The Server North 'blog

Jul 07

Keeping Tabs & DNS Changer

Privacy is important to us at Server North, we've actually got a pretty decent policy (posted on our Alpha website) that protects our customers rather well. In fact, we brandished it a few weeks ago in dealing with a court order.

But from time to time, we need to look at who's doing what on the network. Usually we're working with a customer to help debug a problem, or occasionally we need to diagnose or explain strange traffic on the network. We're an ISP, we really can't know what to expect on our network at all times so we do have to peek. A rough guesstimate would say that 98% of the time we're looking, it's at volumes or sources & destinations of traffic - it is exceedingly rare that we look at the contents of the network traffic.

Again, in just about every instance, we do this while working with a customer. The only indiscriminate monitoring we do is of volume or flow, which makes pretty graphs that allow us to keep an eye on usage across the network - and that looks like this:
Traffic Graph

Nothing terribly sensitive to the customer-base there. (On the other hand, we don't like sharing those graphs, that's an internal file server's network interface.)

Why are we going on about this?

It starts with the FBI shutting down some temporary name servers (DNS) that were formerly used for nefarious purposes; as a result, there's a lot of headline-grabbing occurring, with media outlets screaming "Government turning off Internet for millions of innocent Internet users!" and whatnot. Without getting into a dissertation about hyperbole and crying FIRE! in a crowded theatre, this isn't entirely true.

The short version is: hackers used viruses and malware to change settings on people's computers to use their evil DNS servers. The bad guys got shut down, but the FBI kept the servers running - in a non-evil mode. Now they've decided they're going to shut them down, and for the infected computers, the ability to convert names like "ServerNorth.net" to IP addresses (98.124.60.65) will go away. An affected machine will still be on the Internet, but the online "phonebook" will be gone, so it'll be rather difficult to use the Internet. Unless you enjoy surfing by IP: https://199.59.148.10 ;)

For more information about what's going on, check out the DCWG website, there's also a lot of resources there including links to testing tools.

Monday those servers are going down.

Now as you likely know, Server North is a small company, we have a few hundred customers and know almost all of you by name. We figured we could monitor our outgoing network traffic for DNS queries headed for the affected servers and pre-emptively contact the customer and help them get cleaned up. We fired up our packet watcher and waited to see who might need a hand...

Packet Dump


One DNS request. One.

... And that was me (Myke) testing that the filter rule was working. (If you look carefully, you'll see I looked up "foo")

Hmm, guess you guys don't need our help after all...

Have a nice weekend!

PS: Here's the command line that'll watch eth0 on a Linux machine for DNS traffic headed to the rogue servers:
tcpdump -n -i eth0 "port 53 and net (85.255.112.0/20 or 67.210.0.0/20 or 93.188.160.0/21 or 77.67.83.0/24 or 213.109.64.0/20 or 64.28.176.0/20 )"
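As an added example (not from the post or Server North's tooling), here is a small Python script that applies the same check offline: it reads tcpdump -n style lines, keeps only queries to port 53 whose destination falls in the rogue netblocks from the command above, and reports which client IPs sent them, so a helpdesk knows whom to call. The log lines are constructed samples with documentation addresses as clients.

```python
import ipaddress
import re

# Rogue DNS netblocks, taken from the tcpdump filter in the post.
DNSCHANGER_NETS = [ipaddress.ip_network(n) for n in (
    "85.255.112.0/20", "67.210.0.0/20", "93.188.160.0/21",
    "77.67.83.0/24", "213.109.64.0/20", "64.28.176.0/20",
)]

# Shape of a "tcpdump -n" line: "HH:MM:SS.usec IP src.sport > dst.dport: ..."
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):"
)


def rogue_network(ip):
    """Return the rogue netblock containing ip, or None if it is not listed."""
    addr = ipaddress.ip_address(ip)
    for net in DNSCHANGER_NETS:
        if addr in net:
            return net
    return None


def find_affected_clients(lines):
    """Map each client IP to the set of rogue resolvers it queried.

    Only packets destined for port 53 count, so replies (source port 53)
    and non-DNS traffic to the same ranges are ignored.
    """
    hits = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group("dport") != "53":
            continue
        if rogue_network(m.group("dst")) is None:
            continue
        hits.setdefault(m.group("src"), set()).add(m.group("dst"))
    return hits


# Constructed sample capture: two infected clients, one clean one, a reply, a non-DNS hit.
SAMPLE = """\
12:00:01.000001 IP 192.0.2.10.51234 > 85.255.112.55.53: 1234+ A? foo. (21)
12:00:01.500000 IP 192.0.2.11.40001 > 8.8.8.8.53: 5+ A? example.com. (29)
12:00:02.000000 IP 192.0.2.12.33333 > 93.188.161.4.53: 7+ A? bank.example. (30)
12:00:03.000000 IP 192.0.2.10.51235 > 67.210.5.9.53: 8+ A? mail.example. (30)
12:00:04.000000 IP 192.0.2.13.44444 > 85.255.112.55.80: Flags [S], seq 1, length 0
12:00:05.000000 IP 85.255.112.55.53 > 192.0.2.10.51234: 1234 1/0/0 A 198.51.100.1 (37)
""".splitlines()

if __name__ == "__main__":
    for client, resolvers in sorted(find_affected_clients(SAMPLE).items()):
        print(client, "->", ", ".join(sorted(resolvers)))
```

To use it on a live capture, feed it the output of the tcpdump command above (the -n flag matters, since the regex expects numeric addresses).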

Posted by: Myke
