Re: Interesting new dns failures

[Roger Marquis <marquis () roble com>]

On Mon, 21 May 2007, Chris L. Morrow wrote:
> ok, so 'today' you can't think of a reason (nor can I really easily) but
> it's not clear that this may remain the case tomorrow.

Not a good justification for doing nothing while this sort of trojan
propagates.  As analogy, it is also true we cannot see how email-based
trojans may be desirable tomorrow, but that doesn't stop us from
protecting ourselves against their detrimental effects today.

> It's possible that as a way to 'better loadshare' traffic akamai
> (just to make an example) could start doing this as well.

Actually not.  There is no legitimate purpose for this dns hack.

> So, I think that what we (security folks) want is probably not
> to auto-squish domains in the TLD because of NS's moving about
> at some rate other than 'normal'

Except that there's a lot more to this pattern than simply changing NS
at a rate other than normal, enough that it can be easily identified
for what it is.

--
Roger Marquis
Roble Systems Consulting
http://www.roble.com/