North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: FBI tells the public to call their ISP for help

  • From: Patrick W. Gilmore
  • Date: Thu Jun 14 14:56:22 2007

On Jun 14, 2007, at 2:45 PM, Chris Adams wrote:
Once upon a time, John Levine <[email protected]> said:
I realize it's not a technical problem, although I suspect there are
some technical twiddles that could help, e.g., persuading Microsoft to
put the update servers in their own ASN to make it easier to put them
in a sandbox. And I realize that Microsoft's combination of arrogance
and naivete can make them painful to deal with.

$ dig ; IN A 3411 IN CNAME 111 IN CNAME 111 IN CNAME 8080 IN CNAME 20 IN A 20 IN A $

If you have Akamai servers, the IPs will be on your network (and of
course shared with many other sites). You'd have to limit access with a
limited DNS server (since few will use or even know IPs to visit) that
only gives out DNS for certain hosts/domains.

Unfortunately, this is not always true.

MS does not single-source. Users going to Windows Updates can and will be directed to a number of places, including Akamai, and Microsoft itself, depending on time of day, phase of moon, and whim of the content owner.

In general, creating a sandbox where a computer can only reach $UPDATE_SERVER is very, very difficult. And, as much as I hate to admit it, MS OSes are not the only ones that can be compromised (he types on his black MacBook).

That said, the majority of compromised computers do run some flavor of Redmond-Ware. (One can argue about the underlying cause - market share, quality of software, virus writer's preference, whatever - but the fact still stands that most compromised computers run Windows.) So getting a "windows update sandbox" would be very useful.