North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: On-going Internet Emergency and Domain Names

  • From: Valdis . Kletnieks
  • Date: Sat Mar 31 09:42:45 2007

On Sat, 31 Mar 2007 08:49:27 EDT, [email protected] said:

> OK, so, do you officially declare the emergency? Should we all block the
> domains listed on, is that an authoritative site of
> botnet hunters? If so, there are couple of surprises for you. 
> listed there is a chinese equivalent of google, who'd get very 
> upset if its domain name got "revoked". Similarly,
> There needs to be due process for these actions. And once we close this
> vector, I'm sure that botnets will simply migrate away from DNS to some
> other protocol.

The real problem is that the bad guys are able to deploy new DNS entries
in timespams on the order of 10s of minutes, and we can't manage anything
resembling due process in that timeframe. (And yes, one could easily
imagine a botnet that switches to an entirely new name for the C&C host
every 10 minutes - the herder just needs a function that's fed a time-of-day,
and generate a hash.  Run it for 144 values for tomorrow, register those
domains, and distribute the values to your botnet (assuming 10-byte hashes,
you'd need all of one 1500 byte packet per day) - or let the bots do the
hash themselves if you trust their clocks to be somewhere near accurate.

If you want to be *really* obscure, consider the fact that rfc3490 IDN's
provide a very good way to hide the fact that it's a hash...

Attachment: pgp00012.pgp
Description: PGP signature