Mailing List Archive: NANOG: users

Operation Ghost Click

 

 



jeroen at mompl

Apr 26, 2012, 2:38 PM

Post #1 of 46 (2846 views)
Permalink
Operation Ghost Click

Excuse the horrible subject :-)

Anyone have anything insightful to say about it? Is it just lots of fuss
about nothing or is it an actual substantial problem?

http://www.fbi.gov/news/stories/2011/november/malware_110911

"Update on March 12, 2012: To assist victims affected by the DNSChanger
malicious software, the FBI obtained a court order authorizing the
Internet Systems Consortium (ISC) to deploy and maintain temporary clean
DNS servers. This solution is temporary, providing additional time for
victims to clean affected computers and restore their normal DNS
settings. The clean DNS servers will be turned off on July 9, 2012, and
computers still impacted by DNSChanger may lose Internet connectivity at
that time."

--
Earthquake Magnitude: 5.5
Date: Thursday, April 26, 2012 19:21:45 UTC
Location: off the west coast of northern Sumatra
Latitude: 2.6946; Longitude: 94.5307
Depth: 26.00 km


lathama at gmail

Apr 26, 2012, 2:44 PM

Post #2 of 46 (2789 views)
Permalink
Re: Operation Ghost Click [In reply to]

On Thu, Apr 26, 2012 at 5:38 PM, Jeroen van Aart <jeroen [at] mompl> wrote:
> Excuse the horrible subject :-)
>
> Anyone have anything insightful to say about it? Is it just lots of fuss
> about nothing or is it an actual substantial problem?
>
> http://www.fbi.gov/news/stories/2011/november/malware_110911
>
> "Update on March 12, 2012: To assist victims affected by the DNSChanger
> malicious software, the FBI obtained a court order authorizing the Internet
> Systems Consortium (ISC) to deploy and maintain temporary clean DNS servers.
> This solution is temporary, providing additional time for victims to clean
> affected computers and restore their normal DNS settings. The clean DNS
> servers will be turned off on July 9, 2012, and computers still impacted by
> DNSChanger may lose Internet connectivity at that time."
>
> --
> Earthquake Magnitude: 5.5
> Date: Thursday, April 26, 2012 19:21:45 UTC
> Location: off the west coast of northern Sumatra
> Latitude: 2.6946; Longitude: 94.5307
> Depth: 26.00 km
>

Yes, it's a major problem for the users unknowingly infected. To them
it will look like their Internet connection is down. Expect ISPs to
field lots of support calls.


--
~ Andrew "lathama" Latham lathama [at] gmail http://lathama.net ~


paul at paulgraydon

Apr 26, 2012, 2:47 PM

Post #3 of 46 (2797 views)
Permalink
Re: Operation Ghost Click [In reply to]

On 04/26/2012 11:44 AM, Andrew Latham wrote:
> On Thu, Apr 26, 2012 at 5:38 PM, Jeroen van Aart<jeroen [at] mompl> wrote:
>> Excuse the horrible subject :-)
>>
>> Anyone have anything insightful to say about it? Is it just lots of fuss
>> about nothing or is it an actual substantial problem?
>>
>> http://www.fbi.gov/news/stories/2011/november/malware_110911
>>
>> "Update on March 12, 2012: To assist victims affected by the DNSChanger
>> malicious software, the FBI obtained a court order authorizing the Internet
>> Systems Consortium (ISC) to deploy and maintain temporary clean DNS servers.
>> This solution is temporary, providing additional time for victims to clean
>> affected computers and restore their normal DNS settings. The clean DNS
>> servers will be turned off on July 9, 2012, and computers still impacted by
>> DNSChanger may lose Internet connectivity at that time."
>>
>> --
>> Earthquake Magnitude: 5.5
>> Date: Thursday, April 26, 2012 19:21:45 UTC
>> Location: off the west coast of northern Sumatra
>> Latitude: 2.6946; Longitude: 94.5307
>> Depth: 26.00 km
>>
> Yes its a major problem for the users unknowingly infected. To them
> it will look like their Internet connection is down. Expect ISPs to
> field lots of support calls.
>
Based on conversations on this list a month or so ago, ISPs were
contacted with details of which of their IPs had compromised boxes
behind them, but it seems the consensus is that ISPs were going to just
wait for users to phone support when it broke rather than be proactive
about it.

Paul


leigh.porter at ukbroadband

Apr 26, 2012, 2:50 PM

Post #4 of 46 (2788 views)
Permalink
Re: Operation Ghost Click [In reply to]

On 26 Apr 2012, at 22:47, "Andrew Latham" <lathama [at] gmail<mailto:lathama [at] gmail>> wrote:

On Thu, Apr 26, 2012 at 5:38 PM, Jeroen van Aart <jeroen [at] mompl<mailto:jeroen [at] mompl>> wrote:

Yes its a major problem for the users unknowingly infected. To them
it will look like their Internet connection is down. Expect ISPs to
field lots of support s

Is there a list of these temporary servers so I can see what customers are using them (indicating infection) and head off a support call with some contact?

--
Leigh




andrew.fried at gmail

Apr 26, 2012, 2:56 PM

Post #5 of 46 (2788 views)
Permalink
Re: Operation Ghost Click [In reply to]

I suggest you reach out to Shadowserver or Team Cymru if you're a
netblock owner. They can provide daily reports of infected IPs.

Andy

Andrew Fried
andrew.fried [at] gmail

On 4/26/12 5:50 PM, Leigh Porter wrote:
>
> On 26 Apr 2012, at 22:47, "Andrew Latham" <lathama [at] gmail<mailto:lathama [at] gmail>> wrote:
>
> On Thu, Apr 26, 2012 at 5:38 PM, Jeroen van Aart <jeroen [at] mompl<mailto:jeroen [at] mompl>> wrote:
>
> Yes its a major problem for the users unknowingly infected. To them
> it will look like their Internet connection is down. Expect ISPs to
> field lots of support s
>
> Is there a list of these temporary servers so I can see what customers are using them (indicating infection) and head off a support call with some contact?
>
> --
> Leigh
>
>


kyle.creyts at gmail

Apr 26, 2012, 2:57 PM

Post #6 of 46 (2791 views)
Permalink
Re: Operation Ghost Click [In reply to]

http://www.fbi.gov/news/stories/2011/november/malware_110911/DNS-changer-malware.pdf
On Apr 26, 2012 5:48 PM, "Leigh Porter" <leigh.porter [at] ukbroadband>
wrote:

>
> On 26 Apr 2012, at 22:47, "Andrew Latham" <lathama [at] gmail<mailto:
> lathama [at] gmail>> wrote:
>
> On Thu, Apr 26, 2012 at 5:38 PM, Jeroen van Aart <jeroen [at] mompl<mailto:
> jeroen [at] mompl>> wrote:
>
> Yes its a major problem for the users unknowingly infected. To them
> it will look like their Internet connection is down. Expect ISPs to
> field lots of support s
>
> Is there a list of these temporary servers so I can see what customers are
> using them (indicating infection) and head off a support call with some
> contact?
>
> --
> Leigh
>
>
>


lathama at gmail

Apr 26, 2012, 3:00 PM

Post #7 of 46 (2788 views)
Permalink
Re: Operation Ghost Click [In reply to]

On Thu, Apr 26, 2012 at 5:57 PM, Kyle Creyts <kyle.creyts [at] gmail> wrote:
> http://www.fbi.gov/news/stories/2011/november/malware_110911/DNS-changer-malware.pdf
>
> On Apr 26, 2012 5:48 PM, "Leigh Porter" <leigh.porter [at] ukbroadband>
> wrote:
>>
>>
>> On 26 Apr 2012, at 22:47, "Andrew Latham"
>> <lathama [at] gmail<mailto:lathama [at] gmail>> wrote:
>>
>>
>> On Thu, Apr 26, 2012 at 5:38 PM, Jeroen van Aart
>> <jeroen [at] mompl<mailto:jeroen [at] mompl>> wrote:
>>
>> Yes its a major problem for the users unknowingly infected.  To them
>> it will look like their Internet connection is down.  Expect ISPs to
>> field lots of support s
>>
>> Is there a list of these temporary servers so I can see what customers are
>> using them (indicating infection) and head off a support call with some
>> contact?
>>
>> --
>> Leigh

85.255.112.0 through 85.255.127.255
67.210.0.0 through 67.210.15.255
93.188.160.0 through 93.188.167.255
77.67.83.0 through 77.67.83.255
213.109.64.0 through 213.109.79.255
64.28.176.0 through 64.28.191.255

--
~ Andrew "lathama" Latham lathama [at] gmail http://lathama.net ~


kyle.creyts at gmail

Apr 26, 2012, 4:58 PM

Post #8 of 46 (2790 views)
Permalink
Re: Operation Ghost Click [In reply to]

Thanks, Andrew. I was out and about, and couldn't remember the prefixes
off-hand. They should have been in that PDF, iirc.
On Apr 26, 2012 6:01 PM, "Andrew Latham" <lathama [at] gmail> wrote:

> On Thu, Apr 26, 2012 at 5:57 PM, Kyle Creyts <kyle.creyts [at] gmail>
> wrote:
> >
> http://www.fbi.gov/news/stories/2011/november/malware_110911/DNS-changer-malware.pdf
> >
> > On Apr 26, 2012 5:48 PM, "Leigh Porter" <leigh.porter [at] ukbroadband>
> > wrote:
> >>
> >>
> >> On 26 Apr 2012, at 22:47, "Andrew Latham"
> >> <lathama [at] gmail<mailto:lathama [at] gmail>> wrote:
> >>
> >>
> >> On Thu, Apr 26, 2012 at 5:38 PM, Jeroen van Aart
> >> <jeroen [at] mompl<mailto:jeroen [at] mompl>> wrote:
> >>
> >> Yes its a major problem for the users unknowingly infected. To them
> >> it will look like their Internet connection is down. Expect ISPs to
> >> field lots of support s
> >>
> >> Is there a list of these temporary servers so I can see what customers
> are
> >> using them (indicating infection) and head off a support call with some
> >> contact?
> >>
> >> --
> >> Leigh
>
> 85.255.112.0 through 85.255.127.255
> 67.210.0.0 through 67.210.15.255
> 93.188.160.0 through 93.188.167.255
> 77.67.83.0 through 77.67.83.255
> 213.109.64.0 through 213.109.79.255
> 64.28.176.0 through 64.28.191.255
>
> --
> ~ Andrew "lathama" Latham lathama [at] gmail http://lathama.net ~
>
>


frnkblk at iname

Apr 26, 2012, 5:38 PM

Post #9 of 46 (2783 views)
Permalink
RE: Operation Ghost Click [In reply to]

The good folks at Shadowserver have been giving us a feed of IPs that are hitting those DNS servers since November, and last month we got the last of the customers cleaned up. Not all ISPs are non-proactive.

Frank

-----Original Message-----
From: Paul Graydon [mailto:paul [at] paulgraydon]
Sent: Thursday, April 26, 2012 4:48 PM
To: nanog [at] nanog
Subject: Re: Operation Ghost Click

On 04/26/2012 11:44 AM, Andrew Latham wrote:
> On Thu, Apr 26, 2012 at 5:38 PM, Jeroen van Aart<jeroen [at] mompl> wrote:
>> Excuse the horrible subject :-)
>>
>> Anyone have anything insightful to say about it? Is it just lots of fuss
>> about nothing or is it an actual substantial problem?
>>
>> http://www.fbi.gov/news/stories/2011/november/malware_110911
>>
>> "Update on March 12, 2012: To assist victims affected by the DNSChanger
>> malicious software, the FBI obtained a court order authorizing the Internet
>> Systems Consortium (ISC) to deploy and maintain temporary clean DNS servers.
>> This solution is temporary, providing additional time for victims to clean
>> affected computers and restore their normal DNS settings. The clean DNS
>> servers will be turned off on July 9, 2012, and computers still impacted by
>> DNSChanger may lose Internet connectivity at that time."
>>
>> --
>> Earthquake Magnitude: 5.5
>> Date: Thursday, April 26, 2012 19:21:45 UTC
>> Location: off the west coast of northern Sumatra
>> Latitude: 2.6946; Longitude: 94.5307
>> Depth: 26.00 km
>>
> Yes its a major problem for the users unknowingly infected. To them
> it will look like their Internet connection is down. Expect ISPs to
> field lots of support calls.
>
Based on conversations on this list a month or so ago, ISPs were
contacted with details of which of their IPs had compromised boxes
behind them, but it seems the consensus is that ISP were going to just
wait for users to phone support when it broke rather than be proactive
about it.

Paul


jeff-kell at utc

Apr 26, 2012, 7:03 PM

Post #10 of 46 (2768 views)
Permalink
Re: Operation Ghost Click [In reply to]

On 4/26/2012 5:44 PM, Andrew Latham wrote:

> Yes its a major problem for the users unknowingly infected. To them
> it will look like their Internet connection is down. Expect ISPs to
> field lots of support calls.

And what about the millions of users unknowingly infected with
"something else" ??

These people need help, at least the "Ghost Click" victims will have a
clue after July 9, unless we opt to extend our head-in-the-sand period.

(We have enough trouble isolating/remediating issues among our
relatively small user base, I'd hate to be facing a major ISP size
support/remediation effort...)

Does anyone have a plan?

Jeff


Michael_OReirdan at Cable

Apr 27, 2012, 3:41 AM

Post #11 of 46 (2766 views)
Permalink
RE: Operation Ghost Click [In reply to]

Please look at www.dcwg.org

Mike
________________________________________
From: Jeff Kell [jeff-kell [at] utc]
Sent: 26 April 2012 22:03
To: Andrew Latham
Cc: NANOG list
Subject: Re: Operation Ghost Click

On 4/26/2012 5:44 PM, Andrew Latham wrote:

> Yes its a major problem for the users unknowingly infected. To them
> it will look like their Internet connection is down. Expect ISPs to
> field lots of support calls.

And what about the millions of users unknowingly infected with
"something else" ??

These people need help, at least the "Ghost Click" victims will have a
clue after July 9, unless we opt to extend our head-in-the-sand period.

(We have enough trouble isolating/remediating issues among our
relatively small user base, I'd hate to be facing a major ISP size
support/remediation effort...)

Does anyone have a plan?

Jeff


tetherow at shwisp

Apr 27, 2012, 10:22 AM

Post #12 of 46 (2778 views)
Permalink
Re: Operation Ghost Click [In reply to]

On 04/26/2012 05:00 PM, Andrew Latham wrote:
> On Thu, Apr 26, 2012 at 5:57 PM, Kyle Creyts<kyle.creyts [at] gmail> wrote:
>> http://www.fbi.gov/news/stories/2011/november/malware_110911/DNS-changer-malware.pdf
>>
>> On Apr 26, 2012 5:48 PM, "Leigh Porter"<leigh.porter [at] ukbroadband>
>> wrote:
>>>
>>> On 26 Apr 2012, at 22:47, "Andrew Latham"
>>> <lathama [at] gmail<mailto:lathama [at] gmail>> wrote:
>>>
>>>
>>> On Thu, Apr 26, 2012 at 5:38 PM, Jeroen van Aart
>>> <jeroen [at] mompl<mailto:jeroen [at] mompl>> wrote:
>>>
>>> Yes its a major problem for the users unknowingly infected. To them
>>> it will look like their Internet connection is down. Expect ISPs to
>>> field lots of support s
>>>
>>> Is there a list of these temporary servers so I can see what customers are
>>> using them (indicating infection) and head off a support call with some
>>> contact?
>>>
>>> --
>>> Leigh
> 85.255.112.0 through 85.255.127.255
> 67.210.0.0 through 67.210.15.255
> 93.188.160.0 through 93.188.167.255
> 77.67.83.0 through 77.67.83.255
> 213.109.64.0 through 213.109.79.255
> 64.28.176.0 through 64.28.191.255
>
Or for those that don't want to do the math, here they are in CIDR notation

85.255.112.0/20
67.210.0.0/20
93.188.160.0/21
77.67.83.0/24
213.109.64.0/20
64.28.176.0/20
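
The range-to-CIDR conversion done by hand above, together with the check Leigh asked for a few posts earlier (which customers are sending DNS queries to those resolvers), as an added Python example that is not from the thread. The six ranges are the ones posted; the flow records are constructed sample data, and their column layout (timestamp, source, destination, protocol, destination port) is an assumption made for the example.

```python
import ipaddress

# The six inclusive start/end ranges exactly as posted in the thread.
ROGUE_RANGES = [
    ("85.255.112.0", "85.255.127.255"),
    ("67.210.0.0", "67.210.15.255"),
    ("93.188.160.0", "93.188.167.255"),
    ("77.67.83.0", "77.67.83.255"),
    ("213.109.64.0", "213.109.79.255"),
    ("64.28.176.0", "64.28.191.255"),
]


def ranges_to_cidr(ranges):
    """Collapse each inclusive start/end range into the minimal list of CIDR blocks.

    summarize_address_range does the alignment math, so a range that is not
    a single aligned block (e.g. 10.0.0.5-10.0.0.9) still comes out correct,
    just as several blocks.
    """
    nets = []
    for start, end in ranges:
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(start), ipaddress.ip_address(end)))
    return nets


ROGUE_NETS = ranges_to_cidr(ROGUE_RANGES)


def is_rogue_resolver(ip):
    """True if the address falls inside any of the posted resolver blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ROGUE_NETS)


# Constructed sample flow records (not real data). Assumed layout:
# timestamp src dst proto dport. 192.0.2.0/24 and 198.51.100.0/24 are
# documentation prefixes standing in for customer and clean-resolver addresses.
SAMPLE_FLOWS = """\
2012-04-26T21:40:01Z 192.0.2.17 85.255.116.8 udp 53
2012-04-26T21:40:02Z 192.0.2.200 198.51.100.53 udp 53
2012-04-26T21:40:03Z 192.0.2.45 64.28.180.2 udp 53
2012-04-26T21:40:04Z 192.0.2.45 64.28.180.2 tcp 443
2012-04-26T21:40:05Z 192.0.2.99 213.109.70.1 udp 53
"""


def find_infected_clients(flow_text):
    """Return the set of customer source IPs that sent DNS (port 53) traffic
    to one of the rogue resolver blocks. Non-DNS traffic to those blocks is
    ignored: only a DNS query is evidence that the host's resolver setting
    was changed."""
    hits = set()
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed records rather than crash on them
        _ts, src, dst, proto, dport = parts
        if dport == "53" and proto in ("udp", "tcp") and is_rogue_resolver(dst):
            hits.add(src)
    return hits


if __name__ == "__main__":
    for net in ROGUE_NETS:
        print(net)
    print("clients querying rogue resolvers:", sorted(find_infected_clients(SAMPLE_FLOWS)))
```

Feeding a day's flow export into find_infected_clients gives the per-customer list an ISP can use to notify people before the July 9 cut-off; the same membership check works on whatever the source happens to be (DHCP-served resolver settings, CPE configs, or a firewall log), as long as the destination IP is available.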


jeroen at mompl

Apr 27, 2012, 4:50 PM

Post #13 of 46 (2757 views)
Permalink
Re: Operation Ghost Click [In reply to]

O'Reirdan, Michael wrote:
> Please look at www.dcwg.org

Thanks all for the information.

It looks like the practical upshot is that computers that have been
infected and not yet fixed may lose the ability to resolve names into
IP addresses starting sometime after July 9, which is when the
replacement nameservers are supposed to be stopped.

That in and of itself is quite a nuisance for the individual as well as
the ISP helldesks but it could have been worse. I would certainly not
call it "Internet doomsday".

Greetings,
Jeroen

--
Earthquake Magnitude: 4.9
Date: Friday, April 27, 2012 21:51:23 UTC
Location: Prince Edward Islands region
Latitude: -41.1063; Longitude: 43.4278
Depth: 10.00 km


apishdadi at gmail

Apr 27, 2012, 5:35 PM

Post #14 of 46 (2754 views)
Permalink
Re: Operation Ghost Click [In reply to]

If the user is stupid enough to be infected for that long, I think it's a good thing they get cut off from the net. It should be a policy of all ISPs: if you're infected then you lose the privilege to get online, and thus you can't scan and infect other idiots or become a DDoS tool for the script kiddies. I for one say turn 'em off!!!!

Thanks,
Ameen Pishdadi


On Apr 27, 2012, at 6:50 PM, Jeroen van Aart <jeroen [at] mompl> wrote:

> O'Reirdan, Michael wrote:
>> Please look at www.dcwg.org
>
> Thanks all for the information.
>
> It looks like the practical upshot is that computers that have been infected and not yet fixed may loose the ability to resolve names into IP addresses starting sometime after July 9, which is when the replacement nameservers are supposed to be stopped.
>
> That in and of itself is quite a nuisance for the individual as well as the ISP helldesks but it could have been worse. I would certainly not call it "Internet doomsday".
>
> Greetings,
> Jeroen
>
> --
> Earthquake Magnitude: 4.9
> Date: Friday, April 27, 2012 21:51:23 UTC
> Location: Prince Edward Islands region
> Latitude: -41.1063; Longitude: 43.4278
> Depth: 10.00 km
>


ryan.landry at gmail

Apr 27, 2012, 6:15 PM

Post #15 of 46 (2758 views)
Permalink
Re: Operation Ghost Click [In reply to]

On Fri, Apr 27, 2012 at 5:35 PM, Ameen Pishdadi <apishdadi [at] gmail> wrote:
> If the user is stupid enough to be infected for that long I think it's a good thing they get cut off from the net , should be a policy of all ISPs , If your infected then you lose privilege to get online and thus you can't scan and infect other idiots or become a ddos tool for the script kiddies. I for one say turn em off!!!!
>
> Thanks,
> Ameen Pishdadi

you're obviously lucky, and don't have "stupid" grandparents.


apishdadi at gmail

Apr 27, 2012, 6:29 PM

Post #16 of 46 (2760 views)
Permalink
Re: Operation Ghost Click [In reply to]

Nope, they're dead unfortunately, but if they were alive I'd clean up their machines, maybe give them Chromebooks, something idiot proof.

Thanks,
Ameen Pishdadi


On Apr 27, 2012, at 8:15 PM, ryanL <ryan.landry [at] gmail> wrote:

> On Fri, Apr 27, 2012 at 5:35 PM, Ameen Pishdadi <apishdadi [at] gmail> wrote:
>> If the user is stupid enough to be infected for that long I think it's a good thing they get cut off from the net , should be a policy of all ISPs , If your infected then you lose privilege to get online and thus you can't scan and infect other idiots or become a ddos tool for the script kiddies. I for one say turn em off!!!!
>>
>> Thanks,
>> Ameen Pishdadi
>
> you're obviously lucky, and don't have "stupid" grandparents.


Valdis.Kletnieks at vt

Apr 27, 2012, 7:17 PM

Post #17 of 46 (2749 views)
Permalink
Re: Operation Ghost Click [In reply to]

On Fri, 27 Apr 2012 19:35:51 -0500, Ameen Pishdadi said:
> If the user is stupid enough to be infected for that long

And they'd know they were infected, how, exactly? (Think carefully
before answering that, and keep in mind that although *you* may
be the world's greatest IT specialist, the average Joe Sixpack wants to
surf the web and read his e-mail, and does *not* understand (or
even *want* to) very much about computer security).


apishdadi at gmail

Apr 27, 2012, 9:14 PM

Post #18 of 46 (2751 views)
Permalink
Re: Operation Ghost Click [In reply to]

At some point in like 10 years, when all the computer illiterate people are
gone, there will be no more excuses for not being educated on malware and
viruses. While I understand the ISP doesn't want to possibly cut into their
profit margins, they could easily put in place monitoring tools that can
detect network traffic that is malware bound and reach out to the customer
by email, phone and if need be in person.

How much taxpayer money is spent to pay these FEDERAL (F.B.I.) agents
to sit here and babysit these computer ignorant and illiterate people for
6 months? So for the big ISPs like Comcast I should pay out of my tax money
because they cannot properly enforce a network policy that would require
them to actually give a crap what is coming out of their network?

There are always going to be viruses and malware, they will find ways to get
them through, but for heaven's sake why would we, if identified, leave millions
of compromised machines online with an attempt to do a cleanup? YOU as a
network operator have a responsibility to the other 40,000 AUTONOMOUS
networks to make sure you're not polluting our private network infrastructure
with garbage coming from your users and network. Clean up your mess.

Like we will not tolerate spammers being housed on 'hosting' networks, why
should we tolerate malware and infections coming from ISPs??? How much money
is spent cleaning up hacked WordPress servers and udp.pl scripts...

This is a much bigger issue than at any cost making sure a user can get on to
Facebook to upload a picture of their cat sleeping upside down. If we
enforced a proper policy and held network activity to certain standards, the
ISPs would fix the issue of ignorant users themselves by #1 educating
their users, #2 implementing network monitoring on their outbound traffic
to identify sources of infected and compromised machines, #3 implementing a
cleanup policy, #4 letting the end user know they have a responsibility to
make sure the machines they access the network from are clean and to do
checks and to do their antivirus updates and OS updates.

Oh yeah, and if we got all these 'supporting' DNS servers up, why not just
direct ALL users of it, who are clearly infected, to a temporary page that
will enlighten the customer that they are infected and give them
instructions on clean up and give them a deadline of when their service
will stop......... How hard is that?




On Fri, Apr 27, 2012 at 10:55 PM, <Valdis.Kletnieks [at] vt> wrote:

> On Fri, 27 Apr 2012 21:39:20 -0500, you said:
>
> > Is it not detected by the common anti-virus software vendors? If the
>
> This assumes that the computer hasn't been hit by something *else* that
> disables the user's AV software. Remember, multiple infections are
> *common*.
>
> > internet stopped working on my computer i would reach out to someone who
> > knew how to fix it, keeping these people online and spreading the malware
> > helps how??
>
> The point is that the internet *didn't* stop working, so they have no
> reason to
> reach out yet.
>
> And no, you can't just blindly cut the users off and make them call the
> ISP for
> several reasons:
>
> 1) At that point, the ISP incurs an expense to fix a problem they didn't
> cause.
> Remember that margins on most consumer-grade Internet accounts are pretty
> thin,
> and one long support call can wipe out the profit. So explain why the ISP
> wants to cut off a user who makes them $10/year profit, and spend $30 or
> more
> handling the support call, when they aren't in the business of providing
> security services to end users?
>
> 2) If the user has no POTS, cutting them off may have just cut off their
> 911
> service. You want to take that risk?
>
> 3) Many times, there are multiple customer computers behind a NAT. Do you
> really want the hassle of an irate user calling in because you just broke
> the
> dad's VPN to work, because one of their kids has some cruft on their
> computer?
> (And no, don't try to tell them they should have bought business class
> service
> or similar crap, that *will* lose you a customer).
>
> So explain why the ISP wants to cut off the user, when it will cost them
> money, and possibly a customer?
>


apishdadi at gmail

Apr 27, 2012, 9:33 PM

Post #19 of 46 (2752 views)
Permalink
Re: Operation Ghost Click [In reply to]

On Fri, Apr 27, 2012 at 10:55 PM, <Valdis.Kletnieks [at] vt> wrote:

> On Fri, 27 Apr 2012 21:39:20 -0500, you said:
>
>
> 3) Many times, there are multiple customer computers behind a NAT. Do you
> really want the hassle of an irate user calling in because you just broke
> the
> dad's VPN to work, because one of their kids has some cruft on their
> computer?
> (And no, don't try to tell them they should have bought business class
> service
> or similar crap, that *will* lose you a customer).
>

The malware isn't infecting the end-user's router, therefore if there are
multiple users behind that NAT'd router, as long as they're not infected they
won't be shut off when those DNS servers go dark.

And if daddy is dumb enough to let his 8 year old son use his PC or laptop
w/o proper monitoring and gets infected, that's his fault. I know I don't let
my 10 year old use my work computers, and he knows how to code, but he is
still a child and clicks stupid things.

You're basically telling me the ISPs should not take any responsibility, well
then how can we get pissed off when a host lets a spammer spam for a week
straight and is aware and doesn't shut them off, or notices a DDoS attack
is stemming from their network, a customer has 5-6 servers he pays for with
unmetered gigabit ports and is clearly blasting someone to hell and back
with spoofed packets, but because their margins are so thin they shouldn't
turn him off and cancel him so they do not have to cut into their
'margins'...

In the network world you're either on the content side or the eyeball side,
and the eyeball networks seem to have double standards when it comes to
network abuse. Until this ends and the double standards stop, the amount of
malware and attacks will never decrease.

I say to your 'it costs the ISP money' to do cleanup, that it costs content
providers money to do cleanup of constantly being scanned and probed and
hacked by what is mostly hacked end-user machines who got owned browsing
the internet because they went to a website that had a virus installed by
another end-user's machine who was compromised the same way. It's a vicious
circle, and as an operator of a content provider I'm tired of the other half
of the internet not taking their share of the responsibility.

/End of rant..


fw at deneb

Apr 28, 2012, 3:01 AM

Post #20 of 46 (2744 views)
Permalink
Re: Operation Ghost Click [In reply to]

* Jeff Kell:

> And what about the millions of users unknowingly infected with
> "something else" ??

You have to start somewhere. I received a warning letter, and four or
five very organizations had to cooperate in new ways to make this
happen. This is certainly a welcome development, and hopefully, this
experience can be used for other mitigation efforts.


rsk at gsp

Apr 28, 2012, 4:44 AM

Post #21 of 46 (2749 views)
Permalink
Re: Operation Ghost Click [In reply to]

On Thu, Apr 26, 2012 at 10:03:44PM -0400, Jeff Kell wrote:
> And what about the millions of users unknowingly infected with
> "something else" ??

s/millions/hundreds of millions/

We passed the 100M zombie/bot mark years ago and nothing has happened
in the interim that should/would cause the trend to reverse. (Based on
what I've seen, the curve continues to monotonically increase.) Worse,
even the most sophisticated measurement techniques we have are guaranteed
to miss some unknown/unknowable fraction of the total population, since
botmasters are known to keep reserves. And worse yet, we're now seeing
infestations of portable devices/phones, systems running MacOS, etc.,
so while it's been, to this point, a Windows problem to about five to
seven 9's, it's not anymore, and it's not going to be.

> Does anyone have a plan?

No. Well, that's a bit unfair: lots of people have ideas, proposals,
and such, but until/unless there's a massive, coordinated, focused effort
-- which will cost a LOT of money -- those ideas and proposals can have
(at best) temporary, localized effects. I would like to think that the
software vendors whose products are involved would step up, but if that
was going to happen, it probably would have happened by now.

The most likely outcomes are: (1) that the status quo will continue:
massive amounts of attention, effort, and money will be focused on
mitigating the consequences (e.g., anti-spam, anti-phish, anti-DDoS,
anti-malware, anti-anti-anti defenses) and almost none will be focused
on addressing the root causes. (2) Those running networks which are
infested on a systemic and chronic basis will continue to do so and
will not be held accountable (by anyone) for their incompetence.
(3) More sophisticated bot-creating software will be developed and thoroughly
tested against anti-malware products before being deployed.
(4) Botnet command and control mechanisms will become more resilient in the
face of attacks. (5) Every now and then, some vendor and/or some government
agency will have a press conference and engage in self-congratulatory
chest-beating about how they've taken down a 5-million member botnet,
while botmasters are busy recruiting all 5 million still-compromised
systems into new botnets. (6) Once in a while, some poor unsuspecting
person sitting in front of one of these systems will be stuck holding the
bag when clueless prosecutors, assisted by thoroughly ignorant judges and
stunningly inept "experts", decide to score some election-year points by
destroying an innocent person's life: see "Julie Amero" for a canonical
example. (7) Data harvested from all these systems will continue to be
collated and sold to spammers, phishers, identity thieves, blackmailers,
and anyone else with a passing interest in the usable contents of large
numbers of systems. (8) Legislators and politicians who cannot even
use computers will propose and likely pass bill after bill after bill
which not only makes the situation worse, but uses it as an excuse to
destroy the few remaining protections that citizens have against wholesale
government snooping into their private lives. As a bonus, they'll
ensure that much of this information is passed along to any private
contractors who've made sufficient campaign contributions, and they
in turn will be hacked by the first bored 17-year-old with an attitude
that takes note of their existence.

Oh. Almost forgot. At each step, the favorite phrases of people who've
failed to learn from history, failed to heed warnings, failed to educate
themselves, failed to listen to experts and now wish to distance themselves
as far as they possibly can from the direct consequences of their own
choices and actions will be used:

"nobody could have predicted"
and
"we take this matter seriously"

---rsk


Jason_Livingood at cable

May 1, 2012, 5:26 AM

Post #22 of 46 (2720 views)
Permalink
Re: Operation Ghost Click [In reply to]

On 4/26/12 5:47 PM, "Paul Graydon" <paul [at] paulgraydon> wrote:

>Based on conversations on this list a month or so ago, ISPs were
>contacted with details of which of their IPs had compromised boxes
>behind them, but it seems the consensus is that ISP were going to just
>wait for users to phone support when it broke rather than be proactive
>about it.

I doubt most big ISPs would be so reactive (those calls cost real money
after all, and customer satisfaction suffers), but I guess you never know.
At Comcast we have done the following:
- Sent emails
- Sent postal mail
- Left voicemail
- Used automated outbound calling
- Used increasingly persistent web browser notifications

We've measured the effectiveness of some of these notification methods,
which we'd not employed previously in our Constant Guard bot notification
program. We're considering writing up a paper about this after the July
date passes.

Jason


Jason_Livingood at cable

May 1, 2012, 5:26 AM

Post #23 of 46 (2712 views)
Permalink
Re: Operation Ghost Click [In reply to]

On 4/26/12 10:03 PM, "Jeff Kell" <jeff-kell [at] utc> wrote:

>And what about the millions of users unknowingly infected with
>"something else" ??
>
>(We have enough trouble isolating/remediating issues among our
>relatively small user base, I'd hate to be facing a major ISP size
>support/remediation effort...)
>
>Does anyone have a plan?

Well, there's the new botnet code of conduct thing (Mike O'Reirdan can
chime in with more info here). Plus ISPs like the one I work at (Comcast)
have been doing bot notification and remediation for some time now. I know
other ISPs have different approaches, and so different bot programs, but
the majority of them are doing something (with a few exceptions).

Jason


richard.barnes at gmail

May 1, 2012, 7:25 AM

Post #24 of 46 (2709 views)
Permalink
Re: Operation Ghost Click [In reply to]

ISPs in the Netherlands have had a "botnet treaty" in effect since
2009, which calls for blocking, user notification, and inter-ISP
information sharing.
<http://ripe59.ripe.net/presentations/huijbregts-botnet-convenant.pdf>
<http://www.darkreading.com/blog/227700601/dutch-isps-sign-anti-botnet-treaty.html>

I don't have any data about how effective it's been, though.



On Tue, May 1, 2012 at 8:26 AM, Livingood, Jason
<Jason_Livingood [at] cable> wrote:
> On 4/26/12 10:03 PM, "Jeff Kell" <jeff-kell [at] utc> wrote:
>
>>And what about the millions of users unknowingly infected with
>>"something else" ??
>>
>>(We have enough trouble isolating/remediating issues among our
>>relatively small user base, I'd hate to be facing a major ISP size
>>support/remediation effort...)
>>
>>Does anyone have a plan?
>
> Well, there's the new botnet code of conduct think (Mike O'Reirdan can
> chime in with more info here). Plus ISPs like the one I work at (Comcast)
> have been doing bot notification and remediation for some time now. I know
> other ISPs have different approaches, and so different bot programs, but
> the majority of them are doing something (with a few exceptions).
>
> Jason
>
>


rsk at gsp

May 1, 2012, 7:40 AM

Post #25 of 46 (2713 views)
Permalink
Re: Operation Ghost Click [In reply to]

On Tue, May 01, 2012 at 12:26:20PM +0000, Livingood, Jason wrote:
> At Comcast we have done the following:
> - Sent emails
> - Send postal mail
> - Left voicemail
> - Used automated outbound calling
> - Used increasingly persistent web browser notifications

This is a reply to you, but it's intended to be directed at everyone
who runs a consumer network, since zombies are everywhere.

Why haven't you cut these obviously-infected systems off entirely?
They no longer belong to their putative owners in any meaningful sense:
oh, they might be in their homes, sitting on their desktops, but they're
owned, operationally, by parties unknown -- botmasters and anyone that
they're renting them out to. The only use your customers are making of
them is that which they are *permitted* to do by the largesse of their
new owners, who of course find it convenient to maintain the illusion
because it encourages the former owners to keep them switched on and
plugged into your network.

(And given that your customer is not using their own system any more,
there's no reason to believe that its new owners will permit them to see
any email you send or any web browser notifications you emit. I'm sure if
these become prevalent, not just at Comcast but among other major ISPs,
the botmasters will pay someone to do the coding necessary to suppress
them, and then propagate that code to all their bots.)

This isn't to say that what you're doing isn't well-intentioned: it is.
And it's a lot more than many others are doing. But if it was going to
work, it would have worked by now.

---rsk
