mailing list archives
Re: DNS Attacks
From: Robert Bonomi <bonomi () mail r-bonomi com>
Date: Sat, 18 Feb 2012 16:29:17 -0600 (CST)
Joel M Snyder <Joel.Snyder () Opus1 COM> wrote;
Quoting the FBI:
22.214.171.124 through 126.96.36.199
188.8.131.52 through 184.108.40.206
220.127.116.11 through 18.104.22.168
22.214.171.124 through 126.96.36.199
188.8.131.52 through 184.108.40.206
220.127.116.11 through 18.104.22.168
Solve said problem easily by destination NATing those IPs on 53/UDP/TCP
to your own recursive servers, or dump them on Google at 22.214.171.124 if
you're so inclined. Extra bonus result: NAT logs will show who needs a
pleasant email from customer service.
Even better, nat to a 'bogon' DNS server -- one that -- regardless of the
query -- returns the address of a dedicated machine on your network set up
especially for this purpose. This special-purpose machine returns a
customized 'error message' for any/all 'standard' protocols -- one that
states that they are infected with the particular malware, that none of
their attempts at intnernet access will work until they get that malware
removed, that they need to contact a 'computer repair' business ("See the
Yellow pages") to get the problem dealt with, -and- that assistance with
such malware removal is -not- part your 'support' services. Lastly, add
a statement that any calls to -your- support staff will cause the customer's
account a fee of $xx -- just for repeating the above. Th special-purpose
machine logs all inbound connection attempts -- timestamp, source IP, and
protocol -- for matching against customer accounts, providing a provable
audit trail to support the 'penalty' charge, when users -do- call 'support'.
Optionally, you refer them to a 'paid consulting' division of your operation,
which provides additional services on a time-and-materials basis.
This approach is -not- particularly 'customer-friendly' in the short term,
but it -will- have long-term benefits for the customer -- they _will_ have
learned something about the risks of not 'practicing safe hex', and their
machine(s) will (well, _probably_) be safer/more secure in the future. Thus
reducing future problems for both the customer and the provider support desk.
Or you could just let 'em suffer, BoFH-style.
 "'em" in this case is "your customer service reps" who will see a
'higher than normal call volume' should the FBI's warning mean anything.