[anti-abuse-wg] New Abuse Information on RIPE NCC Website
Suresh Ramasubramanian
ops.lists at gmail.com
Thu Jun 27 17:21:41 CEST 2013
Usually one domain..? More often than not, a domain generation algorithm
with lots more than just one.

Beyond that, please do some more research.

On Thursday, June 27, 2013, Frank Gadegast wrote:

> Suresh Ramasubramanian wrote:
>
>> On Thursday, June 27, 2013, Frank Gadegast wrote:
>>
>> Any nameserver has to be registered with the registry of the domain
>> (is there another way DNS works, I don't know?)
>>
>> So: you can always find the server running the nameserver for that
>> domain.
>> Take this server down.
>>
>>
>> for fastflux, take it down and there's a fresh ns real soon. then what?
>>
>
> The botnet has usually one domain wired into the bot.
> This domain "a" is running on a nameserver.
> The bot is asking the nameserver (which isn't changed by the botnet owner)
> for a second domain "b" (which might not be registered at all, but
> configured) running fastflux for the IP of its control
> servers.
>
> But: you can find the domain "a" by reverse engineering the bot.
> Find the nameservers for "a" and you're done.
>
> And if the bot is doing only single fastflux, the botnet owner
> HAS to update the domain at the registry, makes it even
> easier. Take the first nameservers down, wait for the update
> at the registry, take the next two nameservers down and so on
> until there is none left.
> Complaining about Registries isn't the right start, even if it
> would make things easy. Domains could change, even complaining about
> the nameservers on hacked servers isn't the right start (probably
> because they are hosted in countries where you have no chance
> to find a legal argument to take them down).
>
> I would even argue that not only the domain name cannot harm
> anybody, the nameservers aren't doing that either.
> A nameservice itself isn't something illegal even if it resolves
> IPs for a botnet (except it resides on a hacked and misused
> server and if that is illegal in the country where it resides).
> They are both only part of a system.
>
> The harmful parts are the bots and the intruded and misused
> servers, if you delete the domain name, they are all
> still floating about and will be soon part of the next botnet ...
>
>
> I personally would start at the other end and force Microsoft
> legally to only have PCs connected to the Internet that
> have an AntiVirus solution installed and running ...
>
> But then you have the antitrust agencies arguing
> that Microsoft is not allowed to install an antivirus
> solution because it wouldn't be that nice to their
> competitors ...
>
> And surely have laws in all countries to forbid
> to run servers delivering malware and force the ISPs
> to remove them after knowledge ...
>
>
> Kind regards, Frank
>
>
>> Let's say somebody's name is "John Doo". The name itself cannot
>> harm anybody, the person "named" John Doo can.
>>
>>
>> headdesk.
>>
>>
>>
>> --
>> --srs (iPad)
>>
>
>

--
--srs (iPad)