Malware: spotted on NANOG — Six
PCs caused BigPond problems:
Disconnecting six compromised personal computers on Tuesday evening
eased the difficulties caused by bogus requests which clogged BigPond’s
domain name servers (DNS), slowing customer e-mail and Web site access,
Telstra said.
A Telstra spokesperson said the carrier had narrowed the list of malware
that could have infected the computers to three, adding the problem
could have been caused by a combination of those viruses or Trojans. He
declined to name the suspects.
He said the PCs generated 95 percent of the bogus requests which caused
the problems that evening.
The ‘problems’ in question are described here:
One forum participant (on Aussie forum Whirlpool), who claimed to be a
BigPond customer, said on Monday: ‘I’m in Canberra and it’s been almost
unusable all afternoon. I’m snowed under at the moment and it is really
driving me crazy. Three out of four links fail to load first time and
sometimes take eight or nine tries before it does.’
Another said: ‘I am having problems loading Web pages, I get the 404
error. I have to retry five to 10 times to get some places.’
Petri Helenius, in a post to NANOG, notes:
Consumer ISPs who don’t proactively take care of security/abuse usually
end up with harvesting-bots which consume a significant amount of DNS
resources, typically doing anything from a few dozen to a thousand
queries a second. A few hundred of these will seriously hamper a
usually provisioned recursive server.
Interesting. It’s been a long time since I’ve relied on an ISP’s
recursive DNS servers; in my recent experience (Comcast, Cox.net) they’ve
always been overloaded, and take aaaages to give me answers. Maybe this
is why.
It makes sense; most Windows machines will indeed use the ISP’s NSes,
because those are the resolvers the DHCP lease hands them; and setting up
a BIND or djbdns instance locally to query the roots directly is still a
UNIX-only trick, as far as I know.
The upshot?
- 1. Yet another good reason why ISPs should proactively disconnect infected
customers, as they deny service to other users of the ISP.
- 2. A good demonstration of yet another way the techie community’s
experience of web surfing and internet use differs from that of the
unwashed masses in the
hinternet — that ’shanty-town of pop-ups and porn adware’, as Danny
O’Brien puts it.
- 3. Sometime soon, if it hasn’t happened already, someone’s going to bundle
up an ‘Internet Accelerator’ lump of shareware that sets up a local
recursive NS on Windows which queries the roots, and it’ll become the
latest popular Windows download. Then the load on the root servers will
really start rising.
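Point 1 presupposes that the ISP can actually pick the infected hosts out of its resolver logs. Helenius’s figures (dozens to a thousand queries a second per bot, versus a few per second for a real user) make that a rate problem, and the Telstra quote (six PCs generating 95 percent of the bogus requests) suggests the share-of-total figure is the one to report. The following is an added example, written for this post and not code from the original page, Telstra, or NANOG: it parses BIND-style query-log lines (the line format is assumed, adjust the regex to your server), computes each client’s peak per-second rate and distinct-name count, and flags clients above a threshold together with the fraction of all queries they produced. The log lines are constructed for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Assumed line shape for BIND 9 query logging (category "queries"); the exact
# fields differ between versions, so treat this regex as an assumption:
#   01-Mar-2005 18:40:01.123 client 10.0.0.5#1234: query: example.com IN A
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"client (?P<ip>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_line(line):
    """Parse one query-log line into (second, client_ip, qname, qtype); None if not a query line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    second = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S")
    return second, m.group("ip"), m.group("qname"), m.group("qtype")


def per_client_stats(lines):
    """Return {ip: {"total": n, "peak_qps": p, "unique_qnames": u}} over the log."""
    per_sec = defaultdict(Counter)   # ip -> Counter(second -> queries in that second)
    qnames = defaultdict(set)        # ip -> distinct names asked for
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                 # zone loads, notifies, etc. are not queries
        second, ip, qname, _ = rec
        per_sec[ip][second] += 1
        qnames[ip].add(qname.lower())
    return {
        ip: {
            "total": sum(secs.values()),
            "peak_qps": max(secs.values()),
            "unique_qnames": len(qnames[ip]),
        }
        for ip, secs in per_sec.items()
    }


def flag_hogs(stats, qps_threshold=30):
    """Clients whose peak per-second rate reaches the threshold, plus the share of
    all logged queries they account for (the '95 percent' style figure)."""
    total = sum(s["total"] for s in stats.values())
    hogs = sorted(ip for ip, s in stats.items() if s["peak_qps"] >= qps_threshold)
    hog_share = sum(stats[ip]["total"] for ip in hogs) / total if total else 0.0
    return hogs, hog_share


def sample_log():
    """Constructed sample: one address-harvesting bot and three ordinary clients."""
    tmpl = "01-Mar-2005 18:40:0{s}.{ms:03d} client {ip}#{port}: query: {q} IN {t}"
    lines = []
    # Bot: 120 MX lookups for 120 different hosts inside one second.
    for i in range(120):
        lines.append(tmpl.format(s=1, ms=i, ip="10.0.0.99", port=1024 + i,
                                 q=f"host{i}.example.net", t="MX"))
    # Ordinary clients: a handful of A lookups spread over three seconds.
    for s, ip, q in [(1, "10.0.0.5", "www.example.com"),
                     (2, "10.0.0.5", "mail.example.com"),
                     (2, "10.0.0.7", "www.example.org"),
                     (3, "10.0.0.8", "news.example.org"),
                     (3, "10.0.0.7", "www.example.org")]:
        lines.append(tmpl.format(s=s, ms=500, ip=ip, port=3000, q=q, t="A"))
    # A non-query line, which the parser must skip.
    lines.append("01-Mar-2005 18:40:03.900 zone example.com/IN: loaded serial 1")
    return lines


if __name__ == "__main__":
    stats = per_client_stats(sample_log())
    hogs, share = flag_hogs(stats)
    for ip in hogs:
        s = stats[ip]
        print(f"{ip}: peak {s['peak_qps']} q/s, {s['total']} queries, "
              f"{s['unique_qnames']} distinct names")
    print(f"flagged clients generated {share:.0%} of all queries")
```

The threshold of 30 queries per second sits at the low end of Helenius’s “few dozen” and well above anything a browser or mail client does on its own; the distinct-name count is the second signal worth keeping, since a harvesting bot asks for hundreds of names once each, while a busy legitimate host re-asks for a few names it could have cached.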
(PS: top tip — ever wanted a publicly-queriable recursive nameserver,
or a good IP address for pinging, that’s easy to remember? 4.2.2.1
is what you’re after.)
Tags: bigpond, customer, dns, evening, forum, isp, malware, nanog, telstra, time, web