nanog mailing list archives
Re: FBI tells the public to call their ISP for help
From: "Patrick W. Gilmore" <patrick () ianai net>
Date: Thu, 14 Jun 2007 14:54:54 -0400
On Jun 14, 2007, at 2:45 PM, Chris Adams wrote:
> Once upon a time, John Levine <johnl () iecc com> said:
>> I realize it's not a technical problem, although I suspect there are
>> some technical twiddles that could help, e.g., persuading Microsoft to
>> put the update servers in their own ASN to make it easier to put them
>> in a sandbox. And I realize that Microsoft's combination of arrogance
>> and naivete can make them painful to deal with.
>
> $ dig download.windowsupdate.com
> ;download.windowsupdate.com. IN A
> download.windowsupdate.com. 3411 IN CNAME main.dl.wu.akadns.net.
> main.dl.wu.akadns.net. 111 IN CNAME dom.dl.wu.akadns.net.
> dom.dl.wu.akadns.net. 111 IN CNAME dl.wu.ms.edgesuite.net.
> dl.wu.ms.edgesuite.net. 8080 IN CNAME a26.ms.akamai.net.
> a26.ms.akamai.net. 20 IN A 216.180.86.39
> a26.ms.akamai.net. 20 IN A 216.180.86.37
> $
>
> If you have Akamai servers, the IPs will be on your network (and of
> course shared with many other sites). You'd have to limit access with a
> limited DNS server (since few will use or even know IPs to visit) that
> only gives out DNS for certain hosts/domains.
Unfortunately, this is not always true. MS does not single-source. Users going to Windows Updates can and will be directed to a number of places, including Akamai, and Microsoft itself, depending on time of day, phase of moon, and whim of the content owner.
In general, creating a sandbox where a computer can only reach $UPDATE_SERVER is very, very difficult. And, as much as I hate to admit it, MS OSes are not the only ones that can be compromised (he types on his black MacBook).
That said, the majority of compromised computers do run some flavor of Redmond-Ware. (One can argue about the underlying cause - market share, quality of software, virus writer's preference, whatever - but the fact still stands that most compromised computers run Windows.) So getting a "windows update sandbox" would be very useful.
-- 
TTFN,
patrick
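As an added example (not code from the thread or from anyone posting in it), the Python below sketches the two halves of the quarantine design Chris Adams describes and Patrick qualifies: a name-allowlist resolver that answers REFUSED for any query outside the permitted domains, and a walk of the CNAME chain from the quoted dig output showing that the final Akamai A records carry a 20-second TTL on addresses shared with other sites, which is why an IP-based sandbox is hard to keep correct. The allowlist suffixes, the query-building helper and the record tuples are constructed here for illustration; the record values themselves are copied from the dig output above.

```python
import struct

# Names a quarantined host may resolve. Assumed allowlist for illustration; as the
# thread notes, Windows Update is not single-sourced, so a real list must cover
# Microsoft's own hosts as well as the CDN-fronted ones.
ALLOWED_SUFFIXES = ("windowsupdate.com", "update.microsoft.com")


def _encode_name(name: str) -> bytes:
    """Encode a dotted hostname as DNS wire-format labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query (one question, RD set); constructed test input."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + _encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_question(packet: bytes):
    """Return (txid, flags, qname, qtype, end_of_question); ValueError if malformed."""
    if len(packet) < 12:
        raise ValueError("short packet")
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated name")
        n = packet[pos]
        pos += 1
        if n == 0:
            break
        if n & 0xC0:  # compression pointers never appear in a query's question name
            raise ValueError("compression pointer in question name")
        labels.append(packet[pos:pos + n].decode("ascii"))
        pos += n
    if pos + 4 > len(packet):
        raise ValueError("truncated question")
    qtype = struct.unpack("!H", packet[pos:pos + 2])[0]
    return txid, flags, ".".join(labels).lower(), qtype, pos + 4


def is_allowed(qname: str) -> bool:
    """Exact match or subdomain of an allowlisted suffix (label boundary enforced)."""
    q = qname.rstrip(".").lower()
    return any(q == s or q.endswith("." + s) for s in ALLOWED_SUFFIXES)


def handle_query(packet: bytes):
    """Policy: ("forward", qname) for allowed names, else ("refused", response bytes)."""
    txid, flags, qname, qtype, qend = parse_question(packet)
    if is_allowed(qname):
        return "forward", qname
    # QR=1, RD copied from the query, RCODE=5 (REFUSED); echo the question section.
    rflags = 0x8000 | (flags & 0x0100) | 0x0005
    return "refused", struct.pack("!HHHHHH", txid, rflags, 1, 0, 0, 0) + packet[12:qend]


# The CNAME chain from the dig output quoted in the thread, as (owner, ttl, type, data).
DIG_CHAIN = [
    ("download.windowsupdate.com.", 3411, "CNAME", "main.dl.wu.akadns.net."),
    ("main.dl.wu.akadns.net.", 111, "CNAME", "dom.dl.wu.akadns.net."),
    ("dom.dl.wu.akadns.net.", 111, "CNAME", "dl.wu.ms.edgesuite.net."),
    ("dl.wu.ms.edgesuite.net.", 8080, "CNAME", "a26.ms.akamai.net."),
    ("a26.ms.akamai.net.", 20, "A", "216.180.86.39"),
    ("a26.ms.akamai.net.", 20, "A", "216.180.86.37"),
]


def resolve_chain(records, name, max_hops=8):
    """Follow CNAMEs from name; return (final_owner, addresses, min_ttl along the chain).

    min_ttl is how often an IP-based ACL built from this answer would have to be
    refreshed before the CDN could legitimately hand out different addresses.
    """
    cur, seen, min_ttl = name, set(), None
    for _ in range(max_hops):
        if cur in seen:
            raise ValueError("CNAME loop at %s" % cur)
        seen.add(cur)
        owned = [r for r in records if r[0] == cur]
        for _owner, ttl, _type, _data in owned:
            min_ttl = ttl if min_ttl is None else min(min_ttl, ttl)
        cnames = [r[3] for r in owned if r[2] == "CNAME"]
        if cnames:
            cur = cnames[0]
            continue
        return cur, [r[3] for r in owned if r[2] == "A"], min_ttl
    raise ValueError("CNAME chain longer than %d hops" % max_hops)


if __name__ == "__main__":
    print(handle_query(build_query("download.windowsupdate.com")))
    print(handle_query(build_query("example.com"))[0])
    print(resolve_chain(DIG_CHAIN, "download.windowsupdate.com."))
```

The policy check runs on the client's original question name, so the client only ever asks for download.windowsupdate.com; the quarantine resolver follows the akadns/edgesuite/akamai chain upstream and the client never needs those intermediate names allowlisted. Anything outside the list gets a REFUSED with the question echoed back, which stock stub resolvers handle cleanly.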