From: dlr@bungi.com (Dave Rand)
...
We are not fighting technology. We are dealing with very well organized, smart, and well-funded people.
We need to focus on solutions that we can deploy, which will address the problems at hand, as we discover them. That means we will deploy things that do not solve underlying problems, but address the symptoms as best we can, to prevent the entire mess from falling down.
That means that we must look at short-range solutions to address things in near-real-time, ...
There is no "one true solution" to this. That means you, as network operators, need to look at what makes sense *today*, and *DEPLOY IT*.
...
As Dave is certainly aware (as CTO of Trend Micro, which bought MAPS/Kelkea), his daytime employer has a product (called ICSS, and which I had a hand in building) that proposes to let enterprises or ISPs use recursive DNS as a delivery mechanism for security policy (like, "poison this malware domain"). I've got no heartburn about deploying these technologies at a customer level, but my experience with both BIND's "check-names" facility and VeriSign's sitefinder wildcard (*.COM) has taught me that it's best to creatively rulebreak at the edge, and keep the core pristine. I helped Dave build ICSS and I know that customers of that technology could easily white-out domains used for Gadi's 0-day and that it would be a good thing for them to do so. But, that's the DNS "edge"; I'm not ready to see the DNS "core" gain features like this. Or if they do come, I'd like them to come as a result of consensus-driven protocol engineering (like inside the IETF) and take longer than "this week" to be defined. I hope this clarifies the incompatibility between me helping Dave build ICSS (an edge solution) and me saying that whiting out malware domain names as a way to stop malware isn't a real (core) solution.

Some references to ICSS, in case you all missed it. (Note that I am not an employee, shareholder, representative, or agent of Trend Micro and I have no financial stake in ICSS at this point.)

http://www.trendmicro.com/en/products/nss/icss/evaluate/overview.htm
http://www.eweek.com/article2/0,1895,2020286,00.asp
http://www.vnunet.com/itweek/news/2164897/trend-appliance-sniffs-bot-nets
http://www.computerwire.com/industries/research/?pid=2E16BA11-5976-42B0-9C13...
http://www.computing.co.uk/itweek/news/2164897/trend-appliance-sniffs-bot-ne...
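The "white out a malware domain at the recursive resolver" idea discussed above, shown as an added configuration example that is not part of the thread and is not Trend Micro's ICSS: it uses BIND's Response Policy Zone (RPZ) feature, which only appeared in BIND 9.8 (2010), several years after this exchange, so it was not an option the posters had at the time. The zone name `rpz.local`, the file path, and the domains `bad-example.test` and `other-bad.test` are made up for illustration. Because the policy lives in the edge resolver's own configuration and never touches the authoritative data for those names, it is exactly the kind of edge-only rulebreaking the message argues for.

```conf
// --- named.conf (BIND 9.8 or later), on the recursive resolver only ---
options {
    recursion yes;
    // Consult the local policy zone before answering clients.
    // Assumed zone name; nothing in the thread names a real zone.
    response-policy { zone "rpz.local"; };
};

zone "rpz.local" {
    type master;
    file "/etc/bind/db.rpz.local";   // assumed path
    allow-query { none; };           // policy data, never served to clients
};

// --- /etc/bind/db.rpz.local (zone file, ';' starts a comment) ---
$TTL 300
@   IN SOA  localhost. hostmaster.localhost. ( 1 3600 900 2592000 300 )
    IN NS   localhost.

; Owner names are relative to the zone origin, so "bad-example.test"
; here means bad-example.test.rpz.local, i.e. a policy for bad-example.test.
; "CNAME ." is the RPZ idiom for "answer NXDOMAIN": the name is whited out.
bad-example.test      CNAME .
*.bad-example.test    CNAME .

; Alternative policy: instead of NXDOMAIN, sinkhole to a local
; walled-garden address (192.0.2.1 is documentation space, made up here).
other-bad.test        A     192.0.2.1
*.other-bad.test      A     192.0.2.1
```

Check the configuration with `named-checkconf` and `named-checkzone rpz.local /etc/bind/db.rpz.local` before reloading, then confirm the effect from a client of that resolver with `dig @<resolver> bad-example.test` (expect NXDOMAIN) and `dig @<resolver> www.other-bad.test` (expect 192.0.2.1). One caveat worth knowing: by default BIND does not apply RPZ rewrites to answers that the resolver has validated with DNSSEC (the `break-dnssec` option defaults to `no`), so a signed malware domain will pass through unless the operator deliberately chooses to break validation for it; that is a local policy decision at the edge, not something the protocol or the core has to change.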