Re: Interesting new dns failures

["Fergie" <fergdawg () netzero net>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -- "Chris L. Morrow" <christopher.morrow () verizonbusiness com> wrote:

> > While I agree with you, there are many of us who know that these
> > fast-flux hosts are malicious due to malware & malicious traffic
> > analysis...
>
> Oh, so we switched from 'the domain is bad because..' to 'the hosts using
> the domain are bad because...' I wasn't assuming some piece of intel at
> the TLD that told the TLD that 'hostX that was just named NS for domain
> foo.bar is also compromised'. I was assuming a s'simple' system of
> 'changing NS's X times in Y period == bad'. I admit that's a might naive,
> but given the number, breadth, content, operators of lists of 'bad things'
> on the internet today I'm not sure I'd rely on them for a global decision
> making process, especially if I were a TLD operator potentially liable for
> removal of a domain used to process real business :(

Well, I don't think I ever implied that, but let's say that there
are certainly some fast-flux behavior (fluxing across multiple
administratively managed prefix blocks, NS fast-flux) which should
immediately raise a red flag.

Decisions based on those flags are policy issues -- whether or not
someone decides to take action upon only on that information or do
further research, is something that has to be determined by the
person(s) who detect the behavior, etc.

Having said that, most people don't even realize that fast-flux
exists...

- - ferg

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.1 (Build 1012)

wj8DBQFGUeNhq1pz9mNUZTMRAgC5AJ98cW092rV7ghrlIzjLP89qjiurDACdEFaV
qUxEcKgfr42Mh9IQAOmaKr0=
=Hrk0
-----END PGP SIGNATURE-----


--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg(at)netzero.net
 ferg's tech blog: http://fergdawg.blogspot.com/