Port 25 is bad. It has been blocked. Port 53 is bad. Some ISPs are already going to block it. How about port 80? I think port 80 should have been the first and only port to block. Let the other ports stay alive.

And maybe a test for port 42 would be nice. If port 42 is answered by an IEN 116 nameserver then everything is fine. If it is Windows name service - then shoot the guy. Chance is 75% that it is a bot already. If you don't shoot him chance is 75% that he will get infected anyhow.

Can somebody tell me how to delay this post until midnight your time? I have unlocked the "mettre en voyage" lever already and the kettle is boiling. I am sure we built steam enough :)

Cheers
Peter and Karin

Gadi Evron wrote:
> On Sat, 31 Mar 2007, Mikael Abrahamsson wrote:
>
>> On Sat, 31 Mar 2007, Gadi Evron wrote:
>>
>>> In this case, we speak of a problem with DNS, not sendmail, and not bind.
>>
>> The argument can be made that you're trying to solve a windows-problem by implementing blocking in DNS.
>>
>> Next step would be to ask all access providers to block outgoing UDP/53 so people can't use open resolvers or machines set up to act as resolvers for certain DNS information that the botnets need, as per the same analysis that blocking TCP/25 stops spam.
>>
>> So what you're trying to do is a pure stop-gap measure that won't scale in the long run. Fix the real problem instead of trying to bandaid the symptoms.
>
> The real problem? Okay, I'd like your ideas then. :)
>
> What we are referring to here is not just malware, phishing, DDoS (rings a bell, root servers?) and other threats. It is about the DNS being manipulated and abused and causing instability across the board, only not in reachability and availability which is the infrastructure risk already being looked after.
>
> Hijacking may be resolved by DNS-SEC, this isn't.
>
> If an A record with a low TTL can be changed every 10 minutes, that means no matter what the problem is, we can't mitigate it. There are legitimate reasons to do that, though.
>
> The C&C for a botnet would not disappear, as it would be half way across the world by the time we see it. The only constant is the malicious domain name.
>
> If the NS keeps skipping around, that's just plain silly. :)
>
> If we are able to take care of all the rest, and DNS becomes the one facet which can rewind the wheel, DNS is the problem. It HAS become an infrastructure for abuse, and it disturbs daily life on the Internet. We'd like solutions and we raised some ideas - we are willing to accept they are not good ones, please help us out with better ones?
>
> Or we can look at it from a different perspective: Should bad guys be able to register thousands of domains with "amazon" and "paypal" in them every day? Should there be black hat malicious registrars around? Shouldn't there be an abuse route for domain names?
>
> One problem at a time, please.
>
> Gadi.
--
Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
Rimbacher Strasse 16
D-69509 Moerlenbach-Bonsweiher
+49(6209)795-816 (Telekom)
+49(6252)750-308 (VoIP: sipgate.de)
mail: peter@peter-dambier.de
mail: peter@echnaton.arl.pirates
http://iason.site.voila.fr/
https://sourceforge.net/projects/iason/
http://www.cesidianroot.com/
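The quoted exchange turns on one observable pattern: a C&C name whose A record sits behind a low TTL and is moved every few minutes, while the domain name itself is the only constant. Gadi also notes that low TTLs have legitimate uses, so a low TTL on its own is not a useful signal. The script below is an added example, not code from this thread or from any of its participants; it scores resolver observations per domain by TTL, distinct addresses seen, and how often the answer set changes between lookups, and flags only names that churn. The observations, domain names, addresses and thresholds are all constructed sample data.

```python
"""Score DNS observations for A-record churn behind a low TTL.

Added example for the thread above (not the participants' code). Input is a
list of (seconds_since_start, qname, ttl, set_of_ipv4_answers) tuples such as
a passive-DNS sensor or resolver log would yield; every record here is
constructed sample data using .test names and documentation prefixes.
"""
from collections import defaultdict

# Constructed sample: a name whose answer set changes on every lookup,
# a static web host, and a CDN-style name with a low TTL but stable answers.
SAMPLE_OBSERVATIONS = [
    (0,    "update.example-cnc.test", 300,   {"203.0.113.10", "198.51.100.7"}),
    (600,  "update.example-cnc.test", 300,   {"203.0.113.22", "192.0.2.45"}),
    (1200, "update.example-cnc.test", 300,   {"198.51.100.99", "192.0.2.8"}),
    (1800, "update.example-cnc.test", 300,   {"203.0.113.77", "192.0.2.130"}),
    (0,    "www.example.test",        86400, {"192.0.2.1"}),
    (1800, "www.example.test",        86400, {"192.0.2.1"}),
    (0,    "cdn.example.test",        60,    {"192.0.2.50", "192.0.2.51"}),
    (600,  "cdn.example.test",        60,    {"192.0.2.50", "192.0.2.51"}),
    (1200, "cdn.example.test",        60,    {"192.0.2.51", "192.0.2.52"}),
]


def summarize(observations):
    """Collapse observations into per-name statistics.

    For each qname: the TTLs seen, the union of answer addresses, the number
    of lookups, and how many consecutive lookups returned a different set.
    """
    per_name = defaultdict(lambda: {"ttls": [], "ips": set(),
                                    "lookups": 0, "changes": 0, "last": None})
    # Sort on time and name only; the answer sets are not orderable.
    for t, name, ttl, ips in sorted(observations, key=lambda o: (o[0], o[1])):
        s = per_name[name]
        s["ttls"].append(ttl)
        s["ips"] |= ips
        s["lookups"] += 1
        if s["last"] is not None and ips != s["last"]:
            s["changes"] += 1
        s["last"] = ips
    return per_name


def flag_flux(observations, max_ttl=600, min_distinct_ips=5, min_change_ratio=0.75):
    """Return {qname: stats} for names that look like churning C&C records.

    A name is flagged only when ALL its TTLs are at or below max_ttl AND it
    either accumulated many distinct addresses or changed its answer set on
    most lookups. Thresholds are assumed starting points, not measured values;
    tune them against your own resolver data.
    """
    flagged = {}
    for name, s in summarize(observations).items():
        low_ttl = max(s["ttls"]) <= max_ttl
        change_ratio = s["changes"] / max(s["lookups"] - 1, 1)
        distinct_ips = len(s["ips"])
        if low_ttl and (distinct_ips >= min_distinct_ips
                        or change_ratio >= min_change_ratio):
            flagged[name] = {"distinct_ips": distinct_ips,
                             "change_ratio": change_ratio,
                             "max_ttl": max(s["ttls"])}
    return flagged


if __name__ == "__main__":
    for name, stats in flag_flux(SAMPLE_OBSERVATIONS).items():
        print(f"{name}: {stats['distinct_ips']} addresses, "
              f"answer changed on {stats['change_ratio']:.0%} of lookups, "
              f"ttl<={stats['max_ttl']}")
```

On the sample data only the churning name is flagged: the static host fails the TTL test, and the CDN-style name has a low TTL but a small, mostly stable address set, which is the legitimate low-TTL case the thread mentions. Because the score is keyed on the qname rather than the addresses, it is a fit for the point that the domain name is the only stable handle; a real deployment would feed it from a passive-DNS feed and review flagged names before acting on them.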