[154628] in North American Network Operators' Group
RE: DNS Changer items
daemon@ATHENA.MIT.EDU (Tomas L. Byrnes)
Fri Jul 6 15:59:18 2012
Date: Fri, 6 Jul 2012 12:58:44 -0700
In-Reply-To: <4FF72B49.2020302@gmail.com>
From: "Tomas L. Byrnes" <tomb@byrneit.net>
To: "Andrew Fried" <andrew.fried@gmail.com>,
"Cameron Byrne" <cb.list6@gmail.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
I think having the ISC DNS changer sinkhole servers return the DCWG
check page IP for all queries would be a good final act.
> -----Original Message-----
> From: Andrew Fried [mailto:andrew.fried@gmail.com]
> Sent: Friday, July 06, 2012 11:16 AM
> To: Cameron Byrne
> Cc: nanog@nanog.org
> Subject: Re: DNS Changer items
>
> The DNS redirection began on November 8, 2011. The servers were
> instrumented to capture a very small portion of the dns data (source ip and
> port only) so that reports of infected users could be sent to the ISPs via
> reporting organizations like Shadowserver.
>
> Some ISPs did create walled gardens. Some merely redirected affected
> customers to their own internal DNS servers. Some ISPs did aggressive
> notifications to their users. And some ISPs did nothing.
>
> Sites were set up to allow users to check their systems (dns-ok.us, etc). The
> DCWG set up an information site to provide information on how to detect
> the DNSchanger infection and how to fix it. AV companies provided tools to
> help clean up systems, and the tools were published on the DCWG.org
> website.
>
> The FBI went to great lengths to get press coverage to get the word out.
>
> This operation has been ongoing for 7 months, 27 days and 14 hours.
>
> How much more of a graceful ramp down could there have been?
>
> Andy
>
> Andrew Fried
> andrew.fried@gmail.com
>
>
> On 7/6/12 1:52 PM, Cameron Byrne wrote:
> > So instead of turning the servers off, would it not have been
> > helpful to have the servers return a "captive portal" type of response
> > saying "hey, since you use this server, you are broken, go here to get fixed"
> >
> > Seems that would have been a more graceful ramp down.
> >
> > CB
> >
>
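The sinkhole behaviour discussed in this thread (answer every A query with the check-page address, keep only the client's source IP and port for ISP reporting), as an added example that is not code from the ISC or DCWG sinkholes; the check-page address and the listening port are constructed placeholders.

```python
import socket
import struct

# Constructed placeholder (TEST-NET-1); the real DCWG check-page address is not on the page.
CHECK_PAGE_IP = "192.0.2.10"

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a minimal A/IN query; used here only to produce sample input."""
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.split("."))
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)

def sinkhole_answer(query: bytes, ip: str = CHECK_PAGE_IP, ttl: int = 60) -> bytes:
    """Answer any A/IN question with the fixed check-page address.

    Other question types get an empty NOERROR reply; malformed packets get b"".
    """
    if len(query) < 17:
        return b""
    txid, flags, qd = struct.unpack("!HHH", query[:6])
    pos = 12                       # walk the QNAME labels to the end of the question
    while pos < len(query) and query[pos] != 0:
        pos += query[pos] + 1
    pos += 1
    if pos + 4 > len(query):
        return b""
    qtype, qclass = struct.unpack("!HH", query[pos:pos + 4])
    question = query[12:pos + 4]
    answer = b""
    if qtype == 1 and qclass == 1:
        # NAME = pointer to offset 12 (the question), TYPE A, CLASS IN, TTL, RDLENGTH 4.
        answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(ip)
    rflags = 0x8480 | (flags & 0x0100)   # QR, AA, RA set; RD copied; RCODE 0
    header = struct.pack("!HHHHHH", txid, rflags, qd, 1 if answer else 0, 0, 0)
    return header + question + answer

def client_record(addr: tuple) -> dict:
    """Retain only what the ISP reports need: the client's source IP and port."""
    return {"src_ip": addr[0], "src_port": addr[1]}

def serve(bind=("127.0.0.1", 5353)):
    """Small UDP loop tying the pieces together (port is a constructed choice)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(bind)
        while True:
            data, addr = sock.recvfrom(512)
            print(client_record(addr))
            sock.sendto(sinkhole_answer(data), addr)
```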