nanog mailing list archives
Re: Interesting new dns failures
From: "Fergie" <fergdawg () netzero net>
Date: Mon, 21 May 2007 18:22:29 GMT
-- "Chris L. Morrow" <christopher.morrow () verizonbusiness com> wrote:
>> While I agree with you, there are many of us who know that these fast-flux hosts are malicious due to malware & malicious traffic analysis...
>
> Oh, so we switched from 'the domain is bad because..' to 'the hosts using the domain are bad because...' I wasn't assuming some piece of intel at the TLD that told the TLD that 'hostX that was just named NS for domain foo.bar is also compromised'. I was assuming a 'simple' system of 'changing NS's X times in Y period == bad'. I admit that's a might naive, but given the number, breadth, content, operators of lists of 'bad things' on the internet today I'm not sure I'd rely on them for a global decision making process, especially if I were a TLD operator potentially liable for removal of a domain used to process real business :(
Well, I don't think I ever implied that, but let's say that there is certainly some fast-flux behavior (fluxing across multiple administratively managed prefix blocks, NS fast-flux) which should immediately raise a red flag.

Decisions based on those flags are policy issues -- whether or not someone decides to take action only on that information or do further research is something that has to be determined by the person(s) who detect the behavior, etc.

Having said that, most people don't even realize that fast-flux exists...

- ferg

--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg(at)netzero.net
ferg's tech blog: http://fergdawg.blogspot.com/
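Added example, not part of the original message or of any poster's tooling: a sketch of the two flags discussed in this exchange, the quoted 'changing NS's X times in Y period' rule and A records fluxing across multiple prefix blocks. The thresholds, the /16 approximation of an administratively managed block, the function names and the sample observations are all assumptions made for illustration (IPv4 only).

```python
from collections import deque
from ipaddress import ip_network

# Assumed thresholds: the thread leaves X and Y unspecified.
NS_CHANGES_X = 3      # NS-set changes...
WINDOW_Y = 3600       # ...within this many seconds
PREFIX_BLOCKS = 3     # distinct blocks seen in A records within the window

def block_of(ip):
    # Assumption: approximate an administratively managed prefix block by the
    # covering /16. A production check would map addresses to origin AS instead.
    return ip_network(f"{ip}/16", strict=False)

def flux_flags(observations, x=NS_CHANGES_X, y=WINDOW_Y, k=PREFIX_BLOCKS):
    """observations: time-ordered (epoch, ns_names, a_records) for one domain.
    Returns the set of flags raised; what to do about them is a policy call."""
    flags = set()
    changes = deque()   # timestamps of NS-set changes still inside the window
    recent = deque()    # (timestamp, blocks) observations still inside the window
    prev_ns = None
    for ts, ns, addrs in observations:
        # Normalise case and trailing dots so a re-ordered set is not a change.
        ns = frozenset(n.lower().rstrip(".") for n in ns)
        if prev_ns is not None and ns != prev_ns:
            changes.append(ts)
        prev_ns = ns
        recent.append((ts, {block_of(a) for a in addrs}))
        while changes and ts - changes[0] > y:
            changes.popleft()
        while recent and ts - recent[0][0] > y:
            recent.popleft()
        if len(changes) >= x:
            flags.add("ns-flux")
        if len(set().union(*(b for _, b in recent))) >= k:
            flags.add("multi-prefix-flux")
    return flags

# Constructed sample data (RFC 5737 documentation addresses, example names).
FLUXING = [
    (0,    ["ns1.a.example"], ["192.0.2.10"]),
    (600,  ["ns7.b.example"], ["198.51.100.20"]),
    (1200, ["ns3.c.example"], ["203.0.113.30"]),
    (1800, ["ns9.d.example"], ["192.0.2.44"]),
]
STABLE = [  # one NS migration spread over days: neither flag fires
    (0,      ["ns1.a.example", "ns2.a.example"], ["192.0.2.10"]),
    (86400,  ["ns2.a.example.", "NS1.a.example"], ["192.0.2.10"]),
    (172800, ["ns1.b.example"], ["192.0.2.11"]),
]
```

The STABLE series shows why the window matters: an ordinary change of name servers by a real business produces a single NS change and stays below both thresholds.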