On Sat, 31 Mar 2007 08:49:27 EDT, alex@pilosoft.com said:
OK, so, do you officially declare the emergency? Should we all block the domains listed on http://isc.sans.org/, is that an authoritative site of botnet hunters? If so, there are couple of surprises for you. baidu.com listed there is a chinese equivalent of google, who'd get very upset if its domain name got "revoked". Similarly, alexa.com.
There needs to be due process for these actions. And once we close this vector, I'm sure that botnets will simply migrate away from DNS to some other protocol.
The real problem is that the bad guys are able to deploy new DNS entries in timespams on the order of 10s of minutes, and we can't manage anything resembling due process in that timeframe. (And yes, one could easily imagine a botnet that switches to an entirely new name for the C&C host every 10 minutes - the herder just needs a function that's fed a time-of-day, and generate a hash. Run it for 144 values for tomorrow, register those domains, and distribute the values to your botnet (assuming 10-byte hashes, you'd need all of one 1500 byte packet per day) - or let the bots do the hash themselves if you trust their clocks to be somewhere near accurate. If you want to be *really* obscure, consider the fact that rfc3490 IDN's provide a very good way to hide the fact that it's a hash...