[95575] in North American Network Operators' Group


Re: On-going Internet Emergency and Domain Names

daemon@ATHENA.MIT.EDU (Hank Nussbacher)
Sat Mar 31 14:39:54 2007

Date: Sat, 31 Mar 2007 21:38:52 +0300 (IDT)
From: Hank Nussbacher <hank@efes.iucc.ac.il>
To: Mikael Abrahamsson <swmike@swm.pp.se>
Cc: nanog@merit.edu
In-Reply-To: <Pine.LNX.4.64.0703311249160.13914@uplift.swm.pp.se>
Errors-To: owner-nanog@merit.edu


On Sat, 31 Mar 2007, Mikael Abrahamsson wrote:

>
> On Sat, 31 Mar 2007, Gadi Evron wrote:
>
>> In this case, we speak of a problem with DNS, not sendmail, and not bind.
>
> The argument can be made that you're trying to solve a Windows problem by 
> implementing blocking in DNS.
>
> Next step would be to ask all access providers to block outgoing UDP/53 so 
> people can't use open resolvers or machines set up to act as resolvers for 
> certain DNS information that the botnets need, as per the same analysis that 
> blocking TCP/25 stops spam.
>
> So what you're trying to do is a pure stop-gap measure that won't scale in 
> the long run. Fix the real problem instead of trying to band-aid the symptoms.

IMHO, Windows will always have some 0-day appearing every quarter - 
whether it be in XP or Vista.  Or it will be in Apache, or it will be in 
Sendmail, or it will be in some other app.  So, taking a 10,000-foot 
view, apps will always have 0-day holes that are abused.  Nowadays, the 
latest vector is fast-flux.  I think that closing that vector via fast 
closure of a particular domain name is something we should tackle.  True, 
the baddies will find some other vector.  But that doesn't mean we should 
ignore this one.

-Hank


>
> -- 
> Mikael Abrahamsson    email: swmike@swm.pp.se
>
