Hackers hijack 300,000-plus wireless routers, make malicious changes | Ars Technica
- Subject: Hackers hijack 300,000-plus wireless routers, make malicious changes | Ars Technica
- From: diotonante at gmail.com (Davide Davini)
- Date: Tue, 04 Mar 2014 14:27:10 +0100
- In-reply-to: <CA+qj4S9C+sukX9Z=dcKHw4D5zK77YKPUQo_eYaS3owb=a-5iAQ@mail.gmail.com>
- References: <[email protected]> <op.xb64biiundossr@localhost> <CA+qj4S9C+sukX9Z=dcKHw4D5zK77YKPUQo_eYaS3owb=a-5iAQ@mail.gmail.com>
Andrew Latham wrote:
> On Tue, Mar 4, 2014 at 5:46 AM, fmm <vovan at fakmoymozg.ru> wrote:
>> On Tue, 04 Mar 2014 09:00:18 +0100, Jay Ashworth <jra at baylink.com> wrote:
>>
>>>
>>> http://arstechnica.com/security/2014/03/hackers-hijack-300000-plus-wireless-routers-make-malicious-changes/
>>>
>>> Is there any valid reason not to black hole those /32s on the back bone?
>>
>>
>>
>>>> The telltale sign a router has been compromised is DNS settings that have
>>>> been changed to 5.45.75.11 and 5.45.76.36. Team Cymru researchers contacted
>>>> the provider that hosts those two IP addresses but have yet to receive a
>>>> response.
>>
>>
>> you wanted to say "blackhole those 5.45.72.0/22 and 5.45.76.0/22", didn't
>> you?
>>
>
> Jay is right, it is just the /32s at the moment... Dropping the /22s
> could cause other sites to be blocked.
>
> inetnum: 5.45.72.0 - 5.45.75.255
> netname: INFERNO-NL-DE
I'm guessing that was said under the assumption the provider wouldn't
intervene, because if it does intervene there is no point in blackholing
anything.
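
An added example, not part of the thread: a defender-side audit that flags routers whose DNS settings match the two resolver addresses quoted above, and separately marks addresses that only a /22-wide block would catch, which is the collateral the thread is arguing about. The inventory format, device names and sample lines are constructed assumptions.

```python
import ipaddress

# Addresses and prefixes taken from the thread above.
ROGUE_RESOLVERS = {ipaddress.ip_address("5.45.75.11"),
                   ipaddress.ip_address("5.45.76.36")}
DISCUSSED_PREFIXES = [ipaddress.ip_network("5.45.72.0/22"),
                      ipaddress.ip_network("5.45.76.0/22")]

# Constructed sample (hypothetical export): device name, then its DNS servers.
SAMPLE_INVENTORY = """\
cpe-001 dns=8.8.8.8,8.8.4.4
cpe-002 dns=5.45.75.11,5.45.76.36
cpe-003 dns=5.45.73.20,192.0.2.53
cpe-004 dns=not-an-ip,5.45.76.36
"""

def classify(addr_text):
    """'rogue' = exact /32 match, 'same-prefix' = only a /22 block would hit it,
    'invalid' = unparsable field, 'clean' = anything else."""
    try:
        addr = ipaddress.ip_address(addr_text.strip())
    except ValueError:
        return "invalid"
    if addr in ROGUE_RESOLVERS:
        return "rogue"
    if any(addr in net for net in DISCUSSED_PREFIXES):
        return "same-prefix"
    return "clean"

def audit(inventory_text):
    """Map each device to its worst finding across all configured resolvers."""
    rank = {"clean": 0, "invalid": 1, "same-prefix": 2, "rogue": 3}
    report = {}
    for line in inventory_text.splitlines():
        if not line.strip():
            continue
        name, _, field = line.partition(" dns=")
        verdicts = [classify(a) for a in field.split(",")]
        report[name] = max(verdicts, key=rank.__getitem__)
    return report

def collateral_addresses():
    """Addresses inside the two /22s that are not one of the two resolvers."""
    return sum(n.num_addresses for n in DISCUSSED_PREFIXES) - len(ROGUE_RESOLVERS)

if __name__ == "__main__":
    for device, verdict in audit(SAMPLE_INVENTORY).items():
        print(f"{device}: {verdict}")
    print("non-resolver addresses covered by the /22s:", collateral_addresses())
```
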