DNS Integrity in the Real World


Those who followed the SOPA and Protect IP copyright law debate in December and January will recall an argument raised by certain members of the tech sector to the effect that enlisting the Internet’s Domain Name System (DNS) in the fight against pirated goods would undermine Internet security. The SOPA critics allowed that it is acceptable to use DNS blacklists to prevent access to malware sites, but maintained that sites selling Hollywood movies without a license have an entirely different character.

Critics also argued that, besides all of that, DNS blacklisting would be completely ineffective, because users would simply shift from the legitimate DNS services provided by their ISPs to rogue services operating offshore and outside the reach of U.S. law. Some critics, such as former Bush Administration official Stewart Baker, argued that, without any user intervention at all, Secure DNS would magically go “casting about the Internet” looking for rogue DNS services to reach the pirate video sites of the user’s preference.

We pushed back on these arguments, pointing out that there is an extremely high overlap between the criminal sites that sell patent-protected and copyrighted goods without license and those that infect computers with malware, and that the typical user lacks the technical skills needed to change the DNS servers that their ISP assigns to their home router to some other specific pair of DNS servers.

A blog post on CircleID about the DNS Changer botnet shows that we were right and our critics were wrong. The post chronicles the struggle to take down a botnet that changed the DNS server settings on user computers and home routers to point at rogue DNS servers, which the operators then used to redirect users to bogus versions of financial web sites. That enabled the criminals to steal credit card numbers and banking logins.

But how did this malicious software get installed in user systems to begin with? According to the FBI indictment, the key was offering pirated video content:

Victims’ computers became infected with the Malware when they visited certain websites or downloaded certain software to view videos online. The Malware altered the DNS server settings on victims’ computers to route the infected computers to rogue DNS servers controlled and operated by the defendants and their co-conspirators.

That’s what we said was happening, and the DNS Changer botnet episode is one clear example.

And how easy has it been to change the DNS servers installed by the botnet to legitimate ones? Not easy at all:

Most Internet users do not have the skills necessary to check and repair the configuration of their home routers, and most Windows users are also unwilling to reinstall Windows. So, even when we could identify and notify a victim, we had a hard time “closing the deal”.

This is a far cry from the “one click of a mouse” story that SOPA critics told Congress, and it is a different reality from Stewart Baker’s “magically casting about the Internet” story.
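To make the check concrete, here is an added example (not code from the original post, from ISC, or from the DNS Changer takedown) of the first thing a help desk or an operator would run on a suspect machine: read the resolver settings from either a resolv.conf-style file or a Windows `ipconfig /all` dump and flag any resolver that falls inside a list of rogue ranges. The `ROGUE_RANGES` values are constructed placeholders drawn from the documentation prefixes, not the ranges DNS Changer actually used, and the two sample configuration texts are likewise constructed.

```python
"""Flag configured DNS resolvers that fall inside known-rogue address ranges.

Added example; not code from the original post, from ISC, or from the
DNS Changer takedown. ROGUE_RANGES are constructed placeholders
(RFC 5737 / RFC 3849 documentation prefixes). For a real incident,
substitute the ranges published by the responders.
"""
import ipaddress
import sys

# Constructed placeholder ranges; NOT the real DNS Changer resolver ranges.
ROGUE_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("2001:db8:bad::/48"),
]


def _parse_ip(token):
    """Return an IPv4/IPv6 address object, or None if the token is not one.
    A Windows zone index (fe80::1%12) is dropped before parsing."""
    try:
        return ipaddress.ip_address(token.strip().split("%", 1)[0])
    except ValueError:
        return None


def extract_resolvers(config_text):
    """Collect resolver addresses from resolv.conf 'nameserver' lines or from
    the 'DNS Servers' line (plus its indented continuation lines) of an
    'ipconfig /all' dump. Other address-bearing lines (gateway, netmask,
    the host's own address) are deliberately ignored."""
    resolvers = []
    in_dns_block = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            in_dns_block = False
            continue
        lower = line.lower()
        if lower.startswith("nameserver"):
            parts = line.split()
            candidate = parts[1] if len(parts) > 1 else ""
            in_dns_block = False
        elif "dns servers" in lower:
            # The label ends at the first colon; an IPv6 value keeps its own.
            candidate = line.partition(":")[2]
            in_dns_block = True
        elif in_dns_block:
            candidate = line  # bare address indented under "DNS Servers"
        else:
            continue
        ip = _parse_ip(candidate)
        if ip is None:
            in_dns_block = False  # a non-address line ends the block
        elif ip not in resolvers:
            resolvers.append(ip)
    return resolvers


def is_rogue(addr, rogue_ranges=ROGUE_RANGES):
    """True if addr (string or address object) lies inside any rogue network."""
    if isinstance(addr, (ipaddress.IPv4Address, ipaddress.IPv6Address)):
        ip = addr
    else:
        ip = _parse_ip(addr)
    if ip is None:
        return False
    return any(ip.version == net.version and ip in net for net in rogue_ranges)


def find_rogue_resolvers(config_text, rogue_ranges=ROGUE_RANGES):
    """Resolver addresses (as strings) in config_text that hit a rogue range."""
    return [str(ip) for ip in extract_resolvers(config_text)
            if is_rogue(ip, rogue_ranges)]


# Constructed sample inputs: one Linux resolv.conf and one Windows ipconfig dump.
SAMPLE_RESOLV_CONF = """\
# resolv.conf (constructed sample)
search home.example
nameserver 203.0.113.5
nameserver 192.0.2.53
"""

SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : home.example
   IPv4 Address. . . . . . . . . . . : 192.168.1.77
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 2001:db8:bad::53
                                       198.51.100.7
                                       192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

if __name__ == "__main__":
    # Usage: python check_resolvers.py <file>; with no file, runs on the samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            samples = {sys.argv[1]: fh.read()}
    else:
        samples = {"resolv.conf sample": SAMPLE_RESOLV_CONF,
                   "ipconfig sample": SAMPLE_IPCONFIG}
    for name, text in samples.items():
        hits = find_rogue_resolvers(text)
        print(f"{name}: rogue resolvers -> {', '.join(hits) if hits else 'none'}")
```

Run it against the host’s own settings and, separately, against the DNS servers the home router hands out over DHCP: a freshly reinstalled Windows box behind a router whose WAN DNS settings were changed still talks to the rogue resolvers, which is why the cleanup quoted above stalls at the router. A resolver that misses the list is not proof the machine is clean; it only clears this one indicator.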

The most shocking parts of this story are the timeline and the people involved. The takedown of DNS Changer took place in November 2011, the month before the DNS security arguments were presented to Senate staffers and to members of the House Judiciary Committee at the SOPA markup hearings.

So well-informed critics would have known about DNS Changer while they were arguing that SOPA represented a bigger threat to Internet security than rogue sites do themselves. The information about DNS Changer was not made public at the time, but the principal technologist working on the takedown, Paul Vixie, was vigorously lobbying against SOPA. In fact, Vixie is the man with DNS expertise who supplied the primary security arguments against the bill that were simply parroted by other critics with less DNS knowledge.

I fail to see how anyone with DNS knowledge could make the arguments that were made against the SOPA DNS blocking provision with a straight face, especially when the DNS Changer circumstances were staring into that very same face.

The takeaway from this sorry episode is that technologists have the same ability to edit the facts to suit their biases that every other human has. Engineers need to be involved in tech policy debates, but their opinions deserve the same skepticism that is applied to everyone else’s, across the board.

It also appears that the DNS Changer botnet takedown was bungled: the most efficient way to repair the damage it did to end-user systems would have been to use the botnet itself to restore the proper configuration. That remedy may still be available, but it is a story for another post.


Image from Wikimedia Commons user Tom B


About the author

Richard Bennett is an ITIF Senior Research Fellow specializing in broadband networking and Internet policy. He has a 30 year background in network engineering and standards. He was vice-chair of the IEEE 802.3 task group that devised the original Ethernet over Twisted Pair standard, and has contributed to Wi-Fi standards for fifteen years. He was active in OSI, the instigator of RFC 1001, and founder, along with Bob Metcalfe, of the Open Token Foundation, the first network industry alliance to operate an interoperability lab. He has worked for leading applied research labs, where portions of his work were underwritten by DARPA. Richard is also the inventor of four networking patents and a member of the BITAG Technical Working Group.

  • http://twitter.com/PieterHulshoff Pieter Hulshoff

    I think the main argument against SOPA was the problems between DNS filtering and DNSSEC, but perhaps that will be discussed in another blogpost? Let’s focus on what you wrote with regards to DNS filtering circumvention:

    “This is a far cry from the “one click of a mouse” story that SOPA critics told Congress”

    The difference here is that in order to get around DNS blockage as proposed in SOPA (which an infringer really wants to do), all (s)he needs to do is install a browser plugin (which can indeed be as easy as a “one click of a mouse” action). I think it’s safe to say that anyone capable of and willing to install and configure P2P software is also capable of and willing to install a browser plugin.

    With the DNS changer, a victim has to:
    1. Be made aware and convinced (s)he has a problem.
    2. Be capable and willing to reinstall Windows or purchase, install and run a malware remover.
    3. Be capable and willing to reconfigure their cable modem.
    That’s a far cry from having to install a browser plugin, something most web users are quite familiar with.

  • http://bennett.com/blog Richard Bennett

     You seriously don’t see the parallel? DNS Changer users went to the kind of sites that come up when a user does a Google search for “stream free movies.” They installed a P2P client like StreamTorrent by clicking OK on a dialog box and have no clue how to find a browser plugin like MafiaaFire. They apparently don’t even know how to purchase a third party malware removal tool or even how to install Microsoft’s free one.

    Your assumption is that technically astute people are eager to turn their credit cards over to the Russian mafia so they can pay for Hollywood movies that come with a raft of malware, and having done so they suddenly develop amnesia.

    It’s hard to take that inconsistent series of assumptions seriously.

  • http://twitter.com/PieterHulshoff Pieter Hulshoff

    Of course there are similarities, but the differences are what matter here:

    Most of these DNS changer victims aren’t even aware that they had installed DNS changer, and as such it’s hard to convince them to fix it as well. There’s also not that many that know how to reconfigure their router either.

    Installing a browser plugin like MafiaaFire is as easy as a click of a button, and with the internet community working as it does (where do you think all these people learned how to install a P2P program to begin with?) it’s easy to add the plugin button to the rest of the information.

    There’s honestly no comparison as to the ease of routing around a DNS blockage, and getting rid of all the results of DNS changer, which is the basis of your blogpost.

    As to your statement: “Your assumption is that technically astute people are eager to turn their credit cards over the Russian mafia”:
    Why would they need to do that? All it requires to get around SOPA’s DNS proposal is a simple browser plugin, and they can get the infringing material as easy as they do now.

  • http://twitter.com/Jeff_Power Jeff Power

    If you can configure a torrent program, it’s much easier to go into your network settings and just choose a foreign DNS server.
    Unless for some reason this wouldn’t work, I’m baffled by the claim that DNS filtering would be at all effective

  • http://bennett.com/blog Richard Bennett

    I suggest you go through the process of enrolling at one or two of the streaming sites that come up when you Google “free streaming movies” to understand what SOPA is about. Like many critics, you seem to have a very different idea of what kinds of sites it intends to block and what kinds of users it intends to block them for.

    You will have to supply a credit card number, but that’s the breaks.

    BTW, DNS Changer does not modify cable modem settings. None of the cable modems allow their settings to be user-modified. It apparently modifies DNS settings that can easily be modified back programmatically.

    I find it interesting that Vixie’s post doesn’t acknowledge how users got infected by DNS Changer. That’s vital information that bears on SOPA in a big way. The victimized population did not get infected by deliberately installing BitTorrent. Fortunately, the FBI indictment was clear about it.

  • http://bennett.com/blog Richard Bennett

    Consumers of content at the kinds of sites targeted by SOPA don’t install torrent programs, they simply go to a site they find in Google and follow the prompts. The fact that such people can’t remove malware from their own computers tells you how unsophisticated they are.

  • http://twitter.com/Jeff_Power Jeff Power

    It takes very little sophistication to do, many people know just enough to be dangerous. 
    SOPA doesn’t target sites that lead to torrents? That’s an interesting position.

  • http://bennett.com/blog Richard Bennett

    Read carefully. SOPA doesn’t target technically sophisticated users who independently and deliberately install BitTorrent, fiddle with the settings, and alter their DNS settings for IPv4 and IPv6. It targets mainstream consumers who give their credit card numbers to pirate sites and allow these sites to install software on their computers.

    In other words, SOPA targets the people whose computers are infected by the DNS Changer virus, not the kind of people who go to IETF meetings.

    See the difference?

  • Guest

    People REALLY don’t like censorship on the Internet. Check out what happened when they tried to censor a number that would allow for breaking HD-DVD DRM: http://en.wikipedia.org/wiki/AACS_encryption_key_controversy

    At this point it’s probably one of the easiest numbers to acquire. Ditto for “illegal” software like DeCSS. People will go out of their way to offer illegal software to you because they are ideologically opposed to the idea of censorship.

    If it ever comes down to it, you bet nearly every single popular social media website on the Internet, popular software and web browsers will offer methods to get around any DNS filtering prominently on their website in protest. They can try to arrest and shut down the whole tech industry if they want.

  • http://bennett.com/blog Richard Bennett

    Free speech doesn’t mean a free ride. Take a look at Article 27 of the Universal Declaration of Human Rights:

    “Everyone has the right to the protection of the moral and material interests resulting from any scientific, literary or artistic production of which he is the author.”

    Those who promote and support piracy are violating human rights.

  • Guest

    Some people even apparently tattooed the number to themselves. This brings up some interesting legal implications, can a court force someone to mutilate their body to censor the existence of illegal information imprinted on it?

  • Guest

    Apparently this doesn’t apply to the authors of software like DeCSS.

  • Guest

    Also to what crazy extents can anti-circumvention laws be applied? CSS was an example of a very poor DRM scheme.

    I don’t see anything in the DMCA that says the DRM has to be anything special. If I ROT13 my music, can I now force all ROT13 tools to be illegal because they can be used to break my DRM?

    SOPA had its own anti-circumvention clauses of course, and it wasn’t even clear if changing your DNS resolver so you could somehow access no-no websites would be illegal in all circumstances.

  • http://bennett.com/blog Richard Bennett

     Let’s take a more realistic example, “Guest.” Does Free Speech give me the right to share your credit card numbers with the entire Internet population?

  • Guest

    Even more implications. At what point can a number be considered illegal? There is apparently a lot of support for the idea that a 128-bit number can be made illegal, but what about 64 bits? How about any number over 100,000,000? Or is it any number at all, e.g. the number 13 for ROT-13 (this just feels too absurd)? But where is the cutoff for when a number can be made illegal?

    Copyright laws, especially the newer ones like the DMCA and attempts like SOPA create all kinds of crazy conditions like this.

    I can not understand how anyone can support such imprecise laws with a straight face, even if they have some kind of financial reason for it.

  • Guest

    @BubbaDude
    I’ve never heard of anyone issuing C&D notices over a CC number. Normally they just get it changed if stolen.

  • http://bennett.com/blog Richard Bennett

     So you’re OK with Credit Card Sharing? Go ahead and give us your numbers, please, it’s for Free Speech.

  • http://bennett.com/blog Richard Bennett

     It also doesn’t apply to the authors of worms, viruses, and other attacks. Life is unfair.

  • Guest

    I’m sorry, I didn’t see that in the UN Charter of Human Rights. I guess if you read between the lines, you can see it clearly. I often also get UN declarations and Sharia law confused as well, since they are so similar.

  • Guest

    Not being okay with sharing my credit card is not the same as trying to issue hundreds of C&Ds to random websites to try to stop people from sharing it. Simply call the CC company, report it stolen, problem solved. Unfortunately DRM authors seem to not have the same easy time. Life is unfair, I guess.

  • http://bennett.com/blog Richard Bennett

    Who does Dr. Frank of the Mr. T Experience call when the key to his income is posted on the Internet?

  • http://bennett.com/blog Richard Bennett

     When you’re out of arguments that make sense, it’s best to remain silent.

  • Guest

     If only SOPA proponents heeded that warning. Honestly I don’t even know why we are debating, you already lost.

  • http://twitter.com/PieterHulshoff Pieter Hulshoff

    Then why is it that when SOPA proponents were asked for sites SOPA should stop, they always mentioned bittorrent sites and file lockers?

    Also: Why is it that even you cannot give me the names of 5 big infringing sites that SOPA would cover?

  • http://twitter.com/PieterHulshoff Pieter Hulshoff

    If SOPA was to be focused on streaming sites, then why not adjust the language accordingly? According to my knowledge, the larger part of infringement still comes from P2P, newsgroups and file lockers; not from streaming sites, so I seriously doubt that that was to be the focus.

    As far as I read the article, DNS changer ALSO changed the DNS settings of modems/routers. Honestly, that’s not such a hard thing to do really, considering that most of them are completely unprotected from inside attacks.

  • http://bennett.com/blog Richard Bennett

    When SOPA supporters were asked about the number and nature of the sites the bill targets by the House committee, they said there were 400 or so. In addition to the top 400, all reachable by Google search, some people mention The Pirate Bay and some large locker sites. I am not aware of any Big Five list.

    As I’ve told you before, Google “free streaming movies” if you want to see the sites of interest.

  • http://bennett.com/blog Richard Bennett

     Cable modems are not routers, Pieter, they’re layer two devices that are not user configurable. The fact that there are articles on the Internet confusing cable modems with NAT devices is not surprising; there are also articles on the Internet about Big Foot.

    Why should an anti-piracy bill be focused on piracy committed by very specific technical means? It doesn’t matter to law and policy whether the means is streaming, Usenet, or P2P, the relevant issue is whether the transfer of content without a license is a valid commercial activity.

  • http://www.isc.org/ Paul Vixie

    richard, this is another nonsequitur. users who want to change their dns settings, for example if they can no longer access their favourite web sites because of something like SOPA, can change their dns with one click of the mouse. i demonstrated this at the Internet Caucus Tech Demo Day a couple months ago; it’s a compelling and obvious demo. you should not mix the victims of dns changer (who are not necessarily motivated to understand or reconfigure their DNS settings) with the potential victims of something like SOPA (who will be quite motivated to get back whatever SOPA tries to take away from them.)

    i’m expecting your next nonsequitur to be some form of retread on The Myth of the Unintended Infringer. so let me pre-answer with a blog reference:

    http://www.circleid.com/posts/20111219_myth_of_the_unintended_infringer_in_sopa_and_pipa/
    cheerfully,
    paul

  • http://bennett.com/blog Richard Bennett

    It’s hardly a non-sequitur. The FBI’s indictment – which you failed to mention in your CircleID post – is very clear about the nexus between piracy and malware in the incident they hired you to correct. The indictment says:

    “Victims’ computers became infected with the Malware when they visited certain websites or downloaded certain software to view videos online. The Malware altered the DNS server settings on victims’ computers to route the infected computers to rogue DNS servers controlled and operated by the defendants and their co-conspirators.”

    So what you have is a population of technically clueless users who Googled “free movie streaming” and went to sites that infected their computers and took their credit card numbers, changing their DNS settings in the process. They did not deliberately join their computers to a botnet, but they did deliberately consent to download software that would enable them to view movies, probably “StreamTorrent” or a variation on it. Having installed this software, they don’t know how to get rid of it and in fact it will take someone with Windows skills to figure that out.

    It’s easy to construct a system of categories consisting of “deliberate infringer, inadvertent infringer, polka-dotted infringer” that excludes the people who have been infected by malware in this incident, but any such system that excludes the very people you’re trying to help is not very comprehensive.

    Given that you’re unable to remove the malware from these people’s computers, it should be apparent that the only way to deal with such outbreaks is to prevent them from happening in the first place, and that requires blocking access to the sites that infect their computers. The draw is clearly cheap or free Hollywood movies, and I think there’s a lesson in that. I believe it’s dishonest not to admit that SOPA would have made these kinds of incidents less common.

  • http://bennett.com/blog Richard Bennett

     Time will tell.

  • http://twitter.com/PieterHulshoff Pieter Hulshoff

    Once again: most of the sites you (and others) mention fall outside the scope of SOPA as written. That includes TPB and most file lockers. So far I haven’t had anyone (including you) give me the names of 5 (or even 3) sites that WOULD fall within the scope of SOPA, at least none of any significant size.

  • http://twitter.com/PieterHulshoff Pieter Hulshoff

    Modems these days generally have router functionality built in. No worries about confusing me; I’m a chip designer in the (wired) telecom industry, so I know my way around layer 2/3 standards. :)

    If the law is not focused, then the distribution of infringing activities over different kinds of sites is important to determine the chance of an infringer having the technical capabilities of clicking on a button to install a browser plugin to circumvent the SOPA blockage.

  • http://bennett.com/blog Richard Bennett

    Actually, the Pirate Bay and lockers such as Megaupload fall very much within the scope of SOPA, as do the sites that come up on the Google search term I gave you. There’s no principle of law that I’m aware of that says the only crimes worthy of prosecution are those that involve five big offenders in any case.

  • http://bennett.com/blog Richard Bennett

    Cable modems generally do *not* have built-in router functionality. I’ve had several and none of them did, and I’ve worked for home router companies that refuse to integrate cable modems because of the relative complexity and certification expense. It’s the same thing with FTTH, Verizon stops the fiber in an ONT that connects to the home router over copper Ethernet.

    The only WAN technology that’s routinely built-in to home routers is DSL. It’s typical of Internet people to be clueless about the real networking at layer two and below that does all the heavy lifting.

  • http://twitter.com/PieterHulshoff Pieter Hulshoff

    Perhaps your ISP is still a bit old-fashioned? I’ve switched away from cable internet myself, but colleagues of mine that use it all have modems with router functionality inside. Just a few examples:
    - Motorola SB5120
    - Motorola SB6120
    - Linksys BEFCMU10
    - D-Link DCM-202
    - Zoom DOCSIS 5350-00-03
    - Cisco 1805

    As for my layer 2 knowledge: check my profession. :)

  • http://twitter.com/PieterHulshoff Pieter Hulshoff

    Under Section 101 of SOPA, sites like thepiratebay.org and http://www.megaupload.com are classified as “domestic internet sites”, and as such fall outside the scope of SOPA, which only deals with “foreign infringing sites”.

  • http://twitter.com/PieterHulshoff Pieter Hulshoff

    Your statement, though correct in itself, still doesn’t answer Paul’s charge that the SOPA DNS blockage would be easily circumvented by a “click-of-the-mouse” action, which someone motivated (which these people obviously are, considering the risks they expose themselves to) easily can and will do.

    Btw, I find it interesting how you question the knowledge of layer 2 protocols of the people you’re debating here, yet have no issue claiming expertise over a layer 7 protocol against one of the world’s experts on DNS.

  • http://twitter.com/Jeff_Power Jeff Power

    I currently have an Arris DOCSIS 3.0 Residential Gateway 4-port Gigabit Router with an 802.11n wireless access point
    http://www.arrisi.com/product_catalog/_docs/_specsheet/DG950_PF_05JAN11.pdf

  • http://bennett.com/blog Richard Bennett

    Pirate Bay is now thepiratebay.se. Try again.

  • http://bennett.com/blog Richard Bennett

     I’m happy for you.

  • http://bennett.com/blog Richard Bennett

     So now you’re claiming that DNS is a layer two protocol?

  • http://bennett.com/blog Richard Bennett

     Let’s let Paul speak for himself, Pieter. You’ve shared your viewpoint already.

  • http://twitter.com/PieterHulshoff Pieter Hulshoff

    It was not when the SOPA debate was taking place. Still, even then: that gives you 1 site. Are we honestly creating legislation like this to stop 1 site, that’s located in the EU of all places?

  • http://twitter.com/PieterHulshoff Pieter Hulshoff

    No, but you were complaining about the general lack of knowledge of level 2 protocols by internet people. I’m merely stating that due to my work, my knowledge of layer 2 protocols probably is not that far removed from your own.

  • http://twitter.com/PieterHulshoff Pieter Hulshoff

    I’m sorry. I wasn’t aware that we were only having 1 on 1 debates here in these threads, so I felt that I could participate in all discussions, not just the ones I started. Just because Paul and I agree on this partial topic does not mean that we agree on everything after all.

  • http://twitter.com/PieterHulshoff Pieter Hulshoff

    Admitting that cable modems with router functionality may be more common than you thought, in light of all the examples we’ve given (and I’ll happily provide you with more), doesn’t diminish your other arguments, Richard. It’s ok to be incompletely informed at times; it happens to all of us.

  • http://www.isc.org/ Paul Vixie

    i am +1 to pieter’s comment. your response to my complaint that you’d spake a nonsequitur was itself another nonsequitur. i’ll rejoin the debate if it moves forward in a serious way.

  • http://bennett.com/blog Richard Bennett

     Let’s look at it this way. Your DNS Changer victims got their computers infected by choosing to go to video sites and expressing their high motivation by clicking on a button that downloaded malware into their computers.

    These people are now unwilling to click another button to download a malware removal tool despite a presumed high level of motivation.

    This suggests that motivation alone isn’t enough to make people click that magic button. What’s lacking is knowledge and trust, two things that are in short supply on the rough-and-tumble Internet. What can we learn from that?

  • http://bennett.com/blog Richard Bennett

    There’s no point in repeating yourself.

  • http://bennett.com/blog Richard Bennett

     There is more than one site, and the EU is not within the US.

  • http://twitter.com/PieterHulshoff Pieter Hulshoff

    There is if you add (a) new argument(s) to the table, as I did. It’s sometimes good to reiterate the conclusions after that.

  • http://twitter.com/PieterHulshoff Pieter Hulshoff

    Assuming you’ve found some magical way to inform and convince DNS changer victims that they have a problem (people around the world would be grateful for that; might even make you a fifth patent), can you please point me to the location where I can find the 1 click solution to remove the damage DNS changer inflicted?

  • http://twitter.com/PieterHulshoff Pieter Hulshoff

    I’m starting a new thread, since the depth of this forum creates some problems…

    When SOPA was introduced, it was claimed there was a huge list of sites that could be handled by this legislation. So far, in all my conversations with proponents, they’ve managed to find exactly 1 (TPB), and that was only _after_ SOPA had failed (during the SOPA debate, even that site would not have fallen within its scope). I find that highly disturbing. It shows me that those proponents have no clue as to why they were enacting this legislation, while happily ignoring all the collateral damage it would cause to innocent companies around the world (including the US), and to the use of DNSSEC. It’s a good thing this legislation never made it.

  • http://twitter.com/Jeff_Power Jeff Power

    Thanks, you’re a sweet man

  • http://bennett.com/blog Richard Bennett

    This is a dishonest comment, Pieter. The supporters of SOPA have presented a number of lists of rogue sites to Congress. Google “rogue sites list” and you’ll find the MPAA’s list of notorious infringers, or if you’re too lazy to do that, read the Torrent Freak article on the MPAA’s list: http://torrentfreak.com/mpaa-lists-notorious-pirate-sites-to-u-s-government-111028/

  • http://bennett.com/blog Richard Bennett

    Vixie controls the DNS server that the DNS Changer victims use to surf the Internet. Do you need for me to explain how a DNS server can direct a user to a web site?

  • http://twitter.com/PieterHulshoff Pieter Hulshoff

    I’m familiar with the list, Richard, but if you look carefully, you’ll note that with a few exceptions (and ones I’ve never heard of either to be honest), they are all websites that would have fallen outside the scope of SOPA. That’s exactly the point I was making in my comment.

  • http://twitter.com/PieterHulshoff Pieter Hulshoff

    Fair enough; I’ll leave that for Paul to answer as to why that path wasn’t taken (yet). I’m not familiar with the details of the situation.

    In the mean time: where’s that 1 click solution to remove the damage DNS changer inflicted?

  • http://chartertv.webnode.com/ Patrick Hudson

    I do believe that use of changing DNS with the click of the mouse is really not going to help the users. They pose more risk to them by preventing them from entering a site and redirecting them to another site.