Re: On-going Internet Emergency and Domain Names

North American Network Operators Group

Re: On-going Internet Emergency and Domain Names

From: Peter Dambier
Date: Sat Mar 31 07:48:40 2007


Port 25 is bad. It has been blocked.
Port 53 is bad. Some ISPs are already going to block it.

How about port 80?

I think port 80 should have been the first and only port to block.

Let the other ports stay alive.

And maby a test for port 42 would be nice.

If port 42 is answered by an IEN 116 nameserver then everything is
fine. If it is windows nameservice - then shot the guy. Chance is
75% that it is a bot already. If you dont shot him chance is 75%
that he will get infected anyhow.

Can somebody tell me how to delay this post until midnight your time?
I have unlocked the "mettre en voyage" lever already and the kettle is
boiling. I am shure we built staem enough :)


Cheers
Peter and Karin

Gadi Evron wrote:

On Sat, 31 Mar 2007, Mikael Abrahamsson wrote:

On Sat, 31 Mar 2007, Gadi Evron wrote:

In this case, we speak of a problem with DNS, not sendmail, and not bind.
The argument can be made that you're trying to solve a windows-problem by implementing blocking in DNS.

Next step would be to ask all access providers to block outgoing UDP/53 so people can't use open resolvers or machines set up to act as resolvers for certain DNS information that the botnets need, as per the same analysis that blocking TCP/25 stops spam.

So what you're trying to do is a pure stop-gap measure that won't scale in the long run. Fix the real problem instead of trying to bandaid the symptoms.

The real problem? Okay, I'd like your ideas than. :)
What we are referring to here is not just malware, phishing, DDoS (rings a
bell, root servers?) and othr threats. It is about the DNS being
manipulated and abused and causing instability across the board, only not
in reachability and availability which is the infrastructure risk already
being looked after.
Hijacking may be resolved by DNS-SEC, this isn't.
If an A record with a low TTL can be changed every 10 minutes, that means
no matter what the problem is, we can't mitigate it. There are legitimate
reasons to do that, though.
The C&C for a botnet would not disapear, as it would be half way across
the world by the time we see it.
The only constant is the malicious domain name.
If the NS keeps skipping around, that's just plain silly. :)
If we are able to take care of all the rest, and DNS becomes the one facet
which can rewind the wheel, DNS is the problem. It HAS become an
infrastructure for abuse, and it disturbs daily life on the Internet. We'd
like solutions and we raised some ideas - we are willing to accept they
are not good ones, please help us out with better ones?
Or we can look at it from a different perspective:
Should bad guys be able to register thousands of domains with "amazon" and
"paypal" in them every day? Should there be black hat malicious registrars
around? Shouldn't there be an abuse route for domain names?
One problem at a time, please.

Gadi.

--
Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
Rimbacher Strasse 16
D-69509 Moerlenbach-Bonsweiher
+49(6209)795-816 (Telekom)
+49(6252)750-308 (VoIP: sipgate.de)
mail: [email protected]
mail: [email protected]
http://iason.site.voila.fr/
https://sourceforge.net/projects/iason/
http://www.cesidianroot.com/

Follow-Ups:
- Re: On-going Internet Emergency and Domain Names Kradorex Xeron

References:
- Re: On-going Internet Emergency and Domain Names Gadi Evron

Prev by Date: Re: On-going Internet Emergency and Domain Names
Next by Date: Re: On-going Internet Emergency and Domain Names
Date Index
Thread Index
Author Index
Historical