[155543] in North American Network Operators' Group


Re: DNS Changer items

daemon@ATHENA.MIT.EDU (Leo Bicknell)
Wed Aug 15 13:24:48 2012

Date: Wed, 15 Aug 2012 10:24:07 -0700
From: Leo Bicknell <bicknell@ufp.org>
To: NANOG <nanog@nanog.org>
Mail-Followup-To: NANOG <nanog@nanog.org>
In-Reply-To: <502BB9BB.4070106@bogus.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org



In a message written on Wed, Aug 15, 2012 at 08:01:15AM -0700, joel jaeggli wrote:
> Remediation of whatever wrong with a given prefix is an active activity,
> it's not likely to go away unless the prefix is advertised.

Actually, that's not true on two fronts.

From a business relationship front, if the problem is contacting
the right people when the "right people" have been arrested and now
some police agent needs to generate the right paperwork, produce
court paperwork, see a judge, time will absolutely help.  I can see
a scenario here where it might have been worked out to transfer the
block to the appropriate law enforcement agency for a year (with
them paying the usual fees) such that they could wind this down in
an orderly way.

If the problem is technical badness, the block has appeared on
blacklists or grey lists, or been placed into temporary filters
to block DNS changer badness, time will also help.  Most (although
not all) of those activities are aged out.  As ISPs stop seeing
hits on their DNS changer ACLs because the machines have been
cleaned up they will remove them.  Greylists will age out.

Indeed both of these are why there is a "cooling off" period in place
now at all RIRs.  They have been proven to work.  Previously in
some cases they were 6-12 months though, and what the community has
said is that given that we're out of IPv4 those time periods should
be shorter.  The question becomes how much shorter?  Clearly holding
them back for 1 day isn't long enough to make any business or
technical difference.  The community is saying 6-12 months is too
long.

I am saying 6 weeks sounds too short to me, but if it is appropriate
for "ordinary" blocks there needs to be an exception for extraordinary
ones.  From time to time we hear about blocks like DNSChanger that
millions of boxes are configured to hit, or I remember the University
of Wisconsin DDOSed by NTP queries from some consumer routers.  When
the box still has high levels of well known, active badness, perhaps
it should be held back longer.

> In the case of dns changer, I would think that if you don't have working
> DNS for long enough you're going to have your computer fixed or throw it
> out. if you were an operator using that prefix to prevent customer
> breakage you should be on notice that's not sustainable indefinitely or
> indeed for much longer.

The problem here isn't just the infected computers.  Would you want to
receive a netblock from an RIR that came with tens or hundreds of
megabits of DDOS, I mean, background noise when you turned it on?
Whoever receives this block is in for a world of hurt.

-- 
       Leo Bicknell - bicknell@ufp.org - CCIE 3440
        PGP keys at http://www.ufp.org/~bicknell/
