swhx7 (edit: July 24th, @12:48AM):
ISP action against bots
From Slashdot: Cox and Time Warner have been hijacking DNS for certain IRC servers to which some bots connect. »blog.wired.com/27bstroke6/2007/0···aki.html , »www.exstatica.net/hijacked/ , »www.gossamer-threads.com/lists/f···re/55016
Innocent parties are affected too. The false entries direct clients to channels which run scripts that are intended to remediate infected computers.

EGeezer:
I wonder how the server owners would respond if they were asked to clean and ban the bot herders and malware pushers from their systems?
It seems like cooperation from the system owners would remove any justification for the actions the ISPs took.
-- The society which scorns excellence in plumbing as a humble activity and tolerates shoddiness in philosophy because it is an exalted activity will have neither good plumbing nor good philosophy: neither its pipes nor its theories will hold water.

Mele20 (edit: July 24th, @05:21AM):
This has caused a huge uproar. Did you read all the links? Here is just one example of the harm this has done:
" Tuesday, July 10, 2007: Timewarner/AOL and Verizon are pillaging IRC networks.
TIME WARNER/AOL and VERIZON are KILLING IRC!!!
Time Warner/AOL, known to many as AOL and RoadRunner, are redirecting traffic on IRC ports (such as 6667) to their own network (it says irc.foonet.com but you can't connect to it directly). At this point they force you to join a channel called #badbotbad, at which they put .remove in the subject. Instead of targeting bots, they are targeting everyone, with an outmoded and half-assed method. To top it off, they are not restoring access past their transparent proxy and their lower-level tech support claims to know nothing of it. Time Warner/AOL just goes to show how they are one to two years behind the curve, as most botnets are now targeting P2P file sharing networks.
Verizon on the other hand has taken to blocking entire IPs, outright! Meaning that users can not connect on any port, nor can they view websites associated with those IPs. This type of behavior by major ISPs can legitimately cause the death of IRC as we know it, thusly killing entire communities by removing an internet users right to choose! FIGHT BACK!! Protect your freedom of choice!
These ISPs have provided us, the IRC Networks, no means of redress! We can not even address our concerns with a real person and there is no way to speak with anyone! We can not even defend ourselves in the process! I personally implore all of you to contact your ISPs and tell them to STOP selectively restricting the internet of their safe communities. Protect your right to choose how to responsibly use your service!
If these ISPs really wanted to solve their problems, they would offer free intrusion scanning and protection for their clients as well as a more comprehensive virus scanning service for their average users! AbleNET is very aggressive against botnets and illegal activity, by choice! We can protect ourselves better than the ISPs can... The ISPs seek only to destroy our communities!
One of our users was nice enough to take screen captures (see reference below), from Time Warner/AOL. As you can see, this is CLEARLY NOT AbleNET!
Reference:
1: »s46.photobucket.com/albums/f116/···net1.jpg
2: »s46.photobucket.com/albums/f116/···net2.jpg
3: »s46.photobucket.com/albums/f116/···net3.jpg
4: »s46.photobucket.com/albums/f116/···net4.jpg
5: »s46.photobucket.com/albums/f116/···net5.jpg
by Anthony (IRCop) @ 00:44 AM, Jul 19 2007
I wrote the following e-mail to Full-Disclosure. I hope beyond hopes that someone can help...

Subject: Major ISPs arbitrarily blocking IRC and hijacking DNS entries
Greetings:
I am writing to this list because I no longer know where to turn. Over the course of the past two to three weeks I have watched my services on the internet become systematically blocked and redirected by no less than three major ISPs in their efforts to stop botnets from connecting to IRC. Allow me to provide a little background info.
My name is Anthony Sanchez and I have run a small IRC network for the past 6 years, along with a couple of websites and my mail server (utilized by two people). Approximately 2 weeks ago, we discovered that TimeWarner/Road Runner/AOL was redirecting traffic from irc.ablenet.org port 6667 to their own dummy install of ircd, along with commands to connecting users to ".remove" in the event that the connection was a bot. If the end user were to attempt to speak or issue a command, that user was banned from the 'dummy' network.
At about the same time, we noticed that Verizon was restricting access to the IPs altogether, apparently using some form of port restriction, as the DNS still resolved correctly on their name servers. I have documented this informally, with screenshots, on my weblog, found at »anthony.blogs.ablenet.org/ .
As of today, it now appears that Cox is also redirecting traffic apparently in an effort to disable botnets.
As you can see below, the correct resolution of irc.ablenet.org is as follows:

Name:    irc.ablenet.org
Address: 65.23.156.37
Name:    irc.ablenet.org
Address: 65.19.178.15

Contrary to the truth, cox.net resolves it as so:

Server:  ns1.dc.cox.net
Address: 68.100.16.30
Name:    irc.ablenet.org
Address: 70.168.70.4
Out of concern, I had emailed the irc-unity.org security discussion list (currently cc'd; I hope that is ok) and confirmed that while not everyone is experiencing this problem, it is not entirely new. That being said, I am not sure anyone has experienced it on this level. We have never harbored botnets; in fact, we have very strict connection policies and have flown under the radar for a good number of years.
I assure you all that we have never and will never contribute to the abuse of the internet. A cursory scan of the general blacklists does not appear to show any submission of my IPs or my URL. To make matters worse, we have no means of recourse or correction. No one has made an effort to contact me with regards to their plans and how I may have been able to prevent what amounts to a systematic crippling of services. I have no way to circumnavigate the domain hijacking, port blocking or traffic redirection being employed. Nor do I have any useful contact information that would put me in contact with any of their network security personnel. These providers, while perhaps noble in their cause, are denying us our right to exist. If we were a large organization, this very likely would not be happening.
I appeal to the members of this list and those that read it. If anyone can offer any form of assistance, knows anyone who can, or can help me get my story out... please do. Beyond the inability to exist, I am concerned for the communities that have congregated with us and contributed to the greater good. Any and all assistance will be beyond appreciated, as our very existence is at stake and I no longer know what to do...
Best Regards,
Anthony S
Anthony at AbleNET dot Org
»anthony.blogs.ablenet.org/ "
I sympathize with the ISPs, but deliberately breaking the DNS protocol is simply wrong and a dangerous precedent has been set here.
-- "The same ferocity that our founders devoted to protect the freedom and independence of the press is now appropriate for our defense of the freedom of the internet. The stakes are the same: the survival of our Republic". Al Gore, The Assault on Reason

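The quoted e-mail shows the check that exposed the substitution: the zone owner knows which addresses irc.ablenet.org should resolve to, and an ISP resolver returns something else. The following is an added example, not code from the thread or from AbleNET, that automates that comparison. It parses nslookup-style transcripts (the format the e-mail quotes) and classifies each resolver as returning the published records, returning addresses the zone never published, or returning nothing at all. The expected addresses and the Cox answer are taken from the e-mail; the "clean" resolver (resolver.example.net, 192.0.2.53) and both transcripts are constructed for the example. It does not address robo_mojo's point below that a bot hard-coded with an IP address never asks the resolver at all; it only tells you whether the resolver you are using is lying.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Addresses the zone owner states are correct (quoted in the e-mail above).
EXPECTED = {"65.23.156.37", "65.19.178.15"}

# Constructed nslookup-style transcripts. "cox" reproduces the answer quoted in
# the e-mail; "clean" is a hypothetical resolver returning the real records.
TRANSCRIPTS = {
    "cox": """\
Server:  ns1.dc.cox.net
Address: 68.100.16.30

Name:    irc.ablenet.org
Address: 70.168.70.4
""",
    "clean": """\
Server:  resolver.example.net
Address: 192.0.2.53

Name:    irc.ablenet.org
Address: 65.23.156.37
Name:    irc.ablenet.org
Address: 65.19.178.15
""",
}


@dataclass
class Lookup:
    server: Optional[str] = None       # resolver that answered (Server: line)
    server_addr: Optional[str] = None  # that resolver's own IP
    name: Optional[str] = None         # queried name (Name: line)
    answers: Set[str] = field(default_factory=set)


LINE = re.compile(r"^\s*(Server|Name|Address):\s*(\S+)")


def parse_nslookup(text: str) -> Lookup:
    """Parse nslookup's Server/Address/Name/Address output.

    nslookup prints the resolver's own address right after "Server:", then one
    "Address:" per answer after "Name:". An Address seen before any Name line
    therefore belongs to the resolver, not to the queried name.
    """
    lk = Lookup()
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        key, value = m.groups()
        value = value.split("#")[0]  # drop a trailing "#53" port suffix if present
        if key == "Server":
            lk.server = value
        elif key == "Name":
            lk.name = value
        elif lk.name is None:
            lk.server_addr = value
        else:
            lk.answers.add(value)
    return lk


def audit_resolvers(expected: Set[str], transcripts: Dict[str, str]) -> Dict[str, dict]:
    """Classify each resolver's answer set against the records the zone publishes."""
    expected_ips = {ipaddress.ip_address(a) for a in expected}
    report = {}
    for label, text in transcripts.items():
        lk = parse_nslookup(text)
        got = {ipaddress.ip_address(a) for a in lk.answers}
        unexpected = got - expected_ips
        if not got:
            status = "empty"        # no answer at all: possible blocking rather than substitution
        elif unexpected:
            status = "substituted"  # at least one address the zone never published
        else:
            status = "ok"
        report[label] = {
            "server": lk.server,
            "status": status,
            "unexpected": {str(a) for a in unexpected},
            "missing": {str(a) for a in expected_ips - got},
        }
    return report


if __name__ == "__main__":
    for label, r in audit_resolvers(EXPECTED, TRANSCRIPTS).items():
        print(f"{label:6} {r['server']:<22} {r['status']:<12} "
              f"unexpected={sorted(r['unexpected'])} missing={sorted(r['missing'])}")
```

Against live resolvers you would feed `audit_resolvers` the output of `nslookup irc.ablenet.org <resolver>` for each ISP resolver and for the zone's authoritative servers, taking EXPECTED from the authoritative answer rather than hard-coding it. A "substituted" result with a "missing" set equal to the whole published set, as in the Cox transcript, is the signature of a resolver replacing the record wholesale rather than merely adding an address.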
swhx7 (reply to swhx7):
The defenders were saying something like the following:
* ISPs have to do something about botnets
* ISPs have no obligation to give true results for queries to their DNS servers
* (I would add, they would incur big costs if they tried to educate customers or get them to clean up infected machines; users don't have the patience or aptitude; they don't care and won't cooperate as long as they can web-surf; ISPs can't spend more on tech support and can't afford to lose customers by disconnecting infected ones)
The critics agreed with you Mele:
* breaking DNS is unacceptable
* running scripts without consent on other people's computers is unacceptable and illegal
* innocent parties are harmed by denial of non-bot IRC connections
* lots of trojans aren't using IRC anymore
It is a dilemma. I would suggest, if the ISP could identify the bot-infected computers, at least they should deal with them individually, not by falsifying DNS for everyone.

bky (reply to EGeezer, edit: July 24th, @03:19PM):
said by EGeezer:
I wonder how the server owners would respond if they were asked to clean and ban the bot herders and malware pushers from their systems? It seems like cooperation from the system owners would remove any justification for the actions the ISPs took.
While that sounds fine in theory, most server ops react too late, depending on the size of the network. I have no clue which IRC networks they modified DNS for, so they could have been big or small, I suppose.

ftthz:
It's wrong to break the DNS.

Vista RTM (reply to swhx7):
IRC has been killing the internet since before 1993. There is a good read about it here:
»www.grc.com/dos/grcdos.htm
quote: . . (living in Kenosha, Wisconsin) who goes by the hacker handle "Wicked", was informed by some senior hackers, among them "HeLLfiReZ", a member of the notorious Sub7 crew, that I had referred to them in an online forum, using the derogatory term "script kiddies". I had not. But these senior hackers were upset over a dispute that had erupted in one of our Internet security newsgroups. "Wicked's" response was to team up with two other hackers, all of whom tend and manage large fleets of "IRC Attack Bots". They launched a concerted and extended "packet attack" against grc.com. In the slang that I learned while monitoring their many conversations, they "packeted" us. They did this, not using any tool they had written, and not possessing the ability to create such a tool themselves, but using a powerful "IRC Bot" that had been passed around extensively. Neither Wicked nor his friends know who wrote it or even where it came from.

robo_mojo (reply to swhx7):
1) Too bad that working DNS is not a requirement to deploy/operate a bot (at least, I can imagine a bot that attempts to connect to an IP address, duh).
2) The ISP is in no position to be determining which data going over a customer's line is "good" or "bad" for the customer. That should be the customer's responsibility.
3) Why does an ISP even need to do anything at all? Don't they have Common Carrier status, which would limit their liability for any damages? If that is the case, I expect an ISP to do nothing about bot infestations. Just supply the pipe and let the customer worry about it.
4) If the ISP justifies itself in manipulating internet traffic for purpose X, what stops them from going ahead and manipulating traffic for purpose Y next?
5) Hijacking DNS for any purpose is simply not cool.

Mele20:
said by robo_mojo:
4) If the ISP justifies itself in manipulating internet traffic for purpose X, what stops them from going ahead and manipulating traffic for purpose Y next? 5) Hijacking DNS for any purpose is simply not cool.
Number four is the important one.
-- "The same ferocity that our founders devoted to protect the freedom and independence of the press is now appropriate for our defense of the freedom of the internet. The stakes are the same: the survival of our Republic". Al Gore, The Assault on Reason

swhx7 (reply to Vista RTM):
said by Vista RTM:
IRC has been killing the internet since before 1993. There is a good read about it here: » www.grc.com/dos/grcdos.htm
I hope you were not serious about IRC "killing the internet".
Gibson suffered from a DoS (denial of service) attack using a lot of compromised PCs. They were coordinated by IRC, and supposedly it was motivated by a misunderstanding in IRC chat.
But it would have worked just as well if the captive PCs had been commanded over HTTP or another protocol. Blaming IRC is like saying telephones blow up buildings because terrorists use them to make plans. The proportion of phone calls used for crime, or the proportion of IRC used for bot-herding, is less than your chance of winning the lottery.