netsky issue.

• Previous message (by thread): TELUS contact?
• Next message (by thread): netsky issue.
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

If you have a look at 

http://vil.nai.com/vil/content/v_101083.htm 

There is a list of IP addresses that are nameservers which 
are hard-coded into the worm. It spreads by e-mail (currently)
and thus it can be blocked using anti-virus filters. 

My concern is that these addrs are all for nameservers, which could 
be authoritative for other domains, and by blocking these servers
any domains they host could be effectively put out of commission. 

I am not aware of an easy way to find out all the domains registered
to a particular nameserver, and the trend of blocking addrs that appear
in worm code is starting to concern me a bit. 

It is not indicated how blocking these servers will have an appreciable
effect on the worm propagation (unless it gets a second stage from them), 
and I wonder if anyone else has similar concerns, or an opinion on whether
these IP addresses should actually be blocked. 

Regards, 

-j


--
Jamie.Reid, CISSP, jamie.reid at mbs.gov.on.ca
Senior Security Specialist, Information Protection Centre 
Corporate Security, MBS  
416 327 2324 
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: TEXT.htm
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20040308/ad6b6fae/attachment.ksh>

• Previous message (by thread): TELUS contact?
• Next message (by thread): netsky issue.
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]