Re: DNS Changer items

[joel jaeggli <joelja () bogus com>]

On 8/15/12 10:24 AM, Leo Bicknell wrote:
> In a message written on Wed, Aug 15, 2012 at 08:01:15AM -0700, joel jaeggli wrote:
> > Remediation of whatever wrong with a given prefix is an active activity,
> > it's not likely to go away unless the prefix is advertised.
> Actually, that's not true on two fronts.
>
>  From a business relationship front, if the problem is contacting
> the right people when the "right people" have been arrested and now
> some police agent now needs to generate the right paperwork, produce
> court paperwork, see a judge, time will absolutely help.
The right people in this case are the one's with the broken PC's. The 
misbehavior associated with the prefix was dealt with some time ago.
>    I can see
> a scenario here where it might have been worked out to transfer the
> block to the appropriate law enformcement agency for a year (with
> them paying the usual fees) such that they could wind this down in
> an orderly way.
Courts already did that, name-servers with that prefix range were 
operated by ISC from november 9th 2011 to July 9th 2012 at the request 
of the FBI.
> If the problem is technical badness, the block has appeared on
> blacklists or grey lists, or been placed in to temporary filters
> to block DNS changer badness time will also help.  Most (although
> not all) of those activities are aged out.  As ISP's stop seeing
> hits on their DNS changed ACL's because the machines have been
> cleaned up they will remove them.  Greylists will age out.
>
> Indeed both of these is why there is a "cooling off" period in place
> now at all RIR's.  They have been proven to work.  Previously in
> some cases they were 6-12 months though, and what the community has
> said is that given that we're out of IPv4 those time periods should
> be shorter.  The question becomes how much shorter?  Clearly holding
> them back for 1 day isn't long enough to make any business or
> technical difference.  The community is saying 6-12 months is too
> long.
>
> I am saying 6 weeks sounds too short to me, but if it is appropriate
> for "ordinary" blocks there needs to be an exception for extrodinary
> ones.  From time to time we hear about blocks like DNSChanger that
> millions of boxes are configured to hit,
Were configured to hit, if they still are they've been broken for a 
while, or are being kept on life support by ISPs.

in any event they're aren't millions anymore there are perhaps low 
thousands of broken computers.
>   or I remember the University
> of Wisconsin DDOSed by NTP queries from some consumer routers.  When
> the box still has high levels of well known, active badness, perhaps
> it should be held back longer.
The university of Wisconsin seems like an unlikely candidate to give up 
it's prefix over that.

http://pages.cs.wisc.edu/~plonka/netgear-sntp/#ToC39
> > In the case of dns changer, I would think that if you don't have working
> > DNS for long enough you're going to have your computer fixed or throw it
> > out. if you were an operator using that prefix to prevent customer
> > breakage you should be on notice that's not sustainable indefinitely or
> > indeed for much longer.
> The problem here isn't just the infected computers.  Would you want to
> receive a netblock from an RIR that came with tens or hundreds of
> megabits of DDOS, I mean, background noise when you turned it on?
It is unlikely in the extreme that what remains when that prefix is 
advertised is 100s of megabits of DOS. that said as a potential 
recipient of such a prefix, I'd probably be willing to accept a fair 
amount of garbage  if the alternative is not having one. I fully expect 
quality of ipv4 prefixes available for re-assignment to continue to drop.
> Whoever receives this block is in for a world of hurt.