nanog mailing list archives
Re: Interesting new dns failures
From: "Chris L. Morrow" <christopher.morrow () verizonbusiness com>
Date: Mon, 21 May 2007 18:14:39 +0000 (GMT)
On Mon, 21 May 2007, Fergie wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> - -- "Chris L. Morrow" <christopher.morrow () verizonbusiness com> wrote:
>
> > So, I think that what we (security folks) want is probably not to auto-squish domains in the TLD because of NS's moving about at some rate other than 'normal' but to be able to ask for a quick takedown of said domain, yes? I don't think we'll be able to reduce false positive rates low enough to be acceptable with an 'auto-squish' method :(
>
> Hi Chris,
>
> While I agree with you, there are many of us who know that these fast-flux hosts are malicious due to malware & malicious traffic analysis...
Oh, so we switched from 'the domain is bad because..' to 'the hosts using the domain are bad because...' I wasn't assuming some piece of intel at the TLD that told the TLD that 'hostX that was just named NS for domain foo.bar is also compromised'. I was assuming a 'simple' system of 'changing NS's X times in Y period == bad'. I admit that's a mite naive, but given the number, breadth, content, operators of lists of 'bad things' on the internet today I'm not sure I'd rely on them for a global decision making process, especially if I were a TLD operator potentially liable for removal of a domain used to process real business :(
> I completely agree with you, however, on the issue of making assumptions that it will always be malicious -- of course, that will not always be the case. :-)
agreed.
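
Added example, not part of the original message or thread: a sketch of the "changing NS's X times in Y period" rule discussed above, run over constructed observations in which a legitimate provider migration trips the same threshold as a fast-changing domain. All domain names, timestamps, thresholds and the function name `flag_fast_changers` are assumptions made for illustration.

```python
from collections import deque
from datetime import datetime, timedelta

def flag_fast_changers(observations, max_changes, window):
    """Return {domain: time flagged} for domains whose NS set changed
    at least max_changes times within a sliding window (X times in Y)."""
    last_ns, recent, flagged = {}, {}, {}
    for ts, domain, ns_names in sorted(observations, key=lambda o: o[0]):
        ns = frozenset(ns_names)
        prev = last_ns.get(domain)
        last_ns[domain] = ns
        if prev is None or prev == ns:
            continue  # first sighting or unchanged delegation
        q = recent.setdefault(domain, deque())
        q.append(ts)
        while ts - q[0] > window:  # drop changes older than the window
            q.popleft()
        if len(q) >= max_changes and domain not in flagged:
            flagged[domain] = ts
    return flagged

T0 = datetime(2007, 5, 21)  # constructed start time

def obs(hours, domain, *ns):
    return (T0 + timedelta(hours=hours), domain, ns)

# Constructed sample data: (time, domain, NS names seen at the TLD).
SAMPLE = [
    # NS set replaced every hour
    obs(0, "flux.example", "ns1.a.example", "ns2.a.example"),
    obs(1, "flux.example", "ns1.b.example", "ns2.b.example"),
    obs(2, "flux.example", "ns1.c.example", "ns2.c.example"),
    obs(3, "flux.example", "ns1.d.example", "ns2.d.example"),
    # real business migrating DNS providers in stages over one day
    obs(0, "shop.example", "ns1.old.example", "ns2.old.example"),
    obs(6, "shop.example", "ns1.old.example", "ns1.new.example"),
    obs(12, "shop.example", "ns1.new.example", "ns2.new.example"),
    obs(18, "shop.example", "ns1.new.example", "ns2.new.example",
        "ns3.new.example"),
    # delegation that never changes
    obs(0, "static.example", "ns1.s.example"),
    obs(20, "static.example", "ns1.s.example"),
]

if __name__ == "__main__":
    for hours in (24, 6):
        hits = flag_fast_changers(SAMPLE, 3, timedelta(hours=hours))
        print(f"X=3, Y={hours}h ->", sorted(hits))
```

With X=3 and Y=24h both `flux.example` and `shop.example` are flagged; with Y=6h only `flux.example` is, which shows how much the false-positive rate of such a rule depends on the chosen X and Y.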