On-going Internet Emergency and Domain Names

Paul Vixie paul at vix.com
Sun Apr 1 15:30:22 UTC 2007


> From: dlr at bungi.com (Dave Rand)
> 
> ...
> 
> We are not fighting technology.  We are dealing with very well organized,
> smart, and well-funded people.
> 
> We need to focus on solutions that we can deploy, which will address the
> problems at hand, as we discover them.  That means we will deploy things
> that do not solve underlying problems, but address the symptoms as best we
> can, to prevent the entire mess from falling down.
> 
> That means that we must look at short-range solutions to address things in
> near-real-time, ...
> 
> There is no "one true solution" to this.  That means you, as network
> operators, need to look at what makes sense *today*, and *DEPLOY IT*.
> 
> ...

As Dave is certainly aware (as CTO of Trend Micro, which bought MAPS/Kelkea),
his daytime employer has a product (called ICSS, which I had a hand in
building) that proposes to let enterprises or ISPs use recursive DNS as a
delivery mechanism for security policy (like, "poison this malware domain").

I've got no heartburn about deploying these technologies at a customer level,
but my experience with both BIND's "check-names" facility and VeriSign's
sitefinder wildcard (*.COM) has taught me that it's best to creatively
rulebreak at the edge, and keep the core pristine.  I helped Dave build ICSS
and I know that customers of that technology could easily white-out domains
used for Gadi's 0-day and that it would be a good thing for them to do so.

But, that's the DNS "edge"; I'm not ready to see the DNS "core" gain features
like this.  Or if they do come, I'd like them to come as a result of consensus
driven protocol engineering (like inside the IETF) and take longer than "this
week" to be defined.  I hope this clarifies the incompatibility between me
helping Dave build ICSS (an edge solution) and me saying that whiting out
malware domain names as a way to stop malware isn't a real (core) solution.

Some references to ICSS, in case you all missed it.  (Note that I am not an
employee, shareholder, representative, or agent of Trend Micro and I have no
financial stake in ICSS at this point.)

http://www.trendmicro.com/en/products/nss/icss/evaluate/overview.htm
http://www.eweek.com/article2/0,1895,2020286,00.asp
http://www.vnunet.com/itweek/news/2164897/trend-appliance-sniffs-bot-nets
http://www.computerwire.com/industries/research/?pid=2E16BA11-5976-42B0-9C13-EC19B10DB2F3
http://www.computing.co.uk/itweek/news/2164897/trend-appliance-sniffs-bot-nets
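The mechanism Paul describes above, a recursive resolver at the edge that "whites out" policy-listed names while everything else resolves normally, as an added illustration that is not code from ICSS, Trend Micro, or the post: a stdlib-only Python filter that sits in front of a recursive resolver, parses an incoming DNS query at the wire level, and either synthesizes an NXDOMAIN or walled-garden answer for a listed name or hands the query back for ordinary recursion. The policy entries, the sinkhole address 192.0.2.1 (TEST-NET-1) and all function names are constructed for this example; nothing here touches authoritative (core) data, which is the point the post makes.

```python
import struct

# Constructed policy list for this example. A real feed (ICSS-style) would be
# delivered to the resolver operator; the names below are illustrative only.
POLICY = {
    "malware.example.": "nxdomain",      # pretend the name does not exist
    "botnet-c2.example.": "sinkhole",    # answer with a walled-garden address
}
SINKHOLE_A = "192.0.2.1"  # assumed walled-garden host (TEST-NET-1, never routed)


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels ending in a zero octet."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    """Decode an uncompressed name at msg[off:]; returns (lower-cased FQDN, next offset)."""
    labels = []
    while True:
        ln = msg[off]
        off += 1
        if ln == 0:
            break
        if ln & 0xC0:  # a question section never needs compression pointers
            raise ValueError("compression pointer in question name")
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels).lower() + ".", off


def build_query(name, qtype=1, txid=0x1234):
    """Build a minimal client query (RD set, one question, class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def lookup_policy(qname, policy=POLICY):
    """Walk up the name so a listed apex also covers its subdomains; root is skipped."""
    parts = qname.split(".")
    for i in range(len(parts) - 1):
        candidate = ".".join(parts[i:])
        if candidate in policy:
            return policy[candidate]
    return None


def _a_record(addr, ttl=60):
    # Owner name is a pointer (0xC00C) back to the question name at offset 12.
    rdata = bytes(int(x) for x in addr.split("."))
    return b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata


def apply_policy(query, policy=POLICY):
    """Return a synthesized response for policy hits, or None to let normal recursion run."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", query[:12])
    if flags & 0x8000 or qd != 1:
        return None  # not a query, or not a single question: not ours to answer
    qname, off = decode_name(query, 12)
    qtype, qclass = struct.unpack("!HH", query[off:off + 4])
    question = query[12:off + 4]
    action = lookup_policy(qname, policy)
    if action is None:
        return None  # no policy hit: the resolver recurses as usual
    base = 0x8000 | (flags & 0x0100) | 0x0080  # QR, RD copied from query, RA
    if action == "nxdomain":
        return struct.pack("!HHHHHH", txid, base | 3, 1, 0, 0, 0) + question
    if action == "sinkhole" and qtype == 1 and qclass == 1:
        header = struct.pack("!HHHHHH", txid, base, 1, 1, 0, 0)
        return header + question + _a_record(SINKHOLE_A)
    # sinkhole policy but a non-A query: NOERROR with an empty answer section (NODATA)
    return struct.pack("!HHHHHH", txid, base, 1, 0, 0, 0) + question


def parse_response(resp):
    """Return (txid, rcode, [A addresses]) from a response built by apply_policy."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(resp, off)
        off += 4
    addrs = []
    for _ in range(an):
        off += 2  # owner name is always a compression pointer in our answers
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        rdata = resp[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in rdata))
    return txid, flags & 0x000F, addrs


if __name__ == "__main__":
    for name in ("www.malware.example.", "botnet-c2.example.", "www.example.com."):
        resp = apply_policy(build_query(name))
        print(name, "->", "pass-through" if resp is None else parse_response(resp))
```

Because the policy is consulted only inside the resolver that the customer operates, removing it is a one-line configuration change at that edge; an authoritative wildcard or a change to the protocol itself would affect every resolver on the Internet, which is the core-versus-edge distinction the post draws.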