North American Network Operators Group
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Interesting new dns failures

  • From: Roger Marquis
  • Date: Mon May 21 14:38:29 2007

On Mon, 21 May 2007, Chris L. Morrow wrote: 
ok, so 'today' you can't think of a reason (nor can I really easily) but
it's not clear that this may remain the case tomorrow.


Not a good justification for doing nothing while this sort of trojan
propagates.  As analogy, it is also true we cannot see how email-based
trojans may be desirable tomorrow, but that doesn't stop us from
protecting ourselves against their detrimental effects today.

It's possible that as a way to 'better loadshare' traffic akamai
(just to make an example) could start doing this as well.

Actually not. There is no legitimate purpose for this dns hack.

So, I think that what we (security folks) want is probably not
to auto-squish domains in the TLD because of NS's moving about
at some rate other than 'normal'


Except that there's a lot more to this pattern than simply changing NS
at a rate other than normal, enough that it can be easily identified
for what it is.

--
Roger Marquis
Roble Systems Consulting
http://www.roble.com/