A) The DNS changer working group site http://www.dns-ok.us seems to be down for the clean people anyway. (Down for everyone agrees with me.)

B) Fox, CNN, and MSNBC have apparently all run stories in the last couple of hours that essentially ended with 'Call your ISP if you have any questions' (gee thanks). And I'm told the ABC/CBS/NBC are running the same basic thing tonight, with the same basic ending.

The more you know...

__________________________
Eric Esslinger
Information Services Manager - Fayetteville Public Utilities
http://www.fpu-tn.com/
(931)433-1522 ext 165

This message may contain confidential and/or proprietary information and is intended for the person/entity to whom it was originally addressed. Any use by others is strictly prohibited.
On Jul 6, 2012, at 12:34 PM, Eric J Esslinger wrote:
A) The DNS changer working group site http://www.dns-ok.us seems to be down for the clean people anyway. (Down for everyone agrees with me).
Works via IPv6. (I suspect all the media attention you referenced may be causing some load issues over "Classic IP - Version 4").

- Jared

puck:~$ curl -v dns-ok.us
* About to connect() to dns-ok.us port 80 (#0)
* Trying 2606:700::2644:c160... connected
* Connected to dns-ok.us (2606:700::2644:c160) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.21.0 (x86_64-redhat-linux-gnu) libcurl/7.21.0 NSS/3.12.10.0 zlib/1.2.5 libidn/1.18 libssh2/1.2.4
> Host: dns-ok.us
> Accept: */*
< HTTP/1.1 200 OK
< Date: Fri, 06 Jul 2012 16:38:50 GMT
< Server: Apache/2.2.22 (Unix) PHP/5.4.4
< Last-Modified: Wed, 30 May 2012 20:51:40 GMT
< ETag: "7f5c1-67e-4c1471e35bf2a"
< Accept-Ranges: bytes
< Content-Length: 1662
< Connection: close
< Content-Type: text/html
<
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
Jared Mauch wrote:
On Jul 6, 2012, at 12:34 PM, Eric J Esslinger wrote:
A) The DNS changer working group site http://www.dns-ok.us seems to be down for the clean people anyway. (Down for everyone agrees with me).
Works via IPv6. (I suspect all the media attention you referenced may be causing some load issues over "Classic IP - Version 4").
Loaded via IPv4, albeit slowly. At least for me.
The dns-ok.us site is getting crushed from all the sudden media interest. We're trying to tweak it to handle the 50,000 or so simultaneous connections.

Andy

Andrew Fried
andrew.fried@gmail.com

On 7/6/12 12:34 PM, Eric J Esslinger wrote:
A) The DNS changer working group site http://www.dns-ok.us seems to be down for the clean people anyway. (Down for everyone agrees with me.)

B) Fox, CNN, and MSNBC have apparently all run stories in the last couple of hours that essentially ended with 'Call your ISP if you have any questions' (gee thanks). And I'm told the ABC/CBS/NBC are running the same basic thing tonight, with the same basic ending.
The more you know...
__________________________
Eric Esslinger
Information Services Manager - Fayetteville Public Utilities
http://www.fpu-tn.com/
(931)433-1522 ext 165
On Fri, 06 Jul 2012 13:20:55 -0400, Andrew Fried said:
The dns-ok.us site is getting crushed from all the sudden media interest.
One wonders why it's so hard to get the media interested when it would be *helpful*. DNS Changer gets traction like 3 days before the drop dead date, IPv6 gets on the radar *after* we run out of v4 /8's to give to regionals, etc...
On 7/6/12 10:44 AM, valdis.kletnieks@vt.edu wrote:
On Fri, 06 Jul 2012 13:20:55 -0400, Andrew Fried said:
The dns-ok.us site is getting crushed from all the sudden media interest.
One wonders why it's so hard to get the media interested when it would be *helpful*. DNS Changer gets traction like 3 days before the drop dead date, IPv6 gets on the radar *after* we run out of v4 /8's to give to regionals, etc...
Reactive is easier to justify to the powers that be than proactive.

~Seth
So instead of turning the servers off, would it not have been helpful to have the servers return a "captive portal" type of response saying "hey, since you use this server, you are broken, go here to get fixed"

Seems that would have been a more graceful ramp down.

CB
The ISPs who have been proactive in mitigating and redirecting have been/are doing this. (global reach here)

The court ordered DNS servers have been up since Nov 9th and lots of outreach done....the intent was a graceful ramp down. Sadly, the state of folks helping with overall malware cleanup is still lots of finger pointing.

FUD with press and over sensationalism not helping.

- merike

On Jul 6, 2012, at 10:52 AM, Cameron Byrne wrote:
So instead of turning the servers off, would it not have been helpful to have the servers return a "captive portal" type of response saying "hey, since you use this server, you are broken, go here to get fixed"
Seems that would have been a more graceful ramp down.
CB
We verified one a while back, who had already had the problem fixed when the FBI sent us the physical mail. Considering number of internet customers in the US vs our internet customers with known number of US subscribers affected at its height, I figure if the percentages are good we've taken care of several times the number of likely cases on our network with that one customer. *wink* I'm told by various sources to expect similar stories on the nightly national news programs tonight, with a similar 'call your isp' ending. I've also heard the site IS reachable via ipv6 and they are dealing with the load issues as we speak (and some people are getting through, albeit slowly).

I'm pretty comfortable about my network; I've been catching dns lookup destinations from my users for months (not contents, just destination ip's) and the list of outside addresses covers most of the well known public dns servers (open dns, google, etc...) with the exception of a handful that seem to be running their own full blown recursive caching servers, which go everywhere looking for authoritative lookups. (One I knew about, he complains because I won't allow his basic cable account to act as an open server for his DNS when he's out of town. If he wants a static IP I can arrange opening the port, till then... He is always welcome to VPN into his home network as well.)

Been having callers look up their IP, then checking the query logs to see if they hit our dns servers. So far I'm at 100%.

I thought of whipping up a script for my recursive DNS servers to setup a webpage to let them see if they were accessing those servers, but I just don't have time right now (fiscal year just started and everyone wants their projects done 'now'.)

Addendum: Site appears up and fast now. So that's something anyway.

__________________________
Eric Esslinger
Information Services Manager - Fayetteville Public Utilities
http://www.fpu-tn.com/
(931)433-1522 ext 165
-----Original Message-----
From: Merike Kaeo [mailto:kaeo@merike.com]
Sent: Friday, July 06, 2012 1:06 PM
To: Cameron Byrne
Cc: nanog@nanog.org
Subject: Re: DNS Changer items
The ISPs who have been proactive in mitigating and redirecting have been/are doing this. (global reach here)
The court ordered DNS servers have been up since Nov 9th and lots of outreach done....the intent was a graceful ramp down. Sadly, the state of folks helping with overall malware cleanup is still lots of finger pointing.
FUD with press and over sensationalism not helping.
- merike
On Jul 6, 2012, at 10:52 AM, Cameron Byrne wrote:
So instead of turning the servers off, would it not have been helpful to have the servers return a "captive portal" type of response saying "hey, since you use this server, you are broken, go here to get fixed"
Seems that would have been a more graceful ramp down.
CB
-----Original Message-----
From: Eric J Esslinger [mailto:eesslinger@fpu-tn.com]
Sent: Friday, July 06, 2012 11:10 AM
To: 'nanog@nanog.org'
Subject: RE: DNS Changer items
We verified one a while back, who had already had the problem fixed when the FBI sent us the physical mail. Considering number of internet customers in the US vs our internet customers with known number of US subscribers affected at its height, I figure if the percentages are good we've taken care of several times the number of likely cases on our network with that one customer. *wink* I'm told by various sources to expect similar stories on the nightly national news programs tonight, with a similar 'call your isp' ending. I've also heard the site IS reachable via ipv6 and they are dealing with the load issues as we speak (and some people are getting through, albeit slowly).

I'm pretty comfortable about my network; I've been catching dns lookup destinations from my users for months (not contents, just destination ip's) and the list of outside addresses covers most of the well known public dns servers (open dns, google, etc...) with the exception of a handful that seem to be running their own full blown recursive caching servers, which go everywhere looking for authoritative lookups. (One I knew about, he complains because I won't allow his basic cable account to act as an open server for his DNS when he's out of town. If he wants a static IP I can arrange opening the port, till then... He is always welcome to VPN into his home network as well.)

Been having callers look up their IP, then checking the query logs to see if they hit our dns servers. So far I'm at 100%.

I thought of whipping up a script for my recursive DNS servers to setup a webpage to let them see if they were accessing those servers, but I just don't have time right now (fiscal year just started and everyone wants their projects done 'now'.)

[Tomas L. Byrnes] For anyone who wants to find any hosts behind their firewall that are still infected, you can post a firewall log into our public site, and we'll call out all attempts to contact the sinkhole servers (with the internal IPs), assuming you log outbound DNS or all connections. http://www.threatstop.com/dnschanger We've been doing this for subscribers (including free community ones) since we got the sinkhole IPs from Andrew @ SIE/MAAWG.
Addendum: Site appears up and fast now. So that's something anyway.
__________________________
Eric Esslinger
Information Services Manager - Fayetteville Public Utilities
http://www.fpu-tn.com/
(931)433-1522 ext 165
-----Original Message-----
From: Merike Kaeo [mailto:kaeo@merike.com]
Sent: Friday, July 06, 2012 1:06 PM
To: Cameron Byrne
Cc: nanog@nanog.org
Subject: Re: DNS Changer items
The ISPs who have been proactive in mitigating and redirecting have been/are doing this. (global reach here)
The court ordered DNS servers have been up since Nov 9th and lots of outreach done....the intent was a graceful ramp down. Sadly, the state of folks helping with overall malware cleanup is still lots of finger pointing.
FUD with press and over sensationalism not helping.
- merike
On Jul 6, 2012, at 10:52 AM, Cameron Byrne wrote:
So instead of turning the servers off, would it not have been helpful to have the servers return a "captive portal" type of response saying "hey, since you use this server, you are broken, go here to get fixed"
Seems that would have been a more graceful ramp down.
CB
We've been doing this for subscribers (including free community ones) since we got the sinkhole IPs from Andrew @ SIE/MAAWG.
At least now, the ranges are publicly outlined in http://www.fbi.gov/news/stories/2011/november/malware_110911/DNS-changer-mal...

85.255.112.0 through 85.255.127.255
67.210.0.0 through 67.210.15.255
93.188.160.0 through 93.188.167.255
77.67.83.0 through 77.67.83.255
213.109.64.0 through 213.109.79.255
64.28.176.0 through 64.28.191.255

These also return the "RED" dnschanger page:

$ dig +short @64.28.180.1 dns-ok.us
38.68.193.97

- Nick

--
Nick Semenkovich
Laboratory of Dr. Jeffrey I. Gordon
Medical Scientist Training Program
School of Medicine
Washington University in St. Louis
http://web.mit.edu/semenko/
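The two checks described in this part of the thread, Tomas's (scan a firewall log for internal hosts that contacted the sinkhole servers) and Eric's (confirm that a given caller's IP actually hit the ISP's own resolver), as one added Python example. This is not ThreatStop's, the DCWG's or any ISP's code. The six address ranges are exactly the ones from the FBI notice quoted above; everything else is an assumption made for the example: the key=value log format (src=/dst=/dport=), the internal 192.168.1.x hosts, the resolver address 203.0.113.53 and the sample log lines are all constructed.

```python
"""Flag internal hosts still contacting the DNSChanger sinkhole ranges.
Added example; not ThreatStop's, the DCWG's or any ISP's code.
The six ranges are the ones from the FBI notice quoted in the thread; the
log format (src=/dst=/dport= fields) and the log lines are constructed."""
import ipaddress
import re
from collections import defaultdict

# Published ranges, as "start through end" in the FBI notice.
DNSCHANGER_RANGES = [
    ("85.255.112.0", "85.255.127.255"),
    ("67.210.0.0", "67.210.15.255"),
    ("93.188.160.0", "93.188.167.255"),
    ("77.67.83.0", "77.67.83.255"),
    ("213.109.64.0", "213.109.79.255"),
    ("64.28.176.0", "64.28.191.255"),
]

def ranges_to_networks(ranges):
    """Collapse start/end pairs into CIDR networks, e.g. 85.255.112.0/20."""
    nets = []
    for start, end in ranges:
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(start), ipaddress.ip_address(end)))
    return nets

SINKHOLE_NETS = ranges_to_networks(DNSCHANGER_RANGES)

def is_sinkhole(addr):
    """True if addr falls inside any of the published DNSChanger ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in SINKHOLE_NETS)

# Assumed firewall log format: key=value fields somewhere on the line.
LOG_RE = re.compile(r"src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)")

def parse_line(line):
    """Return (src, dst, dport) or None for lines that do not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return m.group("src"), m.group("dst"), int(m.group("dport"))

def find_sinkhole_clients(lines, dns_only=False):
    """Map each internal source IP to the set of sinkhole IPs it contacted.
    dns_only=True restricts the check to port 53 (what a changed resolver
    setting produces); the default also catches other traffic to those ranges."""
    hits = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, dport = parsed
        if dns_only and dport != 53:
            continue
        if is_sinkhole(dst):
            hits[src].add(dst)
    return dict(hits)

def queried_resolver(lines, client_ip, resolver_ip):
    """Eric's check: did this client send DNS (port 53) to our own resolver?"""
    return any(
        parsed is not None and parsed[0] == client_ip
        and parsed[1] == resolver_ip and parsed[2] == 53
        for parsed in map(parse_line, lines)
    )

# Constructed sample log: 192.168.1.20 is infected, .30 talks to a sinkhole
# range on port 80, .40 hits an address just outside a range, .21 is clean
# and uses the (assumed) ISP resolver 203.0.113.53.
SAMPLE_LOG = """\
Jul  6 12:01:03 fw kernel: OUT src=192.168.1.20 dst=85.255.112.34 dport=53 proto=UDP
Jul  6 12:01:04 fw kernel: OUT src=192.168.1.21 dst=203.0.113.53 dport=53 proto=UDP
Jul  6 12:01:09 fw kernel: OUT src=192.168.1.20 dst=64.28.180.1 dport=53 proto=UDP
Jul  6 12:02:10 fw kernel: OUT src=192.168.1.30 dst=93.188.161.5 dport=80 proto=TCP
Jul  6 12:02:11 fw kernel: a line without the expected fields
Jul  6 12:03:00 fw kernel: OUT src=192.168.1.40 dst=77.67.84.1 dport=53 proto=UDP
""".splitlines()

if __name__ == "__main__":
    for host, sinks in sorted(find_sinkhole_clients(SAMPLE_LOG).items()):
        print(host, "->", ", ".join(sorted(sinks)))
    print("192.168.1.21 used our resolver:",
          queried_resolver(SAMPLE_LOG, "192.168.1.21", "203.0.113.53"))
```

Run against a real export, `find_sinkhole_clients(open(path))` lists the internal hosts to chase; the `dns_only` switch matters because a host that only reaches a sinkhole range on port 80 (like .30 in the sample) may be a scanner or a stale bookmark rather than a changed resolver setting, so it is worth reporting separately rather than silently folded in.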
On 7/6/2012 11:06 AM, valdis.kletnieks@vt.edu wrote:
On Fri, 06 Jul 2012 10:52:56 -0700, Cameron Byrne said:
So instead of turning the servers off, would it not have been helpful to have the servers return a "captive portal" type of response

Not all DNS lookups are for HTTP.
If you turn the servers off, then everything fails. The user sits there bewildered and calls his/her ISP to report the Internet is down. If HTTP was pointed to a server that had a page that said what the problem is and what to do, it would be a lot better. Any tech support these users call can diagnose the problem in a few seconds.
-----Original Message-----
From: valdis.kletnieks@vt.edu [mailto:valdis.kletnieks@vt.edu]
Sent: Friday, July 06, 2012 11:07 AM
To: Cameron Byrne
Cc: nanog@nanog.org
Subject: Re: DNS Changer items
On Fri, 06 Jul 2012 10:52:56 -0700, Cameron Byrne said:
So instead of turning the servers off, would it not have been helpful to have the servers return a "captive portal" type of response

Not all DNS lookups are for HTTP.

[Tomas L. Byrnes] It's still better to do this than simply turn off all resolution.
The DNS redirection began on November 8, 2011. The servers were instrumented to capture a very small portion of the dns data (source ip and port only) so that reports of infected users could be sent to the ISPs via reporting organizations like Shadowserver.

Some ISPs did create walled gardens. Some merely redirected affected customers to their own internal DNS servers. Some ISPs did aggressive notifications to their users. And some ISPs did nothing.

Sites were set up to allow users to check their systems (dns-ok.us, etc). The DCWG set up an information site to provide information on how to detect the DNSchanger infection and how to fix it. AV companies provided tools to help clean up systems, and the tools were published on the DCWG.org website.

The FBI went to great lengths to get press coverage to get the word out.

This operation has been ongoing for 7 months, 27 days and 14 hours.

How much more of a graceful ramp down could there have been?

Andy

Andrew Fried
andrew.fried@gmail.com

On 7/6/12 1:52 PM, Cameron Byrne wrote:

So instead of turning the servers off, would it not have been helpful to have the servers return a "captive portal" type of response saying "hey, since you use this server, you are broken, go here to get fixed"
Seems that would have been a more graceful ramp down.
CB
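The walled-garden mechanism Andrew mentions and Cameron asks for, as an added Python example (not the ISC sinkhole's, the DCWG's or any ISP's code): a minimal responder that answers every A/IN question with one fixed portal address and answers anything else with NOERROR and an empty answer section, with both sides of the exchange built and parsed in the same file so it runs offline. The portal address 192.0.2.10, the query names and the transaction id are assumptions. It also makes Valdis's objection concrete: the responder cannot tell an HTTP lookup from a mail-server lookup, so a client resolving mail.example.net is sent to the portal as well, where its SMTP session finds nothing to talk to and fails without any explanation the user can see.

```python
"""Minimal walled-garden DNS responder (added example, not the sinkhole's code).
Every A/IN question is answered with one fixed 'portal' address so that a web
browser on an affected machine lands on an explanation page; any other query
type gets NOERROR with an empty answer section (NODATA)."""
import socket
import struct

def encode_name(name):
    """Encode 'dns-ok.us' as DNS labels: len 6, 'dns-ok', len 2, 'us', 0."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, qtype=1, txid=0x1234):
    """Client side: a standard recursive query (RD set) with one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def parse_question(packet):
    """Return (txid, flags, name, qtype, qclass, offset just past the question)."""
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer not expected in a question")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return txid, flags, ".".join(labels), qtype, qclass, pos + 4

def walled_garden_reply(query, portal_ip, ttl=60):
    """Server side: echo the question, answer A/IN with portal_ip, else NODATA."""
    txid, flags, _name, qtype, qclass, qend = parse_question(query)
    question = query[12:qend]
    # QR=1 (response), AA=1, RD copied from the query, RA=1, RCODE=0
    resp_flags = 0x8480 | (flags & 0x0100)
    if qtype == 1 and qclass == 1:
        header = struct.pack("!HHHHHH", txid, resp_flags, 1, 1, 0, 0)
        # NAME is a compression pointer to offset 12 (the question name)
        answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(portal_ip)
        return header + question + answer
    header = struct.pack("!HHHHHH", txid, resp_flags, 1, 0, 0, 0)
    return header + question

def parse_a_answers(packet):
    """Client side: pull the IPv4 addresses out of a response's answer section."""
    ancount = struct.unpack("!H", packet[6:8])[0]
    pos = parse_question(packet)[5]
    ips = []
    for _ in range(ancount):
        # this responder always writes a 2-byte name pointer in answers
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", packet[pos + 2:pos + 12])
        if rtype == 1 and rclass == 1:
            ips.append(socket.inet_ntoa(packet[pos + 12:pos + 12 + rdlen]))
        pos += 12 + rdlen
    return ips

def resolve_through_garden(name, qtype=1, portal_ip="192.0.2.10"):
    """Run the whole exchange in-process: client query -> garden -> parsed answer."""
    return parse_a_answers(walled_garden_reply(build_query(name, qtype), portal_ip))

if __name__ == "__main__":
    print("dns-ok.us A         ->", resolve_through_garden("dns-ok.us"))
    print("mail.example.net A  ->", resolve_through_garden("mail.example.net"))
    print("dns-ok.us AAAA      ->", resolve_through_garden("dns-ok.us", qtype=28))
```

Bound to UDP port 53 on the redirect server, `walled_garden_reply` is all the server needs; the answer carries AA so resolvers on the affected hosts treat it as authoritative, and the short TTL keeps the portal from sticking in caches once the customer has fixed the resolver setting.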
I think having the ISC DNS changer sinkhole servers return the DCWG check page IP for all queries would be a good final act.
-----Original Message-----
From: Andrew Fried [mailto:andrew.fried@gmail.com]
Sent: Friday, July 06, 2012 11:16 AM
To: Cameron Byrne
Cc: nanog@nanog.org
Subject: Re: DNS Changer items
The DNS redirection began on November 8, 2011. The servers were instrumented to capture a very small portion of the dns data (source ip and port only) so that reports of infected users could be sent to the ISPs via reporting organizations like Shadowserver.
Some ISPs did create walled gardens. Some merely redirected affected customers to their own internal DNS servers. Some ISPs did aggressive notifications to their users. And some ISPs did nothing.
Sites were set up to allow users to check their systems (dns-ok.us, etc). The DCWG set up an information site to provide information on how to detect the DNSchanger infection and how to fix it. AV companies provided tools to help clean up systems, and the tools were published on the DCWG.org website.
The FBI went to great lengths to get press coverage to get the word out.
This operation has been ongoing for 7 months, 27 days and 14 hours.
How much more of a graceful ramp down could there have been?
Andy
Andrew Fried andrew.fried@gmail.com
On 7/6/12 1:52 PM, Cameron Byrne wrote:
So instead of turning the servers off, would it not have been helpful to have the servers return a "captive portal" type of response saying "hey, since you use this server, you are broken, go here to get fixed"
Seems that would have been a more graceful ramp down.
CB
Cameron,

That idea had been brought up. Also discussed was short durations of random blackouts of dns resolution to impress upon the infected users that they needed to take action. Unfortunately, taking either of those actions would have exceeded the authorization of the court order.

We're coming up with a pretty detailed list of "lessons learned" from this operation and being able to implement ideas like yours will hopefully be considered in advance "next time".

Andy

Andrew Fried
andrew.fried@gmail.com

On 7/6/12 3:58 PM, Tomas L. Byrnes wrote:
I think having the ISC DNS changer sinkhole servers return the DCWG check page IP for all queries would be a good final act.
-----Original Message-----
From: Andrew Fried [mailto:andrew.fried@gmail.com]
Sent: Friday, July 06, 2012 11:16 AM
To: Cameron Byrne
Cc: nanog@nanog.org
Subject: Re: DNS Changer items
The DNS redirection began on November 8, 2011. The servers were instrumented to capture a very small portion of the dns data (source ip and port only) so that reports of infected users could be sent to the ISPs via reporting organizations like Shadowserver.
Some ISPs did create walled gardens. Some merely redirected affected customers to their own internal DNS servers. Some ISPs did aggressive notifications to their users. And some ISPs did nothing.
Sites were set up to allow users to check their systems (dns-ok.us, etc). The DCWG set up an information site to provide information on how to detect the DNSchanger infection and how to fix it. AV companies provided tools to help clean up systems, and the tools were published on the DCWG.org website.
The FBI went to great lengths to get press coverage to get the word out.
This operation has been ongoing for 7 months, 27 days and 14 hours.
How much more of a graceful ramp down could there have been?
Andy
Andrew Fried andrew.fried@gmail.com
On 7/6/12 1:52 PM, Cameron Byrne wrote:
So instead of turning the servers off, would it not have been helpful to have the servers return a "captive portal" type of response saying "hey, since you use this server, you are broken, go here to get fixed"
Seems that would have been a more graceful ramp down.
CB
On 7/6/2012 1:15 PM, Andrew Fried wrote:
Cameron,
That idea had been brought up. Also discussed was short durations of random blackouts of dns resolution to impress upon the infected users that they needed to take action. Unfortunately, taking either of those actions would have exceeded the authorization of the court order.
We're coming up with a pretty detailed list of "lessons learned" from this operation and being able to implement ideas like yours will hopefully be considered in advance "next time".
Andy
Andrew Fried andrew.fried@gmail.com
Doesn't the court order expire as of Monday? What happens to those IP ranges then?
The subnets will probably be held until the conclusion of the criminal trials. After that, the addresses may be held back from assignment for a while (e.g. a year), but eventually they'll get reassigned.

Andrew Fried
andrew.fried@gmail.com

On 7/6/12 4:45 PM, Roy wrote:
On 7/6/2012 1:15 PM, Andrew Fried wrote:
Cameron,
That idea had been brought up. Also discussed was short durations of random blackouts of dns resolution to impress upon the infected users that they needed to take action. Unfortunately, taking either of those actions would have exceeded the authorization of the court order.
We're coming up with a pretty detailed list of "lessons learned" from this operation and being able to implement ideas like yours will hopefully be considered in advance "next time".
Andy
Andrew Fried andrew.fried@gmail.com
Doesn't the court order expire as of Monday? What happens to those IP ranges then?
----- Original Message -----
From: "Seth Mattinen" <sethm@rollernet.us>
On Fri, 06 Jul 2012 13:20:55 -0400, Andrew Fried said:
The dns-ok.us site is getting crushed from all the sudden media interest.
One wonders why it's so hard to get the media interested when it would be *helpful*. DNS Changer gets traction like 3 days before the drop dead date, IPv6 gets on the radar *after* we run out of v4 /8's to give to regionals, etc...
Reactive is easier to justify to the powers that be than proactive.
It's easier to justify *not* being smart enough to deal with the problem when it doesn't cause a major disruption? Have we venerated stupidity *that deeply* in the US?

Cheers,
-- jra

--
Jay R. Ashworth Baylink jra@baylink.com
Designer The Things I Think RFC 2100
Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII
St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274
On Jul 7, 2012, at 10:31 AM, Jay Ashworth wrote:
----- Original Message -----
From: "Seth Mattinen" <sethm@rollernet.us>
On Fri, 06 Jul 2012 13:20:55 -0400, Andrew Fried said:
The dns-ok.us site is getting crushed from all the sudden media interest.
One wonders why it's so hard to get the media interested when it would be *helpful*. DNS Changer gets traction like 3 days before the drop dead date, IPv6 gets on the radar *after* we run out of v4 /8's to give to regionals, etc...
Reactive is easier to justify to the powers that be than proactive.
It's easier to justify *not* being smart enough to deal with the problem when it doesn't cause a major disruption?
When it isn't causing a major problem, the powers that be have a harder time understanding the need to act.

Once it is causing a major disruption, the powers that be have no trouble understanding the need to act.

This is not veneration of stupidity, it is human nature. Often summarized in the colloquialism "The squeaky wheel gets the grease."

Owen
FYI RIPE reallocated these blocks. Whilst I understand they didn't want the court order, this seems a bit silly, doesn't that now make the machines residing in these blocks special - even if the owners aren't miscreants, it makes them a viable target.

https://www.ripe.net/internet-coordination/news/clarification-on-reallocated...

inetnum: 93.188.160.0 - 93.188.167.255
netname: LT-HOSTING-20120810
descr: Aurimas Rapalis trading as "II Hosting Media"
country: US

inetnum: 85.255.112.0 - 85.255.127.255
netname: INEVO-NET
descr: Inevo Labs SRL
country: RO

On 13 July 2012 19:48, Owen DeLong <owen@delong.com> wrote:
On Jul 7, 2012, at 10:31 AM, Jay Ashworth wrote:
----- Original Message -----
From: "Seth Mattinen" <sethm@rollernet.us>
On Fri, 06 Jul 2012 13:20:55 -0400, Andrew Fried said:
The dns-ok.us site is getting crushed from all the sudden media interest.
One wonders why it's so hard to get the media interested when it would be *helpful*. DNS Changer gets traction like 3 days before the drop dead date, IPv6 gets on the radar *after* we run out of v4 /8's to give to regionals, etc...
Reactive is easier to justify to the powers that be than proactive.
It's easier to justify *not* being smart enough to deal with the problem when it doesn't cause a major disruption?
When it isn't causing a major problem, the powers that be have a harder time understanding the need to act.
Once it is causing a major disruption, the powers that be have no trouble understanding the need to act.
This is not veneration of stupidity, it is human nature. Often summarized in the colloquialism "The squeaky wheel gets the grease."
Owen
-- Director / Founder IX Reach Ltd E: steve.wilcox@ixreach.com M: +44 7966 048633 Tempus Court, Bellfield Road, High Wycombe, HP13 5HA, UK.
From the little blurb on the RIPE site, it sounds like the Dutch police are making threats (taking over administration) that they can't legally keep. It also sounds like RIPE did a big screw you to the Dutch police for trying to interfere.
-Grant

On Wed, Aug 15, 2012 at 4:46 AM, Stephen Wilcox <steve.wilcox@ixreach.com> wrote:

FYI RIPE reallocated these blocks. Whilst I understand they didn't want the court order, this seems a bit silly, doesn't that now make the machines residing in these blocks special - even if the owners aren't miscreants, it makes them a viable target.
https://www.ripe.net/internet-coordination/news/clarification-on-reallocated...
inetnum: 93.188.160.0 - 93.188.167.255
netname: LT-HOSTING-20120810
descr: Aurimas Rapalis trading as "II Hosting Media"
country: US

inetnum: 85.255.112.0 - 85.255.127.255
netname: INEVO-NET
descr: Inevo Labs SRL
country: RO
On 13 July 2012 19:48, Owen DeLong <owen@delong.com> wrote:
On Jul 7, 2012, at 10:31 AM, Jay Ashworth wrote:
----- Original Message -----
From: "Seth Mattinen" <sethm@rollernet.us>
On Fri, 06 Jul 2012 13:20:55 -0400, Andrew Fried said:
The dns-ok.us site is getting crushed from all the sudden media interest.
One wonders why it's so hard to get the media interested when it would be *helpful*. DNS Changer gets traction like 3 days before the drop dead date, IPv6 gets on the radar *after* we run out of v4 /8's to give to regionals, etc...
Reactive is easier to justify to the powers that be than proactive.
It's easier to justify *not* being smart enough to deal with the problem when it doesn't cause a major disruption?
When it isn't causing a major problem, the powers that be have a harder time understanding the need to act.
Once it is causing a major disruption, the powers that be have no trouble understanding the need to act.
This is not veneration of stupidity, it is human nature. Often summarized in the colloquialism "The squeaky wheel gets the grease."
Owen
-- Director / Founder IX Reach Ltd E: steve.wilcox@ixreach.com M: +44 7966 048633 Tempus Court, Bellfield Road, High Wycombe, HP13 5HA, UK.
Caved? How so? It looks like RIPE is ignoring the court order to keep the blocks locked. Unless I am misunderstanding it.

On Wed, Aug 15, 2012 at 3:52 PM, Randy Bush <randy@psg.com> wrote:
It also sounds like RIPE did a big screw you to the Dutch police for trying to interfere.
no, they caved.
On 15/08/2012 22:34, Randy Bush wrote:
at the time, ripe caved to the court order. took some weeks before they woke up. now a lot of noise, lawyers, and whitewash.
whoa, wait up there, you cocky youngster. It wasn't a court order; it was a police order consequent to a request for international judicial assistance, consequent to a court order issued by a US federal district judge who felt that the DNSchanger IP addresses ought to be locked down (this was much the same order which ARIN was obliged to comply with). The judicial assistance request asked that the RIR registration objects be locked from the time of delivery of the order until March 22, 2012 in order to prohibit any changes from being made to them.

It turns out that both the Netherlands and the USA are parties to the Hague Service Convention which allows requests to be made if one intends to apply for judicial assistance in country B pursuant to a court order in country A. This is a well-established procedure under international law.

This request for judicial assistance was handled by the Dutch police, who invoked article 2 of the 1993 Police Act, which provides a general framework for issuing orders in the absence of specific laws covering the situation that they are attempting to deal with. In the absence of relevant case law covering this situation, the RIPE NCC obliged and locked the objects. A week later, they initiated a case against the Dutch public prosecutor so that the issue could come before the Dutch courts and they'd get useful case law out of the situation. Looks like the public prosecutor threatened to "seize" the "RIPE NCC administration" if they didn't comply.

Approx 2 months later after taking legal advice, the NCC formed the view that the police and the prosecutor had no legal basis for making the request and they consequently unlocked the objects. The reasons for this decision are summarised here:
http://www.ripe.net/internet-coordination/news/about-ripe-ncc-and-ripe/summo...
So yes, lots of noise and lawyers. Not so much whitewash, and depending on the propaganda volume you've turned the dial up to, "caved in" could easily be replaced by "complied under duress with the express intention of fighting the corner", but I'll admit that sometimes it's a whole pile of fun to fling a bit of poo around even if it's not really justified. ianal, and this analysis may well be totally wrong, Nick
ripe caved at the time. yes it was a yank court order propagated as a dutch police order. in ljubljana, ncc staff said that they regretted caving, had not really needed to do so, it was a mistake that they would not repeat. present company excluded, we all make mistakes. randy
On 16/08/2012 01:07, Randy Bush wrote:
ripe caved at the time. yes it was a yank court order propagated as a dutch police order. in ljubljana, ncc staff said that they regretted caving, had not really needed to do so, it was a mistake that they would not repeat. present company excluded, we all make mistakes.
Much easier to be brave after the dust has settled + good that lessons were learned. Nick
On Aug 15, 2012, at 5:59 PM, Nick Hilliard <nick@foobar.org> wrote:
Approx 2 months later after taking legal advice, the NCC formed the view that the police and the prosecutor had no legal basis for making the request and they consequently unlocked the objects.
With the end result that someone gets some really nicely tainted/blocked address space. Hopefully whoever it is wears a white hat and doesn't respond to unsuspecting people's DNS queries with 'interesting' values.

"Legal basis": IANAL so no comment. However, for network sanitation purposes, I'll admit some surprise that the DNSchanger blocks have been reused so quickly.

Regards,
-drc
However, for network sanitation purposes, I'll admit some surprise that the DNSchanger blocks have been reused so quickly.
i conject sets a precedent for quick grab and sell, well rent. those dnschanger folk were bad guys, so no one should have sympathy for them. first they came for ... [http://en.wikipedia.org/wiki/First_they_came%E2%80%A6] second, well, let's throw some really bad stuff in the pot and see what happens. we're used to the vendors doing testing on operators, so why not rirs doing the same. actually, i am surprised that geoff and ggm have not asked for some so they can measure. randy
On Aug 15, 2012, at 1:52 PM, Randy Bush <randy@psg.com> wrote:
It also sounds like RIPE did a big screw you to the Dutch police for trying to interfere.
no, they caved.
No, they did not "cave." Court orders through the Dutch courts are integrated in their processes. It was coordinated with RIPE before Law Enforcement requested the court orders. RIPE's problem was with the broad language. See all the details here:

https://www.ripe.net/internet-coordination/news/about-ripe-ncc-and-ripe/summ...

The bigger problem is written here:

http://www.senki.org/archives/948

Barry
In a message written on Wed, Aug 15, 2012 at 10:46:52AM +0100, Stephen Wilcox wrote:
https://www.ripe.net/internet-coordination/news/clarification-on-reallocated...
From the article:

] The address space was quarantined for six weeks before being returned to
] the RIPE NCC's available pool of IPv4 address space. It was then
] randomly reallocated to a new resource holder according to normal
] allocation procedures.
]
] As the RIPE NCC nears IPv4 exhaustion, it will reduce the quarantine
] period of returned address space accordingly to ensure that there is no
] more IPv4 address space available before the last /8 is reached. The
] RIPE NCC recognises that this shortened quarantine could lead to
] routability problems and offers its members assistance to reduce this.

While I understand that in the face of IPv4 exhaustion long quarantine periods are probably no longer a good idea, I think 6 weeks is shockingly short. I also think to blanket apply the quarantine is a little short sighted, there are cases that need a longer cooling off period, and this may be one of them.

I think the RIPE membership, and indeed the policy making bodies of all RIR's should look at their re-allocation policies with this case in mind and see if a corner case like this doesn't present a surprising result.

--
Leo Bicknell - bicknell@ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/
On 8/15/12 6:55 AM, Leo Bicknell wrote:
> While I understand that in the face of IPv4 exhaustion long quarantine periods are probably no longer a good idea, I think 6 weeks is shockingly short. I also think to blanket apply the quarantine is a little short sighted, there are cases that need a longer cooling off period, and this may be one of them.

I guess the question I'd pose is: is it going to get dramatically better if it were longer? 12 weeks? 52?

Remediation of whatever is wrong with a given prefix is an active activity; it's not likely to go away unless the prefix is advertised. In the case of DNS Changer, I would think that if you don't have working DNS for long enough you're going to have your computer fixed or throw it out. If you were an operator using that prefix to prevent customer breakage you should be on notice that's not sustainable indefinitely, or indeed for much longer.
I think the RIPE membership, and indeed the policy making bodies of all RIR's should look at their re-allocation policies with this case in mind and see if a corner case like this doesn't present a surprising result.
In a message written on Wed, Aug 15, 2012 at 08:01:15AM -0700, joel jaeggli wrote:
> Remediation of whatever is wrong with a given prefix is an active activity; it's not likely to go away unless the prefix is advertised.

Actually, that's not true on two fronts.

From a business relationship front, if the problem is contacting the right people when the "right people" have been arrested and now some police agent needs to generate the right paperwork, produce court paperwork, see a judge, time will absolutely help. I can see a scenario here where it might have been worked out to transfer the block to the appropriate law enforcement agency for a year (with them paying the usual fees) such that they could wind this down in an orderly way.

If the problem is technical badness, the block has appeared on blacklists or grey lists, or been placed into temporary filters to block DNS Changer badness, time will also help. Most (although not all) of those activities are aged out. As ISPs stop seeing hits on their DNS Changer ACLs because the machines have been cleaned up they will remove them. Greylists will age out.

Indeed, both of these are why there is a "cooling off" period in place now at all RIRs. They have been proven to work. Previously in some cases they were 6-12 months though, and what the community has said is that given that we're out of IPv4 those time periods should be shorter. The question becomes how much shorter? Clearly holding them back for 1 day isn't long enough to make any business or technical difference. The community is saying 6-12 months is too long. I am saying 6 weeks sounds too short to me, but if it is appropriate for "ordinary" blocks there needs to be an exception for extraordinary ones. From time to time we hear about blocks like DNSChanger that millions of boxes are configured to hit, or I remember the University of Wisconsin DDOSed by NTP queries from some consumer routers. When the block still has high levels of well known, active badness, perhaps it should be held back longer.

> In the case of DNS Changer, I would think that if you don't have working DNS for long enough you're going to have your computer fixed or throw it out. If you were an operator using that prefix to prevent customer breakage you should be on notice that's not sustainable indefinitely, or indeed for much longer.

The problem here isn't just the infected computers. Would you want to receive a netblock from an RIR that came with tens or hundreds of megabits of DDOS, I mean, background noise when you turned it on? Whoever receives this block is in for a world of hurt.

-- Leo Bicknell - bicknell@ufp.org - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/
On 8/15/12 10:24 AM, Leo Bicknell wrote:
In a message written on Wed, Aug 15, 2012 at 08:01:15AM -0700, joel jaeggli wrote:
>> Remediation of whatever is wrong with a given prefix is an active activity; it's not likely to go away unless the prefix is advertised.
>
> Actually, that's not true on two fronts.
>
> From a business relationship front, if the problem is contacting the right people when the "right people" have been arrested and now some police agent needs to generate the right paperwork, produce court paperwork, see a judge, time will absolutely help.

The right people in this case are the ones with the broken PCs. The misbehavior associated with the prefix was dealt with some time ago.

> I can see a scenario here where it might have been worked out to transfer the block to the appropriate law enforcement agency for a year (with them paying the usual fees) such that they could wind this down in an orderly way.

Courts already did that: name servers in that prefix range were operated by ISC from November 9th 2011 to July 9th 2012 at the request of the FBI.

> If the problem is technical badness, the block has appeared on blacklists or grey lists, or been placed into temporary filters to block DNS Changer badness, time will also help. Most (although not all) of those activities are aged out. As ISPs stop seeing hits on their DNS Changer ACLs because the machines have been cleaned up they will remove them. Greylists will age out.
>
> Indeed, both of these are why there is a "cooling off" period in place now at all RIRs. They have been proven to work. Previously in some cases they were 6-12 months though, and what the community has said is that given that we're out of IPv4 those time periods should be shorter. The question becomes how much shorter? Clearly holding them back for 1 day isn't long enough to make any business or technical difference. The community is saying 6-12 months is too long.
>
> I am saying 6 weeks sounds too short to me, but if it is appropriate for "ordinary" blocks there needs to be an exception for extraordinary ones. From time to time we hear about blocks like DNSChanger that millions of boxes are configured to hit,

Were configured to hit; if they still are, they've been broken for a while, or are being kept on life support by ISPs.

In any event there aren't millions anymore; there are perhaps low thousands of broken computers.

> or I remember the University of Wisconsin DDOSed by NTP queries from some consumer routers. When the block still has high levels of well known, active badness, perhaps it should be held back longer.

The University of Wisconsin seems like an unlikely candidate to give up its prefix over that.

http://pages.cs.wisc.edu/~plonka/netgear-sntp/#ToC39

>> In the case of DNS Changer, I would think that if you don't have working DNS for long enough you're going to have your computer fixed or throw it out. If you were an operator using that prefix to prevent customer breakage you should be on notice that's not sustainable indefinitely, or indeed for much longer.
>
> The problem here isn't just the infected computers. Would you want to receive a netblock from an RIR that came with tens or hundreds of megabits of DDOS, I mean, background noise when you turned it on?

It is unlikely in the extreme that what remains when that prefix is advertised is 100s of megabits of DOS. That said, as a potential recipient of such a prefix, I'd probably be willing to accept a fair amount of garbage if the alternative is not having one. I fully expect the quality of IPv4 prefixes available for re-assignment to continue to drop.

> Whoever receives this block is in for a world of hurt.
On Wed, Aug 15, 2012 at 9:55 AM, Leo Bicknell <bicknell@ufp.org> wrote:
In a message written on Wed, Aug 15, 2012 at 10:46:52AM +0100, Stephen Wilcox wrote:
https://www.ripe.net/internet-coordination/news/clarification-on-reallocated...
From the article:
] The address space was quarantined for six weeks before being returned to
] the RIPE NCC's available pool of IPv4 address space. It was then
] randomly reallocated to a new resource holder according to normal
] allocation procedures.
]
] As the RIPE NCC nears IPv4 exhaustion, it will reduce the quarantine
] period of returned address space accordingly to ensure that there is no
] more IPv4 address space available before the last /8 is reached. The
] RIPE NCC recognises that this shortened quarantine could lead to
] routability problems and offers its members assistance to reduce this.
While I understand that in the face of IPv4 exhaustion long quarantine periods are probably no longer a good idea, I think 6 weeks is shockingly short. I also think to blanket apply the quarantine is a little short sighted, there are cases that need a longer cooling off period, and this may be one of them.
I think the RIPE membership, and indeed the policy making bodies of all RIR's should look at their re-allocation policies with this case in mind and see if a corner case like this doesn't present a surprising result.
Correct me if I am wrong, but with RIPE's pool nearing exhaustion (in as little as 3 weeks, depending upon who you ask and how you count) isn't this sort of a moot point? I suppose this block could have been moved to the back of the list instead of randomly re-allocated, but would a few more weeks really have helped? /TJ
On 8/15/2012 11:36 AM, TJ wrote:
On Wed, Aug 15, 2012 at 9:55 AM, Leo Bicknell <bicknell@ufp.org> wrote:
In a message written on Wed, Aug 15, 2012 at 10:46:52AM +0100, Stephen Wilcox wrote:
https://www.ripe.net/internet-coordination/news/clarification-on-reallocated...
From the article:
] The address space was quarantined for six weeks before being returned to
] the RIPE NCC's available pool of IPv4 address space. It was then
] randomly reallocated to a new resource holder according to normal
] allocation procedures.
]
] As the RIPE NCC nears IPv4 exhaustion, it will reduce the quarantine
] period of returned address space accordingly to ensure that there is no
] more IPv4 address space available before the last /8 is reached. The
] RIPE NCC recognises that this shortened quarantine could lead to
] routability problems and offers its members assistance to reduce this.
While I understand that in the face of IPv4 exhaustion long quarantine periods are probably no longer a good idea, I think 6 weeks is shockingly short. I also think to blanket apply the quarantine is a little short sighted, there are cases that need a longer cooling off period, and this may be one of them.
I think the RIPE membership, and indeed the policy making bodies of all RIR's should look at their re-allocation policies with this case in mind and see if a corner case like this doesn't present a surprising result.
Correct me if I am wrong, but with RIPE's pool nearing exhaustion (in as little as 3 weeks, depending upon who you ask and how you count) isn't this sort of a moot point? I suppose this block could have been moved to the back of the list instead of randomly re-allocated, but would a few more weeks really have helped?
/TJ
Perhaps it should not have been re-allocated at all, rather than cause the unsuspecting allocatee trouble they would not have seen from clean(er) space. -- Randy.
On Wed, 15 Aug 2012 11:51:32 -0400, Randy Whitney said:
Perhaps it should not have been re-allocated at all, rather than cause the unsuspecting allocatee trouble they would not have seen from clean(er) space.
"unsuspecting"??!? You want a clean prefix, get some IPv6 space instead. Anybody who is getting IPv4 space in 2012 and doesn't realize that they're getting "scraping the bottom of the barrel" quality prefixes will get what they deserve for not doing their due diligence (i.e. paying attention for the last decade or so).
On 7/6/2012 10:44 AM, valdis.kletnieks@vt.edu wrote:
On Fri, 06 Jul 2012 13:20:55 -0400, Andrew Fried said:
>> The dns-ok.us site is getting crushed from all the sudden media interest.
>
> One wonders why it's so hard to get the media interested when it would be *helpful*. DNS Changer gets traction like 3 days before the drop dead date, IPv6 gets on the radar *after* we run out of v4 /8's to give to regionals, etc...

Where you been? It's been in and out of the news for months. Examples: ABC covered it on April 11th, CBS on Feb 21st.
Participants (23): Andrew Fried, Barry Greene, Cameron Byrne, David Conrad, Eric J Esslinger, Grant Ridder, Jared Mauch, Jay Ashworth, joel jaeggli, Leo Bicknell, Merike Kaeo, Nick Hilliard, Nick Semenkovich, Owen DeLong, Randy Bush, Randy Whitney, Robert Bonomi, Roy, Seth Mattinen, Stephen Wilcox, TJ, Tomas L. Byrnes, valdis.kletnieks@vt.edu