A copy of Anthony Sanchez’s letter to Full-Disclosure.
by Anthony (IRCop) @ 00:44 AM, Jul 19 2007
I wrote the following e-mail to Full-Disclosure. I hope beyond hopes that someone can help…
Subject: Major ISPs arbitrarily blocking IRC and hijacking DNS entries
I am writing to this list because I no longer know where to turn. Over the course of the past 2 to three weeks I have watched my services on the internet become systematically blocked and redirected by no less than 3 major isps in their efforts to stop botnets from connecting to IRC. Allow me to provide a little background info.
My name is Anthony Sanchez and I have run a small irc network, for the past 6 years, along with a couple websites and my mail server (utilized by two people). Approximately 2 weeks ago, we discovered that TimeWarner/Road Runner/AOL was redirecting traffic from irc.ablenet.org port 6667 to their own dummy install of ircd along with commands to connecting users to “.remove” in the event that the connection was a bot. If the end user were to attempt to speak or issue a command, that user was banned from the ‘dummy’ network.
At about the same time, we noticed that verizon was restricting access to the IPs all together, apparently using some form of port restriction as the DNS still resolved on their name servers correctly. I have documented this informally, with screenshots, on my weblog, found at http://anthony.blogs.ablenet.org/ .
As of today, it now appears that Cox is also redirecting traffic apparently in an effort to disable botnets.
As you can see below, the correct resolution of irc.ablenet.org is as follows:
Contrary to the truth, cox.net resolves it as so:
Out of concern, I had emailed the irc-unity.org security discussion list (currently cc’d; I hope that is ok) and confirmed that while not everyone is experiencing this problem, it is not entirely new. That being said, I am not sure anyone has experienced it on this level. We have never harbored botnets; in fact, we have very strict connection policies and have flown under the radar for a good number of years.
I assure you all that we have never and will never contribute to the abuse of the internet. A cursory scan of the general blacklists does not appear to show any submission of my IPs or my URL. To make matters worse, we have no means of recourse or correction. No one has made an effort to contact me with regards to their plans and how I may have been able to prevent what amounts to a systematic crippling of services. I have no way to circumnavigate the domain hijacking, port blocking or traffic redirection being employed. Nor do I have any useful contact information that would put me in contact with any of their network security personnel. These providers, while perhaps noble in their cause, are denying us our right to exist. If we were a large organization, this very likely would not be happening.
I appeal to the members of this list and those that read it. If anyone can offer any form of assistance, knows anyone who can, or can help me get my story out… please do. Beyond the inability to exist, I am concerned for the communities that have
congregated with us and contributed to the greater good. Any and all assistance will be beyond appreciated, as our very existence is at stake and I no longer know what to do…
Anthony at AbleNET dot Org
This is ridiculous. These ISP’s are years behind the times. When I first started IRC’ing there were few bots available. Over the years it grew exponentially and was a threat to IRC networks. Now, most spyware/virus protection actually destroy the bot, if it even allows the installation. I would venture to guess that most bots now are installed via P2P programs like Limewire, etc and that’s what the ISP’s should be targeting.
Please contact your ISP and let them know you want to be able to IRC as you have for years.