ICANN freezes over fast flux fury

The non-profit group that oversees the internet's address system is seeking the public's help in deciding what to do about the growing use of a technology known as fast flux, which is used by cybercriminals to thwart take-down efforts, but which can also be used for legitimate purposes as well. The Internet Corporation for …

COMMENTS

This topic is closed for new posts.
  1. BioTube

    If they do this

    Then the botnets will simply use the minimum TTL. Even if they do take down the master channel, the botnet could be designed not to need things like DNS to work - that way, the controller just needs to get back up and the net just processes the orders it had and fails to grow for a while. Since in all odds they can bring new masters up very quickly, I doubt the problem would be very big for botnet operators.

  2. Steve Evans

    Don't forget...

    All the dynamic DNS sites and systems that rely on a short TTL.

    I use dyndns to access my server at home. My old aluminium pair is a little unreliable despite being less than 3km from the exchange, so daily disconnects and new IP assignment are a common occurrence. Without dyndns support provided by my router, I wouldn't be able to find where my server had ended up!
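An added example, not from the article or any commenter, illustrating the point BioTube and Steve Evans make above: a detector keyed on short TTL alone flags a dyndns-style home server as readily as a flux network, while combining TTL with the number of distinct addresses and origin networks a name resolves to over time separates the two. The passive-DNS records, ASNs and thresholds below are constructed for illustration.

```python
from collections import defaultdict

# Constructed passive-DNS records: (name, ttl_seconds, answer_ip, origin_asn).
# Values are invented for illustration; ASNs are from the private range.
OBSERVATIONS = [
    # dyndns-style home server: short TTL, one address at a time, one ISP network
    ("home.dyndns.example", 60, "203.0.113.10", 64500),
    ("home.dyndns.example", 60, "203.0.113.11", 64500),
    ("home.dyndns.example", 60, "203.0.113.9", 64500),
    # flux-style name: short TTL, many answers spread across many networks
    ("cc.botnet.example", 300, "198.51.100.1", 64501),
    ("cc.botnet.example", 300, "198.51.100.2", 64501),
    ("cc.botnet.example", 300, "192.0.2.77", 64502),
    ("cc.botnet.example", 300, "192.0.2.78", 64503),
    ("cc.botnet.example", 300, "203.0.113.200", 64504),
    ("cc.botnet.example", 300, "198.51.100.99", 64505),
    # ordinary static site: long TTL, single address
    ("www.static.example", 86400, "192.0.2.5", 64506),
]

SHORT_TTL = 600  # hypothetical "short TTL" threshold, in seconds
MIN_IPS = 5      # hypothetical minimum distinct addresses seen for a name
MIN_ASNS = 3     # hypothetical minimum distinct origin networks seen


def profile(observations):
    """Collapse individual records into one profile per queried name."""
    prof = defaultdict(lambda: {"min_ttl": None, "ips": set(), "asns": set()})
    for name, ttl, ip, asn in observations:
        p = prof[name]
        p["min_ttl"] = ttl if p["min_ttl"] is None else min(p["min_ttl"], ttl)
        p["ips"].add(ip)
        p["asns"].add(asn)
    return dict(prof)


def flag_by_ttl_only(observations):
    """Naive rule: short TTL alone. Flags the dyndns home server too."""
    return sorted(n for n, p in profile(observations).items()
                  if p["min_ttl"] <= SHORT_TTL)


def flag_fast_flux(observations):
    """Combined rule: short TTL AND many addresses AND many networks."""
    return sorted(n for n, p in profile(observations).items()
                  if p["min_ttl"] <= SHORT_TTL
                  and len(p["ips"]) >= MIN_IPS
                  and len(p["asns"]) >= MIN_ASNS)


if __name__ == "__main__":
    print("TTL-only rule flags:", flag_by_ttl_only(OBSERVATIONS))
    print("combined rule flags:", flag_fast_flux(OBSERVATIONS))
```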

  3. Frank

    Criminal is it?

    We have this problem with knives and guns. Lots of people use them to carry out useful and necessary work; they've become part of normal life all over the world. However, there is a significant use of knives and guns by criminals which causes great inconvenience, if not trauma and grief, to ordinary law-abiding people.

    The weapons expert user groups are trying to figure out ways to modify knives and guns so that criminals can't use them, but they can't agree among themselves, so nothing happens. The police aren't interested because they are happy with the use of clubs, spears and stones and always have been. Besides, those weapons experts are a bunch of wacky geeks and nobody can understand what they say most of the time. Some police forces have started using knives but they need lots of special training and are not seen as 'core activity'.

    It's an intractable problem and will probably be with us for many years.

  4. Anonymous Coward

    Why don't we?

    Make running a botnet illegal!

    Oh..wait.

  5. Anonymous Coward

    Maybe in a different way

    Maybe instead we can just "ask nicely" ISPs to check the traffic and disconnect all users with infected systems. No heuristics or anything like that - just well proven malware patterns. It doesn't need to be very fast in response - just extremely accurate to eliminate risk of false positives.

  6. Richard Kay

    Protocol needed for criminal domain seizure

    If botnet herders can hide their zombie control channels using a constant domain name and dynamic addresses, then instead of criminalising dynamic DNS users, what is needed is a workable protocol for identifying, confirming, suspending and seizing domain names used for criminal purposes. If all but a few small domain registries agree to follow the protocol, then even if the criminals can't be traced through the registrar, at least they can have the domain seized from them, and the holdout registrars' names can be blacklisted as aiders and abettors.

    Better still to prevent domain registration without proof of ID, but this one will vary between different jurisdictions.

  7. amanfromMars Silver badge

    Plant a Seed and watch IT Grow with AIMind 42 Grow and WalkTall and True with Y'All..

    " Why don't we? Make running a botnet illegal!

    Oh..wait." ...... By Anonymous Coward Posted Wednesday 28th January 2009 11:28 GMT

    Does that free the botnet to do as IT will, AC? ....... with Internal AIdDrivers Commending Direction and Facilitating Means and Miens and Memes ....... Virtual Machinery InfraStructure for AI Beta Virtual Governance Model.

    Irregular Unconventional SoftWareFare with Special Force Algorithms. Known Unknowns to Battle Hardened Heroes and the Imperfectly Vetted and Vetoed.

  8. Chris C

    re: Protocol needed for criminal domain seizure

    "Better still to prevent domain registration without proof of ID, but this one will vary between different jurisdictions."

    And exactly what "proof of ID" would you like? Credit card number? Company letterhead? A telephone number for the registrar to call? The notion of identity is virtually meaningless on the Internet. There is no way to confirm identity.

    I also don't like the idea of forcing ISPs to police their customers, acting as complaint department, investigator, and judge.

    What we need is education. We need to educate users about what is and is not acceptable behavior (as in "If a popup box you don't recognize says you're infected with xyz, don't 'click here to scan' and don't click to 'buy now'."), how to detect (and where possible without outside help, clean) infections, and how to avoid getting infected in the first place. We also need better software. We need software that isn't riddled with holes. We need built-in (not add-on) user-customizable filtering in our browsers so users can block specific sites (and IP addresses) and PCRE patterns. DansGuardian is great for this on a network level, but browsers should have built-in ability to filter requests based on the URL. Lastly, we need browsers to become smart enough to not endlessly redirect us to random sites simply because a host uses a 3xx redirect, meta refresh, or Javascript location change, at least not without explicit consent. Changing to another page in the same site/domain is one thing, but redirecting from safe-site.local to i-am-going-to-infect-you.com is another. A change in this behavior alone would eliminate probably at least 90% of the infections.

    Simply put, we need to stop thinking reactively and start thinking proactively. We need to devise education and software to prevent systems from getting infected, not how to block the control channel once a system is already infected.

  9. Walking Turtle

    "Browser Redirect" User Consent Panel: YES!

    @ Chris C Posted Wednesday 28th January 2009 17:28 GMT

    "Lastly, we need browsers to become smart enough to not endlessly redirect us to random sites simply because a host uses a 3xx redirect, meta refresh, or Javascript location change, at least not without explicit consent. Changing to another page in the same site/domain is one thing, but redirecting from safe-site.local to i-am-going-to-infect-you.com is another. A change in this behavior alone would eliminate probably at least 90% of the infections."

    Amid all the ICANN-dependent approaches thus far hoisted, this *local* approach sure does look as though it'd be the fastest and simplest to implement. In fact, I am sore tempted to build me up a dedicated compiler box on sheer exuberant impulse, just to have a go at, say, Galeon's source to that end. Konqueror too, for that matter.

    But alas, I am already pre-overbooked by two years' worth of pending promises already. Ah, but I LIKE that approach very much indeed!

    Any takers in position to give it a whirl over the next few weeks? You cut the patch code, .deb and .rpm it and all; I'll very gladly do the wee update to the docko. (That's all I am really much good at in this field, but gee, I'd LOVE to take part on that.)

    Anyone from Team KDE in the house today?

  10. Walking Turtle

    Erm...

    Indeed, that last. Paging Mister Ballmer; is there a Mister Ballmer in the house?

    Gah. ;)

  11. Kieren McCarthy

    I'm the general manager of public participation of ICANN and I just want to provide some quick URLs so people can comment directly on the issue if they want.

    The report is here: http://gnso.icann.org/issues/fast-flux-hosting/gnso-issues-report-fast-flux-25mar08.pdf

    The public comment page is here:

    http://www.icann.org/en/public-comment/#ff-initial

    You can see all the comments here:

    http://forum.icann.org/lists/fast-flux-initial-report/

    And you can email in a comment here:

    fast-flux-initial-report@icann.org

    Kieren

  12. Anonymous Coward

    @Chris C, @Walking Turtle

    You could consider forwarding that suggestion to the guy who does noscript. I don't know enough to judge the sensible-ness of it.

    Just a thought.
