This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/anti-abuse-wg@ripe.net/
[anti-abuse-wg] New Abuse Information on RIPE NCC Website
Suresh Ramasubramanian
ops.lists at gmail.com
Thu Jun 27 17:21:41 CEST 2013
Usually one domain..? More often than not, a domain generation algorithm
with lots more than just one.

Beyond that, please do some more research.

On Thursday, June 27, 2013, Frank Gadegast wrote:

> Suresh Ramasubramanian wrote:
>
>> On Thursday, June 27, 2013, Frank Gadegast wrote:
>>
>> Any nameserver has to be registered with the registry of the domain
>> (is there another way DNS works, I don't know?)
>>
>> So: you can always find the server running the nameserver for that
>> domain.
>> Take this server down.
>>
>>
>> for fastflux, take it down and there's a fresh ns real soon. then what?
>>
>
> The botnet has usually one domain wired into the bot.
> This domain "a" is running on a nameserver.
> The bot is asking the nameserver (which isn't changed by the botnet owner)
> for a second domain "b" (which might not be registered at all, but
> configured) running fastflux for the IP of its control
> servers.
>
> But: you can find the domain "a" by reverse engineering the bot.
> Find the nameservers for "a" and you're done.
>
> And if the bot is doing only single fastflux, the botnet owner
> HAS to update the domain at the registry, makes it even
> easier. Take the first nameservers down, wait for the update
> at the registry, take the next two nameservers down and so on
> until there is none left.
> Complaining about Registries isn't the right start, even if it
> would make things easy. Domains could change, even complaining about
> the nameservers on hacked servers isn't the right start (probably
> because they are hosted in countries where you have no chance
> to find a legal argument to take them down).
>
> I would even argue that not only the domain name cannot harm
> anybody, the nameservers aren't doing that too.
> A nameservice itself isn't something illegal even if it resolves
> IPs for a botnet (except it resides on a hacked and misused
> server and if that is illegal in the country where it resides).
> They are both only part of a system.
>
> The harmful parts are the bots and the intruded and misused
> servers, if you delete the domain name, they are all
> still floating about and will be soon part of the next botnet ...
>
>
> I personally would start at the other end and force Microsoft
> legally to only have PCs connected to the Internet that
> have an AntiVirus solution installed and running ...
>
> But then you have the antitrust agencies arguing
> that Microsoft is not allowed to install an antivirus
> solution because it wouldn't be that nice to their
> competitors ...
>
> And surely have laws in all countries to forbid
> to run servers delivering malware and force the ISPs
> to remove them after knowledge ...
>
>
> Kind regards, Frank
>
>
>> Let's say somebody's name is "John Doo". The name itself cannot
>> harm anybody, the person "named" John Doo can.
>>
>>
>> headdesk.
>>
>>
>>
>> --
>> --srs (iPad)
>>
>
>
>

--
--srs (iPad)
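
The objection in the message above is that with fast flux a fresh nameserver appears soon after one is taken down. As an added example (not part of the original message), this Python sketch separates single flux (only A records rotate) from double flux (NS records rotate too) in passive-DNS data; the sample rows, domain names and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Thresholds are assumptions for this sketch, not values from the thread.
MAX_TTL = 300       # flux record sets are served with short TTLs
MIN_DISTINCT = 4    # distinct short-TTL values seen in the observation window

# Constructed passive-DNS rows: (domain, rtype, value, ttl_seconds).
# Names and addresses use reserved documentation ranges, not real indicators.
ROWS = [
    ("shop.example", "NS", "ns1.shop.example", 86400),
    ("shop.example", "A", "192.0.2.10", 3600),
]
# Single flux: A records rotate, the NS set stays put.
ROWS += [("single.example", "A", f"198.51.100.{i + 1}", 120) for i in range(6)]
ROWS += [("single.example", "NS", "ns1.single.example", 86400)]
# Double flux: the NS set rotates as well, so removing one nameserver
# only removes one member of a changing set.
ROWS += [("double.example", "A", f"203.0.113.{i + 1}", 120) for i in range(6)]
ROWS += [("double.example", "NS", f"ns{i}.double.example", 180) for i in range(6)]

LABELS = {
    (False, False): "stable",
    (True, False): "single-flux",
    (True, True): "double-flux",
    (False, True): "ns-churn-only",
}


def churns(records):
    """True when a record set shows many distinct short-TTL values."""
    short = {value for value, ttl in records if ttl <= MAX_TTL}
    return len(short) >= MIN_DISTINCT


def classify(rows):
    """Map each observed domain to a flux label based on A and NS churn."""
    seen = defaultdict(lambda: defaultdict(set))
    for domain, rtype, value, ttl in rows:
        seen[domain][rtype].add((value, ttl))
    return {
        domain: LABELS[(churns(by_type["A"]), churns(by_type["NS"]))]
        for domain, by_type in seen.items()
    }


if __name__ == "__main__":
    for domain, verdict in sorted(classify(ROWS).items()):
        print(f"{domain:16} {verdict}")
```
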