DNS Changer IPs Available Again, New Servers Risk Post-Mortem Hammering
In a surprising move, RIPE NCC, the Regional Internet Registry for Europe, has reallocated two of the IP blocks tied to the DNS Changer takedown, in which the FBI seized the botnet's rogue DNS servers and the Internet Systems Consortium ran clean replacement resolvers on the same addresses until the clean-up ended last month.
From November 2011 until July 2012, the IP ranges used by DNS Changer were controlled by the FBI under a US court order, so that infected PCs kept resolving names instead of going dark. After the court order expired, the ranges were quarantined, but they are now back in business with new owners.
According to the note published on the RIPE NCC website, the two network blocks (93.188.160.0/21 and 85.255.112.0/20) have been reallocated despite concerns expressed by the industry.
“The address space was quarantined for six weeks before being returned to the RIPE NCC’s available pool of IPv4 address space. It was then randomly reallocated to a new resource holder according to normal allocation procedures,” reads the note on the RIPE NCC page.
The random allocation landed the two network blocks with computer consultancy firm Inevo (85.255.112.0/20) in Romania and web hosting provider Aurimas Rapalis / II Hosting Media (93.188.160.0/21) in Lithuania. Reintroducing these IP ranges only six weeks after they were quarantined can hardly be regarded as "standard procedure" and might carry risks for the new owners.
For instance, every computer still infected with DNS Changer will keep sending its DNS queries to these addresses, so any server brought up on them is likely to be hammered with millions of requests on UDP and TCP port 53 that it was never designed to serve. Even a host with nothing listening on port 53 pays for the traffic: each stray query is a packet to receive and, unless filtered, an ICMP port-unreachable reply to send.
This isn't the only problem the new owners face: many networks were told to drop traffic originating from these IP blocks while they were known to be malicious, and some of those filter entries will outlive the reallocation. The result is reachability problems, because peer networks that never removed the rule will keep dropping the traffic even though it is now legitimate.
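The two checks a practitioner would want here, as an added example that is not part of the original article: whether a host's resolver configuration still points into the reallocated DNS Changer blocks (the "am I still infected" test), and, from the new holders' side, which sources are sending stray port-53 traffic at those addresses. The resolv.conf text and iptables-style log lines below are constructed sample inputs; only the two network blocks named in the article are taken from the page.

```python
"""Added example, not from the original article. Checks resolver settings and
firewall logs against the two DNS Changer blocks RIPE NCC reallocated.
All sample inputs below are constructed for illustration."""
import ipaddress
import re
from collections import Counter

# The two network blocks named in the article.
REALLOCATED_BLOCKS = [
    ipaddress.ip_network("85.255.112.0/20"),
    ipaddress.ip_network("93.188.160.0/21"),
]


def resolvers_in_blocks(resolv_conf_text):
    """Return the nameserver addresses in resolv.conf-style text that fall
    inside REALLOCATED_BLOCKS. A hit means the host is still configured to
    use the old DNS Changer addresses, which no longer answer DNS."""
    hits = []
    for line in resolv_conf_text.splitlines():
        parts = line.strip().split()
        if len(parts) < 2 or parts[0] != "nameserver":
            continue
        try:
            addr = ipaddress.ip_address(parts[1])
        except ValueError:
            continue  # skip malformed entries rather than fail
        if any(addr in net for net in REALLOCATED_BLOCKS):
            hits.append(str(addr))
    return hits


# Matches the SRC/DST/PROTO/DPT fields of an iptables LOG line (constructed format).
LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) .*DPT=(?P<dpt>\d+)"
)


def stray_dns_sources(log_lines):
    """Count, per source IP, packets aimed at UDP/TCP port 53 on addresses
    inside REALLOCATED_BLOCKS. Returns a dict of src -> count, which is the
    list a new holder would feed into a rate limit or an abuse report."""
    counts = Counter()
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m or m.group("dpt") != "53":
            continue
        if m.group("proto") not in ("UDP", "TCP"):
            continue
        try:
            dst = ipaddress.ip_address(m.group("dst"))
        except ValueError:
            continue
        if any(dst in net for net in REALLOCATED_BLOCKS):
            counts[m.group("src")] += 1
    return dict(counts)


# Constructed sample resolver configuration: two entries inside the blocks, one outside.
SAMPLE_RESOLV_CONF = """# constructed sample
nameserver 85.255.113.14
nameserver 8.8.8.8
nameserver 93.188.161.2
"""

# Constructed sample log lines: the last destination is outside the /21.
SAMPLE_LOG = [
    "kernel: IN=eth0 SRC=198.51.100.7 DST=85.255.112.41 PROTO=UDP SPT=53211 DPT=53",
    "kernel: IN=eth0 SRC=198.51.100.7 DST=85.255.112.41 PROTO=UDP SPT=53212 DPT=53",
    "kernel: IN=eth0 SRC=203.0.113.9 DST=93.188.162.5 PROTO=TCP SPT=40001 DPT=53",
    "kernel: IN=eth0 SRC=203.0.113.9 DST=93.188.162.5 PROTO=TCP SPT=40002 DPT=80",
    "kernel: IN=eth0 SRC=192.0.2.33 DST=93.188.170.1 PROTO=UDP SPT=1234 DPT=53",
]

if __name__ == "__main__":
    print("resolvers still in DNS Changer blocks:", resolvers_in_blocks(SAMPLE_RESOLV_CONF))
    print("stray port-53 sources:", stray_dns_sources(SAMPLE_LOG))
```

The prefix test relies on the `ipaddress` module's containment check, so a /20 and a /21 are handled by the same code path; the log parser ignores anything that is not port 53 or not inside the two blocks, so ordinary traffic to the new holders' other addresses is not counted against a source.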