Re: Interesting new dns failures

["Chris L. Morrow" <christopher.morrow () verizonbusiness com>]

On Mon, 21 May 2007, Fergie wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> - -- "Chris L. Morrow" <christopher.morrow () verizonbusiness com> wrote:
>
> > So, I think that what we (security folks) want is probably not to
> > auto-squish domains in the TLD because of NS's moving about at some rate
> > other than 'normal' but to be able to ask for a quick takedown of said
> > domain, yes? I don't think we'll be able to reduce false positive rates
> > low enough to be acceptable with an 'auto-squish' method :(
>
> Hi Chris,
>
> While I agree with you, there are many of us who know that these
> fast-flux hosts are malicious due to malware & malicious traffic
> analysis...

Oh, so we switched from 'the domain is bad because..' to 'the hosts using
the domain are bad because...' I wasn't assuming some piece of intel at
the TLD that told the TLD that 'hostX that was just named NS for domain
foo.bar is also compromised'. I was assuming a s'simple' system of
'changing NS's X times in Y period == bad'. I admit that's a might naive,
but given the number, breadth, content, operators of lists of 'bad things'
on the internet today I'm not sure I'd rely on them for a global decision
making process, especially if I were a TLD operator potentially liable for
removal of a domain used to process real business :(

> I completely agree with you, however, on the issue of making
> assumptions that it will always be malicious -- of course, that
> will not always be the case. :-)

agreed.