… but as they are secondary requests there is no obvious alert.
Last night it looked like all the CSS had disappeared on the BBC in my security-laden default Firefox browser. Usually it would be some new change that I would need to white-list, but I couldn’t see anything. Maybe the BBC are having a wobble? I left it until this morning, but it did not recover, so further digging was required. No CSS on any BBC site, for any user, in any browser – a network level issue then. Having a look in the web console, all the CSS from static.bbci.co.uk was 404’ing. Is that site up? Ah-ha, it is only then we get a nice big splash screen telling me that OpenDNS has blocked that site for hosting malware or a botnet. My OpenDNS dashboard informs me that the following two domains have been blocked as hosting botnets:
A quick look doesn’t reveal any reports or discussion on the net.
2 thoughts on “No CSS on the BBC as OpenDNS thinks they have a botnet!”
There are different categories of malicious domains that OpenDNS blocks and that can be independently enabled/disabled from the Dashboard.
One is called “botnet”. It actually blocks the domain names used by a specific Worm discovered in 2008, named Conficker.
Conficker tries to connect to domains automatically derived from the current date.
Every day, 50,000+ pseudorandom domains are possible candidates, and the worm randomly tries to connect to them.
There are 5 versions of Conficker, and the OpenDNS “botnet” category blocks the domains generated by the first 3 versions.
This is an automatic process, scheduled every day.
The worm doesn’t check if a domain has already been registered by someone else. It’s just strings that are pseudorandomly generated.
The length of the Conficker domains is not constant. They can be very short. And the shorter they are, the higher the probability of a collision with a real, benign, existing domain.
This is what happened with ibbc.co.uk
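
The collision effect described in the comment above, as an added example that is not from the post, the commenter or OpenDNS: it estimates how often a date-seeded generator lands on one specific short name, and holds back any candidate that matches a known-benign domain before it reaches a blocklist. The generator, the label length range and the suffix set are hypothetical stand-ins, not Conficker's algorithm or values; only the 50,000 per day figure comes from the comment.

```python
import hashlib
import math
from datetime import date

# Assumed parameters for illustration; not Conficker's real algorithm or values.
LETTERS = "abcdefghijklmnopqrstuvwxyz"
MIN_LEN, MAX_LEN = 4, 10           # assumed label length range
TLDS = ("co.uk", "com", "net")     # assumed suffix set
PER_DAY = 50_000                   # daily candidate count quoted in the comment

def toy_candidates(day, count):
    """Stand-in date-seeded generator: same day in, same names out."""
    names = []
    for i in range(count):
        h = hashlib.sha256(f"{day.isoformat()}:{i}".encode()).digest()
        length = MIN_LEN + h[0] % (MAX_LEN - MIN_LEN + 1)
        label = "".join(LETTERS[b % 26] for b in h[1:1 + length])
        names.append(f"{label}.{TLDS[h[31] % len(TLDS)]}")
    return names

def hit_probability(label_len, draws):
    """Chance that one specific name of this label length shows up in `draws`
    picks, treating length, letters and suffix as uniform."""
    lengths = MAX_LEN - MIN_LEN + 1
    per_draw = 1 / (lengths * 26 ** label_len * len(TLDS))
    return -math.expm1(draws * math.log1p(-per_draw))

def split_blocklist(candidates, known_benign):
    """Separate candidates that equal a known-benign registered domain, so
    they go to review instead of straight onto the blocklist."""
    benign = {d.lower() for d in known_benign}
    held = [c for c in candidates if c in benign]
    block = [c for c in candidates if c not in benign]
    return block, held

if __name__ == "__main__":
    for n in (4, 6, 10):
        print(n, f"{hit_probability(n, PER_DAY * 365):.2e}")
    today = toy_candidates(date(2009, 3, 1), 1000)
    allow = {"bbci.co.uk", today[0]}   # constructed: forces one collision
    block, held = split_blocklist(today, allow)
    print(len(block), "to block;", held, "held for review")
```

Under these assumed parameters a four-letter label is more likely than not to be generated at some point within a year, while a ten-letter one effectively never is.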