-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - -- "Chris L. Morrow" <christopher.morrow@verizonbusiness.com> wrote:
While I agree with you, there are many of us who know that these fast-flux hosts are malicious due to malware & malicious traffic analysis...
Oh, so we switched from 'the domain is bad because..' to 'the hosts using the domain are bad because...' I wasn't assuming some piece of intel at the TLD that told the TLD that 'hostX that was just named NS for domain foo.bar is also compromised'. I was assuming a s'simple' system of 'changing NS's X times in Y period == bad'. I admit that's a might naive, but given the number, breadth, content, operators of lists of 'bad things' on the internet today I'm not sure I'd rely on them for a global decision making process, especially if I were a TLD operator potentially liable for removal of a domain used to process real business :(
Well, I don't think I ever implied that, but let's say that there are certainly some fast-flux behavior (fluxing across multiple administratively managed prefix blocks, NS fast-flux) which should immediately raise a red flag. Decisions based on those flags are policy issues -- whether or not someone decides to take action upon only on that information or do further research, is something that has to be determined by the person(s) who detect the behavior, etc. Having said that, most people don't even realize that fast-flux exists... - - ferg -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.1 (Build 1012) wj8DBQFGUeNhq1pz9mNUZTMRAgC5AJ98cW092rV7ghrlIzjLP89qjiurDACdEFaV qUxEcKgfr42Mh9IQAOmaKr0= =Hrk0 -----END PGP SIGNATURE----- -- "Fergie", a.k.a. Paul Ferguson Engineering Architecture for the Internet fergdawg(at)netzero.net ferg's tech blog: http://fergdawg.blogspot.com/