The non-profit group that oversees the internet's address system is seeking the public's help in deciding what to do about the growing use of a technology known as fast flux, which is used by cybercriminals to thwart take-down efforts, but which can also be used for legitimate purposes. The Internet Corporation for …
If they do this
Then the botnets will simply use the minimum TTL. Even if they do take down the master channel, the botnet could be designed not to need things like DNS to work - that way, the controller just needs to get back up and the net just processes the orders it had and fails to grow for a while. Since in all odds they can bring new masters up very quickly, I doubt the problem would be very big for botnet operators.
All the dynamic DNS sites and systems that rely on a short TTL.
I use dyndns to access my server at home. My old aluminium pair is a little unreliable despite being less than 3km from the exchange, so daily disconnects and new IP assignment are a common occurrence. Without dyndns support provided by my router, I wouldn't be able to find where my server had ended up!
Criminal is it?
We have this problem with knives and guns. Lots of people use them to carry out useful and necessary work, they've become part of normal life all over the world. However, there is a significant use of knives and guns by criminals which causes great inconvenience, if not trauma and grief, to ordinary law abiding people.
The weapons expert user groups are trying to figure out ways to modify knives and guns so that criminals can't use them, but they can't agree among themselves, so nothing happens. The police aren't interested because they are happy with the use of clubs, spears and stones and always have been. Besides, those weapons experts are a bunch of wacky geeks and nobody can understand what they say most of the time. Some police forces have started using knives but they need lots of special training and are not seen as 'core activity'.
It's an intractable problem and will probably be with us for many years.
Why don't we?
Make running a botnet illegal!
Maybe in a different way
Maybe instead we can just "ask nicely" ISPs to check the traffic and disconnect all users with infected systems. No heuristics or anything like that - just well proven malware patterns. It doesn't need to be very fast in response - just extremely accurate to eliminate risk of false positives.
Protocol needed for criminal domain seizure
If botnet herders can hide their zombie control channels using a constant domain name and dynamic addresses, then instead of criminalising dynamic DNS users, what is needed is a workable protocol for identifying, confirming, suspending and seizing domain names used for criminal purposes. If all but a few small domain registries agree to follow the protocol then if the criminals can't be traced through the registrar, at least they can have the domain seized from them and the holdout registrars' names can be blacklisted as aiders and abetters.
Better still to prevent domain registration without proof of ID, but this one will vary between different jurisdictions.
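The thread's tension between fast flux (one domain, constantly rotating addresses) and legitimate dynamic DNS (one home server whose single address changes daily, also on a short TTL) can be made concrete from the resolver's side. The following is an added illustration, not code from the commenters or from ICANN; the domains and addresses are constructed documentation-range samples, the /16 prefix count is a crude stand-in for network spread, and the thresholds are assumptions a defender would tune to local data.

```python
from collections import defaultdict
from ipaddress import ip_address

# Constructed resolver log entries: (domain, ttl_seconds, addresses in the answer). Not real data.
OBSERVATIONS = [
    # Home server on dynamic DNS: short TTL, one address per answer, changes about once a day.
    ("home.example.net", 60, ["203.0.113.17"]),
    ("home.example.net", 60, ["203.0.113.17"]),
    ("home.example.net", 60, ["203.0.113.42"]),
    ("home.example.net", 60, ["203.0.113.9"]),
    # Fast-flux style: the same short TTL, but every answer carries fresh addresses spread across networks.
    ("flux.example.org", 60, ["192.0.2.10", "198.51.100.77", "203.0.113.200"]),
    ("flux.example.org", 60, ["192.0.2.55", "198.51.100.3", "203.0.113.131"]),
    ("flux.example.org", 60, ["192.0.2.88", "198.51.100.140", "203.0.113.60"]),
    ("flux.example.org", 60, ["192.0.2.121", "198.51.100.201", "203.0.113.5"]),
]


def profile(observations):
    """Per-domain counters: distinct IPs, distinct /16 prefixes (proxy for network spread), mean TTL, mean answer size."""
    acc = defaultdict(lambda: {"ips": set(), "prefixes": set(), "ttls": [], "sizes": []})
    for domain, ttl, ips in observations:
        d = acc[domain]
        d["ttls"].append(ttl)
        d["sizes"].append(len(ips))
        for ip in ips:
            ip_address(ip)  # reject malformed entries early
            d["ips"].add(ip)
            d["prefixes"].add(ip.rsplit(".", 2)[0])  # "a.b" of a.b.c.d
    return {
        dom: {
            "distinct_ips": len(v["ips"]),
            "prefixes": len(v["prefixes"]),
            "mean_ttl": sum(v["ttls"]) / len(v["ttls"]),
            "mean_answer": sum(v["sizes"]) / len(v["sizes"]),
        }
        for dom, v in acc.items()
    }


def looks_fast_flux(p, min_ips=8, min_prefixes=3, max_ttl=300):
    """A short TTL alone proves nothing (dyndns hosts use it too); require address churn AND network spread."""
    return p["mean_ttl"] <= max_ttl and p["distinct_ips"] >= min_ips and p["prefixes"] >= min_prefixes


def classify(observations):
    """Label each domain in the log as a fast-flux candidate or an ordinary dynamic host."""
    return {dom: ("fast-flux candidate" if looks_fast_flux(p) else "dynamic host")
            for dom, p in profile(observations).items()}
```

Note that the home server would be flagged by a TTL-only rule, which is exactly the false positive the dyndns users in this thread worry about; the churn and spread counters are what separate the two cases.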
Plant a Seed and watch IT Grow with AIMind 42 Grow and WalkTall and True with Y'All..
" Why don't we? Make running a botnet illegal!
Oh..wait." ...... By Anonymous Coward Posted Wednesday 28th January 2009 11:28 GMT
Does that free the botnet to do as IT will, AC? ....... with Internal AIdDrivers Commending Direction and Facilitating Means and Miens and Memes ....... Virtual Machinery InfraStructure for AI Beta Virtual Governance Model.
Irregular Unconventional SoftWareFare with Special Force Algorithms. Known Unknowns to Battle Hardened Heroes and the Imperfectly Vetted and Vetoed.
re: Protocol needed for criminal domain seizure
"Better still to prevent domain registration without proof of ID, but this one will vary between different jurisdictions."
And exactly what "proof of ID" would you like? Credit card number? Company letterhead? A telephone number for the registrar to call? The notion of identity is virtually meaningless on the Internet. There is no way to confirm identity.
I also don't like the idea of forcing ISPs to police their customers, acting as complaint department, investigator, and judge.
Simply put, we need to stop thinking reactively and start thinking proactively. We need to devise education and software to prevent systems from getting infected, not how to block the control channel once a system is already infected.
"Browser Redirect" User Consent Panel: YES!
@ Chris C Posted Wednesday 28th January 2009 17:28 GMT
Amid all the ICANN-dependent approaches thus far hoisted, this *local* approach sure does look as though it'd be the fastest and simplest to implement. In fact, I am sore tempted to build me up a dedicated compiler box on sheer exuberant impulse, just to have a go at, say, Galeon's source to that end. Konqueror too, for that matter.
But alas, I am already pre-overbooked by two years' worth of pending promises already. Ah, but I LIKE that approach very much indeed!
Any takers in position to give it a whirl over the next few weeks? You cut the patch code, .deb and .rpm it and all; I'll very gladly do the wee update to the docko. (That's all I am really much good at in this field, but gee, I'd LOVE to take part on that.)
Anyone from Team KDE in the house today?
Indeed, that last. Paging Mister Ballmer; is there a Mister Ballmer in the house?
I'm the general manager of public participation of ICANN and I just want to provide some quick URLs so people can comment directly on the issue if they want.
The report is here: http://gnso.icann.org/issues/fast-flux-hosting/gnso-issues-report-fast-flux-25mar08.pdf
The public comment page is here:
You can see all the comments here:
And you can email in a comment here:
@Chris C, @Walking Turtle
You could consider forwarding that suggestion to the guy who does noscript. I don't know enough to judge the sensible-ness of it.
Just a thought.