In association with heise online

25 July 2007, 11:27

ISP uses DNS to redirect from IRC to bot cleaner

Cox Communications, one of the largest ISPs in the USA, has configured their DNS to redirect requests to IRC sites to one of their own servers that runs a bot removal script. DNS redirection is not a new phenomenon: it is widely used to manage parked domains, and in some cases to direct mistyped URLs to splash pages that carry adverts. Cox were already experimenting with redirection in May this year, but the present redirection is the first on record that has been aimed at cleaning out bots.

Andrew Matthews of Merit Network Inc, a US educational organisation, has reported that attempts to contact irc.mzima.net (IP address 216.193.223.223) using Cox DNS servers ns1.lv.cox.net, ns1.sd.cox.net and ns1.dc.cox.net were redirected to a Cox server (IP address 70.168.70.4) which ran a script producing the following dialog

#martian_
[INFO] Channel view for "#martian_" opened.
-->| YOU (andrew.m) have joined #martian_
=-= Mode #martian_ +nt by localhost.localdomain
=-= Topic for #martian_ is ".bot.remove"
=-= Topic for #martian_ was set by Marvin_ on Sunday, July 22, 2007 2:55:02 PM
=-= Topic for #martian_ is ".remove"
=-= Topic for #martian_ was set by Marvin_ on Sunday, July 22, 2007 2:55:02 PM
=-= Topic for #martian_ is ".uninstall"
=-= Topic for #martian_ was set by Marvin_ on Sunday, July 22, 2007 2:55:02 PM
=-= Topic for #martian_ is "!bot.remove"
=-= Topic for #martian_ was set by Marvin_ on Sunday, July 22, 2007 2:55:02 PM
=-= Topic for #martian_ is "!remove"
=-= Topic for #martian_ was set by Marvin_ on Sunday, July 22, 2007 2:55:02 PM
=-= Topic for #martian_ is "!uninstall"
=-= Topic for #martian_ was set by Marvin_ on Sunday, July 22, 2007 2:55:02 PM
<Marvin_> .bot.remove
<Marvin_> .remove
<Marvin_> .uninstall
<Marvin_> !bot.remove
<Marvin_> !remove

that clearly indicates shotgun attempts at bot cleaning.

Another anonymously authored report from exstatica confirms this behaviour, identifying additional IRC sites, including irc.vel.net and irc.dks.ca, that had been redirected in this manner by Cox. However, an update added today states that the irc.vel.net site entry has been restored. irc.mzima.net apparently remains redirected to ip70-168-70-4.at.at.cox.net, on which the script resides. Another report, this time from Anthony Sanchez on Full Disclosure, advises that Cox is not the only ISP using DNS redirection in this way: TimeWarner/Road Runner/AOL was apparently redirecting traffic from irc.ablenet.org to a similar bot cleaning script a couple of weeks ago.

(mba)

Permalink: http://h-online.com/-733318