If you have a look at http://vil.nai.com/vil/content/v_101083.htm

There is a list of IP addresses that are nameservers which are hard-coded into the worm. It spreads by e-mail (currently) and thus it can be blocked using anti-virus filters.

My concern is that these addrs are all for nameservers, which could be authoritative for other domains, and by blocking these servers any domains they host could be effectively put out of commission.

I am not aware of an easy way to find out all the domains registered to a particular nameserver, and the trend of blocking addrs that appear in worm code is starting to concern me a bit.

It is not indicated how blocking these servers will have an appreciable effect on the worm propagation (unless it gets a second stage from them), and I wonder if anyone else has similar concerns, or an opinion on whether these IP addresses should actually be blocked.

Regards,
-j
--
Jamie Reid, CISSP, jamie.reid@mbs.gov.on.ca
Senior Security Specialist, Information Protection Centre
Corporate Security, MBS
416 327 2324
Jamie Reid writes:

> If you have a look at
> There is a list of IP addresses that are nameservers which are hard-coded into the worm. It spreads by e-mail (currently) and thus it can be blocked using anti-virus filters.
> My concern is that these addrs are all for nameservers, which could be authoritative for other domains, and by blocking these servers any domains they host could be effectively put out of commission.

I think that (most of) the IP addresses in the list belong to *recursive* DNS servers of larger Internet access providers. There certainly are quite a few requests from these to authoritative name servers in our network. So if you have authoritative name servers in your network, blocking the IP addresses will result in some denial of service. The operators of these servers could probably do a useful thing or the other here: they could try to trace suspicious queries to help locate infected machines, and/or limit access to these name servers to only their customer address ranges. The latter may be operationally difficult depending on whether these name servers are also authoritative (perhaps a good argument for separating recursive and authoritative name servers) and how easy it is to map the "legitimate user of recursive name service" predicate to a range of IP addresses.

> I am not aware of an easy way to find out all the domains registered to a particular nameserver, and the trend of blocking addrs that appear in worm code is starting to concern me a bit.

Rightly so.

> It is not indicated how blocking these servers will have an appreciable effect on the worm propagation (unless it gets a second stage from them), and I wonder if anyone else has similar concerns, or an opinion on whether these IP addresses should actually be blocked.

I'd recommend against it, due to collateral damage and more general end-to-end arguments.
--
Simon Leinen simon@babar.switch.ch
SWITCH http://www.switch.ch/misc/leinen/

Computers hate being anthropomorphized.
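The "legitimate user of recursive name service" predicate that Simon mentions can be checked against a query log once it is expressed as a set of address ranges plus the list of zones the server is authoritative for. The script below is an added example, not code from either poster or from any provider in the thread: it reads a constructed query log (loosely modelled on BIND's query log, where a "+" in the flags column means the client set the RD bit), treats queries for our own zones as authoritative service that anyone may use, treats queries from the customer ranges as legitimate recursion, and tallies everything else by client as open-recursion traffic worth tracing. The customer ranges, zone names and log lines are all assumptions made for the example.

```python
"""Audit a DNS query log for recursive queries from outside the customer ranges.

Added example; the log format, ranges and zones below are constructed, not
taken from the mailing-list thread or from any real resolver.
"""
import ipaddress
import re
from collections import Counter

# Assumed: address ranges entitled to recursive service (RFC 5737/3849 examples).
CUSTOMER_RANGES = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "2001:db8::/32")]
# Assumed: zones this server is authoritative for; anyone may ask about these.
AUTH_ZONES = ("example.net.", "example.org.")

# Constructed log lines: "<client>#<port> query: <qname> <class> <type> <flags>"
# A "+" in the flags column means the client asked for recursion (RD bit set).
SAMPLE_LOG = """\
192.0.2.10#53211 query: www.example.com. IN A +
192.0.2.10#53212 query: mail.example.com. IN MX +
203.0.113.5#40001 query: ns1.example.net. IN A -
203.0.113.5#40002 query: www.victim.example. IN A +
203.0.113.5#40003 query: update.victim.example. IN A +
2001:db8:1::7#5353 query: www.example.com. IN AAAA +
198.51.100.77#6000 query: www.example.org. IN A +
"""

LINE_RE = re.compile(
    r"^(?P<client>[0-9a-fA-F.:]+)#\d+ query: (?P<qname>\S+) \S+ \S+ (?P<flags>\S+)$"
)


def parse_line(line):
    """Return (client_address, qname, recursion_desired) or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return ipaddress.ip_address(m["client"]), m["qname"].lower(), "+" in m["flags"]


def is_customer(addr):
    """The 'legitimate user of recursive service' predicate, as an address-range test."""
    return any(addr in net for net in CUSTOMER_RANGES)


def in_auth_zone(qname):
    """True when the name is at or below one of our authoritative zones."""
    return any(qname == z or qname.endswith("." + z) for z in AUTH_ZONES)


def classify(client, qname, recursion_desired):
    """Separate authoritative service from recursive service, then apply the predicate."""
    if in_auth_zone(qname):
        return "authoritative"            # our own data; served to anyone
    if is_customer(client):
        return "recursive-customer"       # recursion we intend to provide
    if recursion_desired:
        return "recursive-foreign"        # open-recursion use by a non-customer
    return "nonrecursive-foreign"         # not our data, no recursion asked: refuse


def audit(log_text):
    """Count queries per class and tally foreign recursive queries by client address."""
    by_class = Counter()
    foreign_clients = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        client, qname, rd = parsed
        kind = classify(client, qname, rd)
        by_class[kind] += 1
        if kind == "recursive-foreign":
            foreign_clients[str(client)] += 1
    return by_class, foreign_clients


if __name__ == "__main__":
    classes, foreign = audit(SAMPLE_LOG)
    for kind, n in sorted(classes.items()):
        print(f"{kind:22s} {n}")
    for client, n in foreign.most_common():
        print(f"foreign recursion from {client}: {n} queries")
```

The per-client tally of "recursive-foreign" queries is the list a provider would start from when deciding whether to restrict recursion to its own ranges; a query for a name the server is not authoritative for, from an address outside those ranges, is exactly the traffic that disappears once recursion is limited, while authoritative answers for the server's own zones keep flowing to everyone.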