Re: On-going Internet Emergency and Domain Names

[Valdis.Kletnieks () vt edu]

On Sat, 31 Mar 2007 08:49:27 EDT, alex () pilosoft com said:

> OK, so, do you officially declare the emergency? Should we all block the
> domains listed on http://isc.sans.org/, is that an authoritative site of
> botnet hunters? If so, there are couple of surprises for you. 
> baidu.com listed there is a chinese equivalent of google, who'd get very 
> upset if its domain name got "revoked". Similarly, alexa.com.
>
> There needs to be due process for these actions. And once we close this
> vector, I'm sure that botnets will simply migrate away from DNS to some
> other protocol.

The real problem is that the bad guys are able to deploy new DNS entries
in timespams on the order of 10s of minutes, and we can't manage anything
resembling due process in that timeframe. (And yes, one could easily
imagine a botnet that switches to an entirely new name for the C&C host
every 10 minutes - the herder just needs a function that's fed a time-of-day,
and generate a hash.  Run it for 144 values for tomorrow, register those
domains, and distribute the values to your botnet (assuming 10-byte hashes,
you'd need all of one 1500 byte packet per day) - or let the bots do the
hash themselves if you trust their clocks to be somewhere near accurate.

If you want to be *really* obscure, consider the fact that rfc3490 IDN's
provide a very good way to hide the fact that it's a hash...

Attachment: _bin
Description: