nanog mailing list archives
Re: On-going Internet Emergency and Domain Names
From: Valdis.Kletnieks () vt edu
Date: Sat, 31 Mar 2007 09:40:38 -0400
On Sat, 31 Mar 2007 08:49:27 EDT, alex () pilosoft com said:
> OK, so, do you officially declare the emergency? Should we all block the domains listed on http://isc.sans.org/, is that an authoritative site of botnet hunters? If so, there are a couple of surprises for you. baidu.com listed there is a Chinese equivalent of google, who'd get very upset if its domain name got "revoked". Similarly, alexa.com. There needs to be due process for these actions. And once we close this vector, I'm sure that botnets will simply migrate away from DNS to some other protocol.
The real problem is that the bad guys are able to deploy new DNS entries in timespans on the order of 10s of minutes, and we can't manage anything resembling due process in that timeframe. (And yes, one could easily imagine a botnet that switches to an entirely new name for the C&C host every 10 minutes - the herder just needs a function that's fed a time-of-day, and generates a hash. Run it for 144 values for tomorrow, register those domains, and distribute the values to your botnet (assuming 10-byte hashes, you'd need all of one 1500-byte packet per day) - or let the bots do the hash themselves if you trust their clocks to be somewhere near accurate. If you want to be *really* obscure, consider the fact that RFC 3490 IDNs provide a very good way to hide the fact that it's a hash...)
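What the rotation described in the message above looks like from the resolver side, as an added example that is not part of the original post: it flags clients whose first-ever lookups of hash-like names land in consecutive 10-minute windows. The function names, thresholds and sample records are assumptions constructed for illustration.

```python
import math
from collections import Counter, defaultdict

WINDOW = 600  # seconds: the 10-minute rotation interval from the message

def entropy(label):
    """Shannon entropy of a label, in bits per character."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def hash_like(qname, min_len=12, min_entropy=3.5):
    """Heuristic (thresholds are assumptions): long, high-entropy leftmost label."""
    label = qname.lower().rstrip(".").split(".")[0]
    if label.startswith("xn--"):  # RFC 3490 ACE prefix: score the encoded part
        label = label[4:]
    return len(label) >= min_len and entropy(label) >= min_entropy

def longest_run(windows):
    """Length of the longest run of consecutive window numbers."""
    best = 0
    for w in windows:
        if w - 1 not in windows:  # w starts a run
            n = 1
            while w + n in windows:
                n += 1
            best = max(best, n)
    return best

def rotating_clients(records, min_windows=4):
    """client -> run length where first-seen hash-like names fill consecutive windows."""
    seen = defaultdict(set)   # client -> names already queried
    fresh = defaultdict(set)  # client -> windows holding a first-seen hash-like name
    for ts, client, qname in sorted(records):
        name = qname.lower().rstrip(".")
        if name not in seen[client]:
            seen[client].add(name)
            if hash_like(name):
                fresh[client].add(ts // WINDOW)
    runs = {c: longest_run(w) for c, w in fresh.items()}
    return {c: r for c, r in runs.items() if r >= min_windows}

T0 = 1_200_000_000  # constructed epoch base, a multiple of WINDOW
SAMPLE = [  # constructed (epoch, client, qname) records, not real traffic
    (T0 + 30, "10.0.0.5", "k3v9q0zt1mxa7c2p.example"),
    (T0 + 645, "10.0.0.5", "p7w2h8yd4nbe5r1u.example"),
    (T0 + 1210, "10.0.0.5", "z6c1m9xq3tva8k0f.example"),
    (T0 + 1820, "10.0.0.5", "b4j8s2ng7wye0h5r.example"),
    (T0 + 40, "10.0.0.8", "www.example.com"),
] + [(T0 + i * WINDOW, "10.0.0.8", "d1a2b3c4e5f6g7h8.cdn.example") for i in range(4)]
```

Client 10.0.0.8 repeats one random-looking CDN name in every window and is not flagged, because only names a client has never queried before count toward the run.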