[150207] in North American Network Operators' Group
Re: DNS Attacks
daemon@ATHENA.MIT.EDU (Robert Bonomi)
Sat Feb 18 17:25:15 2012
Date: Sat, 18 Feb 2012 16:29:17 -0600 (CST)
From: Robert Bonomi <bonomi@mail.r-bonomi.com>
To: nanog@nanog.org
In-Reply-To: <4F401B13.3060202@opus1.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
Joel M Snyder <Joel.Snyder@Opus1.COM> wrote;
>
> > http://thehackernews.com/2012/02/fbi-will-shutdown-internet-on-march-8.html
>
> Quoting the FBI:
>
> 85.255.112.0 through 85.255.127.255
> 67.210.0.0 through 67.210.15.255
> 93.188.160.0 through 93.188.167.255
> 77.67.83.0 through 77.67.83.255
> 213.109.64.0 through 213.109.79.255
> 64.28.176.0 through 64.28.191.255
>
> Solve said problem easily by destination NATing those IPs on 53/UDP/TCP
> to your own recursive servers, or dump them on Google at 8.8.8.8 if
> you're so inclined. Extra bonus result: NAT logs will show who needs a
> pleasant email from customer service.
Even better, nat to a 'bogon' DNS server -- one that -- regardless of the
query -- returns the address of a dedicated machine on your network set up
especially for this purpose. This special-purpose machine returns a
customized 'error message' for any/all 'standard' protocols -- one that
states that they are infected with the particular malware, that none of
their attempts at intnernet access will work until they get that malware
removed, that they need to contact a 'computer repair' business ("See the
Yellow pages") to get the problem dealt with, -and- that assistance with
such malware removal is -not- part your 'support' services. Lastly, add
a statement that any calls to -your- support staff will cause the customer's
account a fee of $xx -- just for repeating the above. Th special-purpose
machine logs all inbound connection attempts -- timestamp, source IP, and
protocol -- for matching against customer accounts, providing a provable
audit trail to support the 'penalty' charge, when users -do- call 'support'.
Optionally, you refer them to a 'paid consulting' division of your operation,
which provides additional services on a time-and-materials basis.
This approach is -not- particularly 'customer-friendly' in the short term,
but it -will- have long-term benefits for the customer -- they _will_ have
learned something about the risks of not 'practicing safe hex', and their
machine(s) will (well, _probably_) be safer/more secure in the future. Thus
reducing future problems for both the customer and the provider support desk.
> Or you could just let 'em[1] suffer, BoFH-style.
>
> [1] "'em" in this case is "your customer service reps" who will see a
> 'higher than normal call volume' should the FBI's warning mean anything.
