On-going Internet Emergency and Domain Names
There is a current on-going Internet emergency: a critical 0day vulnerability currently exploited in the wild threatens numerous desktop systems which are being compromised and turned into bots, and the domain names hosting it are a significant part of the reason why this attack has not yet been mitigated.

This incident is currently being handled by several operational groups.

This past February, I sent an email to the Reg-Ops (Registrar Operations) mailing list. The email, which is quoted below, states how DNS abuse (not the DNS infrastructure) is the biggest unmitigated current vulnerability in day-to-day Internet security operations, not to mention abuse.

While we argue about this or that TLD, there are operational issues of the highest importance that are not being addressed.

The following is my original email message, elaborating on these above statements. Please note this was indeed just an email message, sent among friends.

----- Begin quoted message -----
Date: Fri, 16 Feb 2007 02:32:46 -0600 (CST)
From: Gadi Evron
To: reg-ops@...
Subject: [reg-ops] Internet security and domain names

Hi all, this is a tiny bit long. Please have patience, this is important.

On this list (which we maintain as low-traffic) you guys (the registrars) have shown a lot of care and have become, on our sister mitigation and research lists (those of you who are subscribed), an integral part of our community we now call "The Internet Security Operations Community".

We face problems today though, that you can not help us solve under the current setting. But only you can help us coming up with new ideas.

Day-to-day, we are able to report hundreds and thousands of completely bogus phishing and other bad domains, but both policy-wise and resources-wise, registrars can't handle this. I don't blame you.

In emergencies, we can only mitigate threats if one of you or yours are in control.. Just a week ago we faced the problem of the Dolphins stadium being hacked and malicious code being put on it:

1. We tracked down all the IP addresses involved and mitigated them (by we I mean also people other than me. Many were involved).
2. We helped the Dolphins Stadium IT staff take care of the malicious code on their web page - Specifically Gary Warner).
3. We coordinated with law enforcement.
4. We coordinated that no one does a press release which will hurt law enforcement.
5. We did a lot more. Including actually convincing a Chinese registrar to pull one of the domains in question. A miracle. There was another domain to be mitigated, unsuccessfully.

One thing though - at a second's notice, this could all be for nothing as the DNS records could be updated with new IP addresses. There were hundreds of other sites also infected.

Even if we could find the name server admin, some of these domains have as many as 40 NSs. That doesn't make life easy. Then, these could change, too.

This is the weakest link online today in Internet security, which we in most cases can't mitigate, and the only mitigation route is the domain name.

Every day we see two types of fast-flux attacks:
1. Those that keep changing A records by using a very low TTL.
2. Those that keep changing NS records, pretty much the same.

Now, if we have a domain which can be mitigated to solve such emergencies and one of you happen to run it, that's great... However, if we end up with a domain not under the care of you and yours.. we are simply.. fucked. Sorry for the language.

ICANN has a lot of policy issues as well, and the good guys there can't help. ICANN has enough trouble taking care of all those who want money for .com, .net or .xxx.

All that being said, the current situation can not go on. We can no longer ignore it nor are current measures sufficient. It is imperative that we find some solutions, as limited as they may be.

We need to be able to get rid of domain names, at the very least during real emergencies. I am aware how it isn't always easy to distinguish what is good and what is bad. Still, we need to find a way.

Members of reg-ops: What do you think can be conceivably done? How can we make a difference which is REALLY needed on today's Internet?

Please participate and let me know what you think, we simply can no longer wait for some magical change to happen.

Gadi.
----- End of quoted message -----

Thousands of malicious domain names and several weeks later, we face the current crisis. The 0day vulnerability is exploited in the wild, and mitigating the IP addresses is not enough. We need to be able to "get rid" of malicious domain names. We need to be able to mitigate attacks on the weakest link - DNS, which are not necessarily solved by DNS-SEC or Anycast.

On Reg-Ops and other operational groups, we came up with some imperfect ideas on what we can make happen on our own in short term which will help us reach better mitigation, as security does not seem to be on the agenda of those running DNS:

1. A system by which registrars can acknowledge confirmed bad domains (under strict guidelines) and respond to the reports according to their AUP and ICANN policy, thus "getting rid" of them in a much quicker fashion, is being set up at the ISOTF. A black list for registrars, if you will. This is far from perfect and currently slow-going. Naturally, this can not be forced on all registrars, nor do the black hat ones, care.

2. A black list for resolvers (hopefully large service providers) is also being created at the ISOTF, so that the risk of visibility of bad domains, as will be defined, can be minimized. Naturally, no provider can be forced to use this list and there are millions of unaffiliated resolvers, etc.

Other options that have been raised as technically possible, but considered unlikely and indeed, bad:

3. Setting up a black list of domain names for TLD servers, for them not to respond on.

4. Creating an alternate root which we could trust.

Another suggestion which was raised:

5. Apply to change the ICANN policy.

We need a solution. This operational issue needs to be added as a main agenda item today so that tomorrow we will be ready to mitigate it. I blame myself to some degree for not raising this with higher echelons 2 and 3 years ago due to respect to those who have been working on DNS for many years, but what's done is done.

The operational communities do not always know how to voice their needs or the difficulties they face. Nor will everyone agree on what the issues are. It is my strong belief (which is obviously my personal opinion), based on facts we see in daily security operations on the Internet that this issue is paramount, and I am sending here a call for help to the DNS experts of the world: what is our next step to be?

What do we currently intend to do (not my personal opinion): We are formalizing a letter to ICANN's SSAC, as they are the top experts on DNS infrastructure security issues, coming from operational folks at the ISOTF dealing with daily usage of the DNS for abuse purposes (and specifically fastflux).

Further, the ISOTF is moving forward with items #1 and #2 as mentioned above. #3 will have to remain as a contingency, #4 we have no influence to affect. #5 is currently being explored.

Are we missing a possible solution? What does the larger community suggest?

Gadi Evron.
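The two fast-flux patterns described in the post (A records rotating behind a very low TTL, and NS sets that keep moving), together with the later points that blocking the IP addresses is not enough and that a resolver-side black list (item 2) is one of the few levers left, can be shown concretely over a handful of observed DNS answers. The following is an added example, not code from the post or from the ISOTF; the answer records are constructed for illustration using reserved example domains and documentation address ranges, and the TTL and distinct-answer thresholds are assumptions chosen for the example.

```python
"""Fast-flux triage over observed DNS answers (added example, not code from
the original post). The records below are constructed for illustration: the
names use reserved example domains and the addresses come from documentation
ranges, so nothing here points at real infrastructure."""
from collections import defaultdict

# (seen_at, qname, rrtype, ttl, rdata) as a resolver log or passive-DNS sensor
# would record them. seen_at is seconds from the start of the observation.
OBSERVED = [
    # Type 1: the A record rotates behind a tiny TTL
    (0,    "flux.example.net", "A", 180, "192.0.2.10"),
    (300,  "flux.example.net", "A", 180, "192.0.2.77"),
    (600,  "flux.example.net", "A", 180, "198.51.100.5"),
    (900,  "flux.example.net", "A", 180, "203.0.113.9"),
    (1200, "flux.example.net", "A", 180, "198.51.100.43"),
    # Type 2: the NS set itself keeps moving
    (0,    "nsflux.example.net", "NS", 300, "ns1.a.example.org"),
    (0,    "nsflux.example.net", "NS", 300, "ns2.a.example.org"),
    (900,  "nsflux.example.net", "NS", 300, "ns1.b.example.org"),
    (900,  "nsflux.example.net", "NS", 300, "ns2.b.example.org"),
    (1800, "nsflux.example.net", "NS", 300, "ns1.c.example.org"),
    (1800, "nsflux.example.net", "NS", 300, "ns2.c.example.org"),
    # Control: a low TTL on a stable address is not flux
    (0,    "static.example.com", "A", 60, "192.0.2.200"),
    (600,  "static.example.com", "A", 60, "192.0.2.200"),
    (1200, "static.example.com", "A", 60, "192.0.2.200"),
    (1800, "static.example.com", "A", 60, "192.0.2.200"),
]

LOW_TTL = 600       # seconds; threshold chosen for the example (assumption)
MIN_DISTINCT = 4    # distinct rdata values before we call it flux (assumption)
RANK = {"stable": 0, "a-flux": 1, "ns-flux": 2}


def summarize(records):
    """Per (qname, rrtype): distinct rdata values, lowest TTL, and how many
    times the answer set changed between successive observations."""
    by_key = defaultdict(list)
    for seen_at, qname, rrtype, ttl, rdata in sorted(records):
        by_key[(qname.lower().rstrip("."), rrtype.upper())].append((seen_at, ttl, rdata))
    stats = {}
    for key, rows in by_key.items():
        snapshots = defaultdict(set)
        for seen_at, _, rdata in rows:
            snapshots[seen_at].add(rdata)
        ordered = [snapshots[t] for t in sorted(snapshots)]
        stats[key] = {
            "distinct": len({rdata for _, _, rdata in rows}),
            "min_ttl": min(ttl for _, ttl, _ in rows),
            "changes": sum(1 for a, b in zip(ordered, ordered[1:]) if a != b),
        }
    return stats


def classify(records):
    """Map each qname to 'ns-flux', 'a-flux' or 'stable'. NS flux outranks A flux
    because a moving NS set defeats mitigation aimed at any single name server."""
    verdict = {}
    for (qname, rrtype), s in summarize(records).items():
        label = "stable"
        if rrtype == "NS" and s["distinct"] >= MIN_DISTINCT and s["changes"] >= 2:
            label = "ns-flux"
        elif rrtype == "A" and s["distinct"] >= MIN_DISTINCT and s["min_ttl"] <= LOW_TTL:
            label = "a-flux"
        verdict[qname] = max(verdict.get(qname, "stable"), label, key=RANK.get)
    return verdict


def addresses_seen(records, qname):
    """Every A record a domain has answered with so far. Blocking these is the
    IP-level mitigation the post calls insufficient: the next lookup, after one
    TTL, can return an address not in this set."""
    return sorted({r for _, q, t, _, r in records if q == qname and t == "A"})


def resolver_blocklist(records):
    """Names a cooperating resolver would refuse to answer for: the domain-level
    mitigation the post argues for, which survives the address changes."""
    return sorted(q for q, v in classify(records).items() if v != "stable")
```

The control entry matters: a low TTL by itself is how plenty of legitimate sites are run, so the rule keys on the number of distinct answers and on the answer set actually changing, not on TTL alone. Run over the constructed data, `flux.example.net` comes out as A-flux (five addresses in twenty minutes behind a 180 second TTL), `nsflux.example.net` as NS-flux (three complete NS sets), and `static.example.com` as stable despite its 60 second TTL.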
On Fri, 30 Mar 2007, Gadi Evron wrote:
There is a current on-going Internet emergency: a critical 0day vulnerability currently exploited in the wild threatens numerous desktop systems which are being compromised and turned into bots, and the domain names hosting it are a significant part of the reason why this attack has not yet been mitigated.
This past February, I sent an email to the Reg-Ops (Registrar Operations) mailing list. The email, which is quoted below, states how DNS abuse (not the DNS infrastructure) is the biggest unmitigated current vulnerability in day-to-day Internet security operations, not to mention abuse.

This isn't 0-day by any measure. Low-ttl, changing-nameserver domains were in vogue back in 2002 or so. These botnets use DNS as central registry. Yes, it'd be nice to hit the C&C using our control of DNS, and yes, it'd be nice if registrars/registries were cooperating. However, DNS isn't the root of the problem here - tomorrow, they'll use some p2p tracker[less] protocol to distribute this information.

Before the readers of the list think that the world is about to end, please read Gadi's previous predictions here: http://www.securityfocus.com/archive/1/354200/30/0/threaded Eventually, crying wolf will get tiring.
While we argue about this or that TLD, there are operational issues of the highest importance that are not being addressed.

I do not think that this reaches 'operational' just yet, unless you are operating a registry or registrar.

<snip>

This is the weakest link online today in Internet security, which we in most cases can't mitigate, and the only mitigation route is the domain name.

I dare to say, that's not the weakest link, and that's not the only mitigation route.

<snip>

We need to be able to get rid of domain names, at the very least during real emergencies. I am aware how it isn't always easy to distinguish what is good and what is bad. Still, we need to find a way.

OK, so, do you officially declare the emergency? Should we all block the domains listed on http://isc.sans.org/, is that an authoritative site of botnet hunters? If so, there are couple of surprises for you. baidu.com listed there is a chinese equivalent of google, who'd get very upset if its domain name got "revoked". Similarly, alexa.com.

There needs to be due process for these actions. And once we close this vector, I'm sure that botnets will simply migrate away from DNS to some other protocol.

-alex
On Sat, 31 Mar 2007 08:49:27 EDT, alex@pilosoft.com said:
OK, so, do you officially declare the emergency? Should we all block the domains listed on http://isc.sans.org/, is that an authoritative site of botnet hunters? If so, there are couple of surprises for you. baidu.com listed there is a chinese equivalent of google, who'd get very upset if its domain name got "revoked". Similarly, alexa.com.
There needs to be due process for these actions. And once we close this vector, I'm sure that botnets will simply migrate away from DNS to some other protocol.
The real problem is that the bad guys are able to deploy new DNS entries in timespans on the order of 10s of minutes, and we can't manage anything resembling due process in that timeframe. (And yes, one could easily imagine a botnet that switches to an entirely new name for the C&C host every 10 minutes - the herder just needs a function that's fed a time-of-day, and generate a hash. Run it for 144 values for tomorrow, register those domains, and distribute the values to your botnet (assuming 10-byte hashes, you'd need all of one 1500 byte packet per day) - or let the bots do the hash themselves if you trust their clocks to be somewhere near accurate. If you want to be *really* obscure, consider the fact that rfc3490 IDN's provide a very good way to hide the fact that it's a hash...
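The scheme sketched in the message above, written out end to end as an added example (it is not code from the post and not taken from any real botnet). Everything beyond the post's own parameters (a 10-minute slot, 10-byte hashes, 144 names per day, an IDN variant) is an assumption made for the illustration: SHA-256 as the hash, a secret shared by the herder and the bots, a reserved TLD so that none of the generated names resolve, and a 32-letter Cyrillic alphabet for hiding the hash in an RFC 3490 label.

```python
"""Time-seeded domain generation, written out from the sketch in the post above.
Added example: not code from the message, and not taken from any real botnet.
Assumptions: SHA-256 as the hash, a secret shared by herder and bots, a reserved
TLD so nothing here resolves, and a Cyrillic alphabet for the IDN variant."""
import datetime
import hashlib

SECRET = b"assumed-shared-secret"  # assumption: known to the herder and the bots
TLD = "example.net"                # assumption: reserved name, never registered
SLOT = 600                         # one new name every 10 minutes, as in the post
HASH_BYTES = 10                    # 10-byte hash, as in the post
# 32 lowercase Cyrillic letters: five bits per letter, so an 80-bit hash hides
# inside a 16-letter label that the RFC 3490 IDN encoding turns into xn--...
CYRILLIC = "абвгдежзийклмнопрстуфхцчшщъыьэюя"
assert len(CYRILLIC) == 32


def day_start(day):
    """POSIX timestamp of 00:00 UTC for an ISO date such as '2007-03-31'."""
    d = datetime.date.fromisoformat(day)
    return int(datetime.datetime(d.year, d.month, d.day,
                                 tzinfo=datetime.timezone.utc).timestamp())


def slot_of(ts):
    """Slot number for a POSIX timestamp; bots only need roughly correct clocks."""
    return int(ts) // SLOT


def domain_for(slot, idn=False):
    """The rendezvous name for one slot: hash(secret || slot), truncated."""
    digest = hashlib.sha256(SECRET + slot.to_bytes(8, "big")).digest()[:HASH_BYTES]
    if not idn:
        label = digest.hex()                       # 20 hex characters
    else:
        n = int.from_bytes(digest, "big")          # 80 bits -> 16 five-bit groups
        label = "".join(CYRILLIC[(n >> (5 * i)) & 31] for i in range(16))
        label = label.encode("idna").decode("ascii")   # A-label, starts with xn--
    return f"{label}.{TLD}"


def domains_for_day(day, idn=False):
    """The 144 names for one day: what the herder registers ahead of time, or
    ships to the bots (144 x 10 bytes fits in a single packet)."""
    first = slot_of(day_start(day))
    return [domain_for(s, idn) for s in range(first, first + 86400 // SLOT)]


def bot_rendezvous(ts, idn=False):
    """What a bot looks up at time ts if it computes the hash itself."""
    return domain_for(slot_of(ts), idn)


def defender_blocklist(day, idn=False):
    """The flip side: once the secret is recovered from a sample, a defender
    can enumerate tomorrow's names before any of them is registered."""
    return sorted(set(domains_for_day(day, idn)))
```

Two things worth noticing from running it. First, because the slot index is derived from the clock, every bot lands on the same name in the same ten minutes without any message from the herder, which is exactly what makes a ten-minute takedown cycle hopeless. Second, the same determinism cuts the other way: `defender_blocklist` produces the full next-day list from the secret alone, so a recovered sample turns the generator into a pre-registration or resolver blocking feed, provided the secret is static and not itself rotated.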
On Sat, 31 Mar 2007 alex@pilosoft.com wrote:
OK, so, do you officially declare the emergency? Should we all block the
This is an emergency incident on the scale of WMF, but no, it is indeed being handled. I am raising the flag on an ever increasing problem with DNS. This latest incident illustrates some of our operational problems with the security of the Internet.
domains listed on http://isc.sans.org/, is that an authoritative site of botnet hunters? If so, there are couple of surprises for you. baidu.com listed there is a chinese equivalent of google, who'd get very upset if its domain name got "revoked". Similarly, alexa.com.
There needs to be due process for these actions. And once we close this vector, I'm sure that botnets will simply migrate away from DNS to some other protocol.
You shouldn't confuse TCP/IP for the control channel of the botnets which is IRC, HTTP, etc. DNS is not going anywhere, patch for the hosts file or not.
-alex
On Sat, 31 Mar 2007, Gadi Evron wrote:
domains listed on http://isc.sans.org/, is that an authoritative site of botnet hunters? If so, there are couple of surprises for you. baidu.com listed there is a chinese equivalent of google, who'd get very upset if its domain name got "revoked". Similarly, alexa.com.
There needs to be due process for these actions. And once we close this vector, I'm sure that botnets will simply migrate away from DNS to some other protocol.
You shouldn't confuse TCP/IP for the control channel of the botnets which is IRC, HTTP, etc.

I'm not sure I understand your point. Intarweb Storm Center listed a number of domain names "involved in these attacks", presumably so the registrars/registries pull the DNS records. I am pointing out that at least two of the ones listed are innocent.

What does TCP/IP or IRC or HTTP have to do with anything?

DNS is not going anywhere, patch for the hosts file or not.

Glad you understand that.
On Sat, Mar 31, 2007, Gadi Evron wrote:
On Sat, 31 Mar 2007 alex@pilosoft.com wrote:
OK, so, do you officially declare the emergency? Should we all block the
This is an emergency incident on the scale of WMF, but no, it is indeed being handled. I am raising the flag on an ever increasing problem with DNS.

One could argue it's an ever increasing problem with IP.

This latest incident illustrates some of our operational problems with the security of the Internet.

Again; one could argue it's also an increasing problem with IP. I wonder if anyone can come up with methods of solving this at the IP layer..

There needs to be due process for these actions. And once we close this vector, I'm sure that botnets will simply migrate away from DNS to some other protocol.

You shouldn't confuse TCP/IP for the control channel of the botnets which is IRC, HTTP, etc.

DNS is not going anywhere, patch for the hosts file or not.

And I'm sure they'll migrate away from DNS when it becomes inconvenient. I'm still pleasantly surprised how many organisations spend large amounts of money controlling what comes in and almost never try to handle what goes -out-.

Adrian
On 3/30/07, Gadi Evron <ge@linuxbox.org> wrote:
<snip>
What really surprises the living crap out of me is that you're attempting to find a technical solution to what is essentially a social problem.

If you really want to do something to fix this problem, as you describe it, try suing microsoft for lost time/man-hours/profits/whatever due to their lax security practices instead of mucking about with DNS/ICANN/whatever else.

Social problems generally can only be solved by social solutions, specifically because the moment your technical 'solution' is released, someone will bypass it.

If you'd like examples of technical solutions for social problems not working, try DeCSS or any one of a number of anti-drm solutions (social problems: piracy, copyright infringement; technical solutions defeated recently within 1 week of release into the wild). If you need more examples: spam (email, blog, seo), phishing, 419 scams, DDoS 'ransoming.' All of these problems *continue* to work because they continue to be profitable for the folks committing the crimes, any technical solution the community *might* come up with will be bypassed simply because it's in someone's best interest for them to continue.

You'd do better by trying to study the sociological concepts at work and attempting to address *THOSE.*

It's been said that if you build your software to be idiot proof, the universe will simply invent a better idiot.

My 2/100ths of a monetary unit,
Allen Parker
There is a current on-going Internet emergency: a critical 0day vulnerability currently exploited in the wild threatens numerous desktop systems which are being compromised and turned into bots,
I feel very strongly that this is just yet-another-Windows-vulnerability.

If I wanted to read about Windows vulnerabilities, then I would be subscribed to whatever list that is.

As such, it really has no place on nanog.

I don't want to have this list clogged every time some moron has his Windows 2000 / IIS v5.x site hacked.

Further, you are suggesting that everyone else pay the freight for what are Microsoft's security problems.

This "Internet Emergency" doesn't appear to be a problem on Linux/OSX/Solaris; nor have I read about Cisco IOS or CatOS, or Juniper's OS having problems either.

I actually signed up to post instead of just lurking, specifically to ask you all to kill this thread.

If the list feels otherwise, and that it is of interest and within nanog guidelines, then I acquiesce, respecting the greater wisdom of the list.

--Patrick
On Sat, 31 Mar 2007, Patrick Giagnocavo wrote:
<snip>
You do realize this post is not about Microsoft or IE 0days, right? Gadi.
On Mar 31, 2007, at 8:57 PM, Gadi Evron wrote:
On Sat, 31 Mar 2007, Patrick Giagnocavo wrote:
If the list feels otherwise, and that it is of interest and within nanog guidelines, then I acquiesce, respecting the greater wisdom of the list.
You do realize this post is not about Microsoft or IE 0days, right?
It's hard to say. By some standards (even if not local ones) I'd be considered mildly knowledgeable about DNS, and from what you've posted I haven't a clue what the real underlying issue is that you're wibbling on about, beyond botnets bad (OK) + short TTLs bad (uhm, no) + getting domains without paying bad (OK) + registries won't pull domains on my say so (seems reasonable).

I'm prepared to concede, despite your previous history, that there may well be an actual issue (as there are an awful lot of hideously ugly corners with both DNS the protocol and domain registration the policy), but you're being incredibly bad at communicating what you actually think it is. You may want to try again.

Cheers,
Steve
On Sat, 31 Mar 2007, Steve Atkins wrote:
I'm prepared to concede, despite your previous history, that there may well be an actual issue (as there are an awful lot of hideously ugly corners with both DNS the protocol and domain registration the policy), but you're being incredibly bad at communicating what you actually think it is.
He's talking about when DNS protocol is used to either control or serve as main entry into a botnet (i.e. domain points to various servers on botnet and quickly changes among them). Previously a lot of that was (still is?) done using IRC and it generally offers more superior tools but rudimentary control can be done with DNS quite easily and unlike IRC or higher-end ports that enterprise firewalls know quite well how to block, dns protocol is almost always available from any computer and it also has great way of providing externally reliable reference to unify thousands of botnet computers. But DNS here is just a tool, bad guys could easily build quite complex system of control by using active HTTP such as XML-RPC, they are just not that sophisticated (yet) or maybe they don't need anything but simple list of pointers. -- William Leibzon Elan Networks william@elan.net
On Mar 31, 2007, at 11:16 PM, william(at)elan.net wrote:
But DNS here is just a tool, bad guys could easily build quite complex system of control by using active HTTP such as XML-RPC, they are just not that sophisticated (yet) or maybe they don't need anything but simple list of pointers.
Actually, the discussion isn't about the use of the DNS protocol itself as a botnet C&C channel (as you indicate, that's certainly doable), but rather about domains used as pointers to malware which is then distributed via various methods, same for phishing, as well as the use of DNS to provide server agility for botnet controllers irrespective of the actual protocol used for C&C. ----------------------------------------------------------------------- Roland Dobbins <rdobbins@cisco.com> // 408.527.6376 voice Words that come from a machine have no soul. -- Duong Van Ngo
On Mar 31, 2007, at 11:57 PM, Gadi Evron wrote:
You do realize this post is not about Microsoft or IE 0days, right?
Your words made it clear that it was. Generalizing from "Windows 0day" to "coordinate shutdown of DNS for evil domain in a timely fashion" is just obfuscating that the only reason to do so is because Windows is the way it is. From your original post, you explicitly defined the "Internet emergency" as "a critical 0day vulnerability currently exploited in the wild threatens numerous desktop systems" The desktop systems in question were all Windows ones, as I am sure you know. Up-ending methods of basic Internet admin functions that have evolved over many years, due solely to Windows problems is only going to paper over the underlying problem. I would prefer not to turn this into an OS flamefest, my only point is that *this list* is not the proper venue to discuss this issue; nor the methods that you suggest as a remedy, regardless of merit. Again if the rest of the list wants to continue, then so be it. --Patrick
Patrick Giagnocavo wrote:
On Mar 31, 2007, at 11:57 PM, Gadi Evron wrote:
You do realize this post is not about Microsoft or IE 0days, right?
Your words made it clear that it was.
Generalizing from "Windows 0day" to "coordinate shutdown of DNS for evil domain in a timely fashion" is just obfuscating that the only reason to do so is because Windows is the way it is.
As I see it, the problem at hand is the current Windows 0day. What Gadi is doing is concentrating on a tactic it is using to justify solving what he sees as a more general problem (DNS abuse) that could be used by an exploit to any operating system. By solving it, this could mitigate future problems. We're looking at the alligators surrounding us. Gadi is trying to convince us to help him in draining the swamp (which may indeed be a positive thing in the long run). Does that sound about right? -- Jeff Shultz
Jeff Shultz wrote:
We're looking at the alligators surrounding us. Gadi is trying to convince us to help him in draining the swamp (which may indeed be a positive thing in the long run).
Does that sound about right?
If you drain the swamp the hippos will be very angry and run at you.

The problem argued here is heavily dependent on how long it would take for the bad guys to adapt. I would assume it's less time than it would take to deploy a global system for DNS abuse mitigation. So "fixing" a single protocol would not take us any significant distance because the next thing would be either:
- XML-RPC
- SOAP
- proprietary name-lookup system
- p2p botnet control
- etc...

(yes, blocking port 80 would be a good start)

I also have yet to observe measurable reduction of spam since more port 25 blocking has been supposedly taken into use.

This is a problem in the policy / edge. It's not something that should be solved in the core.

It's immensely easier to blame somebody else (in the case of this thread, registries/registrars) for somebody else's problem (Windows users). It's significantly harder to fix the real issue. But I hope at least part of the loudmouths are up for that.

Pete
On Sat, 31 Mar 2007, Jeff Shultz wrote:
Does that sound about right?
If ISPs cannot be forced into running a 24/7/365 response function, I don't see the registry/registrars doing it.

Solving this at the DNS level is just silly, if you want to solve it it either you get to the core (block IP access, perhaps by BGP blacklisting) or go to level 8, ie the human level, and get these infected machines off the net permanently.

So Gadi, to accomplish what you want you need to propose to the ISPs all over the net that what you're trying to do is so important that some entity publishing a realtime blacklist is important enough that all major ISPs should subscribe to a BGP blackhole list from there. Also that this is important enough to seriously violate the distributed structure of the net today that has made it into the raging success it is today. It's not perfect, but it works, and it doesn't have a single point of failure.

... and people have very bad experiences from blacklists not being maintained properly.

-- Mikael Abrahamsson email: swmike@swm.pp.se
On Sun, 1 Apr 2007, Mikael Abrahamsson wrote:
net today that has made it into the raging success it is today. It's not perfect, but it works, and it doesn't have a single point of failure.
You just lost my respect for the remainder of this thread. :)
... and people have very bad experiences from blacklists not being maintained properly.
Blacklists are a horrid idea. I'd love to hear of other solutions to the DNS as an abuse infrastructure. Gadi.
On Sun, 1 Apr 2007, Mikael Abrahamsson wrote:
If ISPs cannot be forced into running a 24/7/365 response function, I don't see the registry/registrars doing it.
Maybe if a body with the proper authority to penalize the ISPs were in order this wouldn't be an issue. Look at BGP dampening and route flaps for instance: something goes awry, the router is penalized. A quick check, all goes well; if not, an added penalty is given. Perhaps if some of these businesses were forced to get their acts in order, many of these issues would not be occurring.
Solving this at the DNS level is just silly; if you want to solve it, either you get to the core (block IP access, perhaps by BGP blacklisting) or go to level 8, i.e. the human level, and get these infected machines off the net permanently.
Solving this at the DNS level is a better idea than having to hope that - by contacting someone clueful on level 8 - they'll 1) even understand what you mean, 2) understand how to address the issue. If you meant contacting the owner of the infected machine, good luck. If you meant contacting the provider of the owner of the ISP, even better luck. It's far easier to accomplish some form of DNS filtering to block out infected machines, and even servers propagating infections. I've contacted who knows how many administrators of infections on their networks. Typically the response is "Contact our abuse team." Which is understandable, being someone wants to keep in tune with policy, but heck, some of these companies' policies are more of a facade if you ask me. Within the next month, I will be posting the networks, contacts, etc., of the dirtiest brute force pushing networks I've seen. If needed, I will re-post some of the absurd responses I've seen, like one from NASA... And no, it's no April Fools' joke... So a NASA address is brute forcing a machine of mine... I contact the admin listed on a whois and it gets sent to a CISSP gentleman... His response: "We were doing some pen testing on our networks..." What? They were pentesting on their network yet I managed to get hit up in the mix. Right... It's not like the network connecting to mine was typed in accidentally; my network was in the 208.x.x.x range, theirs... Not even close.
So Gadi, to accomplish what you want you need to propose to the ISPs all over the net that what you're trying to do is so important that some entity publishing a realtime blacklist is important enough that all major ISPs should subscribe to a BGP blackhole list from there. Also that this is important enough to seriously violate the distributed structure of the net today that has made it into the raging success it is today. It's not perfect, but it works, and it doesn't have a single point of failure.
Single point of failure? I'm sure many can point out multiple points of failure. One thing I've been doing with my brute forcer blacklist (if you want to call it this) is blocking entire net blocks from accessing attacked machines. When admins contact me wondering why their clients cannot connect, the answer is simple for me. After a quick lookup of the bruteforcer list, I simply tell them that one (or many) hosts on their network have been ssh brute forcing some of my servers. Therefore their ENTIRE range was blocked. Quite frankly, I don't care if I have to block up to /6s (I've got one or two of APNIC's), I will do whatever it takes to make sure my networks stay clean and secure.
... and people have very bad experiences from blacklists not being maintained properly.
Funny you should mention... Nothing in this world has ever from the onset been a perfect invention/creation. Does this mean that if one implementation failed, the entire design is flawed? -- =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ J. Oquendo echo @infiltrated|sed 's/^/sil/g;s/$/.net/g' http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743 "How a man plays the game shows something of his character - how he loses shows all" - Mr. Luckey
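J. Oquendo's brute-forcer blacklist, above, blocks whole ranges on the strength of a few bad hosts, which is exactly what the single-point-of-failure and collateral-damage objections elsewhere in this thread are about. As an added example (my own code, not J. Oquendo's tooling or anything posted in the thread), here is the detection side done with a guard against that collateral damage: parse sshd "Failed password" lines, aggregate per host and per /24, propose a whole block only when several distinct hosts in it took part, and drop anything that overlaps an operator-maintained allowlist. The log lines, addresses and thresholds are constructed for the example.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sshd log lines in syslog format (documentation addresses,
# not real traffic), used only to exercise the functions below.
SAMPLE_AUTH_LOG = """\
Apr  1 03:12:01 host1 sshd[2311]: Failed password for root from 203.0.113.10 port 41022 ssh2
Apr  1 03:12:03 host1 sshd[2311]: Failed password for root from 203.0.113.10 port 41023 ssh2
Apr  1 03:12:04 host1 sshd[2314]: Failed password for invalid user admin from 203.0.113.11 port 41100 ssh2
Apr  1 03:12:06 host1 sshd[2316]: Failed password for invalid user oracle from 203.0.113.12 port 41101 ssh2
Apr  1 03:12:07 host1 sshd[2318]: Failed password for root from 203.0.113.13 port 41102 ssh2
Apr  1 03:12:09 host1 sshd[2320]: Failed password for root from 203.0.113.14 port 41103 ssh2
Apr  1 03:13:00 host1 sshd[2330]: Failed password for alice from 198.51.100.7 port 50000 ssh2
Apr  1 03:13:30 host1 sshd[2331]: Accepted publickey for alice from 198.51.100.7 port 50001 ssh2
Apr  1 03:14:00 host1 sshd[2340]: Failed password for root from 192.0.2.99 port 60000 ssh2
"""

# Matches OpenSSH's "Failed password" line; "invalid user" appears when the
# username does not exist on the host.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+"
)


def failed_logins(log_text):
    """Return a list of (username, source address) for every failed password."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            events.append((m.group(1), ip_address(m.group(2))))
    return events


def aggregate_by_prefix(events, prefixlen=24):
    """Count failures per source host and per covering /prefixlen block."""
    per_host = Counter()
    per_block = Counter()
    hosts_in_block = defaultdict(set)
    for _user, ip in events:
        if ip.version != 4:          # keep the example IPv4-only
            continue
        block = ip_network(f"{ip}/{prefixlen}", strict=False)
        per_host[ip] += 1
        per_block[block] += 1
        hosts_in_block[block].add(ip)
    return per_host, per_block, hosts_in_block


def candidate_blocks(events, per_host_threshold=3, per_block_threshold=5,
                     prefixlen=24, allowlist=()):
    """Return sorted CIDR strings worth blocking.

    A whole /prefixlen block is chosen only when it exceeds the block
    threshold AND at least two distinct hosts in it took part, so one noisy
    host does not get its neighbours blocked.  Single hosts are chosen when
    they exceed the per-host threshold.  Anything overlapping the allowlist
    (partners, your own ranges, monitoring) is dropped: that is the guard
    against the collateral damage a range-wide block causes.
    """
    allowed = [ip_network(a) for a in allowlist]
    per_host, per_block, hosts_in_block = aggregate_by_prefix(events, prefixlen)
    chosen = set()
    for block, n in per_block.items():
        if n >= per_block_threshold and len(hosts_in_block[block]) >= 2:
            chosen.add(block)
    for ip, n in per_host.items():
        if n >= per_host_threshold:
            host_net = ip_network(f"{ip}/32")
            if not any(host_net.subnet_of(b) for b in chosen):
                chosen.add(host_net)
    kept = [b for b in chosen if not any(b.overlaps(a) for a in allowed)]
    return sorted(str(b) for b in kept)


if __name__ == "__main__":
    for cidr in candidate_blocks(failed_logins(SAMPLE_AUTH_LOG)):
        print(cidr)
```

Run stand-alone it prints the one /24 the sample justifies. Lowering `per_block_threshold` or widening `prefixlen` shows how quickly a range-based policy sweeps in uninvolved neighbours, which is why the allowlist check belongs in front of any automated null-route, and why the output is a candidate list for a human rather than a firewall rule.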
jeffshultz@wvi.com (Jeff Shultz) writes:
As I see it, the problem at hand is the current Windows 0day. What Gadi is doing is concentrating on a tactic it is using to justify solving what he sees as a more general problem (DNS abuse) that could be used by an exploit to any operating system. By solving it, this could mitigate future problems.
the more general problem is hard to agree about. i think it's that every day neustar and afilias and verisign and the other TLD registries handle many millions of new-domain transactions, most of which will never be paid for ("domain tasting") and most of which are being held with stolen credit cards. i don't know if these companies book the revenue ("ship bricks") or if this is just a hell hole of wasted time and money for them (or, both?) i do know that a small number of criminals and wastrels among the registrant and registrar communities are responsible for between 95% and 99.98% of each day's domain churn, and that most of the domains will never be used or will only be used for evil. some of the costs of this infrastructure-for-evil are passed on to the rest of the registrants, and all of the costs of the evil itself are passed on to the rest of humanity. now we can try to pour widescale poison on the domains we see used for evil, and hope that everyone who would like to be protected by that poison is able to get in on the action; or we can look at the registrars and registrants, and track their actions, and build a reputation system indicating who has done evil and who has irresponsibly or greedily profited from enabling evil. in the first case we have an infinite set of possible choke points; in the second we have a finite set. in the first case we have to pay the cost on every DNS lookup, in the second case we have to pay the cost on every DNS registration event.
We're looking at the alligators surrounding us. Gadi is trying to convince us to help him in draining the swamp (which may indeed be a positive thing in the long run).
Does that sound about right?
that sounds exactly wrong. harkening back to my experience with "check-names" i can tell you that all i did was scare away a few alligators and the swamp remained. (probably the same was true of the original MAPS RBL.) what we've got in the DNS registry/registrar market today is as corrupt and abusable as the California electricity market was back in 2000-2001, and we're seeing the same kind of windfalls enjoyed by the same kind of assholes now as then. the system is ripe for policing, which icann has shown that they will not do. i want to see gadi in "ralph nader" mode, shining a light on all this, making it harder to profit from building the "infrastructure of evil." if that's what you meant by swamp-draining, then i apologize for misunderstanding you. -- Paul Vixie
the more general problem is hard to agree about. i think it's that every day neustar and afilias and verisign and the other TLD registries handle many millions of new-domain transactions, most of which will never be paid for ("domain tasting")
Right.
and most of which are being held with stolen credit cards. i don't know if these companies book the revenue ("ship bricks") or if this is just a hell hole of wasted time and money for them (or, both?)
Registrars don't get credit with registries. They have to prepay a deposit, then for each registration their account gets debited, for each reversal it gets credited, so they're basically shipping and restocking a million bricks a day. It is my understanding that one or two registrars do nearly all of the domain tasting, and it's widely assumed that they're their own "customer" for those registrations. They really do have $6M of deposit to handle a million registrations. Verisign tolerates tasting probably because the actual cost of handling a registration is close to zero, and a few of them aren't cancelled. Afilias has complained about the load and proposed and I think got an amendment so that registrars who cancel more than 90% of their registrations don't get quite all of their money back. I haven't seen much connection between tasting and malware. Tasted domains are set up as web sites which consist of nothing but pay per click ads. Malware domains are much less numerous, the registrar is not a knowing party (beyond some registrars' reluctance to do takedowns), and those probably are paid for with stolen plastic. R's, John
On 1 Apr 2007, Paul Vixie wrote:
We're looking at the alligators surrounding us. Gadi is trying to convince us to help him in draining the swamp (which may indeed be a positive thing in the long run).
Does that sound about right?
that sounds exactly wrong. harkening back to my experience with "check-names" i can tell you that all i did was scare away a few alligators and the swamp remained. (probably the same was true of the original MAPS RBL.) what we've got in the DNS registry/registrar market today is as corrupt and abusable as the California electricity market was back in 2000-2001, and we're seeing the same kind of windfalls enjoyed by the same kind of assholes now as then. the system is ripe for policing, which icann has shown that they will not do. i want to see gadi in "ralph nader" mode, shining a light on all this, making it harder to profit from building the "infrastructure of evil." if that's what you meant by swamp-draining, then i apologize for misunderstanding you.
So, is the infrastructure in question, which is an abuse infrastructure, the ICANN policy and registry/registrar combination on TLD management and domain registration/revocation? I can testify as to some registrars (enom, godaddy, tucows, etc.) being very responsive and some registries (read .info) being very cooperative. OBVIOUSLY this is not the case for everyone. I can testify as to ICANN folks being clued-in and helpful as far as they can under current policies, which leave ICANN itself very much non-existent when it comes to security and abuse. Gadi.
-- Paul Vixie
On Sun, Apr 01, 2007 at 09:51:16PM -0500, Gadi Evron <ge@linuxbox.org> wrote a message of 39 lines which said:
I can testify as to some registrars (enom, godaddy, tucows, etc.) being very responsive and some registries (read .info) being very cooperative.
OBVIOUSLY this is not the case for everyone.
If "being cooperative" means "shoot immediately any presumed-to-be-innocent each time a random vigilante asks you so", I hope that the ".fr" registry is uncooperative.
I rarely post, but that is clearly a problem. The Americans seem to believe in the presumption of guilt and the infallibility of accusation. As an American born and bred I can hardly be accused of bias. Clearly spam is a serious problem in terms of draining network resources, but organizations like Spamhaus don't even do an investigation. Maybe this new American mentality explains Guantanamo Bay. Roderick S. Beck Hibernia Atlantic 30 Dongan Place, NY, NY 10040 http://www.hiberniaatlantic.com Landline: 1-212-942-3345 Wireless: 1-212-444-8829. rod.beck@hiberniaatlantic.com rodbeck@erols.com ``Unthinking respect for authority is the greatest enemy of truth.'' Albert Einstein.
On Mon, 2 Apr 2007, Rod Beck wrote:
I rarely post, but that is clearly a problem. The Americans seem to believe in the presumption of guilt and the infallibility of accusation. As an American born and bred I can hardly be accused of bias.
Clearly spam is a serious problem in terms of draining network resources, but organizations like Spamhaus don't even do an investigation.
Maybe this new American mentality explains Guantanamo Bay.
I wouldn't have even replied to this email, but you accused Spamhaus of being an American organization! How dare you? They sit in the UK! :) How dare they, though, start the war in Iraq?! Gadi.
I rarely post, but that is clearly a problem. The Americans seem to believe in the presumption of guilt and the infallibility of accusation. As an American born and bred I can hardly be accused of bias.
Clearly spam is a serious problem in terms of draining network resources, but organizations like Spamhaus don't even do an investigation.
Even if this were on-topic, don't you think it would be a good idea to make at least a cursory attempt to get your facts straight? Spamhaus is located in the UK, I personally know multiple Spamhaus volunteers who spend vast amounts of time researching their blacklist entries, and they put large dossiers on their web site to document them. ObOperations: Spamhaus publishes a drop list of IP ranges intended for your router that I heartily recommend. It is much smaller than their mail blacklist, chosen to include only network ranges with no socially redeeming value at all. R's, John
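John's ObOperations pointer above is the Spamhaus DROP list. As an added example (my own code, not John's, Spamhaus's or anything posted in the thread), here is how an operator might consume a DROP-format text file before trusting it on a router: parse it, check whether an address falls inside a listed range, render it as Linux blackhole routes, and, the step Mikael's "blacklists not being maintained properly" remark argues for, test it against the operator's own prefixes so a stale or over-broad entry cannot take the operator off the net. The sample lines are constructed and the SBL references are placeholders; the layout (one CIDR per line, `;` starting a comment or the SBL reference) is the real DROP text format.

```python
from ipaddress import ip_address, ip_network

# Constructed text in the DROP list layout: ';' starts a comment, and each
# entry is "CIDR ; SBL-reference".  Prefixes are documentation ranges and the
# SBL ids are placeholders, not real listings.
SAMPLE_DROP = """\
; Spamhaus DROP List (constructed sample, not the real list)
; Last-Modified: Mon, 02 Apr 2007 00:00:00 GMT
203.0.113.0/24 ; SBL000001
198.51.100.0/25 ; SBL000002

192.0.2.0/24 ; SBL000003
"""


def parse_drop(text):
    """Return {IPv4Network: sbl_reference} from DROP-format text."""
    entries = {}
    for raw in text.splitlines():
        body, _, comment = raw.partition(";")
        cidr = body.strip()
        if not cidr:                      # blank line or pure comment
            continue
        entries[ip_network(cidr)] = comment.strip()
    return entries


def lookup(entries, ip):
    """Return (cidr, reference) of the most specific listed range covering ip, or None."""
    addr = ip_address(ip)
    hits = [(net, ref) for net, ref in entries.items() if addr in net]
    if not hits:
        return None
    net, ref = max(hits, key=lambda h: h[0].prefixlen)
    return str(net), ref


def null_route_commands(entries):
    """Render the entries as Linux blackhole routes (iproute2 syntax), sorted."""
    return [f"ip route add blackhole {net}" for net in sorted(entries)]


def conflicts(entries, own_prefixes):
    """Listed ranges that overlap prefixes you must never blackhole (your own,
    your customers', your upstream links).  Run this on every refresh of the
    list; anything it returns needs a human look before the routes go in."""
    own = [ip_network(p) for p in own_prefixes]
    return sorted(str(net) for net in entries if any(net.overlaps(o) for o in own))


if __name__ == "__main__":
    drop = parse_drop(SAMPLE_DROP)
    print(lookup(drop, "203.0.113.77"))
    for cmd in null_route_commands(drop):
        print(cmd)
    print("conflicts:", conflicts(drop, ["198.51.100.0/24"]))
```

The `conflicts` check is the part worth keeping: a DROP-style list is small and curated precisely so it can be installed in the data plane, but installing any third-party list unconditionally is how an operator ends up blackholing a customer, and the refusal to do so is the difference between a maintained list and an unmaintained one.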
Hi John, Nowhere in that email did I say Spamhaus was an American organization. So let's not be petty. As for Spamhaus' professionalism, I would point out that some organizations that use opt-in lists still get hit by Spamhaus either because the end users complained after apparently 1. forgetting that they had opted into the list 2. or they changed their mind. Many of the biggest publishing houses now run their email operations overseas precisely because they are tired of dealing with Spamhaus complaints. The question is how to achieve accountability. I don't think volunteer organizations are ideal from an accountability point of view. Regards, Roderick S. Beck Hibernia Atlantic 30 Dongan Place, NY, NY 10040 http://www.hiberniaatlantic.com Landline: 1-212-942-3345 Wireless: 1-212-444-8829. rod.beck@hiberniaatlantic.com rodbeck@erols.com ``Unthinking respect for authority is the greatest enemy of truth.'' Albert Einstein.
On Mon, 02 Apr 2007 15:16:34 BST, Rod Beck said:
I don't think volunteer organizations are ideal from an accountability point of view.
On the other hand, most volunteer organizations are thought of as being more trustable than corporations or governments, precisely because while often a corporation or government is wielded as a tool to further some end of the leadership (usually money, power, or both), it's a lot harder to do that with volunteers - they tend to be more self-policing. It's a lot easier to read Spamhaus's motives for any given action (even if you don't agree with their methods), and make your own decision regarding their trustworthiness, than it is to figure out why DHS wants control of the DNSSEC key-signing-key. (And "volunteer" doesn't imply "unaccountable" - anybody who's been following the US news will likely have heard that the US Dept of Justice seems to have this big unaccountable gap in their e-mail trail regarding the firing of some attorneys...)
My apologies to all for feeding the trolls... On 4/2/07, Rod Beck <Rod.Beck@hiberniaatlantic.com> wrote:
I rarely post, but that is clearly a problem. The Americans seem to believe in the presumption of guilt and the infallibility of accusation. As an American born and bred I can hardly be accused of bias.
Clearly spam is a serious problem in terms of draining network resources, but organizations like Spamhaus don't even do an investigation.
Maybe this new American mentality explains Guantanamo Bay.
I'm sorry, you must be confused. This is NANOG, which purports to be a technical discussion regarding network operations in North America. Down the hall you'll find plenty of mailing lists maintained by the Democrat Party - your odd, incorrect, and factually-flawed "blame America(ns) for everything" diatribes will be better received by that audience. If that doesn't work, I suggest a daily dose of DailyKos and some tinfoil to wrap around your head. Thanks.
You do realize this post is not about Microsoft or IE 0days, right?
I would prefer not to turn this into an OS flamefest, my only point is that *this list* is not the proper venue to discuss this issue; nor the methods that you suggest as a remedy, regardless of merit.
Again if the rest of the list wants to continue, then so be it.
In the end, phishing and scams work because people are stupid (or possibly ignorant- but then again with all the warnings they've received you'd have to be stupid to still be ignorant at this point). Period. End of discussion. Every time we come up with another "solution" - the universe comes up with a bigger idiot. Honestly- I, as well as everyone I know, receive a million warning messages from banks, web sites, etc. warning people not to trust email claiming to be from said institution. And yet, every single day, thousands upon thousands of people keep falling for it. Where do you draw the line? Since we seem to love analogies: Imagine you have a high voltage outlet and people keep sticking their fingers in it and getting electrocuted. So you put up a sign that says "Danger- high voltage," and people continue sticking their fingers in it. Then you warn them about it personally, and you have segments on the TV news and articles in the papers and people STILL do it. At what point do you just have to walk away and let nature take its course? Everybody in the world has been _repeatedly_ warned about phishing and other scams, and yet just like 419 scams, they KEEP falling for it. Nobody stops to think. Enough is enough already. Do I think certain policies should be changed? Sure. Domain tasting is an idea that I can not believe benefits anyone but a scammer (or a domain advertiser- which is no better). There are plenty of other examples but in the end, no matter what we do, users are going to continue to do mind-bogglingly stupid things. -Don *Please don't think for a second I want to see the scammers given carte blanche to do what they want- or that we shouldn't try to stop them- but pretending we can solve the problem of user stupidity through technology is disingenuous and laughable.
On Sun, 01 Apr 2007 13:08:14 EDT, Donald Stahl said:
*Please don't think for a second I want to see the scammers given carte blanche to do what they want- or that we shouldn't try to stop them- but pretending we can solve the problem of user stupidity through technology is disingenuous and laughable.
Eugenics has some promise in that area. Desperate times call for desperate measures.
What really surprises the living crap out of me is that you're attempting to find a technical solution to what is essentially a social problem. If you really want to do something to fix this problem, as you describe it, try suing microsoft for lost time/man-hours/profits/whatever due to their lax security practices instead of mucking about with DNS/ICANN/whatever else.
Wasn't going to comment on this thread as I really can't add much (as I read the entire thread bemused as I still don't see the prob even when I learned about this zero day days ago) but amen to Allen's comment here. There are multiple issues here and DNS and / or $insert_favorite_technology isn't the problem. As a completely OT side comment for laughs: why is nobody blaming the real root problem here ... marketing folk and their insistent drive for multimedia for sales reasons (e.g. animated cursors and HTML email) :)
On Fri, Mar 30, 2007 at 09:18:07PM -0500, Gadi Evron wrote:
There is a current on-going Internet emergency: ...
Having just read and deleted somewhere between 100 and 400 messages on this, I don't really want to add to the noise. I hope there's some signal here. One thing is clear, that Gadi wants DNS completely re-vamped. He says that it is an infrastructure for abuse. Come on! DNS is a lookup mechanism. It is the infrastructure for EVERYTHING. So, yes, it is the infrastructure for the abuse. It is ALSO the infrastructure for doing things right. It may even be the infrastructure for the solution. [Vixie thinks it's DNSSEC - but the problem is, the data being inserted IS authentic data, filed in a registry.] More likely, though, as this is a social problem, the solution is completely outside the technical realm.

ICANN is working on the "domain tasting" issue, as a quick lookup shows. PIR has proposed a "restock fee". An independent report to ICANN advises that Verisign should do the same thing. Will this stop domain tasting? It will, at least, make it less profitable. Will this stop the "pirates"? No, of course not, as said at least fifty times in this thread. But if this catches on world-wide, they may choose a different mode of ingress into our lives than this "fast-flux" route.

Will legislation solve anything? Probably not. Who legislates for the entire world? Although I did note that the WTO did smack the USA down for some things recently, and they had to sit there and take it. [Well, with some ineffective loud complaints.] So maybe there is someone who can really enforce international law. I wouldn't know. [Who DOES make international law? Is it just treaty and precedent? Ooops, OT!]

Gadi wants a separate root server that he can trust. I think we've already seen the evil of separate roots, except those who claim it's our saviour. I fail to see the relevance, here, at all. Besides, the root is in so many countries today, why aren't we trusting it? [Except for the poorly run or separated copies.]
Gadi wants to be able to blacklist domain names immediately when called for by ... oh, wait, we haven't figured that out yet. It would have to be someone who is always right before I would accept it. And He hasn't said a thing about domain names yet. I kind of liked Doug Otis' suggestion of a mandatory waiting period for all domain registrations. Even if we didn't take the time to check all registered domains for illegal payment methods or known name-terrorists [;-)], it would certainly end the fast-flux capability. Of course, everyone would complain; but if it were universal, it would be accepted. Would someone come up with a way around it? Have they come up with a way around the firearm waiting period? Of course. But it's harder. But it's also not clear that, long-term [once they get bored with fast-flux, or the easily mined value of it has gone] it really has any merit.

I don't want to say that none of Gadi's own ideas have merit, because they do. [As long as one doesn't make a spectacular leap from one of those to a totally unrelated idea with no visible support.] Perhaps there should be someone somewhere to whom the bewildered DNS user [everybody!] can turn when there is a domain [not DNS, but a domain] that is being abused. The someone could look into it and see whether it's purely an abuse domain, and if so, recommend that it be terminated. As much as I like this idea, it has the possibility for turning into the Inquisition. It would need checks and balances - for none of us mere humans could possibly find out all the uses of a domain, or how it was paid for, or all the things for which it is used. So we would have to go with the best information we can find, and that may not be enough. There would have to be checks and balances and appeals and all the trappings of the more civilised sort of justice that allow people and companies accused of violations of the law to keep doing it for years before a resolution is found.
But this is what frustrates all of us, Gadi no less than any. And speaking of such companies, before "fixing" DNS, shouldn't we be forcing the company whose software generates a whole industry in fixing its bugs to correct itself? Why is that not the issue? There were too many other issues that I had wanted to address, but I think this is getting too long already. I do want to repeat, this is a social problem, and needs social solutions, most likely ones that take a bite out of the easy money causing the various abuses discussed in this thread. -- Joe Yao Analex Contractor
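Joe's post above is where the thread turns to fast-flux and to Doug Otis' registration waiting period. As an added example (my own code, not Joe's, Doug Otis's, or anything from the thread), here is what the two flux patterns look like from a resolver's side: A answers that rotate across unrelated /24s under a short TTL, and NS sets that keep changing. The observations are constructed (documentation addresses, made-up names); the feature names, thresholds and tags are my assumptions, not a standard.

```python
from collections import defaultdict
from ipaddress import ip_network

# Constructed resolver observations: (seconds since start, qname, rtype,
# rdata, ttl).  Documentation addresses and invented names, not real data.
OBSERVATIONS = [
    (0,    "flux.example", "A",  "203.0.113.10",   180),
    (0,    "flux.example", "A",  "198.51.100.22",  180),
    (200,  "flux.example", "A",  "192.0.2.5",      180),
    (200,  "flux.example", "A",  "203.0.113.200",  180),
    (400,  "flux.example", "A",  "198.51.100.99",  180),
    (400,  "flux.example", "A",  "192.0.2.77",     180),
    (0,    "flux.example", "NS", "ns1.flux.example", 300),
    (300,  "flux.example", "NS", "ns7.flux.example", 300),
    (600,  "flux.example", "NS", "ns3.flux.example", 300),
    (0,    "static.example", "A",  "203.0.113.50", 3600),
    (3600, "static.example", "A",  "203.0.113.50", 3600),
    (7200, "static.example", "A",  "203.0.113.51", 3600),
    (0,    "static.example", "NS", "ns1.static.example", 86400),
    (0,    "static.example", "NS", "ns2.static.example", 86400),
]


def features(observations, qname):
    """Summarise how a name's A and NS answers behaved over the window."""
    a_recs = [(t, rd, ttl) for t, n, rt, rd, ttl in observations
              if n == qname and rt == "A"]
    ns_recs = [(t, rd, ttl) for t, n, rt, rd, ttl in observations
               if n == qname and rt == "NS"]
    ns_snapshots = defaultdict(set)          # NS set seen at each point in time
    for t, rd, _ in ns_recs:
        ns_snapshots[t].add(rd)
    return {
        # address churn: how many different hosts, and how many unrelated /24s
        "distinct_a": len({rd for _, rd, _ in a_recs}),
        "distinct_a_24": len({ip_network(f"{rd}/24", strict=False) for _, rd, _ in a_recs}),
        "min_a_ttl": min((ttl for _, _, ttl in a_recs), default=None),
        # name-server churn: how many different NS sets were served over time
        "distinct_ns": len({rd for _, rd, _ in ns_recs}),
        "ns_set_changes": len({frozenset(s) for s in ns_snapshots.values()}),
        "min_ns_ttl": min((ttl for _, _, ttl in ns_recs), default=None),
    }


def classify(f, low_ttl=300, min_ips=5, min_blocks=3, min_ns_sets=3):
    """Return the flux patterns a name exhibits: 'a-flux', 'ns-flux', or neither.

    A short TTL on its own is not a signal (CDNs and load balancers use them
    too); the tag also requires the answers to spread over several unrelated
    /24s, which a single hosting provider rarely produces.
    """
    tags = []
    if (f["min_a_ttl"] is not None and f["min_a_ttl"] <= low_ttl
            and f["distinct_a"] >= min_ips and f["distinct_a_24"] >= min_blocks):
        tags.append("a-flux")
    if (f["min_ns_ttl"] is not None and f["min_ns_ttl"] <= low_ttl
            and f["ns_set_changes"] >= min_ns_sets):
        tags.append("ns-flux")
    return tags


if __name__ == "__main__":
    for name in ("flux.example", "static.example"):
        print(name, classify(features(OBSERVATIONS, name)))
```

The output is a triage signal for the "someone somewhere" Joe describes, not a takedown decision: a name that rotates six hosts across three unrelated /24s on a three-minute TTL deserves a look, while the second name, which changed one address in two hours, is what ordinary hosting looks like. Joe's point about the waiting period still stands: this detection only works after the domain exists, whereas a registration-side control acts before it does.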
Gadi, 4 days and 56 messages later... no pieces of the sky have hit me on the head yet. Trolling NANOG-L is as productive as ever. How long until you troll us again? Will it be another "INTERNET EMERGENCY!!!!" or just a provocative statement that starts a 50-message OT argument about botnets? NANOG-L would be more useful to those of us who actually operate networks if you would stop it. Gadi Evron wrote:
There is a current on-going Internet emergency: a critical 0day vulnerability currently exploited in the wild threatens numerous desktop systems which are being compromised and turned into bots, and the domain names hosting it are a significant part of the reason why this attack has not yet been mitigated.
On Wed, 4 Apr 2007, Albert Meyer wrote:
Gadi,
4 days and 56 messages later... no pieces of the sky have hit me on the head yet. Trolling NANOG-L is as productive as ever. How long until you troll us again? Will it be another "INTERNET EMERGENCY!!!!" or just a provocative statement that starts a 50-message OT argument about botnets? NANOG-L would be more useful to those of us who actually operate networks if you would stop it.
At least this time you send a comprehensible note to the list rather than "can't you die already" in private. :)
Gadi Evron wrote:
There is a current on-going Internet emergency: a critical 0day vulnerability currently exploited in the wild threatens numerous desktop systems which are being compromised and turned into bots, and the domain names hosting it are a significant part of the reason why this attack has not yet been mitigated.
participants (22)
- Adrian Chadd
- Albert Meyer
- alex@pilosoft.com
- Allen Parker
- Donald Stahl
- Douglas Dever
- Gadi Evron
- J. Oquendo
- Jeff Shultz
- John Levine
- Joseph S D Yao
- Mikael Abrahamsson
- Patrick Giagnocavo
- Paul Vixie
- Peter Thoenen
- Petri Helenius
- Rod Beck
- Roland Dobbins
- Stephane Bortzmeyer
- Steve Atkins
- Valdis.Kletnieks@vt.edu
- william(at)elan.net