[68329] in North American Network Operators' Group


netsky issue.

daemon@ATHENA.MIT.EDU (Jamie Reid)
Mon Mar 8 21:14:30 2004

Date: Mon, 08 Mar 2004 21:12:55 -0500
From: "Jamie Reid" <Jamie.Reid@mbs.gov.on.ca>
To: nanog@merit.edu
Errors-To: owner-nanog-outgoing@merit.edu


If you have a look at

http://vil.nai.com/vil/content/v_101083.htm

There is a list of IP addresses that are nameservers which
are hard-coded into the worm. It spreads by e-mail (currently)
and thus it can be blocked using anti-virus filters.

My concern is that these addrs are all for nameservers, which could
be authoritative for other domains, and by blocking these servers
any domains they host could be effectively put out of commission.

I am not aware of an easy way to find out all the domains registered
to a particular nameserver, and the trend of blocking addrs that appear
in worm code is starting to concern me a bit.

It is not indicated how blocking these servers will have an appreciable
effect on the worm propagation (unless it gets a second stage from them),
and I wonder if anyone else has similar concerns, or an opinion on whether
these IP addresses should actually be blocked.

Regards,

-j


--
Jamie.Reid, CISSP, jamie.reid@mbs.gov.on.ca
Senior Security Specialist, Information Protection Centre
Corporate Security, MBS
416 327 2324
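The collateral-damage question raised in the post can at least be checked for the domains an operator already knows it depends on: a domain only goes dark if every address of every nameserver it delegates to is on the candidate blocklist. The script below is an added example, not part of the original post; all DNS data in it (NS_RECORDS, A_RECORDS, the candidate IPs) is constructed, and in practice those maps would be filled from NS and A lookups of your own domain inventory.

```python
"""Blocklist impact check for nameserver IPs found in worm code.

Added example, not from the original NANOG post. All DNS data below is
constructed (RFC 5737 documentation addresses); in practice NS_RECORDS and
A_RECORDS would be populated from NS/A lookups of the domains you depend on,
since there is no easy lookup from a nameserver back to every zone it serves.
"""
from typing import Dict, Iterable, List, Set, Tuple

# Constructed: domain -> hostnames from its NS records.
NS_RECORDS: Dict[str, Set[str]] = {
    "example.com": {"ns1.example-dns.test", "ns2.example-dns.test"},
    "example.net": {"ns1.example-dns.test", "ns.other-dns.test"},
    "example.org": {"ns.other-dns.test"},
}
# Constructed: nameserver hostname -> addresses from its A records.
A_RECORDS: Dict[str, Set[str]] = {
    "ns1.example-dns.test": {"192.0.2.10"},
    "ns2.example-dns.test": {"192.0.2.11"},
    "ns.other-dns.test": {"198.51.100.5"},
}


def ns_addresses(domain: str, ns=NS_RECORDS, a=A_RECORDS) -> Set[str]:
    """Every IP a resolver could contact for authoritative answers on domain."""
    return set().union(*(a.get(host, set()) for host in ns.get(domain, set())))


def block_impact(block_ips: Iterable[str], domains: Iterable[str],
                 ns=NS_RECORDS, a=A_RECORDS) -> Tuple[List[str], List[str]]:
    """Classify domains by what a candidate blocklist does to their nameservers.

    Returns (unreachable, degraded): domains whose every nameserver IP is
    blocked (resolution fails outright) and domains that lose some but not
    all nameserver IPs (still resolvable, with less redundancy). Domains with
    no nameserver data are skipped, so an empty result means "no known
    impact", not "safe".
    """
    blocked = set(block_ips)
    unreachable, degraded = [], []
    for domain in sorted(domains):
        ips = ns_addresses(domain, ns, a)
        hit = ips & blocked
        if not hit:
            continue
        (unreachable if hit == ips else degraded).append(domain)
    return unreachable, degraded


if __name__ == "__main__":
    # Constructed candidate blocklist: a single address "seen in worm code".
    unreachable, degraded = block_impact({"192.0.2.10"}, NS_RECORDS)
    print("unreachable:", unreachable)  # []
    print("degraded:", degraded)        # ['example.com', 'example.net']
```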


