On-going Internet Emergency and Domain Names

Hank Nussbacher hank at efes.iucc.ac.il
Sat Mar 31 18:38:52 UTC 2007

On Sat, 31 Mar 2007, Mikael Abrahamsson wrote:

> On Sat, 31 Mar 2007, Gadi Evron wrote:
>> In this case, we speak of a problem with DNS, not sendmail, and not bind.
> The argument can be made that you're trying to solve a windows-problem by 
> implementing blocking in DNS.
> Next step would be to ask all access providers to block outgoing UDP/53 so 
> people can't use open resolvers or machines set up to act as resolvers for 
> certain DNS information that the botnets need, as per the same analysis that 
> blocking TCP/25 stops spam.
> So what you're trying to do is a pure stop-gap measure that won't scale in 
> the long run. Fix the real problem instead of trying to bandaid the symptoms.

IMHO, Windows will always have some 0-day appearing every quarter - 
whether it be in XP or Vista.  Or it will be in Apache, or it will be in 
Sendmail or it will be in some other app.  So if taking a 10,000 foot 
view, apps will always have 0-day holes that are abused.  Nowadays, the 
latest vector is fast-flux.  I think that closing that vector via fast 
closure of a particular domain name is something we should tackle.  True, 
the baddies will find some other vector.  But that doesn't mean we should 
ignore this one.


> -- 
> Mikael Abrahamsson    email: swmike at swm.pp.se

More information about the NANOG mailing list