On Sat, 31 Mar 2007 08:49:27 EDT, alex pilosoft.com said:
> OK, so, do you officially declare the emergency? Should we all block the
> domains listed on http://isc.sans.org/, is that an authoritative site of
> botnet hunters? If so, there are a couple of surprises for you.
> baidu.com listed there is a Chinese equivalent of Google, who'd get very
> upset if its domain name got "revoked". Similarly, alexa.com.
>
> There needs to be due process for these actions. And once we close this
> vector, I'm sure that botnets will simply migrate away from DNS to some
> other protocol.
The real problem is that the bad guys are able to deploy new DNS entries
in timespans on the order of 10s of minutes, and we can't manage anything
resembling due process in that timeframe. (And yes, one could easily
imagine a botnet that switches to an entirely new name for the C&C host
every 10 minutes - the herder just needs a function that's fed a
time-of-day and generates a hash. Run it for 144 values for tomorrow,
register those domains, and distribute the values to your botnet (assuming
10-byte hashes, you'd need all of one 1500-byte packet per day) - or let
the bots do the hash themselves if you trust their clocks to be somewhere
near accurate.)

If you want to be *really* obscure, consider the fact that RFC 3490 IDNs
provide a very good way to hide the fact that it's a hash...
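The time-seeded name generation sketched in the reply above, written out as an added example (this is not code from either poster). It assumes the "function fed a time-of-day" is HMAC-SHA256 keyed with a herder secret and truncated to 10 bytes, that each 10-byte hash is spelled as a 16-character base32 label under a `.example` TLD, and, for the IDN variant, that the 32 base32 symbols are mapped onto 32 Cyrillic letters before RFC 3490 ToASCII; the secret and dates are constructed for the example. It covers all three roles the post mentions: the herder's 144-name list and 1440-byte daily payload, a bot deriving the current name from its own clock, and a defender who has recovered the secret from a sample precomputing tomorrow's names.

```python
"""Time-seeded C&C domain generation (constructed example, not from the thread)."""
import base64
import hashlib
import hmac
from datetime import date, datetime, timedelta, timezone

SLOT_MINUTES = 10                          # a new C&C name every 10 minutes
SLOTS_PER_DAY = 24 * 60 // SLOT_MINUTES    # 144 names per day
DIGEST_BYTES = 10                          # 10-byte hashes, as in the post
B32_ALPHABET = "abcdefghijklmnopqrstuvwxyz234567"


def slot_digest(secret: bytes, slot_start: datetime) -> bytes:
    """Hash of a slot's start time keyed with the herder's secret.
    Assumed construction: HMAC-SHA256 over the UTC time to the minute, truncated."""
    stamp = slot_start.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M").encode()
    return hmac.new(secret, stamp, hashlib.sha256).digest()[:DIGEST_BYTES]


def label_from_digest(digest: bytes) -> str:
    """10 bytes -> exactly 16 base32 characters (no padding), all legal hostname characters."""
    return base64.b32encode(digest).decode().lower()


def idn_label_from_digest(digest: bytes) -> str:
    """The IDN trick from the post: spell the same 16 base32 symbols with Cyrillic
    letters (U+0430..U+044F, 32 of them) and let RFC 3490 ToASCII make an xn-- label,
    so the wire-visible name no longer looks like a base32 hash."""
    cyrillic = "".join(chr(0x430 + B32_ALPHABET.index(c)) for c in label_from_digest(digest))
    return cyrillic.encode("idna").decode("ascii")


def day_slots(day: date) -> list:
    """Start times (UTC) of the 144 ten-minute slots in `day`."""
    start = datetime(day.year, day.month, day.day, tzinfo=timezone.utc)
    return [start + timedelta(minutes=SLOT_MINUTES * i) for i in range(SLOTS_PER_DAY)]


def domains_for_day(secret: bytes, day: date, tld: str = "example") -> list:
    """Herder side: the 144 names to register for `day`, in slot order."""
    return [f"{label_from_digest(slot_digest(secret, s))}.{tld}" for s in day_slots(day)]


def daily_payload(secret: bytes, day: date) -> bytes:
    """What gets pushed to bots whose clocks are not trusted: the raw digests,
    144 * 10 = 1440 bytes, which fits in one 1500-byte packet as the post says."""
    return b"".join(slot_digest(secret, s) for s in day_slots(day))


def current_domain(secret: bytes, now: datetime, tld: str = "example") -> str:
    """Bot side with a trustworthy clock: derive the name for the slot containing `now`
    (an aware datetime)."""
    now = now.astimezone(timezone.utc)
    slot = now.replace(minute=now.minute - now.minute % SLOT_MINUTES, second=0, microsecond=0)
    return f"{label_from_digest(slot_digest(secret, slot))}.{tld}"


def blocklist_for_tomorrow(secret: bytes, today: date, tld: str = "example") -> set:
    """Defender side: with the secret recovered from a bot sample, precompute tomorrow's
    names so they can be blocked or sinkholed before the herder registers them."""
    return set(domains_for_day(secret, today + timedelta(days=1), tld))


if __name__ == "__main__":
    secret = b"constructed-example-secret"   # in practice, pulled out of a bot binary
    today = date(2007, 3, 31)
    names = domains_for_day(secret, today)
    print(len(names), "names for", today, "first:", names[0])
    print("payload bytes:", len(daily_payload(secret, today)))
    print("IDN form of first:", idn_label_from_digest(slot_digest(secret, day_slots(today)[0])))
    print("name right now:", current_domain(secret, datetime(2007, 3, 31, 8, 49, tzinfo=timezone.utc)))
    print("tomorrow's blocklist size:", len(blocklist_for_tomorrow(secret, today)))
```

The defender-side function is the practical point: the "10 minutes per name" problem only defeats due process while the seed is unknown; once the secret and the slotting rule are pulled from a sample, every future name is computable in advance, which is why the post's follow-up about hiding the hash inside an IDN matters to the herder.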