Zeus Trojan/bot, also known as Zbot - I received this email via my ISP Provider

pcslookout

Lifer
Mar 18, 2007
Dear Subscriber,

(My ISP) has identified that one or more of the computers behind your cable modem are likely infected with the Zeus Trojan/bot, also known as Zbot.

While this malicious software is not new, it still poses a great risk to your computer and files that reside on your hard drive.



Zeus malware uses keylogging in order to access user names and passwords and infected over 13 million computers worldwide.

This is not the whole email the other part goes into how to scan my pc for it.

My question is why can't I find it on any of my computers? The Zeus Trojan/bot, also known as Zbot, I mean. If I am infected.

Should I trust this email?

I asked my ISP if it was an email from them and they said yes.

Can this Zeus Trojan/bot, also known as Zbot, infect an iPhone or iPad?

Any help greatly appreciated. Thanks.
 

pcslookout

Lifer
Mar 18, 2007
OK, I ran Herdprotect portable on my only machine and found nothing.

Then I ran it on another family member's machine and just found couponhelper, which isn't dangerous but is a PUP.
 

Elixer

Lifer
May 7, 2002
Run Kaspersky's TDSSKiller with 'Detect TDLFS file system' option enabled. (It is disabled by default).
Should find it, unless they did an update on Zeus.
 

Elixer

Lifer
May 7, 2002
Well, your options seem to be, wait for the malware guys to come up with new detection routines, or, blow away the current OS partition, and reinstall the OS.
Because of the keylogging nature of Zeus, I would tend to not wait, and reinstall the OS.

The other possibility is, the ISP is wrong, and they had a false positive with your traffic.
Don't suppose it is possible to ask them for more information on why they think you have been infected with Zeus?
 

pcslookout

Lifer
Mar 18, 2007
Well, your options seem to be, wait for the malware guys to come up with new detection routines, or, blow away the current OS partition, and reinstall the OS.
Because of the keylogging nature of Zeus, I would tend to not wait, and reinstall the OS.

The other possibility is, the ISP is wrong, and they had a false positive with your traffic.
Don't suppose it is possible to ask them for more information on why they think you have been infected with Zeus?

I did that yesterday to my computer at least.

They couldn't tell me what computer it was.
 

Spacehead

Lifer
Jun 2, 2002
Is Cox your ISP? Have you run a DNS benchmark from GRC lately?

Podcast #594, I'm guessing it starts about 1:10 into it.

Quote from the transcripts
https://www.grc.com/sn/sn-594.htm
One is that I've been meaning to mention this for a couple weeks because this is a few weeks old now. Many people have noted this; and I finally, when I was putting this together, I said, okay, I'm not going to forget again. This was via a Twitter DM. A listener said: "Hi, Steve. Just got an email from Cox." He said, "Seems to be from them, based on the header." So he was skeptical. Good. He says: "As I write this, it might be your DNS Benchmark triggered this." And in fact I'm sure of it. Cox has an email they're sending out to people who have used GRC's DNS Benchmark. It reads: "Cox has identified that one or more of the computers behind your cable modem are likely infected with the Zeus Trojan bot, also known as Zbot." And it goes on, but that's the headline.

So he says: "My first question is how can Cox see what's behind our modem? We're running NAT routers. Second, the only thing that changed over the past day is that I replaced our previous routers with Linksys running dd-wrt," and he says, "a.k.a. Tomato. Could dnsmasq be causing this false positive?" And he says, "Oh. I also ran your DNS Nameserver Benchmark the other night and rebuilt our list of nameservers. Perhaps that unusual traffic was it. Third, when did Cox start caring if a key logger is installed on one of our computers? Again, how could Cox know? Is Cox seeing a bunch of data coming out of our router all of a sudden?" And then he ends saying, parens, "(DNS Benchmark would do that.)" And he's absolutely right.

A number of people have reported that they've received such an email from Cox. Clearly there is a one-to-one correspondence between using the DNS Benchmark and receiving this note. So what has apparently happened is about a month ago, just judging, or maybe at the beginning of the year - no, it's longer than that, I think I got some at the end of 2016 - Cox decided to get proactive, which is a good thing, in looking at their subscribers' traffic. And again, I just think that's all for the better, that we wish more ISPs would be more proactive.

Unfortunately, running the Benchmark does look like, if you didn't look too carefully, like you are generating a DNS reflection attack because a DNS reflection attack sends a bunch of little queries off to a whole bunch of different DNS servers, and with a spoofed source IP. Now, of course the source IP is not spoofed. So they could be a little smarter about this and see that in fact what's actually happening is a bunch of valid DNS queries spewing out from a given client. So the only one they would ever be DoSing would be themselves. And of course the Benchmark is very careful about metering those so that you don't saturate your own bandwidth because one of the things that the Benchmark does is check the reliability of the DNS servers. So I wouldn't want to saturate the connection, or we'd cause packets to be dropped and get false positives on low reliability, that I was careful not to do.

So anyway, for anybody else who has received this letter from Cox and has shot me a note, but I never responded, I'm absolutely sure that there is a correlation. And it doesn't seem that anything goes further. Nobody's had their traffic cut off. Cox is just providing them with a warning. And that does demonstrate that, on a per-subscriber basis, Cox has deployed technology to notice if the behavior of their subscribers indicates that they may be infected. So although it's a false positive that occurs when you run the DNS Benchmark, it does say that we're seeing some positive movement in this direction from a major Internet connectivity provider.
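As an added illustration (not from this thread, and not how Cox or GRC actually implement anything), here is a toy flow-level check in Python showing why the Benchmark's fan-out to many resolvers trips a coarse reflection heuristic, and how two extra checks the transcript points at (the source address is the subscriber's own, and answers are coming back to it) separate a benchmark run from reflection abuse. The subscriber ids, lease table and resolver addresses are all constructed.

```python
from collections import defaultdict

# Constructed records: (subscriber, src_ip, dst_ip, dst_port, direction).
# "out" = packet leaving the subscriber's modem, "in" = reply arriving at it.
ASSIGNED = {"modem-A": "203.0.113.7", "modem-B": "203.0.113.8"}  # assumed lease table
RESOLVERS = [f"198.51.100.{i}" for i in range(1, 41)]           # constructed resolver IPs

# A benchmark run: one client queries 40 different resolvers and gets 40 answers back.
BENCHMARK = [("modem-A", "203.0.113.7", r, 53, "out") for r in RESOLVERS] + \
            [("modem-A", r, "203.0.113.7", 53, "in") for r in RESOLVERS]
# Reflection abuse: same fan-out, but the source is spoofed to the victim, so the
# answers go to the victim and nothing comes back through modem-B.
REFLECTION = [("modem-B", "192.0.2.9", r, 53, "out") for r in RESOLVERS]


def fanout(records):
    """Distinct DNS servers queried per subscriber (the coarse signal)."""
    seen = defaultdict(set)
    for sub, src, dst, port, direction in records:
        if direction == "out" and port == 53:
            seen[sub].add(dst)
    return {sub: len(d) for sub, d in seen.items()}


def naive_verdict(records, threshold=25):
    """Flag any subscriber whose DNS fan-out crosses the threshold."""
    return {sub: n >= threshold for sub, n in fanout(records).items()}


def smarter_verdict(records, threshold=25):
    """Same fan-out test, but only flag when the source address is not the
    subscriber's own or the answers are not returning to the subscriber."""
    queries, replies, spoofed = defaultdict(int), defaultdict(int), defaultdict(bool)
    for sub, src, dst, port, direction in records:
        if port != 53:
            continue
        if direction == "out":
            queries[sub] += 1
            if src != ASSIGNED.get(sub):
                spoofed[sub] = True
        elif dst == ASSIGNED.get(sub):
            replies[sub] += 1
    result = {}
    for sub, n in fanout(records).items():
        if n < threshold:
            result[sub] = False
            continue
        answered = replies[sub] >= queries[sub] * 0.5  # assumed: a benchmark sees most answers
        result[sub] = spoofed[sub] or not answered
    return result
```

With both traffic sets fed in, the coarse rule flags both modems while the refined one flags only the spoofed-source reflector.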