To report a botnet PRIVATELY please email: [EMAIL PROTECTED]

----------

At 12:00 PM -0500 5/9/07, [EMAIL PROTECTED] wrote:
>
> Message: 1
> Date: Tue, 8 May 2007 19:02:48 -0500
> From: "Travis H." <[EMAIL PROTECTED]>
> Subject: Re: [botnets] On-going Internet Emergency and Domain Names
> To: [email protected]
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset="us-ascii"
>
> On Fri, Mar 30, 2007 at 09:20:10PM -0500, Gadi Evron wrote:
>> Every day we see two types of fast-flux attacks:
>> 1. Those that keep changing A records by using a very low TTL.
>> 2. Those that keep changing NS records, pretty much the same.
>
> Can you describe this a bit more? Exactly what does this buy the opposition?
> How is it used?
>
> I suspect that what you mean is that botnets use domain names, and when people
> track down the IPs and thus machines and clean them up, they just hose new
> systems and change the IPs in DNS. Is this what you mean?
>
> Now, it seems to me that they could use any sort of mechanism for distributing
> IP addresses, and that DNS just happens to be a convenient one. It strikes me
> as eminently trackable though.
>
> What you're asking - the ability to stop a domain from functioning in a quick
> manner - sounds fairly dangerous in a couple of ways. I completely understand
> the desire to stop infections and compromises from spreading as quickly as
> possible. However, I also know that yanking a domain is a serious matter,
> and can easily bring an organization to a standstill. Virtually nothing except
> network security systems use bare IP addresses anymore. Everything else will
> fail. And that can certainly open the registrars to some serious financial
> liability should they start pulling them on short notice. I would want my
> registrar to make darn sure that they had exhausted all other options, and that
> they would be causing less "damage" (in terms of unavailability of network
> services) than they are preventing, before they did something like this.
>
> Looking at it from a "who owns it" perspective, although no registrar
> is obligated to serve my data, I pay for the service, not the clients.
> Looking at it another way, if you don't like the answers you get from
> my DNS, then stop asking questions. What seems to be in conflict here
> is that you and other white hats are essentially third parties to what
> is going on; you are not running the malware, and you are not feeding
> it data. Giving third parties the ability to stop or interfere with
> a network communication seems like it could lead to some undesirable
> consequences.
>
> Of course I am well aware that many if not all of the people doing
> this are more than capable of using DDoS techniques to neutralize the
> DNS server, but cannot legally do so. It seems to me, however, that
> by doing so you could achieve the same results, without introducing
> any new vulnerabilities in the system; black hats already are familiar
> with DDoS, and being unconstrained by legal/moral issues are free to
> use it at any time. In contrast, providing a system for a third party
> to deny DNS service to a domain in a short time frame, whatever the
> exact mechanism, may create more problems than it solves, and the
> opposition will just find another way to distribute IP addresses.
> There's nothing that DNS does that couldn't be accomplished by some
> other mechanism; the only real difference between that and something
> else a person might cook up is that the infrastructure is widely
> deployed, highly available, and can't be disabled without
> significantly disrupting legitimate business. Though that has obvious
> advantages for the opposition, none of those seem _critical_ to the
> application here as I understand it. They could just as easily
> query slashdot forums or google or use peer-to-peer overlay networks
> to distribute new IPs, right?
Travis, I think you missed the point. They have not only hundreds of zombied IPs that serve up http for drugs, phish, porn, etc. but they have hundreds of zombied machines that do DNS for them as well. Traditionally, if you couldn't get a multi-IP-homed phishing site shut down because there were multiple cable ISPs that were dragging their feet, you could contact the one or two folks hosting their DNS and get them shut down that way. Now, they have hundreds of DNS machines that pop in and out of the lookup chain based upon the low TTL and constantly changing authoritatives and secondaries, so it becomes impossible to contact everyone required to shut a site (or anything else) down in any reasonable length of time.

Tom

--
Tom Shaw - Chief Engineer, OITC
<[EMAIL PROTECTED]>, http://www.oitc.com/
US Phone Numbers: 321-984-3714, 321-729-6258(fax), 321-258-2475(cell/voice mail,pager)
Text Paging: http://www.oitc.com/Pager/sendmessage.html
AIM/iChat: [EMAIL PROTECTED]
Google Talk: [EMAIL PROTECTED]
skype: trshaw

_______________________________________________
All list and server information are public and available to law enforcement upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
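A defender-side heuristic for the two fast-flux patterns the thread describes (A records churning under a very low TTL, and NS records churning the same way across hundreds of zombie resolvers). This is an added example, not code from the list or from any of its authors; the thresholds, the `Obs` record layout and both sets of DNS observations are constructed assumptions.

```python
from collections import namedtuple

# One resolver-side observation of a record: (poll number, record type, TTL, value).
Obs = namedtuple("Obs", "poll rtype ttl value")

def flux_indicators(observations):
    """Summarise how much a domain's A and NS answers churn across repeated polls."""
    a_vals = {o.value for o in observations if o.rtype == "A"}
    ns_vals = {o.value for o in observations if o.rtype == "NS"}
    # A flux network's addresses are scattered across many ISPs' /24s, whereas a
    # legitimate host or CDN node usually sits in a handful of blocks.
    nets = {".".join(ip.split(".")[:3]) for ip in a_vals}
    return {
        "polls": len({o.poll for o in observations}),
        "distinct_a": len(a_vals),
        "distinct_ns": len(ns_vals),
        "distinct_24s": len(nets),
        "min_ttl": min(o.ttl for o in observations),
    }

def looks_fast_flux(observations, max_ttl=300, min_a=10, min_24s=5, min_ns=5):
    """Assumed thresholds. A low TTL alone is not evidence (CDNs use low TTLs too);
    flag only when the answers also spread over many addresses and networks, or
    when the NS set itself keeps changing (the second pattern Gadi describes)."""
    f = flux_indicators(observations)
    if f["min_ttl"] > max_ttl:
        return False
    a_flux = f["distinct_a"] >= min_a and f["distinct_24s"] >= min_24s
    ns_flux = f["distinct_ns"] >= min_ns
    return a_flux or ns_flux

# Constructed sample 1: CDN-like domain, low TTL but the same two addresses every poll.
CDN_OBS = [Obs(p, "A", 60, ip) for p in range(10) for ip in ("198.51.100.10", "198.51.100.11")]
CDN_OBS += [Obs(p, "NS", 3600, ns) for p in range(10) for ns in ("ns1.example.net", "ns2.example.net")]

# Constructed sample 2: flux-like domain, three fresh addresses in fresh /24s and a new
# name server on every poll (the 10.x addresses and .test names are placeholders).
FLUX_OBS = [Obs(p, "A", 120, f"10.{p}.{i}.5") for p in range(10) for i in range(3)]
FLUX_OBS += [Obs(p, "NS", 180, f"ns{p}.flux-example.test") for p in range(10)]

if __name__ == "__main__":
    for name, obs in (("cdn", CDN_OBS), ("flux", FLUX_OBS)):
        print(name, flux_indicators(obs), "fast-flux" if looks_fast_flux(obs) else "ok")
```

The CDN sample passes the TTL check but is not flagged, which is the caveat a takedown or blocking decision needs: the signal is churn across many networks and many name servers, not the low TTL by itself.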
