www.IRC-Junkie.org Forum Index
Major US ISPs Hijack IRC Server DNS

Asmo
Site Admin


Joined: 26 Oct 2004
Posts: 845
Location: Undernet

Posted: Tue Jul 24, 2007 8:09 am    Post subject: Major US ISPs Hijack IRC Server DNS

"I am writing to this list because I no longer know where to turn," admin Anthony from Ablenet started his email to the full-disclosure list. "Over the course of the past 2 to three weeks I have watched my services on the Internet become systematically blocked and redirected by no less than 3 major ISPs in their efforts to stop botnets from connecting to IRC."

What happened was that three major ISPs (TimeWarner/AOL, Verizon and Cox) had set the DNS of the servers from Ablenet to resolve to their alternative IRCd instead of the actual IP, resulting in the users being redirected to the ISPs' IRCd. Once connected to this IRCd they were directed into a channel, where they were presented with a list of commands intended to remove zombie software. For many years IRC was a popular place for dronerunners to control and command their dronenet from.

"Because we were hit by 3 major ISPs at the same time," Anthony starts explaining to IRC-Junkie in a reaction, "... for a period of approximately one month, we have seemingly lost approximately 75% of our user base, who were either directly affected or peripherally affected and followed their communities to an unaffected network."

The action did not remain restricted to this relatively small network however; 5 servers from EFnet were also caught. One of them is irc.vel.net, with Exstatica as its admin. He explained how he discovered his server was involved as well. "Yesterday July 22nd, the admin-body discovered that a handful of EFNet servers have been "juped". Not only have they taken the irc record, but they've also hijacked the SOA and NS records too."

Anthony tried to contact the ISPs in question but got either no reply at all, or a standard message that resources were too limited to reply. Exstatica also tried to contact the ISPs: "Yes I've tried, I've contacted the abuse team at cox, they've requested logs, which I provided in the first email, and then gave me a canned response that I need to check my computer for viruses."

Anthony stressed the character of his network was far from being a rogue one that hosted drone networks. "Our network has always been one that relied on their communities, under the premise that people come to irc to share ideas, meet new people and to gather in their own communities. We were never big on the notions of unnatural expansion, inflated, false communities or hierarchies. We're tough on botnets and non-conducive to file sharing... We have (had?) literary communities, fan communities, hobbyists, gamers, etc; pretty much running the gamut of personalities."

Both Anthony and Exstatica have considered legal action. But as there is no monetary loss and it involves only a violation of the RFC specifications, such an action will most likely not be very fruitful.

For Anthony and Exstatica there is one reason left to fight back however: to stand for Net neutrality. Anthony: "I also hope that our representatives do something, regarding Net Neutrality, to prevent the monopolization of the Internet. This could in some ways be compared to racketeering or a corporate equivalent of China's restriction on the Internet. I firmly believe this to be a constitutional violation to our right of free speech and if we do not act now, when do we act? When will it be too late?"

Reviewing the move from the ISPs, how many drones could have been caught is unknown; it cannot be that many, as most of the zombie software has since moved from IRC to use P2P and HTTP. Also, the text commands can be given in a private message, channel message or topic. Prefixes range from . to , to & and can be virtually anything, including the word of the command itself: remove, uninstall, etc.

Admins advise users to use alternative DNS servers if they experience these problems when connecting to their IRC network. Since the media attention on this issue started yesterday, several DNS records have been restored, of course without an explanation of why they were hijacked in the first place.

Over the past few years this has happened a few times before, but never on a scale like this move, and not involving networks as large as EFnet.

IRC-Junkie was unable to contact any ISPs named in this article.
_________________
Asmo

webmaster www.IRC-Junkie.org
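One way a network admin could check for the resolver-level redirection the post describes, as an added example that is not code from the thread: query the same IRC server name through several resolvers and compare the A, NS and SOA answers against the zone's authoritative ones, so that a resolver rewriting the host record, or the whole delegation as in the EFnet case, stands out. The resolver names, addresses and the `irc-example.net` zone are constructed for the example.

```python
# Constructed example: compare each resolver's A/NS/SOA answers for an IRC server
# name against the zone's authoritative answers; real answers would come from
# `dig @<resolver> <name> <type>` run against each resolver in turn.
from typing import Dict, List, Set

CHECKED_TYPES = ("A", "NS", "SOA")  # the record types the post says were rewritten

def normalise(records: List[str], rtype: str) -> Set[str]:
    """Case-fold and drop trailing dots; for SOA keep only MNAME and RNAME so a
    serial bump between caches is not mistaken for a hijack."""
    out: Set[str] = set()
    for rdata in records:
        tokens = [t.lower().rstrip(".") for t in rdata.split()]
        if rtype == "SOA":
            tokens = tokens[:2]
        out.add(" ".join(tokens))
    return out

def find_hijacked(reference: Dict[str, List[str]],
                  observed: Dict[str, Dict[str, List[str]]]) -> Dict[str, List[str]]:
    """Return {resolver: [types whose answer differs from the authoritative one]}.
    An empty answer also counts: a juped zone may simply return nothing."""
    ref = {t: normalise(reference.get(t, []), t) for t in CHECKED_TYPES}
    flagged: Dict[str, List[str]] = {}
    for resolver, answers in observed.items():
        bad = [t for t in CHECKED_TYPES if normalise(answers.get(t, []), t) != ref[t]]
        if bad:
            flagged[resolver] = bad
    return flagged

# Constructed data (documentation-range addresses, hypothetical names):
# what the zone's own nameservers answer ...
AUTHORITATIVE = {
    "A": ["192.0.2.10"],
    "NS": ["ns1.irc-example.net.", "ns2.irc-example.net."],
    "SOA": ["ns1.irc-example.net. hostmaster.irc-example.net. 2007072201 3600 900 604800 300"],
}
# ... versus three resolvers: isp-a rewrites only the A record, isp-b also replaces
# NS and SOA (the EFnet case), public is honest but has cached a newer serial.
OBSERVED = {
    "isp-a": {"A": ["198.51.100.5"], "NS": AUTHORITATIVE["NS"], "SOA": AUTHORITATIVE["SOA"]},
    "isp-b": {"A": ["198.51.100.5"], "NS": ["NS.REDIRECT-ISP.EXAMPLE."],
              "SOA": ["ns.redirect-isp.example. abuse.redirect-isp.example. 1 3600 900 604800 300"]},
    "public": {"A": ["192.0.2.10"], "NS": AUTHORITATIVE["NS"],
               "SOA": ["ns1.irc-example.net. hostmaster.irc-example.net. 2007072202 3600 900 604800 300"]},
}

if __name__ == "__main__":
    for resolver, types in find_hijacked(AUTHORITATIVE, OBSERVED).items():
        print(f"{resolver}: disagrees with authoritative on {', '.join(types)}")
```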

katsklaw



Joined: 03 Nov 2004
Posts: 155

Posted: Tue Jul 24, 2007 9:42 pm

wow! .. now THAT is a good piece of news! thanks Asmo!
El Rico



Joined: 29 Oct 2004
Posts: 7

Posted: Wed Jul 25, 2007 6:22 am

Woah, that's... evil.
Today they hijack DNS entries to clean infected PCs and tomorrow they hijack their competitors' entries to redirect the traffic to their site?
Ok, this might be a bit exaggerated but you get the idea, this is totally the wrong road to follow.
Asmo
Site Admin


Joined: 26 Oct 2004
Posts: 845
Location: Undernet

Posted: Wed Jul 25, 2007 6:57 am

Very scary move indeed. The whole online world is upside down when Google enters China, but apparently companies in the USA can determine for themselves as well what their customers can do on the Internet...
_________________
Asmo

webmaster www.IRC-Junkie.org
katsklaw



Joined: 03 Nov 2004
Posts: 155

Posted: Wed Jul 25, 2007 10:05 pm

El Rico wrote:
Woah, that's... evil.
Today they hijack DNS entries to clean infected PCs and tomorrow they hijack their competitors' entries to redirect the traffic to their site?
Ok, this might be a bit exaggerated but you get the idea, this is totally the wrong road to follow.


Actually not all that exaggerated as it's happened before.

Also irc networks have hijacked other networks' dns and re-routed it to them .. many many moons ago though .. so it's not really worth elaborating on.
Asmo
Site Admin


Joined: 26 Oct 2004
Posts: 845
Location: Undernet

Posted: Thu Jul 26, 2007 7:24 am

katsklaw wrote:
Actually not all that exaggerated as it's happened before.

Also irc networks have hijacked other networks' dns and re-routed it to them .. many many moons ago though .. so it's not really worth elaborating on.


It did, but at this scale? And with networks the size of EFnet?
_________________
Asmo

webmaster www.IRC-Junkie.org
bc



Joined: 26 Jul 2007
Posts: 2

Posted: Thu Jul 26, 2007 10:11 am

Asmo wrote:
katsklaw wrote:
Actually not all that exaggerated as it's happened before.

Also irc networks have hijacked other networks' dns and re-routed it to them .. many many moons ago though .. so it's not really worth elaborating on.


It did, but at this scale? And with networks the size of EFnet?
While this should have never happened in the first place, the IT admins of those DNS servers should have done a lot of research into where the actual botnets are going. Not the casual IRC nets that users connect to. That's where I see the flaw in this.
katsklaw



Joined: 03 Nov 2004
Posts: 155

Posted: Thu Jul 26, 2007 10:56 am

Asmo wrote:
katsklaw wrote:
Actually not all that exaggerated as it's happened before.

Also irc networks have hijacked other networks' dns and re-routed it to them .. many many moons ago though .. so it's not really worth elaborating on.


It did, but at this scale? And with networks the size of EFnet?


One involved was a Big 4 network, yes. Larger than EFnet. However, as I said .. it was a long time ago in a galaxy far away and not really worth getting into details over. Besides, I only have a few facts, not all of them. I know just enough to know it happened. Not to mention that the victimized net doesn't exist anymore.

ciao
Asmo
Site Admin


Joined: 26 Oct 2004
Posts: 845
Location: Undernet

Posted: Thu Jul 26, 2007 11:14 am

Hmm, as it happened a long time ago, other issues might have been involved as well, such as it simply being easier to pull something like that off.

The Internet has far bigger economic importance these days than even 5 years back. ISPs having the power to redirect traffic for any reason or no reason at all without having to explain is a dangerous thing. It's also impossible IMO to at the same time point a finger at, for example, China if you allow the same thing to happen in your own country.

And this is all beside the issue whether it was a worthwhile action to begin with...

Very strange indeed =D
_________________
Asmo

webmaster www.IRC-Junkie.org
El Rico



Joined: 29 Oct 2004
Posts: 7

Posted: Thu Jul 26, 2007 2:32 pm

I found a ZDNet article regarding this matter and I think their point with the Computer Misuse Act is rather interesting.
Asmo
Site Admin


Joined: 26 Oct 2004
Posts: 845
Location: Undernet

Posted: Thu Jul 26, 2007 4:53 pm

El Rico wrote:
I found a ZDNet article regarding this matter and I think their point with the Computer Misuse Act is rather interesting.


Hmm, but will the UK ever see a US based ISP in their courtroom? I can see multiple reasons why that will fail...
_________________
Asmo

webmaster www.IRC-Junkie.org
El Rico



Joined: 29 Oct 2004
Posts: 7

Posted: Fri Jul 27, 2007 7:43 am

Well, the article states that it was a move by TimeWarner ISPs and some of those are active in the UK as well (not to mention that there are other countries with similar laws where they're active, Germany for example).

And it was more the point of being sued for trying to remove malicious software that was probably installed by an unlawful act in the first place that made me wonder.
But it is an intrusion into the customer's PC without his consent, even if it is with good intentions, so that law should apply.
Unfortunately judges over here in Germany are quite unpredictable when it comes to Internet related cases, so they might even get away with stunts like this over here.
Asmo
Site Admin


Joined: 26 Oct 2004
Posts: 845
Location: Undernet

Posted: Fri Jul 27, 2007 8:12 am

Ah, I see your point. Removing trojans/viruses/zombie software etc. indeed can cause such problems in some countries due to law. That's viewing it from a different angle, legal-wise.

I think in the end they can't really have taken THAT many drones at all. I'm sure the number of users that were innocent and tried to connect to their irc network was substantially more.
_________________
Asmo

webmaster www.IRC-Junkie.org
phrozen77



Joined: 11 Nov 2004
Posts: 25

Posted: Sat Jul 28, 2007 12:22 am

Asmo wrote:
I think in the end they can't really have taken THAT many drones at all. I'm sure the number of users that were innocent and tried to connect to their irc network was substantially more.


Very probably, yeah.
nenolod



Joined: 20 Jul 2005
Posts: 6

Posted: Fri Aug 03, 2007 5:09 am

El Rico wrote:
Well, the article states that it was a move by TimeWarner ISPs and some of those are active in the UK as well (not to mention that there are other countries with similar laws where they're active, Germany for example).


Cox is not owned by TimeWarner. The move was actually initiated by Savvis, a common upstream peer for both providers. Additionally, UK laws are irrelevant in our jurisdiction, so I don't understand what valid point, if any, that article makes.

While some non-FTTP Cox systems offer roadrunner, the cox.net internet service is an entirely separate thing from TW.

Oh wait. It's a blog entry. Nevermind logic in those.

I do have good news though. The good news is that cox has discontinued this behaviour.
All times are GMT + 1 Hour