Login | Register For Free | Help
Search for: (Advanced)

Mailing List Archive: Full Disclosure: Full-Disclosure

Major ISPs arbitrarily blocking IRC and hijacking DNS entries



Full Disclosure full-disclosure RSS feed   Index | Next | Previous | View Threaded

anthony at ablenet

Jul 18, 2007, 9:05 PM

Post #1 of 1 (10570 views)
Major ISPs arbitrarily blocking IRC and hijacking DNS entries


I am writing to this list because I no longer know where to turn. Over
the course of the past 2 to three weeks I have watched my services on the
internet become systematically blocked and redirected by no less than 3
major isps in their efforts to stop botnets from connecting to IRC. Allow
me to provide a little background info.

My name is Anthony Sanchez and I have run a small irc network, for the
past 6 years, along with a couple websites and my mail server (utilized by
two people). Approximately 2 weeks ago, we discovered that
TimeWarner/Road Runner/AOL was redirecting traffic from irc.ablenet.org
port 6667 to their own dummy install of ircd along with commands to
connecting users to ".remove" in the event that the connection was a bot.
If the end user were to attempt to speak or issue a command, that user was
banned from the 'dummy' network.

At about the same time, we noticed that verizon was restricting access to
the IPs all together, apparently using some form of port restriction as
the DNS still resolved on their name servers correctly. I have documented
this informally, with screenshots, on my weblog, found at
http://anthony.blogs.ablenet.org/ .

As of today, it now appears that Cox is also redirecting traffic
apparently in an effort to disable botnets.

As you can see below, the correct resolution of irc.ablenet.org is as

Name: irc.ablenet.org
Name: irc.ablenet.org

Contrary to the truth, cox.net resolves it as so:

Server: ns1.dc.cox.net

Name: irc.ablenet.org

Out of concern, I had emailed the irc-unity.org security discussion list
(currently cc'd; I hope that is ok) and confirmed that while not everyone
is experiencing this problem, it is not entirely new. That being said, I
am not sure anyone has experienced it on this level. We have never
harbored botnets; in fact, we have very strict connection policies and
have flown under the radar for a good number of years.

I assure you all that we have never and will never contribute to the abuse
of the internet. A cursory scan of the general blacklists does not appear
to show any submission of my IPs or my URL. To make matters worse, we
have no means of recourse or correction. No one has made an effort to
contact me with regards to their plans and how I may have been able to
prevent what amounts to a systematic crippling of services. I have no way
to circumnavigate the domain hijacking, port blocking or traffic
redirection being employed. Nor do I have any useful contact information
that would put me in contact with any of their network security personnel.
These providers, while perhaps noble in their cause, are denying us our
right to exist. If we were a large organization, this very likely would
not be happening.

I appeal to the members of this list and those that read it. If anyone
can offer any form of assistance, knows anyone who can, or can help me get
my story out... please do. Beyond the inability to exist, I am concerned
for the communities that have congregated with us and contributed to the
greater good. Any and all assistance will be beyond appreciated, as our
very existence is at stake and I no longer know what to do...

Best Regards,
Anthony Sanchez
Anthony at AbleNET dot Org

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Full Disclosure full-disclosure RSS feed   Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads
  Web Applications & Managed Hosting Powered by Gossamer Threads Inc.