
ISP caught doing DNS hijacking in fight against bots

According to Wired Blogs, Internet service provider Cox Communications is reportedly diverting attempts to reach certain online chat channels.

When a computer makes a legitimate attempt to connect to certain channels, Cox answers the DNS lookup with the IP address of its own IRC server instead of the correct one. That server then sends IRC commands to the redirected computer, commands designed to make certain malware remove itself.

Excerpt from "ISP Seen Breaking Internet Protocol to Fight Zombie Computers":

#martian_
[INFO] Channel view for "#martian_" opened.
-->| YOU (andrew.m) have joined #martian_
=-= Mode #martian_ +nt by localhost.localdomain
=-= Topic for #martian_ is ".bot.remove"
=-= Topic for #martian_ was set by Marvin_ on Sunday, July 22, 2007 2:55:02 PM
=-= Topic for #martian_ is ".remove"
=-= Topic for #martian_ was set by Marvin_ on Sunday, July 22, 2007 2:55:02 PM
=-= Topic for #martian_ is ".uninstall"
=-= Topic for #martian_ was set by Marvin_ on Sunday, July 22, 2007 2:55:02 PM
=-= Topic for #martian_ is "!bot.remove"
=-= Topic for #martian_ was set by Marvin_ on Sunday, July 22, 2007 2:55:02 PM
=-= Topic for #martian_ is "!remove"
=-= Topic for #martian_ was set by Marvin_ on Sunday, July 22, 2007 2:55:02 PM
=-= Topic for #martian_ is "!uninstall"
=-= Topic for #martin_ was set by Marvin_ on Sunday, July 22, 2007 2:55:02 PM
<Marvin_> .bot.remove
<Marvin_> .remove
<Marvin_> .uninstall
<Marvin_> !bot.remove
<Marvin_> !remove
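As an added illustration (not code from this post, from Wired, or from Cox), here is a small Python parser for the ChatZilla-style log format in the excerpt above. It flags channels whose topic or chat lines consist of the bare bot-removal commands the excerpt shows, the sort of check an analyst could run over their own IRC logs to recognise a sinkhole or cleaner channel. The sample log is constructed to mirror the excerpt.

```python
import re
from collections import defaultdict

# Constructed sample in the ChatZilla log format quoted in the post (not a live capture).
SAMPLE_LOG = """\
[INFO] Channel view for "#martian_" opened.
-->| YOU (andrew.m) have joined #martian_
=-= Mode #martian_ +nt by localhost.localdomain
=-= Topic for #martian_ is ".bot.remove"
=-= Topic for #martian_ was set by Marvin_ on Sunday, July 22, 2007 2:55:02 PM
=-= Topic for #martian_ is "!uninstall"
=-= Topic for #martian_ was set by Marvin_ on Sunday, July 22, 2007 2:55:02 PM
<Marvin_> .remove
<Marvin_> !bot.remove
<andrew.m> hello, is anyone actually here?
"""

VIEW_RE = re.compile(r'^\[INFO\] Channel view for "(?P<chan>[^"]+)" opened\.$')
TOPIC_RE = re.compile(r'^=-= Topic for (?P<chan>\S+) is "(?P<topic>[^"]*)"$')
MSG_RE = re.compile(r'^<(?P<nick>[^>]+)> (?P<text>.*)$')
# The removal verbs from the excerpt: '.' or '!' prefix, optional 'bot.', then remove/uninstall.
COMMAND_RE = re.compile(r'^[.!](?:bot\.)?(?:remove|uninstall)$')

def is_bot_command(text):
    """True when a topic or message is nothing but a bot-removal command."""
    return COMMAND_RE.match(text.strip()) is not None

def find_bot_commands(log):
    """Return {channel: {"topics": [...], "messages": [(nick, cmd), ...]}} for every
    topic change or chat line that is a bare bot-removal command."""
    hits = defaultdict(lambda: {"topics": [], "messages": []})
    current = None  # channel this log view belongs to, taken from the [INFO] header
    for line in log.splitlines():
        if (m := VIEW_RE.match(line)):
            current = m.group("chan")
        elif (m := TOPIC_RE.match(line)):
            if is_bot_command(m.group("topic")):
                hits[m.group("chan")]["topics"].append(m.group("topic"))
        elif (m := MSG_RE.match(line)) and current and is_bot_command(m.group("text")):
            hits[current]["messages"].append((m.group("nick"), m.group("text").strip()))
    return dict(hits)

if __name__ == "__main__":
    for chan, found in find_bot_commands(SAMPLE_LOG).items():
        print(chan, "topics:", found["topics"], "messages:", found["messages"])
```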

This tactic is now being heavily debated by networking experts on the NANOG mailing list.

There are some who give it a thumbs-up, though. Says Adam Waters of Support Intelligence:

[I]t can't be a surprise that the ISPs have come, at long last, to fixing zombies without customer notification/consent...

Frankly, redirecting requests to malware sites, or IRC communication channels, to cleaner-sites sounds like a practical short term tactic to me.

Not surprisingly, this tactic has not found favor with everyone. Anthony Sanchez of irc.ablenet.org, the victim of this treatment by TimeWarner/Road Runner/AOL and then Cox, laments that:

These providers, while perhaps noble in their cause, are denying us our right to exist. If we were a large organization, this very likely would not be happening.

Do you have anything to add about the DNS hijacking methods that are being adopted?

About

Paul Mah is a writer and blogger who lives in Singapore, where he has worked for a number of years in various capacities within the IT industry. Paul enjoys tinkering with tech gadgets, smartphones, and networking devices.
