To report a botnet PRIVATELY please email: [EMAIL PROTECTED] ----------
On Fri, Mar 30, 2007 at 09:20:10PM -0500, Gadi Evron wrote:
> Every day we see two types of fast-flux attacks:
> 1. Those that keep changing A records by using a very low TTL.
> 2. Those that keep changing NS records, pretty much the same.
Can you describe this a bit more? Exactly what does this buy the opposition? How is it used? I suspect that what you mean is that botnets use domain names, and when people track down the IPs and thus machines and clean them up, they just hose new systems and change the IPs in DNS. Is this what you mean?

Now, it seems to me that they could use any sort of mechanism for distributing IP addresses, and that DNS just happens to be a convenient one. It strikes me as eminently trackable though.

What you're asking - the ability to stop a domain from functioning in a quick manner - sounds fairly dangerous in a couple of ways. I completely understand the desire to stop infections and compromises from spreading as quickly as possible. However, I also know that yanking a domain is a serious matter, and can easily bring an organization to a standstill. Virtually nothing except network security systems uses bare IP addresses anymore. Everything else will fail. And that can certainly open the registrars to some serious financial liability should they start pulling them on short notice. I would want my registrar to make darn sure that they had exhausted all other options, and that they would be causing less "damage" (in terms of unavailability of network services) than they are preventing, before they did something like this.

Looking at it from a "who owns it" perspective, although no registrar is obligated to serve my data, I pay for the service, not the clients. Looking at it another way, if you don't like the answers you get from my DNS, then stop asking questions.

What seems to be in conflict here is that you and other white hats are essentially third parties to what is going on; you are not running the malware, and you are not feeding it data. Giving third parties the ability to stop or interfere with a network communication seems like it could lead to some undesirable consequences.
Of course I am well aware that many if not all of the people doing this are more than capable of using DDoS techniques to neutralize the DNS server, but cannot legally do so. It seems to me, however, that by doing so you could achieve the same results, without introducing any new vulnerabilities in the system; black hats already are familiar with DDoS, and being unconstrained by legal/moral issues are free to use it at any time.

In contrast, providing a system for a third party to deny DNS service to a domain in a short time frame, whatever the exact mechanism, may create more problems than it solves, and the opposition will just find another way to distribute IP addresses. There's nothing that DNS does that couldn't be accomplished by some other mechanism; the only real difference between that and something else a person might cook up is that the infrastructure is widely deployed, highly available, and can't be disabled without significantly disrupting legitimate business. Though that has obvious advantages for the opposition, none of those seem _critical_ to the application here as I understand it. They could just as easily query slashdot forums or google or use peer-to-peer overlay networks to distribute new IPs, right?

-- 
Kill dash nine, and it's no more CPU time,
kill dash nine, and that process is mine.
-><- <URL:http://www.subspacefield.org/~travis/>
For a good time on my UBE blacklist, email [EMAIL PROTECTED]
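As an added illustration of the two fast-flux patterns quoted at the top of this message (not code from the thread or from either poster), the following Python sketch scores constructed passive-DNS observations for churning A records under a low TTL and for churning NS records; the thresholds and the sample data are assumptions chosen for illustration.

```python
"""Flag fast-flux candidates from passive-DNS observations (added example).

Each observation is a constructed tuple (timestamp, qname, rrtype, rdata, ttl).
Thresholds below are assumptions for illustration, not values from the thread.
"""
from collections import defaultdict

# Constructed sample: one fast-flux style name and one stable name.
OBSERVATIONS = [
    (0,    "flux.example",   "A",  "198.51.100.10",     180),
    (300,  "flux.example",   "A",  "198.51.100.77",     180),
    (600,  "flux.example",   "A",  "203.0.113.5",       120),
    (900,  "flux.example",   "A",  "192.0.2.44",        120),
    (1200, "flux.example",   "A",  "198.51.100.10",     180),
    (0,    "flux.example",   "NS", "ns1.flux.example",  300),
    (900,  "flux.example",   "NS", "ns7.flux.example",  300),
    (0,    "stable.example", "A",  "192.0.2.1",         86400),
    (3600, "stable.example", "A",  "192.0.2.1",         86400),
    (0,    "stable.example", "NS", "ns.stable.example", 86400),
]

def summarize(observations):
    """Per (qname, rrtype): number of distinct rdata values, highest TTL seen,
    and how many times the answer changed between consecutive observations."""
    seen = defaultdict(set)
    ttl_max = defaultdict(int)
    changes = defaultdict(int)
    last = {}
    for _ts, name, rrtype, rdata, ttl in sorted(observations):
        key = (name, rrtype)
        seen[key].add(rdata)
        ttl_max[key] = max(ttl_max[key], ttl)
        if key in last and last[key] != rdata:
            changes[key] += 1
        last[key] = rdata
    return {k: (len(seen[k]), ttl_max[k], changes[k]) for k in seen}

def fast_flux_candidates(observations, max_ttl=300, min_a_distinct=3, min_ns_distinct=2):
    """Return names whose A records churn under a low TTL (type 1 in the quoted
    post) or whose NS records churn (type 2), with the pattern(s) that matched."""
    stats = summarize(observations)
    flagged = {}
    for (name, rrtype), (distinct, ttl, _changes) in stats.items():
        if rrtype == "A" and ttl <= max_ttl and distinct >= min_a_distinct:
            flagged.setdefault(name, set()).add("a-flux")
        if rrtype == "NS" and distinct >= min_ns_distinct:
            flagged.setdefault(name, set()).add("ns-flux")
    return {n: sorted(v) for n, v in flagged.items()}
```

Real passive-DNS feeds would add resolver-side context (ASN spread, geographic spread) before treating a hit as more than a candidate for review.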
_______________________________________________
All list and server information are public and available to law enforcement upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
