrects problems in DNS (as shown above via hardcodes of your favorite sites into your HOSTS file, and more (such as avoiding DNS request logs)).

ALSO - Some more notes on DNS servers & their problems, very recent + ongoing ones:

---

DNS flaw reanimates slain evil sites as ghost domains:

http://www.theregister.co.uk/2012/02/16/ghost_domains_dns_vuln/ [theregister.co.uk]

---

BIND vs. what the Chinese are doing to DNS lately? See here:

http://yro.slashdot.org/story/10/11/29/1755230/Chinese-DNS-Tampering-a-Real-Threat-To-Outsiders [slashdot.org]

---

SECUNIA HIT BY DNS REDIRECTION HACK THIS WEEK:

http://www.theregister.co.uk/2010/11/26/secunia_back_from_dns_hack/ [theregister.co.uk]

(Yes, even "security pros" are helpless vs. DNS problems in code bugs OR redirect DNS poisoning issues, & they can only try to "set the DNS record straight" & then, they still have to wait for corrected DNS info. to propagate across all subordinate DNS servers too - lagtime in which folks DO get "abused" in mind you!)

---

DNS vs. the "Kaminsky DNS flaw", here (and even MORE problems in DNS than just that):

http://www.scmagazineus.com/new-bind-9-dns-flaw-is-worse-than-kaminskys/article/140872/ [scmagazineus.com]

(Seems others are saying that some NEW "Bind9 flaw" is worse than the Kaminsky flaw ALONE, up there, mind you... probably corrected (hopefully), but it shows yet again, DNS hassles (DNS redirect/DNS poisoning) being exploited!)

---

Moxie Marlinspike's found others (0 hack) as well...

Nope... "layered security" truly IS the "way to go" - hacker/cracker types know it, & they do NOT want the rest of us knowing it too!...

(So until DNSSEC takes "widespread adoption"? HOSTS are your answer vs. such types of attack, because the 1st thing your system refers to, by default, IS your HOSTS file (over say, DNS server usage). There are decent DNS servers though, such as OpenDNS, ScrubIT, or even NORTON DNS (more on each specifically below), & because I cannot "cache the entire internet" in a HOSTS file? I opt to use those, because I have to (& OpenDNS has been noted to "fix immediately", per the Kaminsky flaw, in fact... just as a sort of reference to how WELL they are maintained really!)

---

DNS Hijacks Now Being Used to Serve Black Hole Exploit Kit:

https://threatpost.com/en_us/blogs/dns-hijacks-now-being-used-serve-black-hole-exploit-kit-121211 [threatpost.com]

---

DNS experts admit some of the underlying foundations of the DNS protocol are inherently weak:

http://it.slashdot.org/story/11/12/08/1353203/opendns-releases-dns-encryption-tool [slashdot.org]

---

Potential 0-Day Vulnerability For BIND 9:

http://it.slashdot.org/story/11/11/17/1429259/potential-0-day-vulnerability-for-bind-9 [slashdot.org]

---

Five DNS Threats You Should Protect Against:

http://www.securityweek.com/five-dns-threats-you-should-protect-against [securityweek.com]

---

DNS provider decked by DDoS dastards:

http://www.theregister.co.uk/2010/11/16/ddos_on_dns_firm/ [theregister.co.uk]

---

Ten Percent of DNS Servers Still Vulnerable: (so much for "conscientious patching", eh? Many DNS providers weren't patching when they had to!)

http://it.slashdot.org/it/05/08/04/1525235.shtml?tid=172&tid=95&tid=218 [slashdot.org]

---

DNS ROOT SERVERS ATTACKED:

http://it.slashdot.org/it/07/02/06/2238225.shtml [slashdot.org]

---

TimeWarner DNS Hijacking:

http://tech.slashdot.org/article.pl?sid=07/07/23/2140208 [slashdot.org]

---

DNS Re-Binding Attacks:

http://crypto.stanford.edu/dns/ [stanford.edu]

---

DNS Server Survey Reveals Mixed Security Picture:

http://it.slashdot.org/it/07/11/21/0315239.shtml [slashdot.org]

---

Halvar figured out super-secret DNS vulnerability:

http://www.zdnet.com/blog/security/has-halvar-figured-out-super-secret-dns-vulnerability/1520 [zdnet.com]

---

BIND Still Susceptible To DNS Cache Poisoning:

http://tech.slashdot.org/tech/08/08/09/123222.shtml [slashdot.org]

---

DNS Poisoning Hits One of China's Biggest ISPs:

http://it.slashdot.org/it/08/08/21/2343250.shtml [slashdot.org]

---

DDoS Attacks Via DNS Recursion:

http://it.slashdot.org/it/06/03/16/1658209.shtml [slashdot.org]

---

High Severity BIND DNS Vulnerability Advisory Issued:

http://tech.slashdot.org/story/11/02/23/156212/High-Severity-BIND-Vulnerability-Advisory-Issued [slashdot.org]

---

Photobucket's DNS records hijacked:

http://blogs.zdnet.com/security/?p=1285 [zdnet.com]

---

Protecting Browsers from DNS Rebinding Attacks:

http://crypto.stanford.edu/dns/ [stanford.edu]

---

DNS Problem Linked To DDoS Attacks Gets Worse:

http://tech.slashdot.org/story/09/11/15/1238210/DNS-Problem-Linked-To-DDoS-Attacks-Gets-Worse [slashdot.org]

---

HOWEVER - Some DNS servers are "really good stuff" vs. phishing, known bad sites/servers/hosts-domains that serve up malware-in-general & malicious scripting, botnet C&C servers, & more, such as:

Norton DNS -> http://nortondns.com/ [nortondns.com]
  ScrubIT DNS -> http://www.scrubit.com/ [scrubit.com]
  OpenDNS -> http://www.opendns.com/ [opendns.com]

(Norton DNS in particular, is exclusively for blocking out malware, for those of you that are security-conscious. ScrubIT filters pr0n material too, but does the same, & OpenDNS does phishing protection. Each page lists how & why they work, & why they do so. Norton DNS can even show you its exceptions lists, plus user reviews & removal procedures requests, AND growth stats (every 1/2 hour or so) here -> http://safeweb.norton.com/buzz [norton.com] so, that ought to "take care of the naysayers" on removal requests, &/or methods used plus updates frequency etc./et al...)

HOWEVER - There's ONLY 1 WEAKNESS TO ANY network defense, including HOSTS files (vs. host-domain name based threats) & firewalls (hardware router type OR software type, vs. IP address based threats): Human beings, & they not being 'disciplined' about the indiscriminate usage of javascript (the main "harbinger of doom" out there today online), OR, what they download for example... & there is NOTHING I can do about that! (Per Dr. Manhattan of "The Watchmen", ala -> "I can change almost anything, but I can't change human nature")

HOWEVER AGAIN - That's where NORTON DNS, OpenDNS, &/or ScrubIT DNS help!

(Especially for noob/grandma level users who are unaware of how to secure themselves in fact, per a guide like mine noted above that uses "layered-security" principles!)

ScrubIT DNS, &/or OpenDNS are others alongside Norton DNS (adding on phishing protection too) as well!

( & it's possible to use ALL THREE in your hardware NAT routers, and, in your Local Area Connection DNS properties in Windows, for again, "Layered Security" too)...

---

20++ SLASHDOT USERS EXPERIENCING SUCCESS USING HOSTS FILES QUOTED VERBATIM:

---

"Ever since I've installed a host file (http://www.mvps.org/winhelp2002/hosts.htm) to redirect advertisers to my loopback, I haven't had any malware, spyware, or adware issues. I first started using the host file 5 years ago." - by TestedDoughnut (1324447) on Monday December 13, @12:18AM (#34532122)

"I use a custom /etc/hosts to block ads... my file gets parsed basically instantly ... So basically, for any modern computer, it has zero visible impact. And even if it took, say, a second to parse, that would be more than offset by the MANY seconds saved by not downloading and rendering ads. I have noticed NO ill effects from running a custom /etc/hosts file for the last several years. And as a matter of fact I DO run http servers on my computers and I've never had an /etc/hosts-related problem... it FUCKING WORKS and makes my life better overall." - by sootman (158191) on Monday July 13 2009, @11:47AM (#28677363) Homepage Journal

"I actually went and downloaded a 16k line hosts file and started using that after seeing that post, you know just for trying it out. some sites load up faster." - by gl4ss (559668) on Thursday November 17, @11:20AM (#38086752) Homepage Journal

"Better than an ad blocker, imo. Hosts file entries: http://www.mvps.org/winhelp2002/hosts.htm [mvps.org] " - by TempestRose (1187397) on Tuesday March 15, @12:53PM (#35493274)

"^^ One of the many reasons why I like the user-friendliness of the /etc/hosts file." - by lennier1 (264730) on Saturday March 05, @09:26PM (#35393448)

"They've been on my HOSTS block for years" - by ScottCooperDotNet (929575) on Thursday August 05 2010, @01:52AM (#33147212)

"I'm currently only using my hosts file to block pheedo ads from showing up in my RSS feeds and causing them to take forever to load. Regardless of its original intent, it's still a valid tool, when used judiciously." - by Bill Dog (726542) on Monday April 25, @02:16AM (#35927050) Homepage Journal

"you're right about hosts files" - by drinkypoo (153816) on Thursday May 26, @01:21PM (#36252958) Homepage

"APK's monolithic hosts file is looking pretty good at the moment." - by Culture20 (968837) on Thursday November 17, @10:08AM (#38085666)

"I also use the MVPS ad blocking hosts file." - by Rick17JJ (744063) on Wednesday January 19, @03:04PM (#34931482)

"I use ad-Block and a hostfile" - by Ol Olsoc (1175323) on Tuesday March 01, @10:11AM (#35346902)

"I do use Hosts, for a couple fake domains I use." - by icebraining (1313345) on Saturday December 11, @09:34AM (#34523012) Homepage

"It's a good write up on something everybody should use, why you were modded down is beyond me. Using a HOSTS file, ADblock is of no concern and they can do what they want." - by Trax3001BBS (2368736) on Monday December 12, @10:07PM (#38351398) Homepage Journal

"I want my surfing speed back so I block EVERY fucking ad. i.e. http://someonewhocares.org/hosts/ [someonewhocares.org] and http://winhelp2002.mvps.org/hosts.htm [mvps.org] FTW" - by UnknownSoldier (67820) on Tuesday December 13, @12:04PM (#38356782)

"Let me introduce you to the file: /etc/hosts" - by fahrbot-bot (874524) on Monday December 19, @05:03PM (#38427432)

"I use a hosts file" - by EdIII (1114411) on Tuesday December 13, @01:17PM (#38357816)

"I'm tempted to go for a hacked hosts file that simply resolves most advert sites to 127.0.0.1" - by bLanark (123342) on Tuesday December 13, @01:13PM (#38357760)

"this is not a troll, which hosts file source you recommend nowadays? it's a really handy method for speeding up web and it works." - by gl4ss (559668) on Thursday March 22, @08:07PM (#39446525) Homepage Journal

"A hosts file certainly does not require "a lot of work" to maintain, and it quite effectively kills a LOT of advertising and tracking schemes. In fact, I never would have considered trying to use it for defending against viruses or malware." - by RocketRabbit (830691) on Thursday December 30 2010, @05:48PM (#34715060)

---

Then, there is also the words of respected security expert, Mr. Oliver Day, from SECURITYFOCUS.COM to "top that all off" as well:

A RETURN TO THE KILLFILE:

http://www.securityfocus.com/columnists/491 [securityfocus.com]

Some "PERTINENT QUOTES/EXCERPTS" to back up my points with (for starters):

---

"The host file on my day-to-day laptop is now over 16,000 lines long. Accessing the Internet -- particularly browsing the Web -- is actually faster now."

Speed and security are the gain... others like Mr. Day note it as well!

---

"From what I have seen in my research, major efforts to share lists of unwanted hosts began gaining serious momentum earlier this decade. The most popular appear to have started as a means to block advertising and as a way to avoid being tracked by sites that use cookies to gather data on the user across Web properties. More recently, projects like Spybot Search and Destroy offer lists of known malicious servers to add a layer of defense against trojans and other forms of malware."

Per my points exactly, no less... & guess who was posting about HOSTS files 14++ yrs. or more back & Mr. Day was reading & now using? Yours truly (& this is one of the later ones, from 2001 http://www.furtherleft.net/computer.htm [furtherleft.net] (but the example HOSTS file with my initials in it is FAR older, circa 1998 or so) or thereabouts, and referred to later by a pal of mine who moderates NTCompatible.com (where I posted on HOSTS for YEARS (1997 onwards)) -> http://www.ntcompatible.com/thread28597-1.html [ntcompatible.com] !

---

"Shared host files could be beneficial for other groups as well. Human rights groups have sought after block resistant technologies for quite some time. The GoDaddy debacle with NMap creator Fyodor (corrected) showed a particularly vicious blocking mechanism using DNS registrars. Once a registrar pulls a website from its records, the world ceases to have an effective way to find it. Shared host files could provide a DNS-proof method of reaching sites, not to mention removing an additional vector of detection if anyone were trying to monitor the use of subversive sites. One of the known weaknesses of the Tor system, for example, is direct DNS requests by applications not configured to route such requests through Tor's network."

There you go: AND, it also works vs. the "KAMINSKY DNS FLAW" & DNS poisoning/redirect attacks, for redirectable weaknesses in DNS servers (non DNSSEC type, & set into recursive mode especially) and also in the TOR system as well (that lends itself to anonymous proxy usage weaknesses I noted above also) and, you'll get to sites you want to, even IF a DNS registrar drops said websites from its tables as shown here Beating Censorship By Routing Around DNS -> http://yro.slashdot.org/story/10/12/09/1840246/Beating-Censorship-By-Routing-Around-DNS [slashdot.org] & even DNSBL also (DNS Block Lists) -> http://en.wikipedia.org/wiki/DNSBL [wikipedia.org] as well - DOUBLE-BONUS!

---

* POSTS ABOUT HOSTS FILES I DID on "/." THAT HAVE DONE WELL BY OTHERS & WERE RATED HIGHLY, 26++ THUS FAR (from +3 -> +1 RATINGS, usually "informative" or "interesting" etc./et al):

BANNER ADS & BANDWIDTH:2011 -> http://hardware.slashdot.org/comments.pl?sid=2139088&cid=36077722 [slashdot.org]
  HOSTS MOD UP:2010 -> http://yro.slashdot.org/comments.pl?sid=1907266&cid=34529608 [slashdot.org]
  HOSTS MOD UP:2009 -> http://tech.slashdot.org/comments.pl?sid=1490078&cid=30555632 [slashdot.org]
  HOSTS MOD UP:2010 -> http://it.slashdot.org/comments.pl?sid=1869638&cid=34237268 [slashdot.org]
  HOSTS MOD UP:2009 -> http://tech.slashdot.org/comments.pl?sid=1461288&threshold=-1&commentsort=0&mode=thread&cid=30272074 [slashdot.org]
  HOSTS MOD UP:2009 -> http://tech.slashdot.org/comments.pl?sid=1255487&cid=28197285 [slashdot.org]
  HOSTS MOD UP:2009 -> http://tech.slashdot.org/comments.pl?sid=1206409&cid=27661983 [slashdot.org]
  HOSTS MOD UP:2010 -> http://apple.slashdot.org/comments.pl?sid=1725068&cid=32960808 [slashdot.org]
  HOSTS MOD UP:2010 -> http://it.slashdot.org/comments.pl?sid=1743902&cid=33147274 [slashdot.org]
  APK 20++ POINTS ON HOSTS MOD UP:2010 -> http://news.slashdot.org/comments.pl?sid=1913212&cid=34576182 [slashdot.org]
  HOSTS MOD UP:2010 -> http://it.slashdot.org/comments.pl?sid=1862260&cid=34186256 [slashdot.org]
  HOSTS MOD UP:2010 (w/ facebook known bad sites blocked) -> http://tech.slashdot.org/comments.pl?sid=1924892&cid=34670128 [slashdot.org]
  HOSTS FILE MOD UP FOR ANDROID MALWARE:2010 -> http://mobile.slashdot.org/comments.pl?sid=1930156&cid=34713952 [slashdot.org]
  HOSTS MOD UP ZEUSTRACKER:2011 -> http://it.slashdot.org/comments.pl?sid=2059420&cid=35654066 [slashdot.org]
  HOSTS MOD UP vs AT&T BANDWIDTH CAP:2011 -> http://tech.slashdot.org/comments.pl?sid=2116504&cid=35985584 [slashdot.org]
  HOSTS MOD UP CAN DO SAME AS THE "CloudFlare" Server-Side service:2011 -> http://it.slashdot.org/comments.pl?sid=2220314&cid=36372850 [slashdot.org]
  HOSTS and BGP +5 RATED (BEING HONEST):2010 http://tech.slashdot.org/comments.pl?sid=1901826&cid=34490450 [slashdot.org]
  HOSTS & PROTECT IP ACT:2011 http://yro.slashdot.org/comments.pl?sid=2368832&cid=37021700 [slashdot.org]
  HOSTS MOD UP:2011 -> http://yro.slashdot.org/comments.pl?sid=2457766&cid=37592458 [slashdot.org]
  HOSTS MOD UP & OPERA HAUTE SECURE:2011 -> http://yro.slashdot.org/comments.pl?sid=2457274&cid=37589596 [slashdot.org]
  0.0.0.0 in HOSTS:2009 -> http://tech.slashdot.org/comments.pl?sid=1197039&cid=27556999 [slashdot.org]
  0.0.0.0 IN HOSTS:2009 -> http://tech.slashdot.org/comments.pl?sid=1143349&cid=27012231 [slashdot.org]
  0.0.0.0 in HOSTS:2009 -> http://it.slashdot.org/comments.pl?sid=1198841&cid=27580299 [slashdot.org]
  0.0.0.0 in HOSTS:2009 -> http://tech.slashdot.org/comments.pl?sid=1139705&cid=26977225 [slashdot.org]
  HOSTS MOD UP:2009 -> http://hardware.slashdot.org/comments.pl?sid=1319261&cid=28872833 [slashdot.org] (still says INSIGHTFUL)
  HOSTS MOD UP vs. botnet: 2012 -> http://it.slashdot.org/comments.pl?sid=2603836&cid=38586216 [slashdot.org]

---

Windows 7, VISTA, & Server 2008 have a couple of "issues" I don't like in them, & you may not either, depending on your point of view (mine's based solely on efficiency & security), & if my take on these issues aren't "good enough"? I suggest reading what ROOTKIT.COM says, link URL is in my "p.s." @ the bottom of this post:

1.) HOSTS files being unable to use "0" for a blocking IP address - this started in 12/09/2008 after an "MS Patch Tuesday" in fact for VISTA (when it had NO problem using it before that, as Windows 2000/XP/Server 2003 still can)... & yes, this continues in its descendants, Windows Server 2008 &/or Windows 7 as well.

So, why is this a "problem" you might ask?

Ok - since you can technically use either:

a.) 127.0.0.1 (the "loopback adapter address")
b.) 0.0.0.0 (next smallest & next most efficient)
c.) The smallest & fastest plain-jane 0

PER EACH HOSTS FILE ENTRY/RECORD...

You can use ANY of those, in order to block out known bad sites &/or adbanners in a HOSTS file this way??

Microsoft has "promoted bloat" in doing so... no questions asked.

Simply because

1.) 127.0.0.1 = 9 bytes in size on disk & is the largest/slowest
2.) 0.0.0.0 = 7 bytes & is the next largest/slowest in size on disk
3.) 0 = 1 byte

(& HOSTS files extend across EVERY webbrowser, email program, or in general every webbound program you use & thus HOSTS are "global" in coverage this way AND function on any OS that uses the BSD derived IP stack (which most all do mind you, even MS is based off of it, as BSD's IS truly, "the best in the business"), & when coupled with say, IE restricted zones, FireFox addons like NoScript &/or AdBlock, or Opera filter.ini/urlfilter.ini, for layered security in this capacity for webbrowsers & SOME email programs (here, I mean ones "built into" browsers themselves like Opera has for example))

MS has literally promoted bloat in this file, making it load slower from disk, into memory! This compounds itself, the more entries your HOSTS file contains... & for instance? Mine currently contains nearly 654,000 entries of known bad adbanners, bad websites, &/or bad nameservers (used for controlling botnets, misdirecting net requests, etc. et al).

Now, IF I were to use 127.0.0.1? My "huge" HOSTS file would be approximately 27mb in size... using 0.0.0.0 (next smallest) it would be 19mb in size - HOWEVER? Using 0 as my blocking IP, it is only 14mb in size. See my point?

(For loads either in the local DNS cache, or system diskcache if you run w/out the local DNS client service running, this gets slower the larger each HOSTS file entry is (which you have to stall the DNS client service in Windows for larger ones, especially if you use a "giant HOSTS file" (purely relative term, but once it goes over (iirc) 4mb in size, you have to cut the local DNS cache client service)))

NO questions asked - the physics of it backed me up in theory alone, but when I was questioned on it for PROOF thereof?

I wrote a small test program to load such a list into a "pascal record" (which is analogous to a C/C++ structure), which is EXACTLY what the DNS client/DNS API does as well, using a C/C++ structure (basically an array of sorts really, & a structure/record is a precursor part to a full-blown CLASS or OBJECT, minus the functions built in, this is for treating numerous variables as a SINGLE VARIABLE (for efficiency, which FORTRAN as a single example, lacks as a feature, @ least Fortran 77 did, but other languages do not))!

I even wrote another that just loaded my HOSTS file's entirety into a listbox, same results... slowest using 127.0.0.1, next slowest using 0.0.0.0, & fastest using 0.

And, sure: Some MORE "goes on" during DNS API loads (iirc, removal of duplicated entries (which I made sure my personal copy does not have these via a program I wrote to purge it of duplicated entries + to sort each entry alphabetically for easier mgt. via say, notepad.exe) & a conversion from decimal values to hex ones), but, nevertheless? My point here "holds true", of slower value loads, record-by-record, from a HOSTS file, when the entries become larger.

So, to "prove my point" to my naysayers?

I timed it using the Win32 API calls "GetTickCount" & then again, using the API calls of "QueryPerformanceCounter" as well, seeing the SAME results (a slowdown when reading in this file from disk, especially when using the larger 127.0.0.1 or 0.0.0.0 line item entries in a HOSTS file, vs. the smaller/faster/more efficient 0).

In my test, I saw a decline in speed/efficiency in my test doing so by using larger blocking addresses (127.0.0.1 &/or 0.0.0.0, vs. the smallest/fastest in 0)... proving me correct on this note!

On this HOSTS issue, and the WFP design issue in my next post below?

I also then questioned MS' own staff, even their VP of development (S. Sinofsky) on this here -> http://blogs.msdn.com/e7/archive/2009/02/09/recognizing-improvements-in-windows-7-handwriting.aspx?CommentPosted=true#commentmessage [msdn.com] & other places in their blogs, to get them to tell me WHY this seemingly intentional inefficiency was implemented... & I have YET to get a solid LOGICAL answer on this as to why it was done - THUS, @ this point?

I am convinced they (MS) do NOT have a good reason for doing this... because of their lack of response there on this note. Unless it has something to do with IPv6 (most folks use IPv4 still), I cannot understand WHY this design mistake imo, has occurred, in HOSTS files...

AND

2.) The "Windows Filtering Platform", which is now how the firewall works in VISTA, Server 2008, & Windows 7...

Sure it works in this new single point method & it is simple to manage & "sync" all points of it, making it easier for network techs/admins to manage than the older 3 part method, but that very thing works against it as well, because it is only a single part system now!

Thus, however?

This "single layer design" in WFP, now represents a SINGLE POINT OF FAILURE/ATTACK for malware makers to 'take down'!

(Which is 1 of the 1st things a malware attempts to do, is to take down any software firewalls present, or even the "Windows Security Center" itself which should warn you of the firewall "going down", & it's fairly easy to do either by messaging the services they use, or messing up their registry init. settings)

VS. the older (up to) 3 part method used in Windows 2000/XP/Server 2003, for protecting a system via IP Filtering, the Windows native Firewall, &/or IPSEC. Each of which uses diff. drivers, & layers of the IP stack to function from, as well as registry initialization settings.

Think of the older 3 part design much the same as the reason why folks use door handle locks, deadbolt locks, & chain locks on their doors... multipart layered security.

(Each of which the latter older method used, had 3 separate drivers & registry settings to do their jobs, representing a "phalanx like"/"zone defense like" system of backup of one another (like you see in sports OR ancient wars, and trust me, it WORKS, because on either side of yourself, you have "backup", even if YOU "go down" vs. the opponent)).

I.E.-> Take 1 of the "older method's" 3 part defenses down? 2 others STILL stand in the way, & they are not that simple to take them ALL down...

(Well, @ least NOT as easily as "taking out" a single part defensive system like WFP (the new "Windows Filtering Platform", which powers the VISTA, Windows Server 2008, & yes, Windows 7 firewall defense system)).

On this "single-part/single-point of attack" WFP (vs. Windows 2000/XP/Server 2003's IP stack defense design in 3-part/zone defense/phalanx type arrangement) as well as the HOSTS issue in my post above?

I also then questioned MS' own staff, even their VP of development (S. Sinofsky) on this here -> http://blogs.msdn.com/e7/archive/2009/02/09/recognizing-improvements-in-windows-7-handwriting.aspx?CommentPosted=true#commentmessage [msdn.com] & other places in their blogs, to get them to tell me WHY this seemingly intentional inefficiency was implemented... & I have YET to get a solid LOGICAL answer on this as to why it was done - THUS, @ this point?

I'll stick to my thoughts on it, until I am shown otherwise & proven wrong.

----

Following up on what I wrote up above, so those here reading have actual technical references from Microsoft themselves ("The horses' mouth"), in regards to the Firewall/PortFilter/IPSec designs (not HOSTS files, that I am SURE I am correct about, no questions asked) from my "Point #2" above?

Thus, I'll now note how:

----

1.) TCP/IP packet processing paths differences between in how Windows 2000/XP/Server 2003 did it (IPSEC.SYS (IP Security Policies), IPNAT.SYS (Windows Firewall), IPFLTDRV.SYS (Port Filtering), & TCPIP.SYS (base IP driver))...

2.) AND, how VISTA/Server 2008/Windows 7 do it now currently, using a SINGLE layer (WFP)...

----

First off, here is HOW it worked in Windows 2000/XP/Server 2003 - using 3 discrete & different drivers AND LEVELS/LAYERS of the packet processing path they worked in:

http://technet.microsoft.com/en-us/library/bb878072.aspx [microsoft.com]

The Cable Guy - June 2005: TCP/IP Packet Processing Paths

====

The following components process IP packets:

IP forwarding Determines the next-hop interface and address for packets being sent or forwarded.

TCP/IP filtering Allows you to specify by IP protocol, TCP port, or UDP port, the types of traffic that are acceptable for incoming local host traffic (packets destined for the host). You can configure TCP/IP filtering on the Options tab from the advanced properties of the Internet Protocol (TCP/IP) component in the Network Connections folder.

* "Here endeth the lesson..." and, if you REALLY want to secure your system? Please refer to this:

http://www.bing.com/search?q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&go=&form=QBRE [bing.com]

APK [mailto]

P.S.=> SOME MINOR "CAVEATS/CATCH-22's" - things to be aware of for "layered security" + HOSTS file performance - easily overcome, or not a problem at all:

A.) HOSTS files don't function under PROXY SERVERS (except for Proximitron, which has a filter that allows it) - Which is *the "WHY"* of why I state in my "P.S." section below to use both AdBlock type browser addon methods (or even built-in block lists browsers have such as Opera's URLFILTER.INI file, & FireFox has such a list as does IE also in the form of TPL (tracking protection lists -> http://ie.microsoft.com/testdrive/Browser/TrackingProtectionLists/ [microsoft.com] , good stuff )) in combination with HOSTS, for the best in "layered security" (alongside .pac files + custom cascading style sheets that can filter off various tags such as scripts or ads etc.) - but proxies, especially "HIGHLY ANONYMOUS" types, generally slow you down to a CRAWL online (& personally, I cannot see using proxies "for the good" typically - as they allow "truly anonymous posting" & have bugs (such as TOR has been shown to have & be "bypassable/traceable" via its "onion routing" methods)).

B.) HOSTS files do NOT protect you vs. javascript (this only holds true IF you don't already have a bad site blocked out in your HOSTS file though, & the list of sites where you can obtain such lists to add to your HOSTS are above (& updated daily in many of them)).

C.) HOSTS files (relatively "largish ones") require you to turn off Windows' native "DNS local client cache service" (which has a problem in that it's designed with a non-redimensionable/resizeable list, array, or queue (DNS data loads into a C/C++ structure actually/afaik, which IS a form of array)) - mvps.org covers that in detail and how to easily do this in Windows (this is NOT a problem in Linux, & it's 1 thing I will give Linux over Windows, hands-down). Relatively "smallish" HOSTS files don't have this problem (mvps.org offers 2 types for this).

D.) HOSTS files, once read/loaded, once? GET CACHED! Right into the kernelmode diskcaching subsystem (fast & efficient RAM speed), for speed of access/re-access (@ system startup in older MS OS' like 2000, or, upon a users' 1st request that's "Webbound" via say, a webbrowser) gets read into either the DNS local caching client service (noted above), OR, if that's turned off? Into your local diskcache (like ANY file is), so it reads F A S T upon re-reads/subsequent reads (until it's changed in %WinDir%\system32\drivers\etc on Windows, which marks it "Dirty" & then it gets re-read + reloaded into the local diskcache again). This may cause a SMALL initial load 1 time lag upon reload though, depending on the size of your HOSTS file.

E.) HOSTS files don't protect vs. BGP exploits - Sorry, once it's out of your hands/machine + past any interior network + routers you have, the packets you send are out there into the ISP/BSP's hands - they're "the Agents" holding all the keys to the doorways at that point (hosts are just a forcefield-filter (for lack of a better description) armor on what can come in mostly, & a bit of what can go out too (per point #20 above on "locking in malware")). Hosts work as a "I can't get burned if I can't go into the kitchen" protection, for you: Not your ISP/BSP. It doesn't extend to them.

F.) HOSTS files don't protect vs. IP addressed adbanners (rare) &/or IP address utilizing malwares (rare too, most used domain/host names because they're "RECYCLABLE/REUSEABLE"), so here, you must couple HOSTS files w/ firewall rules tables (either in software firewalls OR router firewall rules table lists)... apk

THIS IS NOT ME... apk (-1)

Anonymous Coward | about a year and a half ago | (#43307629)

A corrupt slashdot luser has infiltrated the moderation system to downmod all my posts while impersonating me.

Nearly 170++ times that I know of @ this point for all of March 2013 so far, & others here have told you to stop - take the hint, lunatic (leave slashdot)...

Sorry folks - but whoever the nutjob is that's attempting to impersonate me, & upset the rest of you as well, has SERIOUS mental issues, no questions asked! I must've gotten the better of him + seriously "gotten his goat" in doing so in a technical debate & his "geek angst" @ losing to me has him doing the:

---

A.) $10,000 challenges, ala (where the imposter actually TRACKED + LISTED the # of times he's done this no less, & where I get the 170 or so times I noted above) -> http://it.slashdot.org/comments.pl?sid=3585795&cid=43285307 [slashdot.org]

&/or

B.) Reposting OLD + possibly altered models - (this I haven't checked on as to altering the veracity of the info. being changed) of posts of mine from the past here

---

(Albeit massively repeatedly thru all threads on /. this March 2013 nearly in its entirety thusfar).

* Personally, I'm surprised the moderation staff here hasn't just "blocked out" his network range yet honestly!

(They know it's NOT the same as my own as well, especially after THIS post of mine, which they CAN see the IP range I am coming out of to compare with the ac spamming troll doing the above...).

APK

P.S.=> Again/Stressing it: NO guys - it is NOT me doing it, as I wouldn't waste that much time on such trivial b.s. like a kid might...

Plus, I only post where hosts file usage is on topic or appropriate for a solution & certainly NOT IN EVERY POST ON SLASHDOT (like the nutcase trying to "impersonate me" is doing for nearly all of March now, & 170++ times that I know of @ least)... apk

Re:THIS IS NOT ME... apk (0)

Anonymous Coward | about a year and a half ago | (#43308219)

Makes no difference. BOTH of you should be forced to use a cholla cactus as a butt-plug.

Illicit webhost? (0)

Anonymous Coward | about a year and a half ago | (#43307543)

Why is Cyberbunker [wikipedia.org] judged to be an "illicit webhost" by Threat post? If corporations are people, isn't that defamation of character?

Thoughts from MaraDNS' implementer (0)

MaraDNS (1629201) | about a year and a half ago | (#43308103)

As the implementer of MaraDNS, here are my thoughts:
  • 1) MaraDNS 1 and Deadwood do not support a technology called "EDNS" that allows for large DNS packets. By only supporting 512-byte packets, both DNS servers do not allow for the 100x amplification used in this DDOS that other DNS servers have.
  • 2) My DNS software does not come with unrestricted recursive access enabled by default, and the documentation strongly discourages open recursion.
  • 3) I will have to double check, but, as I recall, the documentation and example configuration files do not include an example with unrestricted recursive access.

One feature that would be nice would be to be able to restrict how much data my DNS server sends to a given IP (again, as noted above, MaraDNS/Deadwood already has a form of this because they do not support EDNS). Unfortunately, since I am not developing new features for MaraDNS like this without being compensated for my time, I would need a corporate or government grant to implement this. TANSTAAFL [wiktionary.org]
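As an added example, not code from the MaraDNS post or from the MaraDNS/Deadwood projects, the following Python models the two defensive behaviours the comment describes for a resolver: a 512-byte cap on UDP answers when the client did not advertise EDNS (which bounds the amplification ratio) and a per-client-IP budget on response bytes. Query sizes, IP addresses and limits are constructed assumptions.

```python
"""Model of two resolver-side mitigations for DNS amplification:
(1) no-EDNS answers are cut at 512 bytes with TC=1 set, so a reflected
    answer cannot be ~100x the query; (2) a per-client token bucket caps
    how many response bytes go to one source IP per second.
Constructed example; not MaraDNS/Deadwood code."""
import time
from collections import defaultdict
from typing import Optional, Tuple

CLASSIC_UDP_MAX = 512  # RFC 1035 UDP payload limit without EDNS


def cap_response(answer_len: int, edns_udp_size: Optional[int]) -> Tuple[int, bool]:
    """Return (bytes actually sent over UDP, truncated flag).
    Without EDNS the limit is 512; with EDNS it is the client's advertised size."""
    limit = edns_udp_size if edns_udp_size else CLASSIC_UDP_MAX
    if answer_len > limit:
        return limit, True   # TC=1: a real client retries over TCP, a spoofer gets nothing more
    return answer_len, False


def amplification(query_len: int, sent_len: int) -> float:
    """Bytes reflected to the (possibly spoofed) source per query byte."""
    return sent_len / query_len


class PerClientByteLimiter:
    """Token bucket per source IP: at most `rate` response bytes per second,
    with a burst allowance of `burst` bytes. Over-budget answers are refused
    (a production resolver would more likely answer with TC=1 or slip)."""

    def __init__(self, rate: float, burst: float, clock=time.monotonic):
        self.rate, self.burst, self.clock = rate, burst, clock
        self.tokens = defaultdict(lambda: burst)  # fresh clients start with a full bucket
        self.last = {}

    def allow(self, client_ip: str, nbytes: int) -> bool:
        now = self.clock()
        elapsed = now - self.last.get(client_ip, now)
        self.last[client_ip] = now
        self.tokens[client_ip] = min(self.burst, self.tokens[client_ip] + elapsed * self.rate)
        if self.tokens[client_ip] >= nbytes:
            self.tokens[client_ip] -= nbytes
            return True
        return False


if __name__ == "__main__":
    # Constructed sizes: a 64-byte query for a 3000-byte ANY-style answer.
    for edns in (None, 4096):
        sent, tc = cap_response(3000, edns)
        print(f"edns={edns}: sent={sent} TC={tc} amp={amplification(64, sent):.1f}x")
```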
