On Fri, 30 Mar 2007, Gadi Evron wrote:
> There is a current on-going Internet emergency: a critical 0day
> vulnerability currently exploited in the wild threatens numerous desktop
> systems which are being compromised and turned into bots, and the domain
> names hosting it are a significant part of the reason why this attack has
> not yet been mitigated.
>
> This past February, I sent an email to the Reg-Ops (Registrar Operations)
> mailing list. The email, which is quoted below, states how DNS abuse (not
> the DNS infrastructure) is the biggest unmitigated current vulnerability
> in day-to-day Internet security operations, not to mention abuse.

This isn't 0-day by any measure. Low-ttl, changing-nameserver domains were in vogue back in 2002 or so. These botnets use DNS as a central registry. Yes, it'd be nice to hit the C&C using our control of DNS, and yes, it'd be nice if registrars/registries were cooperating. However, DNS isn't the root of the problem here - tomorrow, they'll use some p2p tracker[less] protocol to distribute this information.

Before the readers of the list think that the world is about to end, please read Gadi's previous predictions here: http://www.securityfocus.com/archive/1/354200/30/0/threaded Eventually, crying wolf will get tiring.

> While we argue about this or that TLD, there are operational issues of
> the highest importance that are not being addressed.

I do not think that this reaches 'operational' just yet, unless you are operating a registry or registrar.

> <snip>
>
> This is the weakest link online today in Internet security, which we in
> most cases can't mitigate, and the only mitigation route is the domain
> name.

I dare to say, that's not the weakest link, and that's not the only mitigation route.

> <snip>
>
> We need to be able to get rid of domain names, at the very least during
> real emergencies. I am aware how it isn't always easy to distinguish what
> is good and what is bad. Still, we need to find a way.

OK, so, do you officially declare the emergency? Should we all block the domains listed on http://isc.sans.org/, is that an authoritative site of botnet hunters? If so, there are a couple of surprises for you. baidu.com listed there is a Chinese equivalent of Google, who'd get very upset if its domain name got "revoked". Similarly, alexa.com.

There needs to be due process for these actions. And once we close this vector, I'm sure that botnets will simply migrate away from DNS to some other protocol.

-alex
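The two technical points in this exchange, that botnet domains show up as low-TTL names whose addresses and nameservers keep changing, and that a public list of "bad" names can contain baidu.com, suggest what a resolver operator would actually do before acting on a name: score it on observed DNS churn, then route the result through a review gate instead of straight to a block. The following is an added example written for this page, not code from either participant or from any list or project named in the thread; the observation records, thresholds, allowlist and the /16 network key are constructed assumptions.

```python
from collections import defaultdict

# Heuristic thresholds; constructed values, tune against your own resolver logs.
LOW_TTL_SECONDS = 300      # answers that expire this fast let a controller move quickly
MIN_DISTINCT_ADDRS = 4     # distinct A records observed for one name
MIN_DISTINCT_NETS = 3      # distinct /16 prefixes those addresses fall into
MIN_DISTINCT_NS = 3        # distinct nameservers observed for one name

# Constructed allowlist: names that appear on public lists but must never be auto-blocked.
ALLOWLIST = frozenset({"baidu.com", "alexa.com"})

# Constructed observation records: (seen_at, qname, rtype, rdata, ttl).
# Addresses are from the RFC 5737 documentation ranges; none of this is real traffic.
SAMPLE_OBSERVATIONS = [
    # flux-like name: 5-minute TTL, a new network almost every poll, nameservers rotating
    (1000, "update-check.example", "A", "198.51.100.7", 300),
    (1000, "update-check.example", "NS", "ns1.example.net.", 300),
    (1300, "update-check.example", "A", "203.0.113.21", 300),
    (1300, "update-check.example", "NS", "ns2.example.org.", 300),
    (1600, "update-check.example", "A", "192.0.2.99", 300),
    (1900, "update-check.example", "A", "198.51.100.130", 300),
    (2200, "update-check.example", "A", "203.0.113.200", 300),
    (2200, "update-check.example", "NS", "ns3.example.com.", 300),
    # popular CDN-fronted name: also low TTL and many addresses, i.e. the same shape as flux
    (1000, "baidu.com", "A", "192.0.2.10", 60),
    (1060, "baidu.com", "A", "198.51.100.10", 60),
    (1120, "baidu.com", "A", "203.0.113.10", 60),
    (1180, "baidu.com", "A", "192.0.2.11", 60),
    (1240, "baidu.com", "A", "198.51.100.11", 60),
    (1300, "baidu.com", "A", "203.0.113.11", 60),
    # static name: day-long TTL, one address, nothing to see
    (1000, "static.example", "A", "198.51.100.200", 86400),
    (90000, "static.example", "A", "198.51.100.200", 86400),
]


def slash16(ipv4: str) -> str:
    """Coarse network key: the first two octets of a dotted-quad IPv4 address."""
    octets = ipv4.split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 address: {ipv4!r}")
    return ".".join(octets[:2])


def summarize(observations):
    """Collapse observation records into per-name statistics (address set, network set,
    nameserver set, lowest TTL seen). Record types other than A and NS are ignored."""
    stats = defaultdict(lambda: {"addrs": set(), "nets": set(), "ns": set(), "min_ttl": None})
    for _seen_at, qname, rtype, rdata, ttl in observations:
        s = stats[qname.lower().rstrip(".")]
        if rtype == "A":
            s["addrs"].add(rdata)
            s["nets"].add(slash16(rdata))
        elif rtype == "NS":
            s["ns"].add(rdata.lower().rstrip("."))
        else:
            continue
        s["min_ttl"] = ttl if s["min_ttl"] is None else min(s["min_ttl"], ttl)
    return stats


def churn_reasons(s):
    """Human-readable reasons why one name's answers look like they are being rotated."""
    reasons = []
    if len(s["addrs"]) >= MIN_DISTINCT_ADDRS and len(s["nets"]) >= MIN_DISTINCT_NETS:
        reasons.append(f"{len(s['addrs'])} addresses across {len(s['nets'])} /16 networks")
    if len(s["ns"]) >= MIN_DISTINCT_NS:
        reasons.append(f"{len(s['ns'])} distinct nameservers")
    return reasons


def triage(observations, allowlist=ALLOWLIST, low_ttl=LOW_TTL_SECONDS):
    """Map each name to (action, reasons). A name is flux-like only if it has BOTH a low TTL
    and churn; flux-like names on the allowlist go to manual review, never to a block list."""
    verdicts = {}
    for name, s in summarize(observations).items():
        reasons = churn_reasons(s)
        is_low_ttl = s["min_ttl"] is not None and s["min_ttl"] <= low_ttl
        if is_low_ttl and reasons:
            reasons.insert(0, f"low ttl ({s['min_ttl']}s)")
            action = "manual-review" if name in allowlist else "block-candidate"
        else:
            action = "ignore"
        verdicts[name] = (action, reasons)
    return verdicts


if __name__ == "__main__":
    for name, (action, reasons) in sorted(triage(SAMPLE_OBSERVATIONS).items()):
        print(f"{name:24} {action:16} {'; '.join(reasons)}")
```

The deliberate weakness of the heuristic is the point of the example: a large CDN-fronted site produces the same low-TTL, many-network signature as a flux domain, so the score alone cannot justify revoking a name. The allowlist gate is a stand-in for the due process the thread asks for; in practice it would be a reviewed list of high-traffic names plus a human decision for anything that reaches "block-candidate".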