North American Network Operators Group


Re: netsky issue.

  • From: Simon Leinen
  • Date: Tue Mar 09 13:09:26 2004

Jamie Reid writes:
> If you have a look at 

> http://vil.nai.com/vil/content/v_101083.htm 

> There is a list of IP addresses that are nameservers which are
> hard-coded into the worm. It spreads by e-mail (currently) and thus
> it can be blocked using anti-virus filters.

> My concern is that these addrs are all for nameservers, which could
> be authoritative for other domains, and by blocking these servers
> any domains they host could be effectively put out of commission.

I think that (most of) the IP addresses in the list belong to
*recursive* DNS servers of larger Internet access providers.  There
certainly are quite a few requests from these to authoritative name
servers in our network.  So if you have authoritative name servers in
your network, blocking the IP addresses will result in some denial of
service.

The operators of these servers could probably do a useful thing or the
other here: they could try to trace suspicious queries to help locate
infected machines, and/or limit access to these name servers to only
their customer address ranges.

The latter may be operationally difficult depending on whether these
name servers are also authoritative (perhaps a good argument for
separating recursive and authoritative name servers) and how easy it
is to map the "legitimate user of recursive name service" predicate to
a range of IP addresses.

> I am not aware of an easy way to find out all the domains registered
> to a particular nameserver, and the trend of blocking addrs that
> appear in worm code is starting to concern me a bit.

Rightly so.

> It is not indicated how blocking these servers will have an
> appreciable effect on the worm propagation (unless it gets a second
> stage from them), and I wonder if anyone else has similar concerns,
> or an opinion on whether these IP addresses should actually be
> blocked.

I'd recommend against it, due to collateral damage and more general
end-to-end arguments.
-- 
Simon Leinen				       [email protected]
SWITCH				   http://www.switch.ch/misc/leinen/

	       Computers hate being anthropomorphized.
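As an added illustration of the mitigation discussed above (restricting recursive service to customer ranges and separating recursive from authoritative service), the following BIND 9 named.conf fragments are not part of the original post; they assume BIND 9.4-or-later syntax (allow-query-cache), and every prefix in the "customers" ACL is a constructed placeholder, not a real provider's range.

```conf
// Added example, not from the post. BIND 9 named.conf fragments.
// All prefixes below are constructed placeholders (RFC 5737 / RFC 3849 ranges).

// Weak: a resolver that also serves authoritative zones and answers
// recursive queries from any source address. Older BIND 9 releases
// defaulted allow-recursion to "any", so omitting it left the server
// open to the whole Internet, which is exactly what makes such a
// server useful to a worm carrying a hard-coded resolver list.
options {
    recursion yes;
    // no allow-recursion statement: relies on a permissive default
};

// Better: the same server keeps answering authoritative queries for
// its own zones from anywhere, but recursion and cache access are
// limited to the provider's customer address ranges.
acl "customers" {
    192.0.2.0/24;        // constructed placeholder prefix
    198.51.100.0/24;     // constructed placeholder prefix
    2001:db8::/32;       // constructed placeholder prefix
    localhost;
};

options {
    recursion yes;
    allow-query { any; };              // authoritative answers stay reachable
    allow-recursion { customers; };    // recursive lookups only for customers
    allow-query-cache { customers; };  // cached answers only for customers
};

// Best: run authoritative service on a separate server with recursion
// disabled entirely, so no blocklist aimed at "open resolvers" can ever
// take the authoritative zones with it.
options {
    recursion no;
    allow-query { any; };
};
```

The middle fragment is what a provider that cannot split its servers today can apply immediately; the last fragment is the separation the post argues for, and it also removes the operational difficulty of mapping "legitimate user of recursive service" onto address ranges for the authoritative host, since that host no longer recurses at all.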