Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
Networking Security Worms News

OpenDNS To Block and Monitor Conficker Worm 175

Posted by Soulskill
from the no-phone-home dept.
Linker3000 writes "According to The Register, OpenDNS plans to introduce an new service that will prevent PCs infected with the Conficker (aka Downadup) malware from contacting its control servers, and will also make it easy for admins to know if even a single machine under their control has been infected by Conficker: 'Starting Monday, any networks with PCs that try to connect to the Conficker addresses will be flagged on an admin's private statistics page. The service is available for free to both businesses and home users.' With the amount of trouble this worm has caused, perhaps this is a good time to take a look at OpenDNS if you haven't done so already."
This discussion has been archived. No new comments can be posted.

OpenDNS To Block and Monitor Conficker Worm

Comments Filter:
  • by Anonymous Coward on Sunday February 08, 2009 @08:29AM (#26771855)

    Heh, didnt they cash in enough on the Kempinsky non-disclosure-scare already, getting a large user base for their information trading business (heh, as if they offer costly service "for free". Get real! It'll cost you no money but your privacy.) /. the platform for pusing bogus services?

    • by Anonymous Coward on Sunday February 08, 2009 @08:36AM (#26771895)

      They make money by monitoring your habits. Can any one tell me how they pay their CDN and caching servers bills for millions and millions queries everyday? They sale your private info.

      OpenDNS redirects all your Google search queries though their servers.

      They redirect web browser users or scripts accessing nonexistent domains to a page containing sponsored search results, ads, and a search form. The DNS protocol requires that a query for a nonexistent domain must return the "NXDOMAIN" error response.

      • by fprintf (82740) on Sunday February 08, 2009 @09:28AM (#26772147) Journal

        You can turn this feature off. http://www.opendns.com/support/article/244 [opendns.com] is their response to questions about privacy.

        For those that have OpenDNS running, you go to Settings, Advanced and then at the bottom there is the Network Shortcuts section. Uncheck the box "Enable OpenDNS Proxy".

        I have the service and I am quite happy to trade a little privacy for the content filtering done by someone else, without requiring any software installs or any maintenance of IPTables or anything else on my part. It is passive safety, I know, but gives some peace of mind with a teenager who knows his way around computers. It blocks proxies too. If there is an alternative, I'd love to read about it.

        • Re: (Score:3, Informative)

          by moonbender (547943)

          You're relying on OpenDNS for content filtering? Cute. That might work in a home for the elderly, but I doubt it'll stop any teenager, much less one who is technologically inclined. Would have stopped me for all of 45 seconds. But if it gives you peace of mind, that's something I guess.

        • by julesh (229690)

          You can turn this feature off. http://www.opendns.com/support/article/244 [opendns.com] is their response to questions about privacy.

          For those that have OpenDNS running, you go to Settings, Advanced and then at the bottom there is the Network Shortcuts section. Uncheck the box "Enable OpenDNS Proxy".

          I have the service and I am quite happy to trade a little privacy for the content filtering done by someone else, without requiring any software installs or any maintenance of IPTables or anything else on my part. It is passi

      • Re: (Score:2, Informative)

        by X0563511 (793323)

        You are an idiot.

        This is no more shadowy than the NTP pool.

      • by Kent Recal (714863) on Sunday February 08, 2009 @09:37AM (#26772205)

        Agree'd. The "Open" in their name is misleading. In reality many consider OpenDNS to be a scam operation.

        Furthermore nobody should rely on a DNS provider (of all things!) to report worm infections. The idea is so wrong, it reminds me of the TV scams where they want to sell you a worthless product, bundled with 5 other, totally unrelated worthless products. "Buy this quality home-trainer for only $499 and you'll get this USB-stick, a bar of soap, two lightbulbs and a chinese ipod-knockoff, for free!".

        If you're concerned with worm infections then you run antivirus software and maybe an IDS (e.g. snort) on your internet gateway.
        Both will report malicious traffic much more reliable than OpenDNS because that's what they're designed to do.

        • Re: (Score:3, Funny)

          by Anonymous Coward

          You consider bar of soap to be worthless?

          *sniff* Hmm... no wonder your hygene is questionable.

        • by raynet (51803)

          How are they scam operation?

          And if you are concerned with worm infections, why not run OpenDNS + IDS + Antivir? Who says that if you use OpenDNS you cannot use anything else to protect yourself.

        • by fluffy99 (870997)
          Regardless of the intent and drawbacks to OpenDNS, it is still a valid notion to black-hole the lookups for known malicious addresses. Monitoring for lookups to these addresses is also a godd idea as it's an indicator of a problem.
        • by kchrist (938224)

          Agree'd. The "Open" in their name is misleading. In reality many consider OpenDNS to be a scam operation.

          [weasel words] [citation needed]

      • Is there any evidence that major ISP's or DNS providers are not also selling customer behavior data?

        I'm a Time-Warner customer. When I use their nameservers, I see a Time-Warner error page when I try to access a nonexistent domain.

        The DNS protocol may require an "NXDOMAIN" repsonse on a bogus domain, but making that visible to the typical Internet user is pointless.

        • by Antique Geekmeister (740220) on Sunday February 08, 2009 @11:16AM (#26772911)
          It could be worse. Does anyone else here remember the 'Site Finder' chaos, when Verisign returned their own sales website domain for all nonexistent .com addresses? As the managers of .com, their behavior screwed up network monitoring tools worldwide, and misdirected huge amounts of misaddressed email to their servers, without warning. Patches were quickly released for every major DNS software package to block it, which is probably the real reason it got dropped: having every DNS server in the world used to the idea that 'I can block the behavior of idiots' is very, very bad for companies like Verisign that have repeatedly misused their position of trust against third parties.
        • by Ilgaz (86384)

          Not just that, DNS queries have "hostname" only so it is near worthless if they were a evil spyware operation. What matters to advertisers and behaviour watchers is the address after "/".

          Funnily, people have no problem with Google Analytics which is almost like a viral type threat, pyramid scheme. I said "almost".

      • Re: (Score:3, Informative)

        by Dreadneck (982170)

        They make money by monitoring your habits. Can any one tell me how they pay their CDN and caching servers bills for millions and millions queries everyday?

        From the site:

        "OpenDNS partners with hardware and service providers to deliver our award-winning security, infrastructure and navigation services."

        They sale your private info.

        There's nothing private about my public IP address. If they can manage to glean personal info from my IP address then, damn, they're good.

        OpenDNS redirects all your Google search queries though their servers.

        From the site:

        "Is OpenDNS running a proxy?

        Yes. Some software, including your (and our) beloved Google Toolbar, intercepts requests made via the address bar so that DNS requests never occur. This creates some usability issues,

      • by davidu (18) on Sunday February 08, 2009 @03:51PM (#26775735) Homepage Journal
        I'm the founder of OpenDNS. I've decided to reply even though these comments are heinously wrong, and probably just me feeding the trolls...

        We have never sold user data, ever. We also have no CDN bills, we don't even use a CDN. We've built a global BGP-speaking network with hundreds of peers around the world. I know, because I built it. We peer at LoNAP, LINX, PAIX, SeattleIX and on a few of the Equinix peering fabrics around the US.

        The idea that we would build our business based on monitoring user data is preposterous. I wouldn't stand for it, nor would our employees. I'm confident that all our engineers are just as vocal or more vocal about doing the right thing than you are. We make it very clear how we make money, and it's all over our website. Go to http://guide.opendns.com [opendns.com] and do a search. The sponsored results are ads where we get paid, the organic results are regular search results. That's how we make money. We might offer an enterprise for-pay service down the road as some of our customers begin to demand tighter integration with their network but for now, we're happy with our business. And I'm happy to report that we're profitable and stable, even in this economy.

        And as to the OpenDNS proxy. It's true, we do redirect certain Google requests through a proxy so that we can make our OpenDNS shortcuts and some other features work more reliably. Two important things here: First, we peer with Google at every datacenter, so we aren't adding to your latency or anything else. Second, we don't log and store any data and we certainly don't care about it. We prefer to be able to confidently say we aren't keeping data on it. Of course, you are welcome to disable it by going into your settings and disabling the OpenDNS proxy. That's it. Do that and we don't ever see the request. Pretty easy. End of story.

        David Ulevitch
        Founder, OpenDNS
        • by ConceptJunkie (24823) on Sunday February 08, 2009 @04:04PM (#26775903) Homepage Journal

          This guy has a 2-digit UID, how could he possibly not be on the level? ;-)

          Seriously, I've been using OpenDNS for a year or so, and based on what I know and everything I've read here minus David Ulevitch's description I don't really see a problem, just a lot of people overreacting. After reading what he had to say, I am confident that my gut feeling was accurate... unless of course he's lying, which I have no reason to believe.

        • Re: (Score:3, Interesting)

          And as to the OpenDNS proxy. It's true, we do redirect certain Google requests through a proxy so that we can make our OpenDNS shortcuts and some other features work more reliably.

          Some questions, then:

          1. Certain requests, or all? If 'certain', which are, and which aren't?
          2. Shortcuts, sure. You need to be able to redirect 'g blah blah' to 'http://www.google.com/search?q=blah+blah&ie=utf-8&oe=utf-8' or whatever. What other features require 'certain' requests to be run through your servers? Why not simple
  • OpenDNS (Score:5, Informative)

    by Anonymous Coward on Sunday February 08, 2009 @08:35AM (#26771893)

    OpenDNS redirects www.google.com to OpenDNS servers.

    • Re:OpenDNS (Score:5, Informative)

      by ratbag (65209) on Sunday February 08, 2009 @09:31AM (#26772159)

      http://blog.opendns.com/2007/05/22/google-turns-the-page/ [opendns.com]

      Don't know if it's a good enough justification by itself, but at least it's a logical explanation.

      • Re: (Score:3, Interesting)

        by julesh (229690)

        Don't know if it's a good enough justification by itself, but at least it's a logical explanation.

        Breaking DNS in order to help people whose computers are set up to provide a poor search system when an unknown URL is added. No, that's not a good enough justification. If I attempt to access www.google.com, I should access www.google.com, not have my searches proxied through OpenDNS's servers. I've found google searches to be slower and less reliable when using OpenDNS, with the home page sometimes taking 1

        • by ratbag (65209)

          Without OpenDNS, I get almost instant access to the home page, almost every time.

          I would recommend you switch off OpenDNS' proxying then.

          • by julesh (229690)

            I would recommend you switch off OpenDNS' proxying then.

            Switching it off doesn't work. When my dynamic DNS changes, it takes about 5 minutes for their server settings to update. By that time I usually have a google.com address in my local cache, which lasts for a further 10 minutes.

    • Re: (Score:3, Informative)

      by fprintf (82740)

      By default, yes it does. Since your post is right on top at the moment, I'll post something I shared earlier: Here is OpenDNS response to the privacy concerns: http://www.opendns.com/support/article/244 [opendns.com]

      You can easily turn off the proxy by changing your settings, under the Advanced section at the bottom.

  • Censorship advocates (Score:2, Interesting)

    by Anonymous Coward

    I'd like to see a response on this from the censorship advocates. Because that's what this is, isn't it? Censorship?

    I thought the whole idea of using OpenDNS is that it wouldn't be doing this type of blocking. Who's to say they don't just accidentally prevent PCs from contacting other servers?

    This smells bad.

    • by Jezza (39441) on Sunday February 08, 2009 @09:23AM (#26772111)

      Well if this is censorship (and that's debatable) then it's "opt-in". Personally I have no problem with that, as long as you know and have opted FOR it, then that seems fine.

      The biggest problem with censorship is it distorts your ability to know the truth - if you say: "Don't show me this or that" you still have the ability to know the truth, you're just choosing what you see and what you don't. But we do this everyday, we read one newspaper over another, we listen to particular commentators over others - we all self-censor.

    • by calmofthestorm (1344385) on Sunday February 08, 2009 @09:23AM (#26772117)

      Freedom of speech is very important, but there are exceptions. For example, we don't have the right to watch child porn in a crowded theatre, because that would harm children.

      We don't have the right to hijack music vessels on the high seas because it would harm the corporate interests that sheltered us when we were still huddled around dark fires, marveling at shadows on the cave wall.

      I fully support OpenDNS's sensible actions, or "sens-orship", as I like to call it. Surely we can trust any corporation with "open" in the title to control our minds in a way we will soon be programmed to approve of.

      • by mangu (126918)

        We don't have the right to hijack music vessels on the high seas because it would harm the corporate interests that sheltered us when we were still huddled around dark fires, marveling at shadows on the cave wall.

        Shhhh, don't give them ideas! Keep saying that and how long until someone [disney.com] will claim the copyright on the pictures [google.com]?

    • by Ilgaz (86384)

      I got an open wireless network and it has damn good censorship, P2P, porn, crack and even gambling sites are "censored" thanks to OpenDNS.

      The other option would be watching people (via Squid for example), asking them their ID cards (already happens in Europe) and give them access.

      If guy just wants to check his mail or browse ordinary web? It is fine but our service isn't a tool for others who doesn't respect the ones on network.

      It is the "best of the worst". I don't want to watch people habits (via squid or

    • by jopsen (885607)
      All of OpenDNS filters are optional... I use OpenDNS to circumvent the Danish internet censorship...
    • by Blain (264390)

      I think it's time to free your head from the idea that censorship is necessarily and always bad. If somebody wants to publish information about me that I'd rather not have shared, I'm tickled pink if someone can censor that expression. My problem with censorship is when it's done by the government in the form of prior restraint based on arbitrary standards which are, for the most part, unconstitutional. With a few other similar exceptions, a bit of well thought out censorship is a very good idea when use

  • The IP Adresses. (Score:3, Informative)

    by bhima (46039) * <Bhima@Pandava.gmail@com> on Sunday February 08, 2009 @09:18AM (#26772079) Journal

    Would it be so hard to add the OpenDNS IP addresses to the story... It's not all that hard for home users to change their DNS server addresses.

    Addresses: 208.67.222.222 and 208.67.220.220

    Or if you need more help, look here: https://www.opendns.com/smb/start [opendns.com]

  • cat and mouse. (Score:4, Interesting)

    by Cmdr-Absurd (780125) on Sunday February 08, 2009 @09:20AM (#26772095)

    Nice idea, but what do you do when a worm alters your dns settings?
    OpenDNS can't block access if the queries go to a server controlled by the bad guys.
    You can firewall off access to dns ports to all but known servers, but then the worms just tunnel through a port 80 proxy.
    Cat and mouse forever. Plus a false sense of security.

    • "Nice idea, but what do you do when a worm alters your dns settings?"

      Use an OS with security policies that only allow specific software that shipped with the OS to modify those settings? Honestly, I do not understand why Microsoft does not at least ship that as a default policy, especially since Windows can also check program hashes and thus prevent tampering (in theory; I guess "mitigate" is a better way to describe it).
      • Re:cat and mouse. (Score:4, Interesting)

        by Cmdr-Absurd (780125) on Sunday February 08, 2009 @10:24AM (#26772487)

        Use an OS with security policies that only allow specific software that shipped with the OS to modify those settings? Honestly, I do not understand why Microsoft does not at least ship that as a default policy

        Well, yes, but admins have to support what their organizations use/demand.

        A couple of years ago, there was a Macintosh Trojan that altered DNS settings and added a crontab to re-alter every minute if the user tried to fix the change.

        Social engineering works at least some of the time. There are zero-day exploits.
        If you think that *nix is a panacea against malware, you will eventually be disappointed. Better than Win, but not perfect.

  • Maybe good in theory (Score:4, Interesting)

    by jafiwam (310805) on Sunday February 08, 2009 @09:32AM (#26772171) Homepage Journal

    Except, OpenDNS is not a budding geek or regular office wank type tool.

    It's a tool that requires you to know what you are doing. There are all sorts of subtle problems that can crop up, so I have at this point just simply refused to help any of my clients until they switch back to their regular ISP's DNS. Amazingly, a good 50% of the certificate and "cant find web site" errors go away after that. Imagine!

    OpenDNS has the right idea, but it's not ready for the "everyday internet user" crowd yet.

    This is without really considering the massive privacy problems with using it.

    • by tom1974 (413939) on Sunday February 08, 2009 @10:50AM (#26772669)

      Could you elaborate on this massive privacy problem you talk about? Like you don't have this massive privacy problem by using your ISP's DNS servers who can actually match DNS queries to user account?

      And who asked if OpenDNS is about "Everyday internet user" crowd? It's A DNS service! Do you want a CSI type frontend with it?

  • by BuhDuh (1102769) on Sunday February 08, 2009 @09:38AM (#26772207)
    FTFA:

    .....instructs its drone machines to report to 250 different internet addresses each day. Without the service, admins would have to manually block 1,750 domains each week, or 91,250 each year.

    Wouldn't blocking "this weeks" known IP addresses stop the addition of new ones, rendering the infection impotent?

    • by causality (777677) on Sunday February 08, 2009 @10:47AM (#26772633)

      FTFA:

      .....instructs its drone machines to report to 250 different internet addresses each day. Without the service, admins would have to manually block 1,750 domains each week, or 91,250 each year.

      Wouldn't blocking "this weeks" known IP addresses stop the addition of new ones, rendering the infection impotent?

      That would address a symptom and would do nothing about the actual problem. We keep doing that because we don't want to admit that addressing only symptoms is a failed idea; trying harder and harder to find new ways to implement this idea won't change the fact that it's a failed idea.

      The root problem is the vulnerability of Windows to these types of worms. Yes I am selectively speaking about Microsoft Windows; if I ever start seeing widespread (keyword) worms in the wild (keyword) for *nix operating systems then on that day I'll include them too. Anti-virus seeks to remove or contain an external object to which Windows is vulnerable, so it too addresses only the symptom and not the vulnerability. The reason why *nix operating systems don't generally need anti-virus (unless of course you ask an anti-virus vendor) is because they have a security model that is able to prevent infections from occurring in the first place. This is much simpler and more practical (but creates fewer cottage industries) than sophisticated scanners and high-maintainence databases of tens of thousands of signatures that must be applied to every file or every file operation. It's a lot simpler than pretending that DNS is the correct tool for host security as well.

      If OpenDNS maintains a highly effective, well-maintained blocklist and if many people start using it, what happens next is rather predictable. A worm/virus that can compromise the machine can also alter that machine's DNS settings. It could make the machine stop using OpenDNS or worse (as another poster has pointed out) it could make it use a hostile DNS server. You can expect this to be a standard malware feature if OpenDNS's efforts are successful. That's the downside of participating in an arms race. The best way to avoid an arms race is to realize that mitigation techniques, while not completely useless, have extremely limited utility and that prevention is the only actual cure.

    • by JamesD_UK (721413)
      One problems is that many of the domains appear to point towards servers running virtual hosts and hosting legitimate sites on the same IP address. We've been looking at data on our network and tracking down these infections based on IP address brings a lot of false positives. You really do need either proxy logs, or logs of DNS queries to find out the domain that's being contacted.
  • I'll probably get "OMG what are you doing?" comments for this, but my internal DNS forwarders look to OpenDNS for my small business network and I'm very satisfied.

    Typo correction (yahoo.cmo) and shortcuts are very handy. I only use the categories try and block some malware/phishing and while it's definitely not the solution, every little bit of protection helps.

    My machines that actually need to know whether a domain is valid or not simply use other DNS, redirects are not a big deal and don't many cable

  • Besides everything (scary) that is involved on using OpenDNS as your resolver, it's true that it can block the Conficker Worm. However, Conficker worm might be the last one that OpenDNS can stop. Once the evil minds realize the power of OpenDNS, they'll start using IP addresses instead of names within their worms (period).
    • Besides everything (scary) that is involved on using OpenDNS as your resolver, it's true that it can block the Conficker Worm. However, Conficker worm might be the last one that OpenDNS can stop. Once the evil minds realize the power of OpenDNS, they'll start using IP addresses instead of names within their worms (period).

      You know I didn't even think of that. I did speculate that malware which can compromise the system can also alter DNS settings, either removing OpenDNS or (worse) replacing it with a hostile DNS server operated by the attacker. Your prediction is even simpler than that and sounds more likely.

      That's really the problem with all of these blocklist solutions. None of them actually harden the host or address any of the widespread security problems that make these worms possible in the first place. The way

    • by Coopjust (872796)
      The benefit of the domain approach is that they know what domains to buy and can point them at any IP- if the IP of the server gets blocked, it connects to a different domain- which they can point to a different server. The worm generates (up to) 250 domains per day.

      By using IPs, you make it easier to block it on a firewall level- just block the IPs. And if they can have the worm algorithmically generate IP addresses- that they can be sure to have each day- that would be damn impressive. That's pretty mu

"Why should we subsidize intellectual curiosity?" -Ronald Reagan

Working...