North American Network Operators Group
Re: netsky issue.
Jamie Reid writes:

> If you have a look at
> http://vil.nai.com/vil/content/v_101083.htm
> There is a list of IP addresses that are nameservers which are
> hard-coded into the worm. It spreads by e-mail (currently) and thus
> it can be blocked using anti-virus filters.
>
> My concern is that these addrs are all for nameservers, which could
> be authoritative for other domains, and by blocking these servers
> any domains they host could be effectively put out of commission.

I think that (most of) the IP addresses in the list belong to *recursive* DNS servers of larger Internet access providers. There certainly are quite a few requests from these to authoritative name servers in our network. So if you have authoritative name servers in your network, blocking the IP addresses will result in some denial of service.

The operators of these servers could probably do a useful thing or the other here: they could try to trace suspicious queries to help locate infected machines, and/or limit access to these name servers to only their customer address ranges. The latter may be operationally difficult depending on whether these name servers are also authoritative (perhaps a good argument for separating recursive and authoritative name servers) and how easy it is to map the "legitimate user of recursive name service" predicate to a range of IP addresses.

> I am not aware of an easy way to find out all the domains registered
> to a particular nameserver, and the trend of blocking addrs that
> appear in worm code is starting to concern me a bit.

Rightly so.

> It is not indicated how blocking these servers will have an
> appreciable effect on the worm propagation (unless it gets a second
> stage from them), and I wonder if anyone else has similar concerns,
> or an opinion on whether these IP addresses should actually be
> blocked.

I'd recommend against it, due to collateral damage and more general end-to-end arguments.
--
Simon Leinen  firstname.lastname@example.org
SWITCH  http://www.switch.ch/misc/leinen/

Computers hate being anthropomorphized.
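As an added illustration of the remedy the reply sketches (restricting recursive service to customer ranges while keeping authoritative zones reachable, and logging queries so misuse can be traced), here is a BIND 9 named.conf fragment. It is not from the original message or from SWITCH; the ACL prefixes, log path and zone name are placeholders, and the two `options` blocks are alternatives to compare, not to be loaded together.

```conf
# Added example, not from the original post. Prefixes, paths and the zone
# name are placeholders; none of the addresses come from the worm's list.
# named.conf accepts only one options block: pick alternative B, not both.

# --- Alternative A (weak): open recursive server. Any host on the Internet,
# including infected machines with this server hard-coded, can use it as a
# resolver. If third parties then block its address, the authoritative
# zones it also serves become unreachable from those networks.
options {
    recursion yes;
    allow-query { any; };
};

# --- Alternative B (corrected): the "legitimate user of recursive name
# service" predicate expressed as an address-based ACL.
acl customers {
    192.0.2.0/24;        # placeholder customer prefix (TEST-NET-1)
    198.51.100.0/24;     # placeholder customer prefix (TEST-NET-2)
    localnets;
    localhost;
};

options {
    recursion yes;
    allow-recursion   { customers; };   # only customers may recurse
    allow-query-cache { customers; };   # only customers may read the cache
    allow-query       { any; };         # authoritative data for anyone
};

# Query logging: queries that are refused because the client is outside
# the ACL still show the source address, which helps locate the hosts
# that are treating this server as a resolver without being entitled to.
logging {
    channel querylog {
        file "/var/log/named/query.log" versions 3 size 20m;
        severity info;
        print-time yes;
    };
    category queries { querylog; };
};

# Authoritative zone that must keep answering regardless of the ACL.
zone "example.net" {
    type master;
    file "/etc/bind/db.example.net";
};
```

With alternative B, a recursive query from outside `customers` for a name the server is not authoritative for is refused rather than answered, so the hard-coded address stops being useful to an infected host without anyone having to block it upstream. The cleaner arrangement the reply alludes to is still to run recursion on different addresses from the authoritative service, so that the recursive ACL can be tightened or the recursive address filtered without touching the zones.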