On-going Internet Emergency and Domain Names

Peter Dambier peter at peter-dambier.de
Sat Mar 31 11:45:33 UTC 2007


Port 25 is bad. It has been blocked.
Port 53 is bad. Some ISPs are already going to block it.

How about port 80?

I think port 80 should have been the first and only port to block.

Let the other ports stay alive.

And maybe a test for port 42 would be nice.

If port 42 is answered by an IEN 116 nameserver then everything is
fine. If it is windows nameservice - then shoot the guy. Chance is
75% that it is a bot already. If you don't shoot him chance is 75%
that he will get infected anyhow.

Can somebody tell me how to delay this post until midnight your time?
I have unlocked the "mettre en voyage" lever already and the kettle is
boiling. I am sure we built steam enough :)


Cheers
Peter and Karin


Gadi Evron wrote:
> On Sat, 31 Mar 2007, Mikael Abrahamsson wrote:
> 
>>On Sat, 31 Mar 2007, Gadi Evron wrote:
>>
>>
>>>In this case, we speak of a problem with DNS, not sendmail, and not bind.
>>
>>The argument can be made that you're trying to solve a windows-problem by 
>>implementing blocking in DNS.
>>
>>Next step would be to ask all access providers to block outgoing UDP/53 so 
>>people can't use open resolvers or machines set up to act as resolvers for 
>>certain DNS information that the botnets need, as per the same analysis 
>>that blocking TCP/25 stops spam.
>>
>>So what you're trying to do is a pure stop-gap measure that won't scale in 
>>the long run. Fix the real problem instead of trying to bandaid the 
>>symptoms.
> 
> 
> The real problem? Okay, I'd like your ideas then. :)
> 
> What we are referring to here is not just malware, phishing, DDoS (rings a
> bell, root servers?) and other threats. It is about the DNS being
> manipulated and abused and causing instability across the board, only not
> in reachability and availability which is the infrastructure risk already
> being looked after.
> 
> Hijacking may be resolved by DNS-SEC, this isn't.
> 
> If an A record with a low TTL can be changed every 10 minutes, that means
> no matter what the problem is, we can't mitigate it. There are legitimate
> reasons to do that, though.
> 
> The C&C for a botnet would not disappear, as it would be half way across
> the world by the time we see it.
> The only constant is the malicious domain name.
> 
> If the NS keeps skipping around, that's just plain silly. :)
> 
> If we are able to take care of all the rest, and DNS becomes the one facet
> which can rewind the wheel, DNS is the problem. It HAS become an
> infrastructure for abuse, and it disturbs daily life on the Internet. We'd
> like solutions and we raised some ideas - we are willing to accept they
> are not good ones, please help us out with better ones?
> 
> Or we can look at it from a different perspective:
> Should bad guys be able to register thousands of domains with "amazon" and
> "paypal" in them every day? Should there be black hat malicious registrars
> around? Shouldn't there be an abuse route for domain names?
> 
> One problem at a time, please.
> 
> 	Gadi.


-- 
Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
Rimbacher Strasse 16
D-69509 Moerlenbach-Bonsweiher
+49(6209)795-816 (Telekom)
+49(6252)750-308 (VoIP: sipgate.de)
mail: peter at peter-dambier.de
mail: peter at echnaton.arl.pirates
http://iason.site.voila.fr/
https://sourceforge.net/projects/iason/
http://www.cesidianroot.com/
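The quoted argument above (low-TTL A records that change every few minutes while the malicious domain name stays constant) describes what defenders track as fast-flux. The following is an added example, not code from this thread or from any of its participants: a small passive-DNS style check that flags names combining a low TTL with many addresses spread across several /16 prefixes, while leaving a CDN-like name with a small stable pool alone. All names, addresses and thresholds are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed observations: (time_seconds, qname, ttl, a_records).
# Names and addresses are invented (TEST-NET ranges), not real indicators.
OBSERVATIONS = [
    (0,    "flux.example.test",   300,   ["192.0.2.10", "192.0.2.55"]),
    (600,  "flux.example.test",   300,   ["198.51.100.7", "203.0.113.9"]),
    (1200, "flux.example.test",   300,   ["192.0.2.200", "198.51.100.88"]),
    (1800, "flux.example.test",   300,   ["203.0.113.120", "192.0.2.33"]),
    (0,    "cdn.example.test",    60,    ["198.51.100.1", "198.51.100.2"]),
    (600,  "cdn.example.test",    60,    ["198.51.100.2", "198.51.100.1"]),
    (1200, "cdn.example.test",    60,    ["198.51.100.1", "198.51.100.2"]),
    (0,    "static.example.test", 86400, ["203.0.113.5"]),
    (3600, "static.example.test", 86400, ["203.0.113.5"]),
]

@dataclass
class DomainStats:
    min_ttl: int = 1 << 31
    ips: set = field(default_factory=set)
    prefixes: set = field(default_factory=set)  # /16 prefixes, a rough spread measure
    rrset_changes: int = 0                       # how often the A record set changed
    last_rrset: frozenset = frozenset()

def summarize(observations):
    """Aggregate per-name minimum TTL, address set, /16 spread and record-set churn."""
    stats = defaultdict(DomainStats)
    for _ts, name, ttl, addrs in sorted(observations):
        s = stats[name]
        s.min_ttl = min(s.min_ttl, ttl)
        s.ips.update(addrs)
        s.prefixes.update(".".join(a.split(".")[:2]) for a in addrs)
        rrset = frozenset(addrs)           # order of records does not count as a change
        if s.last_rrset and rrset != s.last_rrset:
            s.rrset_changes += 1
        s.last_rrset = rrset
    return stats

def flag_fast_flux(observations, max_ttl=600, min_ips=5, min_prefixes=3):
    """Names whose low TTL comes with many addresses across several /16s.
    Low TTL alone is not enough: a CDN rotates a small, stable pool and
    stays under the address and prefix thresholds (hypothetical values)."""
    return sorted(
        name for name, s in summarize(observations).items()
        if s.min_ttl <= max_ttl
        and len(s.ips) >= min_ips
        and len(s.prefixes) >= min_prefixes
    )
```

Only `flux.example.test` is returned for the constructed data; the thresholds are assumptions and would be tuned against a real resolver log before being used to drive any blocking decision.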



