[96678] in North American Network Operators' Group
Re: Interesting new dns failures
daemon@ATHENA.MIT.EDU (Fergie)
Mon May 21 14:28:26 2007
From: "Fergie" <fergdawg@netzero.net>
Date: Mon, 21 May 2007 18:22:29 GMT
To: christopher.morrow@verizonbusiness.com
Cc: nanog@merit.edu
Errors-To: owner-nanog@merit.edu
-- "Chris L. Morrow" <christopher.morrow@verizonbusiness.com> wrote:
>>
>> While I agree with you, there are many of us who know that these
>> fast-flux hosts are malicious due to malware & malicious traffic
>> analysis...
>
>Oh, so we switched from 'the domain is bad because..' to 'the hosts using
>the domain are bad because...' I wasn't assuming some piece of intel at
>the TLD that told the TLD that 'hostX that was just named NS for domain
>foo.bar is also compromised'. I was assuming a 'simple' system of
>'changing NS's X times in Y period == bad'. I admit that's a mite naive,
>but given the number, breadth, content, operators of lists of 'bad things'
>on the internet today I'm not sure I'd rely on them for a global decision
>making process, especially if I were a TLD operator potentially liable for
>removal of a domain used to process real business :(

Well, I don't think I ever implied that, but let's say that there
is certainly some fast-flux behavior (fluxing across multiple
administratively managed prefix blocks, NS fast-flux) which should
immediately raise a red flag.

Decisions based on those flags are policy issues -- whether or not
someone decides to take action only on that information or do
further research is something that has to be determined by the
person(s) who detect the behavior, etc.

Having said that, most people don't even realize that fast-flux
exists...

- ferg

--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg(at)netzero.net
ferg's tech blog: http://fergdawg.blogspot.com/
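
The two signals discussed in this message (NS changes "X times in Y period" and fluxing across multiple prefix blocks), as an added example that is not part of the original post. The thresholds, the /16 grouping and the sample observations are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_network

# Hypothetical thresholds for "X changes in Y period" and prefix spread.
NS_CHANGE_THRESHOLD = 3
WINDOW = timedelta(hours=24)
PREFIX_THRESHOLD = 4

# Constructed sample data (documentation/benchmark ranges): time, domain, NS addresses.
OBSERVATIONS = [
    ("2007-05-21T00:00", "flux.example", ["192.0.2.10", "198.51.100.7"]),
    ("2007-05-21T00:05", "flux.example", ["203.0.113.5", "198.18.4.1"]),
    ("2007-05-21T00:10", "flux.example", ["198.19.9.9", "192.0.2.77"]),
    ("2007-05-21T00:15", "flux.example", ["198.51.100.200", "203.0.113.99"]),
    ("2007-05-21T00:00", "migrate.example", ["192.0.2.53", "192.0.2.54"]),
    ("2007-05-21T12:00", "migrate.example", ["198.51.100.53", "198.51.100.54"]),
    ("2007-05-21T00:00", "churn.example", ["192.0.2.1"]),
    ("2007-05-21T01:00", "churn.example", ["192.0.2.2"]),
    ("2007-05-21T02:00", "churn.example", ["192.0.2.3"]),
    ("2007-05-21T03:00", "churn.example", ["192.0.2.4"]),
]

def prefix(addr, bits=16):
    # Assumption: a /16 stands in for an "administratively managed prefix
    # block"; a production check would map addresses to origin AS instead.
    return ip_network(f"{addr}/{bits}", strict=False)

def flag_domains(observations):
    # Returns {domain: [reasons]}; it reports flags and takes no action.
    history = defaultdict(list)
    for ts, domain, addrs in observations:
        history[domain].append((datetime.fromisoformat(ts), frozenset(addrs)))
    flagged = {}
    for domain, seen in history.items():
        seen.sort(key=lambda e: e[0])
        # Times at which the NS set differed from the previous observation.
        changes = [cur[0] for prev, cur in zip(seen, seen[1:]) if cur[1] != prev[1]]
        reasons = set()
        for end in changes:  # slide the window so it ends at each change
            start = end - WINDOW
            if sum(start <= t <= end for t in changes) >= NS_CHANGE_THRESHOLD:
                reasons.add("ns-churn")
            spread = {prefix(a) for t, addrs in seen if start <= t <= end for a in addrs}
            if len(spread) >= PREFIX_THRESHOLD:
                reasons.add("prefix-spread")
        if reasons:
            flagged[domain] = sorted(reasons)
    return flagged
```

On this sample the single NS migration is not flagged, rotation inside one block trips only the churn rule, and only the domain hopping across blocks trips both.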