[96677] in North American Network Operators' Group


Re: Interesting new dns failures

daemon@ATHENA.MIT.EDU (Chris L. Morrow)
Mon May 21 14:22:46 2007

Date: Mon, 21 May 2007 18:14:39 +0000 (GMT)
From: "Chris L. Morrow" <christopher.morrow@verizonbusiness.com>
In-reply-to: <20070521.110810.8794.3165872@webmail03.lax.untd.com>
To: Fergie <fergdawg@netzero.net>
Cc: nanog@merit.edu
Errors-To: owner-nanog@merit.edu




On Mon, 21 May 2007, Fergie wrote:

> -- "Chris L. Morrow" <christopher.morrow@verizonbusiness.com> wrote:
>
> >So, I think that what we (security folks) want is probably not to
> >auto-squish domains in the TLD because of NS's moving about at some rate
> >other than 'normal' but to be able to ask for a quick takedown of said
> >domain, yes? I don't think we'll be able to reduce false positive rates
> >low enough to be acceptable with an 'auto-squish' method :(
>
> Hi Chris,
>
> While I agree with you, there are many of us who know that these
> fast-flux hosts are malicious due to malware & malicious traffic
> analysis...

Oh, so we switched from 'the domain is bad because..' to 'the hosts using
the domain are bad because...' I wasn't assuming some piece of intel at
the TLD that told the TLD that 'hostX that was just named NS for domain
foo.bar is also compromised'. I was assuming a 'simple' system of
'changing NS's X times in Y period == bad'. I admit that's a mite naive,
but given the number, breadth, content, operators of lists of 'bad things'
on the internet today I'm not sure I'd rely on them for a global decision
making process, especially if I were a TLD operator potentially liable for
removal of a domain used to process real business :(

>
> I completely agree with you, however, on the issue of making
> assumptions that it will always be malicious -- of course, that
> will not always be the case. :-)
>

agreed.
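
The 'changing NS's X times in Y period == bad' rule from this message, written out as an added example (not part of the original email or any TLD operator's system). X = 3, Y = 24 hours, the `.example` names, the observations and the benign labels are all constructed assumptions; the run shows the rule flagging a legitimate provider migration alongside the fast-changing domain.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed values: the message only says "X times in Y period".
MAX_CHANGES = 3               # X
WINDOW = timedelta(hours=24)  # Y

# Constructed observations of a TLD zone: (time, domain, delegated NS set).
OBSERVATIONS = [
    ("2007-05-21T00:00", "flux.example", {"ns1.h1.example", "ns2.h1.example"}),
    ("2007-05-21T02:00", "flux.example", {"ns1.h2.example", "ns2.h2.example"}),
    ("2007-05-21T04:00", "flux.example", {"ns1.h3.example", "ns2.h3.example"}),
    ("2007-05-21T06:00", "flux.example", {"ns1.h4.example", "ns2.h4.example"}),
    # A real business moving DNS providers, then rolling back after an outage.
    ("2007-05-21T00:00", "shop.example", {"ns1.old.example", "ns2.old.example"}),
    ("2007-05-21T09:00", "shop.example", {"ns1.old.example", "ns1.new.example"}),
    ("2007-05-21T12:00", "shop.example", {"ns1.new.example", "ns2.new.example"}),
    ("2007-05-21T15:00", "shop.example", {"ns1.old.example", "ns2.old.example"}),
    # One routine change.
    ("2007-05-21T00:00", "quiet.example", {"ns1.isp.example", "ns2.isp.example"}),
    ("2007-05-21T10:00", "quiet.example", {"ns1.isp.example", "ns3.isp.example"}),
]
KNOWN_BENIGN = {"shop.example", "quiet.example"}  # constructed ground truth


def flag_ns_churn(observations, max_changes=MAX_CHANGES, window=WINDOW):
    """Return {domain: time the NS set changed max_changes times within window}."""
    last_ns, changes, flagged = {}, defaultdict(deque), {}
    for ts, domain, ns_set in sorted(observations, key=lambda o: o[0]):
        when, ns_set = datetime.fromisoformat(ts), frozenset(ns_set)
        prev, last_ns[domain] = last_ns.get(domain), ns_set
        if prev is None or prev == ns_set:
            continue  # first sighting or no change
        recent = changes[domain]
        recent.append(when)
        while when - recent[0] > window:
            recent.popleft()  # drop changes older than the window
        if len(recent) >= max_changes:
            flagged.setdefault(domain, when)  # keep the first time it tripped
    return flagged


def false_positives(flagged, known_benign=KNOWN_BENIGN):
    """Flagged domains that the constructed ground truth says are legitimate."""
    return sorted(set(flagged) & known_benign)


if __name__ == "__main__":
    hits = flag_ns_churn(OBSERVATIONS)
    print("flagged:", {d: t.isoformat() for d, t in hits.items()})
    print("false positives:", false_positives(hits))
```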
