The good folks at Shadowserver has been giving us a feed of IPs that are hitting those DNS server since November and last month we got the last of the customers cleaned up. Not all ISPs are non-proactive. Frank -----Original Message----- From: Paul Graydon [mailto:paul@paulgraydon.co.uk] Sent: Thursday, April 26, 2012 4:48 PM To: nanog@nanog.org Subject: Re: Operation Ghost Click On 04/26/2012 11:44 AM, Andrew Latham wrote:
On Thu, Apr 26, 2012 at 5:38 PM, Jeroen van Aart<jeroen@mompl.net> wrote:
Excuse the horrible subject :-)
Anyone have anything insightful to say about it? Is it just lots of fuss about nothing or is it an actual substantial problem?
http://www.fbi.gov/news/stories/2011/november/malware_110911
"Update on March 12, 2012: To assist victims affected by the DNSChanger malicious software, the FBI obtained a court order authorizing the Internet Systems Consortium (ISC) to deploy and maintain temporary clean DNS servers. This solution is temporary, providing additional time for victims to clean affected computers and restore their normal DNS settings. The clean DNS servers will be turned off on July 9, 2012, and computers still impacted by DNSChanger may lose Internet connectivity at that time."
-- Earthquake Magnitude: 5.5 Date: Thursday, April 26, 2012 19:21:45 UTC Location: off the west coast of northern Sumatra Latitude: 2.6946; Longitude: 94.5307 Depth: 26.00 km
Yes its a major problem for the users unknowingly infected. To them it will look like their Internet connection is down. Expect ISPs to field lots of support calls.
Based on conversations on this list a month or so ago, ISPs were contacted with details of which of their IPs had compromised boxes behind them, but it seems the consensus is that ISP were going to just wait for users to phone support when it broke rather than be proactive about it. Paul