FBI tells the public to call their ISP for help
Patrick W. Gilmore
patrick at ianai.net
Thu Jun 14 18:54:54 UTC 2007
On Jun 14, 2007, at 2:45 PM, Chris Adams wrote:
> Once upon a time, John Levine <johnl at iecc.com> said:
>> I realize it's not a technical problem, although I suspect there are
>> some technical twiddles that could help, e.g., persuading
>> Microsoft to
>> put the update servers in their own ASN to make it easier to put them
>> in a sandbox. And I realize that Microsoft's combination of
>> arrogance
>> and naivete can make them painful to deal with.
>
> $ dig download.windowsupdate.com
> ;download.windowsupdate.com. IN A
> download.windowsupdate.com. 3411 IN CNAME main.dl.wu.akadns.net.
> main.dl.wu.akadns.net. 111 IN CNAME dom.dl.wu.akadns.net.
> dom.dl.wu.akadns.net. 111 IN CNAME dl.wu.ms.edgesuite.net.
> dl.wu.ms.edgesuite.net. 8080 IN CNAME a26.ms.akamai.net.
> a26.ms.akamai.net. 20 IN A 216.180.86.39
> a26.ms.akamai.net. 20 IN A 216.180.86.37
> $
>
> If you have Akamai servers, the IPs will be on your network (and of
> course shared with many other sites). You'd have to limit access
> with a
> limited DNS server (since few will use or even know IPs to visit) that
> only gives out DNS for certain hosts/domains.
Unfortunately, this is not always true.
MS does not single-source. Users going to Windows Updates can and
will be directed to a number of places, including Akamai, and
Microsoft itself, depending on time of day, phase of moon, and whim
of the content owner.
In general, creating a sandbox where a computer can only reach
$UPDATE_SERVER is very, very difficult. And, as much as I hate to
admit it, MS OSes are not the only ones that can be compromised (he
types on his black MacBook).
That said, the majority of compromised computers do run some flavor
of Redmond-Ware. (One can argue about the underlying cause - market
share, quality of software, virus writer's preference, whatever - but
the fact still stands that most compromised computers run Windows.)
So getting a "windows update sandbox" would be very useful.
--
TTFN,
patrick
More information about the NANOG
mailing list