[95562] in North American Network Operators' Group


Re: On-going Internet Emergency and Domain Names

daemon@ATHENA.MIT.EDU (alex@pilosoft.com)
Sat Mar 31 10:26:43 2007

Date: Sat, 31 Mar 2007 10:24:04 -0400 (EDT)
From: alex@pilosoft.com
To: Gadi Evron <ge@linuxbox.org>
Cc: nanog@merit.edu
In-Reply-To: <Pine.LNX.4.21.0703310915130.24495-100000@linuxbox.org>
Errors-To: owner-nanog@merit.edu


On Sat, 31 Mar 2007, Gadi Evron wrote:

> > domains listed on http://isc.sans.org/, is that an authoritative site
> > of botnet hunters? If so, there are a couple of surprises for you.
> > baidu.com listed there is a Chinese equivalent of Google, who'd get
> > very upset if its domain name got "revoked". Similarly, alexa.com.
> > 
> > There needs to be due process for these actions. And once we close
> > this vector, I'm sure that botnets will simply migrate away from DNS
> > to some other protocol.
> 
> You shouldn't confuse TCP/IP for the control channel of the botnets
> which is IRC, HTTP, etc.
I'm not sure I understand your point. Intarweb Storm Center listed a
number of domain names "involved in these attacks", presumably so the
registrars/registries pull the DNS records. I am pointing out that at
least two of the ones listed are innocent.

What does TCP/IP or IRC or HTTP have to do with anything?

> DNS is not going anywhere, patch for the hosts file or not.
Glad you understand that.

