On-going Internet Emergency and Domain Names
alex at pilosoft.com
Sat Mar 31 12:49:27 UTC 2007
On Fri, 30 Mar 2007, Gadi Evron wrote:
> There is a current on-going Internet emergency: a critical 0day
> vulnerability currently exploited in the wild threatens numerous desktop
> systems which are being compromised and turned into bots, and the domain
> names hosting it are a significant part of the reason why this attack has
> not yet been mitigated.
Before the readers of the list think that the world is about to end,
please read Gadi's previous predictions here:
Eventually, crying wolf will get tiring.
> This past February, I sent an email to the Reg-Ops (Registrar
> Operations) mailing list. The email, which is quoted below, states how
> DNS abuse (not the DNS infrastructure) is the biggest unmitigated
> current vulnerability in day-to-day Internet security operations, not to
> mention abuse.
This isn't 0-day by any measure. Low-TTL, changing-nameserver domains were
in vogue back in 2002 or so. These botnets use DNS as a central registry.
Yes, it'd be nice to hit the C&C using our control of DNS, and yes, it'd
be nice if registrars/registries were cooperating. However, DNS isn't the
root of the problem here - tomorrow, they'll use some p2p tracker[less]
protocol to distribute this information.
> While we argue about this or that TLD, there are operational issues of
> the highest importance that are not being addressed.
I do not think that this reaches 'operational' just yet, unless you are
operating a registry or registrar.
> This is the weakest link online today in Internet security, which we in
> most cases can't mitigate, and the only mitigation route is the domain
I dare to say, that's not the weakest link, and that's not the only
> We need to be able to get rid of domain names, at the very least during
> real emergencies. I am aware how it isn't always easy to distinguish
> what is good and what is bad. Still, we need to find a way.
OK, so, do you officially declare the emergency? Should we all block the
domains listed on http://isc.sans.org/, is that an authoritative site of
botnet hunters? If so, there are a couple of surprises for you.
baidu.com listed there is a Chinese equivalent of Google, who'd get very
upset if its domain name got "revoked". Similarly, alexa.com.
There needs to be due process for these actions. And once we close this
vector, I'm sure that botnets will simply migrate away from DNS to some
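The low-TTL, changing-nameserver pattern discussed in this thread can be scored from passive DNS observations. The example below is added here and is not code from the original post or from any list member; the domains and addresses are constructed placeholders, and the thresholds and indicator names are assumptions. It flags a domain only when a low TTL coincides with churn in both the A records and the nameservers, so that a CDN that rotates A records behind stable nameservers, or a large, stable site, is not swept up:

```python
from collections import defaultdict

# Constructed sample lookups (placeholder names and RFC 5737 addresses, not
# real indicators). Each record: (domain, ttl_seconds, a_records, nameservers).
SAMPLE = [
    ("bot-cc.example", 60, {"192.0.2.10", "192.0.2.11"}, {"ns1.dyn.example"}),
    ("bot-cc.example", 60, {"192.0.2.12", "198.51.100.4"}, {"ns2.dyn.example"}),
    ("bot-cc.example", 30, {"203.0.113.7"}, {"ns3.dyn.example"}),
    ("bigsite.example", 600, {"192.0.2.100", "192.0.2.101"}, {"ns.big.example"}),
    ("bigsite.example", 600, {"192.0.2.100", "192.0.2.101"}, {"ns.big.example"}),
    ("cdn.example", 60, {"198.51.100.1"}, {"ns.cdn.example"}),
    ("cdn.example", 60, {"198.51.100.2"}, {"ns.cdn.example"}),
]

LOW_TTL = 300  # assumed threshold in seconds; TTLs at or below count as "low"

def summarize(records):
    """Aggregate lookups per domain: lowest TTL, all IPs and NS ever seen,
    and the largest answer set returned by any single lookup."""
    seen = defaultdict(lambda: {"min_ttl": None, "ips": set(), "ns": set(),
                                "max_ips": 0, "max_ns": 0})
    for domain, ttl, ips, ns in records:
        s = seen[domain]
        s["min_ttl"] = ttl if s["min_ttl"] is None else min(s["min_ttl"], ttl)
        s["ips"] |= set(ips)
        s["ns"] |= set(ns)
        s["max_ips"] = max(s["max_ips"], len(ips))
        s["max_ns"] = max(s["max_ns"], len(ns))
    return seen

def flux_indicators(records):
    """Return {domain: set of triggered indicators}. Churn means the union of
    answers across lookups is larger than any single lookup's answer set."""
    result = {}
    for domain, s in summarize(records).items():
        ind = set()
        if s["min_ttl"] <= LOW_TTL:
            ind.add("low_ttl")
        if len(s["ips"]) > s["max_ips"]:
            ind.add("ip_churn")
        if len(s["ns"]) > s["max_ns"]:
            ind.add("ns_churn")
        result[domain] = ind
    return result

def flag_fast_flux(records):
    """Domains showing low TTL together with both A-record and NS churn."""
    return sorted(d for d, ind in flux_indicators(records).items()
                  if {"low_ttl", "ip_churn", "ns_churn"} <= ind)
```

Run against real passive DNS data, the output is a review queue for a human, not a blocklist: the thread's point about due process still applies.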