Subject: Re: Avalanche botnet takedown
In-Reply-To: <32993.1480633310@segfault.tristatelogic.com>

On Thu, Dec 01, 2016 at 03:01:50PM -0800, Ronald F. Guilmette wrote:

> As you probably know Rich, that's not exactly a novel observation. Vixie was already saying it a full six years ago, and things have only gotten worse since then.
Yep. I remember reading that. The only change I would make is that Paul wrote: "Most new domain names are malicious." and I think a more accurate/updated/refined statement in 2016 would be: "Almost all new domain names are malicious."

We are busy trying to support a domain name system that is two to three orders of magnitude larger (as measured by domains) than it should be or needs to be. And nearly all of what we're supporting is malicious.

---rsk
On Fri, Dec 2, 2016 at 6:08 AM, Rich Kulawiec <rsk@gsp.org> wrote:
> We are busy trying to support a domain name system that is two to three orders of magnitude larger (as measured by domains) than it should be or needs to be.
that statement seems ... hard to prove. also, what does it matter the size of the domain system? also, perhaps this is an incentives problem from the top down? (if it's really a problem, I mean).
FWIW one of the people involved in the takedown has reported that most of the 800K domain names were DGA. Here was my nutshell overview summary synopsis posted elsewhere:

DGA = Domain Generation Algorithm (term in Wikipedia.)

So an infected bot and a C&C (command and control computer) have an algorithm -- on the bot it's in the virus -- to generate seemingly random domains using seeds such as the current date. Usually more sophisticated but that's the idea, the goal is that both ends generate the same seemingly random domain.

So they'll each generate for example xerv1dvm and attach it to a TLD, it doesn't matter what, xerv1dvm.foo, or it could be .com or whatever.

They resolve it because they also infect the host's DNS resolver software (or just inject their own, same thing) so it queries a non-standard root server controlled by the attacker, could just be the C&C computer, which will return an IP address for the infected bot to use.

This set up allows these systems to change these parameters as often as they like, every minute or less if needed though that's probably not necessary, every hour might do or even just once a day. Whatever it takes to stay one step ahead of anyone seeking to interfere with them such as law enforcement.

TL;DR: There needn't be any (accredited) registrars/registries involved.

-- 
-Barry Shein

Software Tool & Die    | bzs@TheWorld.com             | http://www.TheWorld.com
Purveyors to the Trade | Voice: +1 617-STD-WRLD       | 800-THE-WRLD
The World: Since 1989  | A Public Information Utility | *oo*
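The date-seeded rendezvous Barry sketches, as an added example (not code from the thread, and not the algorithm of any real botnet family): bot and controller share a baked-in secret and the calendar date, each derives the same candidate domains, the controller stands up only a couple of them, and a defender who has recovered the algorithm can compute the whole future window and sinkhole it. Everything concrete here is constructed: the SHA-256 construction, the secret, the hypothetical TLD pool, the RFC 5737 documentation addresses, and a plain dict standing in for whatever answers the bot's DNS queries.

```python
"""Toy date-seeded DGA rendezvous. Constructed example, not real malware code."""
import datetime
import hashlib
from typing import Dict, List, Optional, Set

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"
TLDS = ("foo", "com", "net", "org")   # hypothetical pool; the TLD is arbitrary
C2_IP = "192.0.2.10"                  # constructed controller address (RFC 5737)
SINKHOLE_IP = "198.51.100.1"          # constructed sinkhole address (RFC 5737)
DEMO_SECRET = b"constructed-shared-secret"   # the secret baked into the sample
DEMO_DAY = datetime.date(2016, 12, 1)


def dga_domains(day: datetime.date, secret: bytes, count: int = 8) -> List[str]:
    """Return the day's `count` candidate domains.

    Bot and controller both know `secret` and the date, so each computes the
    identical list without exchanging anything. One SHA-256 per candidate over
    secret || YYYY-MM-DD || index; hash bytes become an 8..12 character
    alphanumeric label plus one TLD from the pool.
    """
    domains = []
    for i in range(count):
        h = hashlib.sha256(secret + day.isoformat().encode() + bytes([i])).digest()
        length = 8 + h[0] % 5
        label = "".join(ALPHABET[b % len(ALPHABET)] for b in h[1:1 + length])
        domains.append(f"{label}.{TLDS[h[-1] % len(TLDS)]}")
    return domains


def controller_records(day: datetime.date, secret: bytes, live: int = 2) -> Dict[str, str]:
    """Controller side: only a few of the day's candidates need to resolve."""
    return {d: C2_IP for d in dga_domains(day, secret)[:live]}


def bot_rendezvous(day: datetime.date, secret: bytes,
                   resolver: Dict[str, str]) -> Optional[str]:
    """Bot side: walk the candidates in order and use the first that resolves.

    `resolver` stands in for whatever answers the bot's lookups.
    """
    for d in dga_domains(day, secret):
        if d in resolver:
            return resolver[d]
    return None


def sinkhole_domains(secret: bytes, start: datetime.date, days: int) -> Set[str]:
    """Defender side: with algorithm and secret recovered from a sample, every
    candidate in the window is computable ahead of time, which is what lets a
    takedown pre-register or sinkhole the names in bulk."""
    out: Set[str] = set()
    for n in range(days):
        out.update(dga_domains(start + datetime.timedelta(days=n), secret))
    return out


if __name__ == "__main__":
    print("today's candidates:", dga_domains(DEMO_DAY, DEMO_SECRET))
    print("bot reaches:", bot_rendezvous(DEMO_DAY, DEMO_SECRET,
                                         controller_records(DEMO_DAY, DEMO_SECRET)))
    # Takedown: the sinkhole answers every candidate in a 30-day window, so the
    # bot's first successful lookup lands on the sinkhole rather than the C&C.
    sink = {d: SINKHOLE_IP for d in sinkhole_domains(DEMO_SECRET, DEMO_DAY, 30)}
    print("after sinkholing, bot reaches:", bot_rendezvous(DEMO_DAY, DEMO_SECRET, sink))
```

The point the example makes about the takedown is the last step: the operator only ever has to control a handful of the day's names, but the defender who holds the algorithm has to cover all of them, for every day in the window, which is how a single action ends up touching hundreds of thousands of domains.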