
TimeWarner DNS Hijacking

kdawson posted more than 6 years ago | from the can-you-spell-ham-handed dept.

Networking 339

Exstatica writes "It looks like TimeWarner is taking vigilante action on the botnet problem. They've hijacked DNS for a few IRC servers, the latest being irc.mzima.net and irc.nac.net — both part of EFNet. (irc.vel.net was hijacked earlier but has been restored.) Using ns1.sd.cox.net, the lookup returns an IP for what looks to be a script that forces the user into a channel and issues a set of commands to clean the drones. There have been different reports of other IRC networks being hijacked and other DNS servers involved. Is this the right way to handle the botnet problem? Is hijacking DNS legal?" Botnets are starting to move off of IRC for command and control, anyway.
Update: 07/24 00:01 GMT by KD : Updated and added more links; thanks to Drew Matthews at vel.net. 07/24 11:52 GMT by KD : Daniel Haskell wrote in to say that ircd.nac.net is seeing cox.net connections again, and that they are in discussion with the EFF over the matter.


339 comments

New Update since I submitted this yesterday (5, Informative)

Exstatica (769958) | more than 6 years ago | (#19963505)

Since submitting this article yesterday there have been some new developments. There was a large debate on NANOG about what has been happening, and it was eventually published on Wired [wired.com]. The full description of everything that has happened and how it happened can be found on my site at http://www.exstatica.net/hijacked/ [exstatica.net]. As for irc.vel.net, we have had our DNS returned, but irc.mzima.net appears to still be hijacked.

Re:New Update since I submitted this yesterday (1)

__NR_kill (1018116) | more than 6 years ago | (#19963665)

I've been dealing with botnets for some years now.
As far as I know, it is illegal to use the backdoors of the bots to remove them, as it is equal to hacking and/or breaking into another's computer, so whoever is doing this challenges more than just DNS hijacking laws.

Re:New Update since I submitted this yesterday (4, Insightful)

TheRealMindChild (743925) | more than 6 years ago | (#19963845)

That sounds like dirty lawyer logic.

Next you'll argue that reverse engineering a virus is a violation of the DMCA.

I'll be the first to say it. Who the fuck cares. The problem is being delt with.

Re:New Update since I submitted this yesterday (0)

thc69 (98798) | more than 6 years ago | (#19964129)

The trouble with dirty lawyer logic is that it may be backed up by dirty lawyers.

Oh, and the word is "dealt" [wiktionary.org].

Re:New Update since I submitted this yesterday (2, Insightful)

Lawn Jocke (1064716) | more than 6 years ago | (#19964299)

Next you'll argue that reverse engineering a virus is a violation of the DMCA.

A bit exaggerated use of a slippery slope metaphor. IANAL, but to my understanding their actions were closer to breaking into somebody's house to steal back your remote control. Not to justify their actions, just clarifying.

I'll be the first to say it. Who the fuck cares. The problem is being delt with.

I'll be the first to ask: If you don't give a hoot about this issue, what are you doing in this topic, let alone in the /. community?

Re:New Update since I submitted this yesterday (4, Interesting)

Anonymous Coward | more than 6 years ago | (#19964027)

This is in no way a new practice; Time Warner has been doing this for well over two years. In the past, script kiddies who were caught hosting botnet servers on *.res.rr.com machines had their DNS redirected to a single server on which all registered IRC users would be directed to #badbotbad, with the topic set to .remove. It did, and still does, little to stop the botnet problem, since the methods TW uses to sniff out the botnet servers are very specific to the IRC protocol. That, and the server would only remove a standard kiddie rxbot with unchanged commands. --Manix

Who is driving? (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#19963515)

Bear is driving!
How can that be (first post)?

Re:Who is driving? (0)

Anonymous Coward | more than 6 years ago | (#19963717)

Moose and squirrel beat you again.

Better luck next time!

first post (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#19963523)

first post

In other news (1, Funny)

MonGuSE (798397) | more than 6 years ago | (#19963543)

In other news Redhat has begun using arp poisoning and TLD hijacking to remove the Malicious and insecure Microsoft Windows installs. After all windows installs are purged there is expected to never ever be a future threat and heavy handed tactics will never be used again. Sometimes the cure is worse than the ailment.

Re:In other news (1)

acidrain (35064) | more than 6 years ago | (#19963829)

Sometimes the cure is worse than the ailment.

This doesn't seem much different than blocking access to a mail server that is sending too much spam. Except they went one step further and redirected their customers to a site that fixed the problem.

The ISP hasn't done anything to the actual IRC site, just cut off communication with it because it is allowing itself (inadvertently) to assist in abusing the ISP and its customers.

Personally, blacklisting machines that have bots installed seems fine to me. This is all good in my books.

Re:In other news (1)

HomelessInLaJolla (1026842) | more than 6 years ago | (#19963857)

Until the definition of "bot" is "anything which connects on port 6667". Then we'll have a problem with abuse of authority, again.

Re:In other news (1)

acidrain (35064) | more than 6 years ago | (#19964509)

Yeah, a bot isn't an IRC server, I get that. I was being general, but if you like you can add "black-listing sites that do not prevent themselves from being used in the command-control of a bot-net" to my list of things that are fine by me.

This is a DNS hijacking. (5, Funny)

woodchip (611770) | more than 6 years ago | (#19963551)

OK, DNS server, resolve me to .cu and nobody gets hurt.

Re:This is a DNS hijacking. (1)

DigitalSorceress (156609) | more than 6 years ago | (#19963627)

Woodchip,

That was both funny and depressing at the same time. Thank you for bringing me a delightful moment of ambivalence.

Re:This is a DNS hijacking. (0)

Anonymous Coward | more than 6 years ago | (#19964097)

Hey Fidel, you can have all of the spam traffic you want brother.

The criminal code calls it "Theft of Services" (5, Interesting)

cenonce (597067) | more than 6 years ago | (#19963563)

In Pennsylvania, it sounds like it might fall under Theft of, or Diversion of Services. [aol.com]

Re:The criminal code calls it "Theft of Services" (1)

EvanED (569694) | more than 6 years ago | (#19963723)

I don't think so. It's not theft of services... the only thing along that line would be failure to provide the service for which they are contracted, namely internet access.

Heck, if this is theft of services, my ISP should be indicted for grand larceny. (If you're ever in Ithaca, NY and have a chance to subscribe to Clarity Connect, run away as fast as you can. Their service sucks donkey balls.)

As a side note, I love how the only copy of the PA Crimes code online is on some personal page at AOL.com.

Re:The criminal code calls it "Theft of Services" (0)

Anonymous Coward | more than 6 years ago | (#19964281)

Er... I'd be very surprised if there wasn't a clause in AOL's TOS that would let them do this legally.

No, probably not (5, Interesting)

Sycraft-fu (314770) | more than 6 years ago | (#19964479)

Since it sounds like they were doing it with their DNS servers. While it would be illegal for me to break in to your DNS server and modify it, it is not illegal for me to modify my DNS server, even if you use it. If you dislike it, you can use another service, but unless I have a contract with you there's nothing wrong with it (legally). You can argue it is a bad idea, but changing their equipment on their network is well within their rights.

Yes, it is the right way (2, Interesting)

Anonymous Coward | more than 6 years ago | (#19963571)

Politicians are more concerned with pampering the amok-running entertainment industry, providers are more concerned with keeping their pink contract customers, users are more concerned with getting cheap viagra and don't care about the number of botnets their computers are part of and law enforcement is chasing whoever is tagged with the kiddieporn or terrorism flag.

If admins don't take it into their own hands, nobody is going to do anything.

Re:Yes, it is the right way (0)

Anonymous Coward | more than 6 years ago | (#19964213)

"users are more concerned with getting cheap viagra and don't care about the number of botnets their computers are part of"

You couldn't be more wrong. 99% of users do care, which is not to say they know what to do about the problem. Because I have a BB gun, I should go up against a gang with AK-47's? If slashdotters maintain your attitude, (blame the users), the problem with botnets will only proliferate. How about some real help here?

IRC networks must police themselves (2, Interesting)

Anonymous Coward | more than 6 years ago | (#19963573)

Police thyself, or others will do the policing for you.

Re:IRC networks must police themselves (1)

HomelessInLaJolla (1026842) | more than 6 years ago | (#19963585)

How long until an AC posts some hate filled reply to this?

Re:IRC networks must police themselves (0)

Anonymous Coward | more than 6 years ago | (#19963617)

But what hatred could they spew about them policing themselves?

Re:IRC networks must police themselves (1)

HomelessInLaJolla (1026842) | more than 6 years ago | (#19963643)

They don't even know anything about it.

Re:IRC networks must police themselves (-1, Troll)

Anonymous Coward | more than 6 years ago | (#19964221)

But you certainly know about mah dick in yo mouth

Re:IRC networks must police themselves (1)

nschubach (922175) | more than 6 years ago | (#19964331)

If you hate the Police, does that mean you hate yourself for self-policing?

Re:IRC networks must police themselves (1)

AndroSyn (89960) | more than 6 years ago | (#19963591)

IRC networks like EFnet *do* police themselves.

Re:IRC networks must police themselves (0)

Anonymous Coward | more than 6 years ago | (#19963705)

And if I understand correctly, EFnet is not affected by this action by Cox networks. Cox is only manipulating DNS for certain networks.

Re:IRC networks must police themselves (0)

Anonymous Coward | more than 6 years ago | (#19963861)

The servers mentioned are part of EFNet.

Re:IRC networks must police themselves (1)

EvanED (569694) | more than 6 years ago | (#19963887)

Dude, did you even skim the summary?

They've hijacked DNS for a few IRC servers, the latest being irc.mzima.net and irc.nac.net -- both part of EFNet.

way to blame the victim. (0, Troll)

twitter (104583) | more than 6 years ago | (#19964275)

Michael Dell estimates that 25% of the computers he sells end up controlled by a bot net. Botnets used to abuse IRC while launching spam and DNS. The problem is Windows, but you would like to blame and punish IRC servers and users. Why?

Your plan does not even make sense. Botherders have already moved to their own distributed command and control systems that have nothing to do with IRC.

The only people disrupted by this are IRC users, who mostly use gnu/linux and other systems that don't have botnet problems. People with infected computers are not IRC users.

duh. (1)

twitter (104583) | more than 6 years ago | (#19964301)

Botnets used to abuse IRC while launching spam and DNS.

That's supposed to be Botnets used to abuse IRC while launching spam and DoS (denial of service attacks).

First they came for malware... (1)

Qzukk (229616) | more than 6 years ago | (#19963597)

Then they came for IRC, and dammit, I use IRC, and if my ISP blocks it, it's a dealbreaker, even if I have to sue to cancel the contract.

Re:First they came for malware... (1)

twitter (104583) | more than 6 years ago | (#19963681)

I use IRC, and if my ISP blocks it, it's a dealbreaker, even if I have to sue to cancel the contract.

Next level time, apt-get install bind.

TimeWarner != Cox (2, Informative)

OverlordQ (264228) | more than 6 years ago | (#19963605)

While Cox used to use Time Warner's RoadRunner for their cable internet service, Cox's Internet offerings are In-House now.

Is there an easier and more effective way?? (4, Interesting)

grapeape (137008) | more than 6 years ago | (#19963645)

If Time Warner was really concerned about it, wouldn't it be easier and more effective to use their virtual truck (TW Self help) application to redirect the user's browser start page to a list of instructions, tools and a support number to clean up their system? I have seen several instances where they redirect users to a "disabled due to non-payment" type page...would a "Hey idiot, your computer is infected" page be that difficult?

Re:Is there an easier and more effective way?? (4, Interesting)

sqlrob (173498) | more than 6 years ago | (#19963685)

Knowing them, yes, and probably not a good idea.

A while back, I got a "your computer is infected" notice from them. I checked all my computers, the Windows ones with tools that weren't even available to the public at the time, and zero, zip, nada. Everything was clean, sniffs showed nothing out of place.

Finally talked with someone with a clue, and they classified my SpamAssassin install as a DOS on their name servers because they were caching the negative responses from the various blacklists.

What??? (5, Interesting)

bogie (31020) | more than 6 years ago | (#19963999)

You mean you actually talked to someone in tech support who not only knew what a packet was but also looked up what was happening on their end at a technical level? How many drones did you have to speak to telling you to A)reboot or B)reinstall your machine? Did you use chicken blood or ox blood to perform this magic?

Re:What??? (3, Informative)

Martin Blank (154261) | more than 6 years ago | (#19964177)

Actually, if you can get past the first level of drones (and sometimes the second level, depending on the company), you'll talk to people who know not only what a packet is, but also can do actual troubleshooting on the modem connection and make some sense of it. I've experienced this with Comcast, Adelphia, and Time-Warner (it was completely absent, so far as I could tell, from MediaOne when they were around); in one case, I got a very thorough explanation of the problem as it related to head-end equipment and what needed to be done to fix it from the tech as she was entering it into the work order.

The problem, of course, is that almost all users that call in don't need more than scripted hand-holding, and those of us that know what we're talking about call in and hit that wall, through which it can be very difficult to find an open window through which to crawl to find a knowledgeable person.

Re:What??? (3, Informative)

DigiShaman (671371) | more than 6 years ago | (#19964251)

Remember, the job of a TSR and CSR is among the jobs with the highest turn-over rate.

The people that apply for (and get) these jobs fall into two main categories. The first is entry level. The second is highly skilled IT professionals who got laid off and need something to pay the bills until they find a better job. As such, you will get a nice mix of idiots and very brilliant staff manning the phone queue.

Re:What??? (1)

sqlrob (173498) | more than 6 years ago | (#19964259)

Damn if I know. It's taken me 20-30 minutes at a time to convince them problems are with their mail server, not my computer. If someone mentions telnet and SMTP in the same sentence, just escalate them.

Maybe because this one was initiated by them and not me?

About time (3, Insightful)

beefcake1942 (996262) | more than 6 years ago | (#19963649)

Frankly, I think it's about time somebody started ACTING on the problems we face online. Botnets are a huge global issue, and we simply must do all that we can to stop them. Although I suppose this probably could be considered illegal (remotely installing software on somebody's PC without their authorisation breaks pretty much every anti-hacking law in the land), how else can we tackle these issues? Zombie PCs aren't going away any time soon, so more needs to be done. The only problem is as the OP originally stated - botnet control is moving away from IRC networks anyway, so this may also be a case of too little too late. What other methods can be used to help curb the botnet problem?

Re:About time (1)

poetmatt (793785) | more than 6 years ago | (#19963851)

so the end justifies the means? people who have not done anything wrong are getting SHIAT on by their provider...oh and I'd give it about 3 days before someone hammers the hell out of cox in response.

Re:About time (1)

Darundal (891860) | more than 6 years ago | (#19963969)

I think the problem is that, IMHO, at least from my understanding of this, people who AREN'T infected in any way are being screwed as well.

Re:About time (1)

beefcake1942 (996262) | more than 6 years ago | (#19964001)

Yes, people who are trying to legitimately use those IRC networks are being redirected away from where they actually wanted to go. Anybody with even vague technical knowledge can get around that easily (i.e. nslookup off another nameserver to find the real IP); those who aren't so technically inclined (or haven't read Slashdot/Wired to figure out what's going on) are going to be screwed until they find another server to use. As for "so the end justifies the means": consider it an online War Against Terror(tm) :)
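The "nslookup off another nameserver" check from the comment above, written out as an added example (it is not code from the thread or from any poster): it builds a raw DNS A query, parses the answer section, and flags any resolver whose answers share no address with a reference resolver's. The sample responses and addresses are constructed for offline use; only `query_a` talks to the network, and the resolver labels are assumptions.

```python
import socket
import struct
from typing import Dict, List, Tuple


def build_a_query(name: str, txid: int) -> bytes:
    """Build a minimal recursive (RD=1) DNS query for the A record of `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.strip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _read_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Decode a (possibly compressed) name; return it and the offset after it."""
    labels: List[str] = []
    end = -1
    hops = 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 section 4.1.4)
            if end < 0:
                end = offset + 2
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end >= 0 else offset)


def parse_a_records(msg: bytes, expected_txid: int) -> List[str]:
    """Return the sorted IPv4 addresses in the answer section of a DNS response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:
        raise ValueError("server returned RCODE %d" % (flags & 0x000F))
    offset = 12
    for _ in range(qd):  # skip the echoed question section
        _, offset = _read_name(msg, offset)
        offset += 4
    ips: List[str] = []
    for _ in range(an):
        _, offset = _read_name(msg, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in rdata))
    return sorted(ips)


def query_a(resolver_ip: str, name: str, txid: int = 0x1234, timeout: float = 3.0) -> List[str]:
    """Ask one resolver over UDP/53 (needs network access; not used by the offline demo)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_a_query(name, txid), (resolver_ip, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_records(data, txid)


def find_divergent_resolvers(answers: Dict[str, List[str]], reference: str) -> List[str]:
    """Resolvers whose answer set shares no address with the reference resolver's.
    Round-robin pools can differ in part, so only a fully disjoint set is flagged."""
    ref = set(answers[reference])
    return sorted(r for r, ips in answers.items() if r != reference and ref.isdisjoint(ips))


def make_a_response(txid: int, name: str, ips: List[str], ttl: int = 60) -> bytes:
    """Construct a sample response (constructed data, for the offline demo only)."""
    question = build_a_query(name, txid)[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    answers = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)
        + bytes(int(octet) for octet in ip.split("."))
        for ip in ips
    )
    return header + question + answers


def demo() -> List[str]:
    """Offline run: the 'isp' resolver answers with an unrelated address for the IRC
    host while the reference resolver gives the real pool (addresses are constructed)."""
    name, txid = "irc.mzima.net", 0x1234
    raw = {
        "reference": make_a_response(txid, name, ["192.0.2.10", "192.0.2.11"]),
        "isp": make_a_response(txid, name, ["198.51.100.5"]),
    }
    answers = {label: parse_a_records(msg, txid) for label, msg in raw.items()}
    return find_divergent_resolvers(answers, "reference")


if __name__ == "__main__":
    print("redirecting resolvers:", demo())
```

Against live resolvers, replace the constructed responses with `query_a(<resolver>, name)` for each resolver you want to compare.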

Re:About time (1)

jasen666 (88727) | more than 6 years ago | (#19964373)

So there's a temporary interruption to what, 2 irc servers? Out of thousands?
Oh, the humanity!!!
Pick another damn server to get your chat on. It's not like they're blocking port 80. I'd bet only a tiny percentage of users even still use IRC, and out of those only a few even use the servers affected.

Re: "... all that we can to stop them." (1)

macraig (621737) | more than 6 years ago | (#19964359)

Botnets are a huge global issue, and we simply must do all that we can to stop them.

No matter the collateral damage? Protecting freedom by restricting rights again, are we?

Re:About time (4, Insightful)

CrazedWalrus (901897) | more than 6 years ago | (#19964503)

I think this action is right-on. The parts of the equation missing are trust and accountability.

We don't trust vigilantes, not because we don't agree with them, but because we don't trust them to always act in the greater good. Their future actions and motivations are unknowns. Since their identities may even be secret, there's no way to hold them accountable.

Why are we ok with the police taking the same actions as a vigilante would take? Because of trust earned through accountability. To retask a familiar saying: "Put all your eggs in one basket and then watch that basket". That basket is the police, and we've put all our eggs in it. That means the public at large can watch the police, who are well-known and generally easy to spot. It means that internal controls can be set up, and rules of engagement can be put in place. We trust the police as much as we do because we know that, ultimately, they're under the control of the general public, who can exert pressure on them when they act badly. This is why we tend to put more trust in organizations, rather than individuals. Organizations are easier to censure.

Understanding that, it's easy to see what the course of action needs to be. As much as we here at /. tend to have a love/hate relationship with authorities, I think one needs to be set up specifically to deal with these problems. They need to be given what power is necessary to deal with the problems like spam, trojans, botnets, whatever, but at the same time, they need to be directly accountable to the public in a similar manner to police forces. Legitimize the vigilante action by coupling it with accountability.

I don't really know the specifics of setting up something like this, but I think using the police as a model would be the way to go. Rules and procedures, all the requisite bureaucracy, but also the ability to launch tactical "busts", "cyber" or otherwise. They'd need all the same approvals, warrants, etc. They'd have branches in all concerned countries, and would work through the legal systems in their home countries. In some countries, they might be a part of the police force, since much of the administrivia would be similar. Ultimately, I'd think CERT or something like it would be a good headquarters or parent organization for such a group.

The point is that we've already worked this out in the "Real World". Applying it to The Internet shouldn't be a patent-worthy exercise. While I wish we didn't need government involvement, much of the authority required is the type of authority that only government can legitimately grant, such as the ability to seize equipment.

I apologize that this isn't as eloquently described as I'd have liked, but I think the general idea is there. You may now proceed to flame me for advocating the Policing of the Intertubes, but ultimately I think that's where we're headed.

Fair game (1)

BubbaFett (47115) | more than 6 years ago | (#19963653)

Anything goes on the Eris Free Network.

Re:Fair game (0)

Anonymous Coward | more than 6 years ago | (#19963695)

The problem with this is it is a slippery slope. What is stopping them from changing www.google.com to go to search.cox.net?

It has been said that, "The road to hell is paved with good intentions". That pretty much sums this up.

Another vote for OpenDNS! (4, Insightful)

sillivalley (411349) | more than 6 years ago | (#19963673)

So we can expect the next generation of malware to alter systems to use OpenDNS?

Might make some systems a little more useful!

Re:Another vote for OpenDNS! (0)

Anonymous Coward | more than 6 years ago | (#19963867)

OpenDNS has hijacked google.com without telling their users.

Is that you Eugene? (1)

rs79 (71822) | more than 6 years ago | (#19964393)

"So we can expect the next generation of malware to alter systems to use OpenDNS?"

I remember a fella named Kashpureff tried this once...

is this suppose to mean something to us? (-1, Troll)

Anonymous Coward | more than 6 years ago | (#19963709)

or is this just another filler article like 95% of all the articles on cmdrdildo's site?

About Time Someone Tried Something (2, Insightful)

Anonymous Coward | more than 6 years ago | (#19963711)

Let's face it, the company with the most responsibility in the Botnet mess, Microsoft, has been sitting on their hands when it comes to dealing with the issue. Well, until they figured out they could make a buck at it.

Botnets are used by organized crime for spam, stock scams and a host of other illegal activities. It's time someone did something...if only for the political effect.

The Right Way? (5, Funny)

Kozar_The_Malignant (738483) | more than 6 years ago | (#19963725)

>Is this the right way to handle the botnet problem?

No. The right way involves castration with rusty linoleum knives, Turkish prisons, and rabid wolverines. If that doesn't work, we should quit being nice and get nasty with these folks. Seriously, this problem will not go away until people start doing some hard time, preferably with a cell mate who does not need Erct|le Member Help!

Maybe this explains... (1)

Ant P. (974313) | more than 6 years ago | (#19963729)

...the sudden increase in irc proxy scanners hitting my server over the past week.

Though I'm not sure what kind of explanation justifies doing that.

This will NOT raise awareness or work in any way. (5, Interesting)

twitter (104583) | more than 6 years ago | (#19963783)

Wired found someone who approves of breaking the internet:

Frankly, redirecting requests to malware sites, or IRC communication channels, to cleaner-sites sounds like a practical short term tactic to me. And if it raises awareness around the seriousness of the bot problem I'm all for it.

Right, because the kind of people who might actually use IRC know nothing about botnets and the kind of Windoze users who are part of the botnet care about IRC. This is just another attack on the free software community as outlined in the Halloween Documents.

Once again, the ISP has punished the good guys for problems created by the bad guys. The root cause of the botnet is Windoze. Fixing it and raising awareness is as simple as cutting the problem computers off your network and telling their owners why. This is as it should be, and pretending otherwise props up third rate software and threatens the stability of the net.

Re:This will NOT raise awareness or work in any wa (5, Insightful)

thegrassyknowl (762218) | more than 6 years ago | (#19963913)

Once again, the ISP has punished the good guys for problems created by the bad guys. The root cause of the botnet is Windoze. Fixing it and raising awareness is as simple as cutting the problem computers off your network and telling their owners why. This is as it should be, and pretending otherwise props up third rate software and threatens the stability of the net.

I wish I hadn't run out of mod points; this is gold.

That's a pretty cut and dried way of reducing the number of bots. Cutting the user off forces them to understand what is wrong and why they're cut off. If you just give them information most will just click past it and continue on their merry way. Users don't want information. They want the pr0nz as quick as possible. Didn't you know that?

I can think of one case where a (now ex) friend of mine would email To: every single person in her work address book with SPAM for her work. I started out telling her to use the Bcc: field at least and pointed her to a web page describing why you'd want to do that. She replied "I don't want to read all that technical garbage" then carried on the same. Then I asked her to remove me from her list. She replied "I am going to send you this stuff because I know you want it" (it really was SPAM for her work; it wasn't even jokes or chain mail). There ended our friendship, as I reported them to their ISP. They were warned by their ISP and still continued doing what they did. They lost hosting pretty quick after that.

People don't want to learn. They are, by and large, idiots. Heavy handed measures are the only way to force them to realise that fact.

No "awareness" needed (1)

dedazo (737510) | more than 6 years ago | (#19963955)

Other than that aimed at users being responsible for their own computers. The botnet's root cause is not "Windoze", it's the people who are ignorant or lazy enough to let their computers be taken over by trojans and worms. Since it's stupidly simple to avoid that, the problem lies squarely between keyboard and chair.

I expect that the same people who neglect their PCs by downloading and opening random crap and not even bothering to leave automatic updates running will be as detrimental to OS X or Linux if they ever grow tired of "Windoze" and blame Microsoft (or as you like to call them, "M$") for their inexperience and lack of interest in basic security enough to switch platforms. You know what? You're more than welcome to them. Those of us who choose to run Windows and do it responsibly, as with any other OS, can certainly do without the "wow this email with a zip attachment from the CIA looks important, I think I'll open it and run it" masses. You can have all of them, and then when there's enough of them and malware writers start targeting them, you can post on Slashdot about how "Linsux" is third rate because it lets these stupid people install stuff on their own computers. I'll be looking forward to that.

"awareness" is needed (1, Troll)

twitter (104583) | more than 6 years ago | (#19964149)

Leet-man dedazo insultingly blames the users again:

The botnet's root cause is not "Windoze", it's the people who are ignorant or lazy enough to let their computers be taken over by trojans and worms. Since it's stupidly simple to avoid that, the problem lies squarely between keyboard and chair.

Both ignorance and apathy would be cured by kicking off infected computers. I'd be looking forward to "responsible user" dedazo being kicked off, but I think the PR firm he works for uses a botnet to post all its pro M$ blather, so he could stay one step ahead of the terminations.

Interestingly enough, he scornfully proposes the right solution:

[lots of namecalling for normal computer users] You know what? You're more than welcome to them.

That would be cool. Steve Jobs does not have a problem with average users on Apple. Sun does not have a problem with Solaris in hospitals. No one but M$ has a problem, and liberating their users would be a great thing for everyone. It can't be done by force, but it will happen when people have knowledge and choices.

Re:"awareness" is needed (1)

dedazo (737510) | more than 6 years ago | (#19964307)

Both ignorance and apathy would be cured by kicking off infected computers

Well, yes. That's one solution I guess.

I'd be looking forward to "responsible user" dedazo being kicked off

Unfortunately for you, none of my "M$ Windoze" machines are in any botnets, have any malware or are otherwise compromised, much like many other hundreds of millions of other PCs running "Windoze" out there.

I think the PR firm he works for uses a botnet to post all its pro M$ blather

Jeepers, you are so cool.

Steve Jobs does not have a problem with average users on Apple. Sun does not have a problem with Solaris in hospitals.

Neither Apple nor Sun have a billion users - which is of course the inconvenient little detail you conveniently "forget" all the time.

Re:No "awareness" needed (2, Insightful)

QuantumG (50515) | more than 6 years ago | (#19964151)

No, no, and no.

The problem is the assholes who take over people's computers to send spam and flood web sites.

The solution is a well funded police force to hunt them down.

Re:No "awareness" needed (1)

dedazo (737510) | more than 6 years ago | (#19964339)

Well, of course it's the criminal's fault, not the victim's. The victims could do (or not do) a hell of a lot more to avoid being "victimized", though.

Yeah, good luck. (0, Troll)

twitter (104583) | more than 6 years ago | (#19964427)

The problem is the assholes who take over people's computers to send spam and flood web sites. The solution is a well funded police force to hunt them down.

Start in Redmond. No really. Start rooting around the PR firms they pay and see what you find.

Then you can move on to Madison Avenue, where big name companies like American Express, Home Depot, American Airlines and others have been busted paying these assholes to take over people's computers. Think those companies got more than a slap on the wrist? No, they had "plausible deniability [wikipedia.org]" and all of them claimed absolute shock that these things were done in their name - shock I tell you, while they continue to support laws that make the internet look like broadcast TV and force the same thing.

Honeynets are a nice way to start tracking these things down, but it's not going to work when the herds are all moved over to redundant and decentralized command and control structures. Police effort will dig up thousands of home users who know nothing about what's happened to their computers, unless you can make a TIA network as big as the planet. The crooks will then add their own networks to the official one and you are back at square one.

No, the only way to get rid of the problem is to make it expensive through platform diversity. Making the user aware of the problem and making it cost the user time and trouble is the first step. At some point the network will be so degraded that users will start dropping off anyway.

AFT Defense/Offense Corporatist attack their enemy (-1, Offtopic)

OldHawk777 (19923) | more than 6 years ago | (#19963853)

AFT (About Fyucking Time) Defense/Offense Corporatist attack a real enemy of US. They (Corporations/associations/laws... RIAA, MPAA, DMCA ...) have been using the law to spy on and attack citizens, now they can attack with virtual-impunity some real criminals (maybe DoD, China, Halliburton ...) that can counter-attack with some real whoop-ass. This should be more interesting than anything on ESPN/HBO... I hope some folks are monitoring the start of one of the first cyberwars. God, I hope NSA, CIA, DoD ... collect enough data to make it worth their while in a non-simulation vicarious voyeuristic lessons-learned from real professionals fighting in cyber-warfare. If Vegas is taking bets, my money is on the prideful and vain counter-attackers. YaGo 31!t3CMF (Cyber Marine Forces).

PS: I have never claimed to be sane, just reasonable.

Defense/Offense, which is legal and why?
(Score:3)
by OldHawk777 (19923) * on 2007.07.18 14:21 (#19904495)
(http://www.mygothicheart.com/oh10101 | Last Journal: 2007.07.12 14:41)
Defense is legal, Offense is illegal, and why? "I don't know." THIRD-BASE!

My logic, you need defense to be able to do what you need/want to do (like go on the offense).
Also, you need offense to prevent others from doing what you don't want them to do (like they can't go on offense).

IOW: The real purpose of defensive action is to provide force/operations security, until offensive action is possible.

Intel/CoOps (like chicken "coops") are defensive actions that disrupt the ability of others to take a successful offensive action, while allowing you to develop effective and successful offensive actions. It all (technology security) confuses an old war monger like me.

Anyway; any/all defense will fail, unless the purpose is "Offense". So; with my way of thinking, the laws/regs/policies for preventing the use of technology (gun, lock, Internet, encryption ...) are the problem. If someone a/o some country/religion tries to crack your network ... it is a hell of a lot more reasonable to go on the offensive and destroy the enemy ... collecting forensics and bits/body data is important to defense (as defined above), but legally can be an insubstantial false-trail/trap for debate and worthless for court.

If you want to win you must always be on the offense. Offense or Defense will always win a battle, but only offense can win the war.

So; put the criminal crackers out of business with brilliant offense, don't legislate technology out of business with draconian idiotic "defense-only". Defense-only is as dumb as all the ObSec (Obscurity Security) governments and business want to implement. Clear the decks, clear the laws, clear for battle, take the SOBs out, and don't provoke the good public and citizens with further legislative/regs/policies stupidity.

Advice: If you have a Defense-only/ObSec policy get rid of it quick (as legally as possible). If you have a Defense-only/ObSec consultant/service company get rid of it quick (as legally as possible). Always look to solve problems permanently, because always being reactionary is a dogmatic (non-thinking) suicidal tactic. Gut-feeling truthiness (comically) is always fun for the clueless losers.

Re:AFT Defense/Offense Corporatist attack their en (1)

Creepy Crawler (680178) | more than 6 years ago | (#19964021)

---AFT (About Fyucking Time) Defense/Offense Corporatist attack a real enemy of US. They (Corporations/associations/laws... RIAA, MPAA, DMCA ...) have been using the law to spy on and attack citizens......

Wow. That is one hell of a rant. Too bad it's just full of sticking points towards every group you hate. That adds nothing.

---If you want to win you must always be on the offense. Offense or Defense will always win a battle, but only offense can win the war.

Your key supposition is this.

What is winning to Time-Warner? They wish to make money.

Can attacking lead to elimination of threat? Yes, it can.

Can attacking lead to more money lost due to unforeseen complications? Yes, it can.

What is the percentage that is lost? It is a great percentage. Why? Because IP addresses are not checked to verify whether source/destination are correct.

If the majority of companies went to 1st strike like what you wish, then I, as one person, could imitate a rival company and engage each other in a cyberwar. If you don't understand this, I am simply blending in the prisoner's dilemma and the tragedy of the commons.

That's probably why you were -1'ed.

Their DNS Server... (4, Insightful)

flyingfsck (986395) | more than 6 years ago | (#19963855)

If I wish to black hole something on my DNS, it is my prerogative to do so. If someone else is using my server for free and complains about the shitty service, then I'll gladly refund his money...

Re:Their DNS Server... (1)

networkzombie (921324) | more than 6 years ago | (#19964071)

I agree! I don't trust Time Warner and/or Cox (I'm on Cox) so I don't use their DNS servers anyway. I expect no less from these ISPs. If you are using their DNS, you must actually want them to do this for you. This is only to protect Internet Joe who doesn't know what DNS is! Hell, I remember when 4.2.2.2 resolved to something like i.will.not.steal.dns.service.from.gtei.com. If kiddies are using DNS for bots, let's use it against them! You can always run your own DNS and get your updates from the root 13. Those 13, of course, should be left alone.

Re:Their DNS Server... (2, Interesting)

DarkOx (621550) | more than 6 years ago | (#19964133)

Yes, but arguably DNS is a service you expect your ISP to provide. I know I do. I rather like my ISP's DNS server, it's fast and near to me in terms of hops. It's a great forward DNS server for the DNS server on my personal network.

I expect my ISP to provide me with correct DNS lookup results. If they don't then they would not be providing me with part of the service I understand I am paying them for. They would hear from me about it pretty quickly and more than likely lose my business over it. There are after all lots of ISPs out there.

Re:Their DNS Server... (1)

vux984 (928602) | more than 6 years ago | (#19964513)

Remember how well that worked for email. If you didn't want to use your ISP's SMTP server because you didn't like their policies you could just run your own. Now, many of them do their absolute damnedest to force you to use theirs by blocking access to others... all in the fight against spam.

If the botnets/etc get wise to the fact that the ISPs are fucking with DNS, they'll just start dodging the ISP's DNS service, like the spambots dodged the ISP's SMTP server.

The obvious ultimate outcome - the ISPs force you to use their DNS servers. Any DNS traffic originating from your PC to an external server will be blocked.

It's not like the police are doing anything.. (4, Interesting)

QuantumG (50515) | more than 6 years ago | (#19963881)

Uhhhh.. see, I'm kind of the opinion that vigilante action is only bad if there are proper channels. There are none.

Personal freedom (1)

flyingfsck (986395) | more than 6 years ago | (#19963893)

only extends to where someone else's nose begins. If someone is harming your chattels, then you have the right to take appropriate action to limit the damage. I'd love to see a botnet operator sue Time Warner - "Judge it is not fair, they hit back first! Waaaaaahhhh..."

UGH just create a virus that gets rid of ALL virii (0)

Anonymous Coward | more than 6 years ago | (#19963995)

Think it can't be done? Why? They can make them and get detected, so why not one that completely goes off like a worm and attacks all these virii and even updates itself.
The question now arises: whom do we trust for that?
So, not going to happen.

In the long run, not a great idea (4, Insightful)

BertieBaggio (944287) | more than 6 years ago | (#19964007)

I have mod points, but I'd like to collectively reply to a few of the comments I see here. For those of you that are commending this act of vigilantism, stop and think - is this the most effective way to tackle the problem? The way I see it is that being a vigilante is akin to being involved in a constant game of whack-a-mole. The only problem is that when you start taking down bots (or even whole botnets), the people running them begin to realise that their current generation of malware isn't effective enough, and create something that is harder to detect. As the summary notes, we've already seen [slashdot.org] them trying to improve their resources. There was another post I saw on here that put it more eloquently, essentially saying: vigilantism only helps the bad guys work out where they need to improve.

So how about instead of trying to fight a brushfire with an extinguisher, we get to the root of the problem and start educating users. Yes, that takes effort. I can't begin to count the hours I've spent trying to explain to folk why using an alternative browser (or OS or whatever) is a good idea, and what they should look for in a reputable site, and so on and so on ad nauseam. It's a slow process, but the more people that are aware of the risks - and more importantly, the reasons for the risks - the fewer potential 'marks' there are for all the script kiddeez, rooters and organised criminals out there.

And for us on /. - fewer requests to fix the family computer when we visit at Christmas.

Re:In the long run, not a great idea (1)

OS24Ever (245667) | more than 6 years ago | (#19964169)

Have you walked down your street, knocking on doors, offering to educate them? It doesn't work too well. I tried it as a 'break the ice' to help secure unsecured networks from my neighbors (live in a single family home neighborhood, not an apartment complex) right after we moved in. A lot of people looked at me oddly, and only one wanted to know about it, out of the 7 homes I tried before quitting. I'd walk the cul-de-sac with my iBook showing them how anyone could log on and how just a simple WEP password would scare all but the hardcore away, or if their router did it, WPA-TSK.

Trying to clean a botnet infestation is about 100 times more invasive. ISPs have got to do what they can to help, and since people don't know/don't care/are completely fucking clueless about the entire idea of a bot let alone a huge bot net concept I find the education, while valiant, pretty damn near impossible.

Re:In the long run, not a great idea (1)

BertieBaggio (944287) | more than 6 years ago | (#19964473)

Actually, I haven't proffered my services like that, but I actually think it's a good idea. When I move into my next apartment (looking for a place at the moment) I think I'll give it a shot. As you say it may not have a great success rate but it is a good icebreaker.

I'd recommend other folk try this too - it can come in very handy to have a reputation as 'that helpful guy in the building / on the block'.

Re:In the long run, not a great idea (0)

Anonymous Coward | more than 6 years ago | (#19964249)

what they should look for in a reputable site

Pr0n. Lots of top notch pr0n.

Re:In the long run, not a great idea (1)

QuantumG (50515) | more than 6 years ago | (#19964265)

There's no hope of that.

We need a dedicated police force to track botnets and their creators and run them to ground.

In fact, we need a specially trained police force in every country in the world with international co-operation between each of them.

I suggest that we fund it with an "Internet License" and that could include some education component (but don't get too excited, it won't be anything useful).

Re:In the long run, not a great idea (0)

Anonymous Coward | more than 6 years ago | (#19964397)

It sounds like by saying

vigilantism only helps the bad guys work out where they need to improve
you are advocating doing nothing unless it's the perfect solution. I agree, I see education of the common user as the perfect solution to this problem (as well as many other problems) but that is never going to happen.

Too many users are too unfamiliar with computers to effectively make education work. What motivation is somebody going to have who uses the internet to look up movie times and send the occasional email to family members to learn how to patch their computer? You might say, "just cut them off of the internet, that'll motivate them!" Now, can you imagine these thousands of users calling their ISPs pissed off that they can't access the internet. That can't be good for business. I can say first hand, having witnessed my parents berating Cox and AOL (back in the day), the average user doesn't want to do any unrequired work if they can help it.

Re:I have mod points... (0)

Anonymous Coward | more than 6 years ago | (#19964459)

I have mod points...

And I care WHY?

There are worse ways... (1, Interesting)

Anonymous Coward | more than 6 years ago | (#19964031)

I'm a student at Clemson University. After some problems with IRC-based badware 4-5 years ago, the University decided to block the default IRC port for students to try to help.

Thing is, they never removed the block. And at a University, well, when someone does this, you're pretty much boned.

(Yes, I know there are multiple ports on many IRC servers -- but not all of them.)

crackz.ws dns (0)

Anonymous Coward | more than 6 years ago | (#19964079)

I have Cox Communications, and I just checked, irc.mzima.net is still hijacked...

More interestingly, (I think), the website 'crackz.ws' is permanently hijacked by Cox:
 
;; ANSWER SECTION:

crackz.ws. 300 IN A 68.0.15.8

it redirects to a "Scam Blocked" page...
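A check one could run to spot this kind of redirect, as an added example that is not part of the thread: it parses dig-style ANSWER SECTION output from the ISP resolver and from the zone's authoritative server and reports names the resolver answers differently. The sample output is constructed; 68.0.15.8 is the address quoted above, all other addresses are documentation-range placeholders, and the zone names other than crackz.ws are made up.

```python
import re
from typing import Dict, List, Set, Tuple

# One A/AAAA resource record line as dig prints it: owner, TTL, class, type, rdata.
RR_LINE = re.compile(r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>A|AAAA)\s+(?P<rdata>\S+)$")


def parse_answers(dig_output: str) -> Dict[str, Set[str]]:
    """Map each owner name (lower-cased, no trailing dot) to the set of
    A/AAAA rdata found in the ANSWER SECTION of dig-style output."""
    answers: Dict[str, Set[str]] = {}
    in_answer = False
    for raw in dig_output.splitlines():
        line = raw.strip()
        if line.startswith(";; "):
            # Section headers and trailer lines (";; Query time:") end the answer section.
            in_answer = line.startswith(";; ANSWER SECTION")
            continue
        if not in_answer or not line:
            continue
        m = RR_LINE.match(line)
        if m:
            name = m.group("name").rstrip(".").lower()
            answers.setdefault(name, set()).add(m.group("rdata"))
    return answers


def find_hijacked(isp_output: str, auth_output: str) -> List[Tuple[str, List[str], List[str]]]:
    """Return (name, unexpected addresses, authoritative addresses) for every
    name the ISP resolver answers with an address the authoritative server
    never hands out. A strict subset is not flagged: round-robin or
    geo-aware zones legitimately return fewer records than they hold."""
    isp, auth = parse_answers(isp_output), parse_answers(auth_output)
    hijacked = []
    for name, addrs in isp.items():
        expected = auth.get(name)
        if expected is None:
            continue  # no authoritative data for this name, cannot judge
        unexpected = addrs - expected
        if unexpected:
            hijacked.append((name, sorted(unexpected), sorted(expected)))
    return hijacked


# Constructed sample: what the ISP resolver returned.
ISP_OUTPUT = """;; QUESTION SECTION:
;crackz.ws.\t\t\tIN\tA

;; ANSWER SECTION:
crackz.ws.\t\t300\tIN\tA\t68.0.15.8
irc.example-net.test.\t3600\tIN\tA\t198.51.100.7

;; Query time: 3 msec
"""

# Constructed sample: what the zones' authoritative servers return.
AUTH_OUTPUT = """;; ANSWER SECTION:
crackz.ws.\t\t3600\tIN\tA\t192.0.2.10
irc.example-net.test.\t3600\tIN\tA\t198.51.100.7
irc.example-net.test.\t3600\tIN\tA\t198.51.100.8
"""

if __name__ == "__main__":
    for name, got, expected in find_hijacked(ISP_OUTPUT, AUTH_OUTPUT):
        print(f"{name}: resolver says {got}, authoritative says {expected}")
```

Against live resolvers the two inputs would come from `dig @<isp-resolver> name A` and `dig @<authoritative-ns> name A +norecurse`; the round-robin name above shows why a plain inequality test would produce false positives.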

I've been keeping a timeline (1)

Santavez (1132093) | more than 6 years ago | (#19964093)

I think my network was the first full network hit, although FDF did have a singular server issue about a year ago and there were some smaller instances as much as two years ago. I've been keeping a collection of reports and information on a blog page found here: http://anthony.blogs.ablenet.org/time_warner_aol_roadrunner_and_verizon_kill_irc [ablenet.org] It started with TW/AOL and then Verizon and lastly Cox. At first I thought we were on a blacklist somewhere, but when that didn't check out, I was totally baffled!

Not perfect, but (3, Interesting)

davmoo (63521) | more than 6 years ago | (#19964117)

This isn't the perfect or ideal way to do things. But it's about damned time the ISPs did something.

There is simply **NO** excuse for a bot to be running on any ISP for more than the time it takes to detect it pumping out massive volumes of email. My solution, as I've stated several times, would be to disconnect the offending computer, and then fire them off a snailmail letter stating that they will not be permitted back until their computer is disinfected. But since that would cost them customers, no one will do that.

ISPs are allowed corrective action (1)

MrWin2kMan (918702) | more than 6 years ago | (#19964217)

This is really no different from when I used ISA server to redirect ad sites to a benign company graphic that eliminated pop-up ads and cookies and quickened page loading times. Cox and other ISPs operate a private network up to the point they peer, and they are allowed to control the traffic on their network by using DNS seeding on their own servers to redirect client traffic from within their own network to another server on their own network. I'm sure some verbiage is buried in their terms of use policy, but if you object to their cleaning bots off of your systems, then police yourself or get a different ISP.

Lawsuit (0)

Anonymous Coward | more than 6 years ago | (#19964333)

If it was my IRC server that they hijacked I'd sue TimeWarner to the maximum extent..

about fucking time (1)

timmarhy (659436) | more than 6 years ago | (#19964363)

This might give us some brief reprieve. TimeWarner needed to do this to prevent their network getting banned in places; I already banned it from my mailservers. The botnetters will just use IP addresses next...

Re:about fucking time (1)

DDLKermit007 (911046) | more than 6 years ago | (#19964537)

They can use IP addresses all they want. TW can easily just reroute where it goes on their network. Hijacking the DNS request is just a simple means of accomplishing this. Not to mention these people won't be able to hide so well if they actually use an IP address.

I'm of two minds (1)

sjames (1099) | more than 6 years ago | (#19964425)

I can easily understand the urge to disable as many bots as possible, particularly those that are making their network look bad.

At the same time, they're blocking legitimate accesses to legitimate services without even notifying their users.

I don't really mind that they're manipulating the machines given that they only affect owned machines.

This does seem to be a vigilante action, but it's not as if "legitimate" law enforcement seems to have any interest at all in catching cyber-criminals even when they and the victim are in the same jurisdiction unless, of course, the victim is a large corporation. Whenever legitimate law enforcement is absent, vigilantes tend to fill the vacuum.

Tortious Interference (2, Interesting)

Spazmania (174582) | more than 6 years ago | (#19964461)

Is hijacking DNS legal?

"Tortious interference" is part of English common law, roughly defined as the causing of harm by disrupting something that belongs to someone else. The original example was a guy who repeatedly drove ducks away from his neighbors' pond by firing a gun in the air on his own property.

So no, it's not legal. But if you want to pursue it in court, you have only one of the weaker common-law torts to rely on.