North American Network Operators Group
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: On-going Internet Emergency and Domain Names

  • From: Hank Nussbacher
  • Date: Sat Mar 31 14:41:38 2007

On Sat, 31 Mar 2007, Mikael Abrahamsson wrote:


On Sat, 31 Mar 2007, Gadi Evron wrote:

In this case, we speak of a problem with DNS, not sendmail, and not bind.

The argument can be made that you're trying to solve a windows-problem by implementing blocking in DNS.

Next step would be to ask all access providers to block outgoing UDP/53 so people can't use open resolvers or machines set up to act as resolvers for certain DNS information that the botnets need, as per the same analysis that blocking TCP/25 stops spam.

So what you're trying to do is a pure stop-gap measure that won't scale in the long run. Fix the real problem instead of trying to bandaid the symptoms.

IMHO, Windows will always have some 0-day appearing every quarter - whether it be in XP or Vista. Or it will be in Apache, or it will be in Sendmail or it will be in some other app. So if taking a 10,000 foot view, apps will always have 0-day holes that are abused. Nowadays, the latest vector is fast-flux. I think that closing that vector via fast closure of a particular domain name is something we should tackle. True, the baddies will find some other vector. But that doesn't mean we should ignore this one.

-Hank



--
Mikael Abrahamsson    email: [email protected]