More ways malware damages internet infrastructure: DNS servers

Malware: spotted on NANOG — Six PCs caused BigPond problems:

Disconnecting six compromised personal computers on Tuesday evening eased the difficulties caused by bogus requests which clogged BigPond’s domain name servers (DNS), slowing customer e-mail and Web site access, Telstra said.

A Telstra spokesperson said the carrier had narrowed the list of malware that could have infected the computers to three, adding the problem could have been caused by a combination of those viruses or Trojans. He declined to name the suspects.

He said the PCs generated 95 percent of the bogus requests which caused the problems that evening.

The ‘problems’ in question are described here :

One forum participant (on Aussie forum Whirlpool), who claimed to be a BigPond customer, said on Monday: ‘I’m in Canberra and it’s been almost unusable all afternoon. I’m snowed under at the moment and it is really driving me crazy. Three out of four links fail to load first time and sometimes take eight or nine tries before it does.’

Another said: ‘I am having problems loading Web pages, I get the 404 error. I have to retry five to 10 times to get some places.’

Petri Helenius, in a post to NANOG, notes:

Consumer ISP’s who don’t proactively take care of security/abuse usually end up with harvesting-bots which consume significant amount of DNS resources, typically doing anything from a few dozen to a thousand queries a second. A few hundred of these will seriously hamper an usually provisioned recursive server.

Interesting. It’s been a long time since I’ve relied on an ISP’s recursive DNS servers; in my recent experience (Comcast, they’ve always been overloaded, and take aaaages to give me answers. Maybe this is why.

It makes sense; most Windows machines will indeed use the ISP’s NSes, because that’s what DHCP tells you to do; and setting up a BIND or djbdns instance locally to query the roots directly is still a UNIX-only trick, as far as I know.

The upshot?

  • 1. Yet another good reason why ISPs should proactively disconnect infected customers, as they deny service to other users of the ISP.
  • 2. A good demonstration of yet another way the techie community’s experience of web surfing and internet use differs from that of the unwashed masses in the hinternet — that ‘shanty-town of pop-ups and porn adware’, as Danny O’Brien puts it.
  • 3. Sometime soon, if it hasn’t happened already, someone’s going to bundle up an ‘Internet Accelerator’ lump of shareware that sets up a local recursive NS on Windows which queries the roots, and it’ll become the latest popular Windows download. Then the load on the root servers will really start rising.

(PS: top tip — ever wanted a publically-queriable recursive nameserver, or a good IP address for pinging, that’s easy to remember? is what you’re after.)

This entry was posted in Uncategorized and tagged , , , , , , , , , , . Bookmark the permalink. Both comments and trackbacks are currently closed.

One Comment

  1. Almost all online p0rn is made using captives
    Posted December 28, 2008 at 22:55 | Permalink

    FBI reports that online crime is at an all time high. So why are we hearing so little about it? Cyber crime has been estimated by the US Treasury to be more valuable than the illegal drugs trade – worth more than $100 billion a year ( What you don’t see talked about much is that most large internet corporations are Mafia owned, and when a new successful company rises up, they buy it. Almost all online pornography is owned by mafia, usualy made from captive women & children in Russia or Eastern Europe. Large amounts of free spyware/antivirus software is created by mafia (, household names, & unsafe against their manufacturer, who create the kind of viruses etc. which you are trying to clean from your computer to begin with. About the only serious online non Mafia corporation is Microsoft, which is under continual attack from them, the reason you need continual security updates. You can read about how I came to know these things here: