I need some help from someone who understands the internet

Here users can ask questions about security and tutorials about security can be posted to help others, too.
Topher
Forum Regular
Posts: 792
Joined: Sun Feb 10, 2008 5:37 pm

I need some help from someone who understands the internet

#1 Postby Topher » Wed Sep 17, 2014 6:45 pm

I am running MX-14 with KDE and Iceweasel and I received this message that seems to be from Charter.
Dear Charter Internet Customer,

Charter Communications has been notified that the home networking device connected to your modem participated in a large-scale network impacting distributed denial-of-service (DDoS) attack. The device is acting as a “DNS Open Resolver” and requires configuration changes.

Issue Description – An Open Resolver can allow an entry point for hackers to send out a large flood of network traffic, sometimes called “DDoS or amplification attacks” that cause network congestion and/or disruption to the services in your area. Hackers often share with others the IPs of devices that are known to have open resolver settings thus allowing the device to be used for multiple attacks.

For more information on DNS Open Resolvers, please reference:
US-CERT: http://www.us-cert.gov/ncas/alerts/TA13-088A

We are asking that you take immediate action to remediate this issue.

REMEDIATION STEPS:

1) Go to www.whatismyip.com and verify that the IP address assigned to your modem matches the IP address in the subject line of this notification.
2) Go to http://openresolver.com/ and check the IP to see if an “open-resolver” is detected.
3) Once confirmed, we are requesting that you disable the DNS Proxy setting on your router.
Note – If the IP address assigned to your modem has changed, please use the current IP address when checking for the open resolver vulnerability.

4) Once you believe that you have resolved this issue, please verify via http://openresolver.com/ and then reply to this email providing confirmation that you have completed the recommended remediation steps.

Please be advised, the Charter Acceptable Use Policy, available at https://www.charter.com/browse/content/res_hsi, explicitly prohibits actions, whether intentional or unintentional, that disrupt Charter’s network. Specifically, paragraph 8 states:

8. NO SYSTEM DISRUPTION

Customer will not use, or allow others to use, the Service to disrupt Charter's network or computer equipment owned by Charter or other Charter customers. This includes, but is not limited to, improperly interfering with, inhibiting, degrading, or restricting the use and operation of the Service by others, sending or receiving excessive data transfers (as determined in Charter's reasonable discretion) for the package or tier of service to which Customer subscribes or modifying or altering in any manner any modem or modem configuration so as to allow its use beyond the parameters outlined by the specific level of service to which Customer subscribes. Any static or dynamic IP address must be specifically authorized and provisioned by Charter. Altering any IP address provisioned by Charter or otherwise cloning another user's IP address is prohibited. Customer also agrees that Customer will not use, or allow others to use, the Service to disrupt other Internet Service Providers ("ISPs") or services, including, but not limited to, e-mail bombing or the use of mass mailing programs. Customer may not use bandwidth in excess of that associated with the package or tier of service to which Customer subscribes.

In addition, Customer will not, or allow others to, alter, modify, service, or tamper with the Charter Equipment or Service or permit any other person to do the same who is not authorized by Charter.

We will continue to monitor the network for events of this nature. Repeated events and/or complaints pertaining to this network abuse issue may result in an interruption of your service.

Additional tools to assist you in resolving this vulnerability may be found at:
http://dns.measurement-factory.com
http://www.kloth.net/services/dig.php

Please note that none of the provided links above are directly supported by Charter but are provided solely as a reference to assist the investigation and remediation of the current issue.


If you have any questions, please contact the Subscriber Services Security Team at 1-866-357-8086. Our Subscriber Services Security Team is available to provide assistance from 8am – 8pm CST, Monday through Friday and from 8am – 5pm CST, Saturday and Sunday.

Sincerely,
Charter Communications


--- The following material was provided to us as evidence ---


Received On: 2014-09-15 19:51:00

Created By:
Complainant: colton.mabb@charter.com
Subject: Shadow Open DNS Outreach 20140909
IP: 97.82.49.125
Abuse Date: 2014-09-13 03:00:00

Open DNS Issue: Port 53

Could it be true or could it be fake?
If true, do I follow their advice? If false, it sure got my attention and raised the pucker factor. :eek:
MX15 MoBo ASUS M4A88TD-V EVO/USB3 CPU AMD Phenom II X4 945 PSU CORSAIR CX500 (CMPSU-500CX) RAM Crucial CT2KIT25664BA1339 HD WD5000AAKX Wireless EDIMAX EW 7128g
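Step 2 of the notice is an external recursion test. As an added example (my own code, not Charter's and not what openresolver.com runs), the Python below builds a DNS query with the RD bit set, classifies a reply by its RA bit and RCODE, and carries constructed replies so the classifier can be exercised offline; `probe()` sends the same query to port 53 of whatever address you pass it, which per the notice is your own public IP. The example.com answer bytes are assumed sample data.

```python
import socket
import struct

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """DNS A query for `name` with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags = RD only
    qname = b"".join(bytes([len(lbl)]) + lbl.encode()
                     for lbl in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def classify_response(query: bytes, response: bytes) -> str:
    """Read the reply header: 'open' means recursion was offered and answered."""
    if len(response) < 12:
        return "malformed"
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if txid != struct.unpack("!H", query[:2])[0]:
        return "txid-mismatch"
    rcode = flags & 0x000F          # low four bits of the flags word
    ra = bool(flags & 0x0080)       # RA: server offers recursion
    if rcode == 5:                  # REFUSED: the healthy answer to outsiders
        return "refused"
    if ra and rcode == 0 and ancount > 0:
        return "open"
    return "no-recursion"

def amplification_factor(query: bytes, response: bytes) -> float:
    """Bytes returned per byte sent; the ratio an amplification attack rides on."""
    return round(len(response) / len(query), 2)

def probe(ip: str, name: str = "example.com", timeout: float = 3.0) -> str:
    """Send one recursive query to ip:53 and classify whatever comes back."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(q, (ip, 53))
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return "no-response"
    return classify_response(q, data)

# Constructed replies (assumed sample bytes, not captured traffic) for offline use.
_QUESTION = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
OPEN_RESOLVER_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + _QUESTION
                       + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
                       + bytes([93, 184, 216, 34]))            # QR,RD,RA set; one A record
REFUSED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0) + _QUESTION  # RA clear, RCODE 5
NO_RECURSION_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8100, 1, 0, 0, 0) + _QUESTION

if __name__ == "__main__":
    import sys  # usage: python open_resolver_check.py <your-public-ip>
    print(probe(sys.argv[1]))
```

A "refused" or "no-recursion" result is what the notice's step 4 wants you to confirm; "open" means the router's DNS proxy is still answering the world.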

joany
Forum Veteran
Posts: 5919
Joined: Mon Feb 12, 2007 1:45 pm

Re: I need some help from someone who understands the intern

#2 Postby joany » Wed Sep 17, 2014 7:12 pm

Topher wrote: Could it be true or could it be fake?
If true, do I follow their advice? If false, it sure got my attention and raised the pucker factor. :eek:

I get some "notices" from my "ISP" (hackers) informing me of this or that problem with my network, and advising me to click on this or that link (which I never do). These "notices" usually contain bad grammar and spelling errors, which are dead giveaways. Sometimes the hacker's email address looks like it might have come from my ISP, meaning that hacker did a pretty good job of spoofing. When that happens, I give my ISP a phone call. So far 100% of these emails have been frauds attempting to infect my computer.

However, the "notice" you posted looks much more detailed and intricate than most spoofs I've received, so it *might* be legit. On the other hand, I don't think an ISP would throw all that jargon at their users, since 99.99% of the US population would have absolutely no idea what they are talking about (I sure don't).

Why not just call your ISP and ask them?
MX-14; 3.12-0.bpo.1-686-pae kernel using 4GB RAM
2.4GHz AMD Athlon 4600+
NVidia GeForce 6150 LE; 304.121 Display Driver
You didn't slow down because you're old; you're old because you slowed down.

Jerry3904
Forum Veteran
Posts: 19608
Joined: Wed Jul 19, 2006 6:13 am

Re: I need some help from someone who understands the intern

#3 Postby Jerry3904 » Wed Sep 17, 2014 7:21 pm

All the links seem to be legit too.
Production: 4.7.0-0.bpo.1-amd64, MX-15 RC1, AMD FX-4130 Quad-Core, GeForce GT 630/PCIe/SSE2, 8 GB, Kingston SSD 120 GB and WesternDigital 1TB
Testing: AAO 722: 3.16-0-4-686-pae. MX-15, AMD C-60 APU, 4 GB

uncle mark
Forum Veteran
Posts: 4871
Age: 2016
Joined: Sat Nov 11, 2006 10:42 pm

Re: I need some help from someone who understands the intern

#4 Postby uncle mark » Wed Sep 17, 2014 7:23 pm

We will continue to monitor the network for events of this nature. Repeated events and/or complaints pertaining to this network abuse issue may result in an interruption of your service.


I think it's a false positive on their part. No harm in following the directions and seeing what you find.

We had a situation at my workplace a while back where we switched credit card processors, and they did a security scan of some sort from outside the network and we flunked -- they claimed we were running some kind of WAN server, which we weren't. I built our network myself from scratch. No amount of protests on my part would convince them, nor would they supply me with any evidence beyond a very brief and cryptic "security failure notice" generated by their automated scanner.

I took that notice and Googled my azz off for two days until I ran across a couple obscure hits that referenced the model of router we were using and the failure code that had been generated. So I took a chance and replaced the router with a different brand and model.

We passed, and I got an attaboy. Of course, I then had to reconfigure the LAN. Pizzed me off that we had to spend money and I had to spend a bunch of time and effort to satisfy them, even though they were totally full of it.
Desktop: Custom build Asus/AMD/nVidia -- MEPIS 11
Laptop: Acer Aspire 5250 -- MX-15
Assorted junk: assorted Linuxes

joany
Forum Veteran
Posts: 5919
Joined: Mon Feb 12, 2007 1:45 pm

Re: I need some help from someone who understands the intern

#5 Postby joany » Wed Sep 17, 2014 7:28 pm

Jerry3904 wrote: All the links seem to be legit too.

Even so, do you think the average Joe or Jane would have any idea what to do with them?
MX-14; 3.12-0.bpo.1-686-pae kernel using 4GB RAM
2.4GHz AMD Athlon 4600+
NVidia GeForce 6150 LE; 304.121 Display Driver
You didn't slow down because you're old; you're old because you slowed down.

Adrian
Forum Veteran
Posts: 7565
Age: 42
Joined: Wed Jul 12, 2006 1:42 am

Re: I need some help from someone who understands the intern

#6 Postby Adrian » Wed Sep 17, 2014 7:29 pm

I think you need to go ahead and try this:
1) Go to http://www.whatismyip.com and verify that the IP address assigned to your modem matches the IP address in the subject line of this notification.
2) Go to http://openresolver.com/ and check the IP to see if an “open-resolver” is detected.
3) Once confirmed, we are requesting that you disable the DNS Proxy setting on your router.
Note – If the IP address assigned to your modem has changed, please use the current IP address when checking for the open resolver vulnerability.

More info here: http://openresolverproject.org/ and a direct link where you can check your IP.

Jerry3904
Forum Veteran
Posts: 19608
Joined: Wed Jul 19, 2006 6:13 am

Re: I need some help from someone who understands the intern

#7 Postby Jerry3904 » Wed Sep 17, 2014 7:52 pm

joany wrote:
Jerry3904 wrote: All the links seem to be legit too.

Even so, do you think the average Joe or Jane would have any idea what to do with them?
I just meant that there is no phishing going on.
Production: 4.7.0-0.bpo.1-amd64, MX-15 RC1, AMD FX-4130 Quad-Core, GeForce GT 630/PCIe/SSE2, 8 GB, Kingston SSD 120 GB and WesternDigital 1TB
Testing: AAO 722: 3.16-0-4-686-pae. MX-15, AMD C-60 APU, 4 GB

jdmeaux1952
Forum Regular
Posts: 404
Age: 64
Joined: Wed Jan 08, 2014 11:55 pm

Re: I need some help from someone who understands the intern

#8 Postby jdmeaux1952 » Wed Sep 17, 2014 8:39 pm

Simply put, Charter doesn't like the idea that you are not using THEIR DNS so they turned you in for "possible hacking". Hey, the NSA is doing more hacking than the average Joe Hacker or Jane Hacket. If you don't follow their rules, they panic.

"you don't use Windows??? You must be a hacker."
MSI S6000 i5-460M 4Gb mem
I am not CrAzY. And I have a paper from the doctors to prove it!
LRU# 563815
Phear the Penguin

Topher
Forum Regular
Posts: 792
Joined: Sun Feb 10, 2008 5:37 pm

Re: I need some help from someone who understands the intern

#9 Postby Topher » Wed Sep 17, 2014 9:08 pm

I did the check they asked me to do and I got the message that my IP address that I was using is not vulnerable to DNS Amplification attacks. After calling Charter they also did their test and said they showed no problem on my end and apologized.
jdmeaux1952 wrote:
Simply put, Charter doesn't like the idea that you are not using THEIR DNS so they turned you in for "possible hacking". Hey, the NSA is doing more hacking than the average Joe Hacker or Jane Hacket. If you don't follow their rules, they panic.

What do you mean by not using their DNS? I am using my own cable modem and router not the junk they give you.
MX15 MoBo ASUS M4A88TD-V EVO/USB3 CPU AMD Phenom II X4 945 PSU CORSAIR CX500 (CMPSU-500CX) RAM Crucial CT2KIT25664BA1339 HD WD5000AAKX Wireless EDIMAX EW 7128g

jdmeaux1952
Forum Regular
Posts: 404
Age: 64
Joined: Wed Jan 08, 2014 11:55 pm

Re: I need some help from someone who understands the intern

#10 Postby jdmeaux1952 » Thu Sep 18, 2014 2:31 am

DNS (or Dynamic Name Servers) are databases that resolve Domain Names and give them a number for the IP Address (sort of like directions to a website). Say you are looking for "www.howstuffworks.com" and enter that URL in your browser. The DNS server getting the request may or may not have that information in its database. If it doesn't, the first server makes a request to a second DNS server for the number. If the second server had the IP Address (70.42.251.42), it tells the first server this information which in turn tells your computer, which then sends out the requested IP Address onto the Cloud to go to the Address. And then you get connected to the website you requested.

Now in your Router when you set it up you can make a Global DNS Request (something similar to what you may do when you set up your Network Connections in MX-14), say for Google (which is 8.8.8.8 and 8.8.4.4). All requests your computer makes for any website will now bypass the ISP server to go to the Google DNS server for the requests. Since your computer is only asking the ISP Server to provide the information for the Google DNS Server, some ISPs frown on this, and attempt to trace your request. (Thank the NSA from 1978 for doing this one.) Your request may go all around the world trying to find the IP Address for an obscure website. Since it appears you are trying to "hide" your searches, the local ISP (in your case Charter) gets suspicious.

Now when you use something like Tor to really hide your activity, they have a cow. The request is now sent from your computer through the local ISP to one server, where the IP Address of YOUR computer is now changed and goes out all over the world, making it harder for them to trace back the original ISP Address of your computer. The location of your computer can be found, but it takes them longer to trace it back. And if one of the servers your request goes through is a server with known malware, viruses, and other nasty stuff on it, whoever is trying to trace your request really gets concerned. The same concerns happen when you use Bit Torrent.

See, Google DNS Servers are not just one or two, but thousands of servers located all over the world. The same with OpenDNS. And most of these DNS Servers are quicker and bigger than what a local ISP would have. And the local ISP may also be censoring some of the content (like adult sites). But usually if you explain (and only if you have to) that you prefer to use Google or OpenDNS because of their speed compared to the local server, they will leave you alone. Offer is not valid in China, Tibet, North Korea, or Malaysia.
MSI S6000 i5-460M 4Gb mem
I am not CrAzY. And I have a paper from the doctors to prove it!
LRU# 563815
Phear the Penguin
