[153155] in North American Network Operators' Group


Re: Vixie warns: DNS Changer

daemon@ATHENA.MIT.EDU (Leo Bicknell)
Thu May 31 11:52:30 2012

Date: Thu, 31 May 2012 08:51:41 -0700
From: Leo Bicknell <bicknell@ufp.org>
To: nanog@nanog.org
Mail-Followup-To: nanog@nanog.org
In-Reply-To: <CALvoTpvCJV66xVo-JEud-Zk57tF9KocAiDKjqR15=VADRE8DRg@mail.gmail.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


In a message written on Thu, May 31, 2012 at 08:14:40AM -0500, cncr04s/Randy wrote:
> Exactly how much can it cost to serve up those requests... I mean for
> 9$ a month I have a cpu that handles 2000 *Recursive* Queries a
> second. 900 bux could net me *200,000* a second if not more.
> The government overspends on a lot of things.. they need someone who's
> got the experience to use a bunch of cheap servers for the resolvers
> and a box that hosts the IPs used and then distributes the query
> packets.

The interesting bit with DNSChanger isn't serving up the requests,
but the engineering to do it in place.  Remember, all of the clients
are pointed to specific IP addresses by the malware.

The FBI comes in and takes all the servers because they are going
to be used in the court case, and then has to pay someone to figure
out how to stand a service back up at the exact same IP's serving
those infected clients in a way they won't notice.  This includes
working with the providers of the IP Routing, IP Address
blocks, colocation space and so on to keep providing the service.

In this case it was also pre-planned to be nearly seamless so that
end users would not see any down time, and the servers had to be
fully instrumented to capture all of the infected client IP addresses
and report them to various parties for remediation, including further
evidence to the court for the legal proceedings.  The FBI also had
to convince a judge this was the right thing to do, so I'm sure
someone had to pay some experts to explain all of this to a judge
to make it happen.

I suspect the cost of the hardware to handle the queries is negligible,
I doubt of all the money spent more than a few thousand dollars
went to the hardware.  It seems like the engineering and coordination
was rather significant here, and I'll bet that's where all the money
was spent.

-- 
       Leo Bicknell - bicknell@ufp.org - CCIE 3440
        PGP keys at http://www.ufp.org/~bicknell/
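
As an added illustration of the "fully instrumented" replacement resolvers Leo describes, and not code from this thread or from the actual DNSChanger operation: a small Python script that parses constructed BIND-style query-log lines and builds a per-client summary for remediation notices. The log format, the sample addresses and the field names are assumptions.

```python
import re
from datetime import datetime

# Constructed sample lines in BIND-style query-log format; not real sinkhole data.
SAMPLE_LOG = """\
31-May-2012 08:00:01.123 client 198.51.100.7#51234: query: www.example.com IN A + (203.0.113.10)
31-May-2012 08:00:02.456 client 198.51.100.7#51240: query: mail.example.com IN MX + (203.0.113.10)
31-May-2012 08:05:09.001 client 192.0.2.44#33001: query: example.org IN AAAA + (203.0.113.10)
31-May-2012 09:15:00.777 client 198.51.100.7#51300: query: example.net IN A + (203.0.113.11)
not a query line
"""

# Timestamp, client address (IPv4 or IPv6), and query type; the port after '#' is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: query: \S+ IN (?P<qtype>\S+)"
)

def parse_line(line):
    """Return (timestamp, client_ip, qtype), or None for lines that are not queries."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S")
    return ts, m.group("ip"), m.group("qtype")

def summarize_clients(log_text):
    """Aggregate per client IP: query count, first seen, last seen.

    Only the malware's configuration points clients at these addresses, so every
    client that shows up here is a likely infection and a notification target.
    """
    stats = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip startup messages, malformed lines, etc.
        ts, ip, _ = parsed
        entry = stats.setdefault(ip, {"queries": 0, "first_seen": ts, "last_seen": ts})
        entry["queries"] += 1
        entry["first_seen"] = min(entry["first_seen"], ts)
        entry["last_seen"] = max(entry["last_seen"], ts)
    return stats

def remediation_report(stats):
    """One line per client IP, oldest first, for handoff to the owning network."""
    rows = sorted(stats.items(), key=lambda kv: kv[1]["first_seen"])
    return [f"{ip} queries={e['queries']} first={e['first_seen']:%Y-%m-%d %H:%M:%S} "
            f"last={e['last_seen']:%Y-%m-%d %H:%M:%S}" for ip, e in rows]

if __name__ == "__main__":
    for row in remediation_report(summarize_clients(SAMPLE_LOG)):
        print(row)
```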
