wirelessdog (Member, join:2008-07-15, Queen Anne, MD)
DNSchanger

Is anyone redirecting DNS traffic to warn users if they are infected with DNSchanger? If so, how are you doing it?
OHSrob (Member, join:2011-06-08, 1 edit)
I run a Snort IDS; it detects most network worms and many viruses. (It also gets false positives, mainly FTP ones.)

That said once people are on my service it is rare for them to get a virus.

In our policy we strongly recommend against Internet Explorer as it's the number 1 cause of infections. We require our customers to keep their PCs up to date (after I install them I turn on auto update) and forbid people from having viruses on our network (if I see spam email going out or a DDoS, their internet is shut off). We also require that the customer installs an anti-virus and that they have a minimum security on their router of WPA-TKIP to prevent wifi theft and to avoid possible mis-identification if an intruder got into their network. We also install Microsoft Security Essentials on all our customers' PCs if we see they don't have anything.

We also offer virus removal. When we do an install, if we see a virus-infected computer we will try to get the customer's approval for a format and reload ($100).

Due to these policies our customers are significantly less likely to get infected than a customer on a competitor's service.

edit: Switchport mirroring is your friend

Rhaas (Premium Member, join:2005-12-19, Bernie, MO) to wirelessdog
I'm redirecting the DNS traffic, but not warning them.

I guess it could be done via address lists and perhaps hotspot or even a squid proxy.

I.e. with the following logic:

SRC IP detected attempting to use one of the known bad DNS servers. SRC IP added to an address list for X minutes.
Firewall NATs TCP port 80 for SRC IPs in the address list to a Squid server set up with a splash page/portal.
After X minutes browsing goes back to normal, unless they attempt to access the known bad DNS servers again, in which case the process starts over.
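The address-list logic above, as an added example (not from the thread or any poster): a small Python detector that scans constructed flow records for clients sending DNS to the rogue resolver subnets listed later in the thread, covers TCP/53 as well as UDP/53, and reports which client IPs would currently be on the time-limited address list. The flow-record format and the client addresses are assumptions.

```python
import ipaddress
from datetime import datetime, timedelta

# Rogue resolver ranges as posted later in this thread (Operation Ghost Click).
ROGUE_DNS_NETS = [ipaddress.ip_network(n) for n in (
    "85.255.112.0/20", "67.210.0.0/20", "93.188.160.0/21",
    "77.67.83.0/24", "213.109.64.0/20", "64.28.176.0/20",
)]


def is_rogue_dns(dst_ip, dst_port, proto):
    """True if the flow is a DNS query (UDP or TCP port 53) to a rogue resolver."""
    if dst_port != 53 or proto not in ("udp", "tcp"):
        return False
    addr = ipaddress.ip_address(dst_ip)
    return any(addr in net for net in ROGUE_DNS_NETS)


def scan(flow_lines, now_iso, timeout_minutes=30):
    """Parse 'timestamp src dst dport proto' records (assumed format) and return
    the client IPs that hit a rogue resolver within the last timeout_minutes,
    i.e. the contents of the time-limited address list at time now_iso."""
    expiry = {}  # client ip -> time its address-list entry expires
    for line in flow_lines:
        ts, src, dst, dport, proto = line.split()
        if is_rogue_dns(dst, int(dport), proto):
            # Re-adding an IP renews its timer, as a RouterOS address list does.
            expiry[src] = datetime.fromisoformat(ts) + timedelta(minutes=timeout_minutes)
    now = datetime.fromisoformat(now_iso)
    return sorted(ip for ip, exp in expiry.items() if exp > now)


# Constructed sample flows; client addresses are hypothetical RFC 5737 values.
SAMPLE_FLOWS = [
    "2012-05-01T10:00:00 192.0.2.10 85.255.112.36 53 udp",  # rogue resolver
    "2012-05-01T10:00:05 192.0.2.11 8.8.8.8 53 udp",        # public resolver, fine
    "2012-05-01T10:00:09 192.0.2.12 93.188.166.7 53 tcp",   # rogue, over TCP
    "2012-05-01T10:00:12 192.0.2.10 85.255.112.36 80 tcp",  # not DNS, ignored
]

if __name__ == "__main__":
    # Both offenders are still listed 20 minutes in; none after the timeout.
    print(scan(SAMPLE_FLOWS, "2012-05-01T10:20:00"))
    print(scan(SAMPLE_FLOWS, "2012-05-01T10:40:00"))
```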

battleop (Member, join:2005-09-28) to OHSrob
Wow, that's the most off-topic answer I've seen in some time.

Inssomniak "The Glitch" (Premium Member, join:2005-04-06, Cayuga, ON, 1 recommendation) to OHSrob
said by OHSrob:

We also offer virus removal, When we do an install if we see a virus infected computer we will try to get the customers approval for a format and reload. ($100).

Wow, that's ballsy. I would never think of doing that during an install. I'm not gonna be the one that deleted that important (real or not) document or picture and have them demand their money back or free Internet. Not to mention they sucker you in for life for any future service.

We tell them to take it to a computer store and get it fixed. We are an ISP, not a computer repair shop.

wirelessdog (Member, join:2008-07-15, Queen Anne, MD)

Is there a list of DNS addresses I should be redirecting somewhere?

Inssomniak "The Glitch" (Premium Member, join:2005-04-06, Cayuga, ON)

said by wirelessdog:

Is there a list of DNS addresses I should be redirecting somewhere?

Yea, I'd be interested to know too.

TomS_ "Git-r-done" (MVM, join:2002-07-19, London, UK)

said by Inssomniak:

said by wirelessdog:

Is there a list of DNS addresses I should be redirecting somewhere?

Yea I'd be interested to know too

»www.fbi.gov/news/stories ··· ware.pdf

The second-to-last page lists the subnets that were hosting the rogue DNS servers.

Rhaas (Premium Member, join:2005-12-19, Bernie, MO) to Inssomniak

/ip firewall nat
add action=dst-nat chain=dstnat comment="Ghost Click" disabled=no dst-address=85.255.112.0/20 dst-port=53 protocol=udp to-addresses="your DNS server" to-ports=53
add action=dst-nat chain=dstnat comment="Ghost Click" disabled=no dst-address=67.210.0.0/20 dst-port=53 protocol=udp to-addresses="your DNS server" to-ports=53
add action=dst-nat chain=dstnat comment="Ghost Click" disabled=no dst-address=93.188.160.0/21 dst-port=53 protocol=udp to-addresses="your DNS server" to-ports=53
add action=dst-nat chain=dstnat comment="Ghost Click" disabled=no dst-address=77.67.83.0/24 dst-port=53 protocol=udp to-addresses="your DNS server" to-ports=53
add action=dst-nat chain=dstnat comment="Ghost Click" disabled=no dst-address=213.109.64.0/20 dst-port=53 protocol=udp to-addresses="your DNS server" to-ports=53
add action=dst-nat chain=dstnat comment="Ghost Click" disabled=no dst-address=64.28.176.0/20 dst-port=53 protocol=udp to-addresses="your DNS server" to-ports=53
Jim_in_VA (banned) (Member, join:2004-07-11, Cobbs Creek, VA) to wirelessdog
Not sure if this is what you need: »code.google.com/p/namebench/

TomS_ "Git-r-done" (MVM, join:2002-07-19, London, UK) to Rhaas
You should also capture TCP and redirect them if that can be done.

DNS queries that result in packets larger than 512 bytes typically can't use UDP transport.

Rhaas (Premium Member, join:2005-12-19, Bernie, MO)

said by TomS_:

You should also capture TCP and redirect them if that can be done.

DNS queries that result in packets larger than 512 bytes typically can't use UDP transport.

I thought the initial request was UDP regardless? If so then all I need to do is redirect the first packet and my DNS servers take over.
OHSrob (Member, join:2011-06-08) to Inssomniak
said by Inssomniak:

said by OHSrob:

We also offer virus removal. When we do an install, if we see a virus-infected computer we will try to get the customer's approval for a format and reload ($100).

Wow, that's ballsy. I would never think of doing that during an install. I'm not gonna be the one that deleted that important (real or not) document or picture and have them demand their money back or free Internet. Not to mention they sucker you in for life for any future service.

We tell them to take it to a computer store and get it fixed. We are an ISP, not a computer repair shop.

They acknowledge that I am not responsible for any and all data loss that occurs and that they are aware everything will be gone.

If they want a backup they can pay for it and tell me in a documented way exactly what they want backed up. If they don't understand how to operate a computer well enough to know, I won't touch it but will tell them not to plug it into the internet. (I can't have someone sending out spam emails or participating in a DDoS.) They can pay for exactly how long it takes to back it up at $50 per hour.

I keep my network and the computers connected to it as clean as possible. Too many viruses on subscribers' computers make for an unhappy network with lots of wasted upload.

Also, I never had one customer with DNSChanger.

My policies also allow me to disable the internet to a subscriber with a virus until it has been removed. All ISPs should have this policy; the internet would be a much better place with much less fraud and identity theft if all providers did this.

wirelessdog (Member, join:2008-07-15, Queen Anne, MD)

Wow. So much for providing a connection and what the customer does with it is their business. What you described creates a huge liability.
jcremin (Member, join:2009-12-22, Siren, WI)

said by wirelessdog:

Wow. So much for providing a connection and what the customer does with it is their business. What you described creates a huge liability.

What is wrong with having a clause that states any virus propagation or spamming is grounds for having service suspended until the virus is removed? I do the same thing... Although it is hard to detect, if I see a customer who has tons of upload traffic when they typically wouldn't (and especially if it is SMTP), I will call them and try to troubleshoot to see if it is intentional. If it appears to be a virus, I either tell them "sorry, I'm going to have to block internet access until you remove the virus or unhook the computer from the internet" or I ask them to bring the computer to me.

I don't see computer repair as a big issue. I did computer repair commercially for 15 years before starting an ISP, and it has never been an issue. I always warn people that there is a chance the virus may have damaged the computer to the point data may be lost, and then I ask them how recent their backup is. It is a good way to start the process out with it being clear that any data loss is their own fault for not having a backup. Once they have accepted that, then we move on. I did have one person who said his stuff was mission critical, so I decided it was best to say I didn't want that liability, but that's only happened once in over 15 years.