More ways malware damages internet infrastructure: DNS servers

Malware: spotted on NANOG — Six PCs caused BigPond problems:

Disconnecting six compromised personal computers on Tuesday evening eased the difficulties caused by bogus requests which clogged BigPond’s domain name servers (DNS), slowing customer e-mail and Web site access, Telstra said.

A Telstra spokesperson said the carrier had narrowed the list of malware that could have infected the computers to three, adding the problem could have been caused by a combination of those viruses or Trojans. He declined to name the suspects.

He said the PCs generated 95 percent of the bogus requests which caused the problems that evening.

The ‘problems’ in question are described here:

One forum participant (on Aussie forum Whirlpool), who claimed to be a BigPond customer, said on Monday: ‘I’m in Canberra and it’s been almost unusable all afternoon. I’m snowed under at the moment and it is really driving me crazy. Three out of four links fail to load first time and sometimes take eight or nine tries before it does.’

Another said: ‘I am having problems loading Web pages, I get the 404 error. I have to retry five to 10 times to get some places.’

Petri Helenius, in a post to NANOG, notes:

Consumer ISPs who don’t proactively take care of security/abuse usually end up with harvesting bots which consume a significant amount of DNS resources, typically doing anything from a few dozen to a thousand queries a second. A few hundred of these will seriously hamper a usually provisioned recursive server.

Interesting. It’s been a long time since I’ve relied on an ISP’s recursive DNS servers; in my recent experience (Comcast, Cox.net) they’ve always been overloaded, and take aaaages to give me answers. Maybe this is why.

It makes sense; most Windows machines will indeed use the ISP’s recursive nameservers, because those are the resolver addresses DHCP hands out; and setting up a BIND or djbdns instance locally to query the roots directly is still a UNIX-only trick, as far as I know.
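The operational question behind the story is how an ISP finds the handful of hosts that generate most of a resolver’s load. The following is an added example, not code from this post, from Telstra or from the NANOG thread: it parses BIND 9 querylog-style lines, computes each client’s total and peak queries-per-second, flags clients above a rate threshold (the ‘few dozen to a thousand queries a second’ per bot that Helenius describes), and reports what share of all queries the flagged clients produced (the counterpart of the ‘95 percent from six PCs’ figure in the Telstra quote). The log lines, timestamps and 203.0.113.x addresses are constructed for the example; the 20 qps threshold is an assumption to be tuned against a real user population.

```python
"""Find the few clients responsible for most of a recursive resolver's load.

Added example, not code from the original post, Telstra or NANOG.
Assumes BIND 9 querylog line formatting; all log lines and IPs are constructed.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# BIND 9 querylog line, e.g.
# 02-Nov-2004 18:31:07.412 client 203.0.113.7#1054: query: www.example.com IN A +
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_line(line):
    """Return (timestamp, client_ip, qname, qtype), or None for non-query lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S")
    return ts, m.group("ip"), m.group("qname"), m.group("qtype")


def per_client_stats(lines):
    """Total query count and peak queries-per-second for every client IP."""
    totals = Counter()
    per_second = defaultdict(Counter)  # ip -> {second: queries in that second}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, ip, _, _ = rec
        totals[ip] += 1
        per_second[ip][ts] += 1
    peak = {ip: max(c.values()) for ip, c in per_second.items()}
    return totals, peak


def flag_abusers(lines, peak_qps=20):
    """Clients whose peak per-second rate exceeds peak_qps (assumed threshold; tune it)."""
    _, peak = per_client_stats(lines)
    return {ip for ip, q in peak.items() if q > peak_qps}


def share_of_load(lines, clients):
    """Fraction of all parsed queries that came from the given clients."""
    totals, _ = per_client_stats(lines)
    total = sum(totals.values())
    return sum(totals[ip] for ip in clients) / total if total else 0.0


def build_sample_log():
    """Constructed log: 3 ordinary users and 2 infected hosts over a 10-second window."""
    base = datetime(2004, 11, 2, 18, 31, 0)
    lines = []
    # Ordinary users: one A lookup every three seconds.
    for i, ip in enumerate(["203.0.113.21", "203.0.113.22", "203.0.113.23"]):
        for s in range(0, 10, 3):
            t = base + timedelta(seconds=s + i % 2)
            lines.append(f"{t:%d-%b-%Y %H:%M:%S}.{(i * 37) % 1000:03d} "
                         f"client {ip}#{1024 + i}: query: www.example.com IN A +")
    # Infected hosts: an address-harvesting bot doing 80 MX lookups per second.
    for ip in ["203.0.113.7", "203.0.113.9"]:
        for s in range(10):
            t = base + timedelta(seconds=s)
            for n in range(80):
                lines.append(f"{t:%d-%b-%Y %H:%M:%S}.{n:03d} "
                             f"client {ip}#2048: query: host{n}.example.net IN MX +")
    # A non-query line, to show the parser skips it.
    lines.append("02-Nov-2004 18:31:10.000 zone example.org/IN: loaded serial 2004110201")
    return lines


if __name__ == "__main__":
    log = build_sample_log()
    bad = flag_abusers(log)
    print(f"flagged {sorted(bad)} -> {share_of_load(log, bad):.1%} of all queries")
```

Run against a real querylog, the same two numbers (per-client peak rate, and the share of total load attributable to the flagged clients) are what justify pulling a handful of subscribers offline: a few hosts at bot rates will dominate the total even on a resolver serving thousands of ordinary users.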

The upshot?

1. Yet another good reason why ISPs should proactively disconnect infected customers, as they deny service to other users of the ISP.
2. A good demonstration of yet another way the techie community’s experience of web surfing and internet use differs from that of the unwashed masses in the hinternet — that ‘shanty-town of pop-ups and porn adware’, as Danny O’Brien puts it.
3. Sometime soon, if it hasn’t happened already, someone’s going to bundle up an ‘Internet Accelerator’ lump of shareware that sets up a local recursive NS on Windows which queries the roots, and it’ll become the latest popular Windows download. Then the load on the root servers will really start rising.

(PS: top tip — ever wanted a publicly queryable recursive nameserver, or a good IP address for pinging, that’s easy to remember? 4.2.2.1 is what you’re after.)
