nanog mailing list archives

Re: netsky issue.


From: Simon Leinen <simon () limmat switch ch>
Date: Tue, 09 Mar 2004 18:59:39 +0100


Jamie Reid writes:
> If you have a look at
>
> http://vil.nai.com/vil/content/v_101083.htm
>
> There is a list of IP addresses that are nameservers which are
> hard-coded into the worm. It spreads by e-mail (currently) and thus
> it can be blocked using anti-virus filters.
>
> My concern is that these addrs are all for nameservers, which could
> be authoritative for other domains, and by blocking these servers
> any domains they host could be effectively put out of commission.

I think that (most of) the IP addresses in the list belong to
*recursive* DNS servers of larger Internet access providers.  There
certainly are quite a few requests from these to authoritative name
servers in our network.  So if you have authoritative name servers in
your network, blocking the IP addresses will result in some denial of
service.

The operators of these servers could probably do a useful thing or the
other here: they could try to trace suspicious queries to help locate
infected machines, and/or limit access to these name servers to only
their customer address ranges.

The latter may be operationally difficult depending on whether these
name servers are also authoritative (perhaps a good argument for
separating recursive and authoritative name servers) and how easy it
is to map the "legitimate user of recursive name service" predicate to
a range of IP addresses.
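As an added illustration of the second option (not part of the original message or of any product named in it), here is a BIND 9 named.conf fragment showing an open recursive resolver beside one that serves recursion only to a customer address range while still answering authoritatively for a hosted zone. The ACL name `customers`, the prefixes 192.0.2.0/24 and 198.51.100.0/24, and the zone `example.net` are constructed placeholders; the `recursion`, `allow-recursion`, `allow-query-cache` and `acl` statements are standard BIND 9 syntax.

```conf
// --- Weak setting: recursion open to the whole Internet ---
// Any host, including a worm instance elsewhere, can use this
// server as a recursive resolver, so its address is worth
// hard-coding into malware and tempting to block at the edge.
options {
    recursion yes;
    allow-recursion { any; };
};

// --- Corrected setting: recursion limited to customer ranges ---
// Placeholder prefixes; replace with the ranges that actually
// represent "legitimate users of recursive name service".
acl customers {
    192.0.2.0/24;
    198.51.100.0/24;
    localhost;
};

options {
    recursion yes;
    // Only customers may ask this server to resolve arbitrary names.
    allow-recursion { customers; };
    // Cached answers are also only handed to customers, so outsiders
    // learn nothing from the cache either.
    allow-query-cache { customers; };
    // Everyone may still query, which matters for the authoritative
    // zone below; non-customers simply get no recursion.
    allow-query { any; };
};

// Authoritative data stays reachable from the whole Internet.
// (Placeholder zone; on a separate box in the ideal "split" setup.)
zone "example.net" {
    type master;
    file "example.net.zone";
};
```

With the second configuration, a query from outside the customer ranges for a name the server is not authoritative for is answered with a REFUSED response (or, for an in-cache name, no cached data is returned), so the server stops being useful as a general-purpose resolver to anyone on the Internet while the hosted zones keep working. Running the authoritative zones on a different host removes the remaining tension between "answer everyone" and "resolve for customers only".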

> I am not aware of an easy way to find out all the domains registered
> to a particular nameserver, and the trend of blocking addrs that
> appear in worm code is starting to concern me a bit.

Rightly so.

> It is not indicated how blocking these servers will have an
> appreciable effect on the worm propagation (unless it gets a second
> stage from them), and I wonder if anyone else has similar concerns,
> or an opinion on whether these IP addresses should actually be
> blocked.

I'd recommend against it, due to collateral damage and more general
end-to-end arguments.
-- 
Simon Leinen                                   simon () babar switch ch
SWITCH                             http://www.switch.ch/misc/leinen/

               Computers hate being anthropomorphized.