incrediBILL - 3:34 pm on May 6, 2008 (gmt 0)
Even blogsp... er example.com has an option where you can use your own domain. I even bought the domain in case I need to use it, so feel free to block *.example.com and I'll use the domain already sitting on a server on standby. I'm currently using that domain for other things, but it can be deployed in minutes. However, there's a big difference, as that service is just full of spam; it's not the same as the botnet actually doing the spamming.

I know those uses, didn't say they weren't legit, but you can use a subdomain off your own domain with those same dynamic services. There's no reason why you must use a subdomain off the dynamic DNS service's domain itself, unless you're just cheap, that's all we're talking about. Except it's not as easily scalable and exposes them to an actual registrar.

Besides, did I say this was the end-all-be-all solution? No, this solution just stops the current rash of hundreds of thousands of problem children machines from communicating with each other. Besides, just because someone can get around certain types of security is no reason not to employ that security method. Security is done in layers and you keep piling layers on top of layers, because removing a single layer opens an old vulnerability which will be quickly exploited.

For instance, the dumb botnets probing my site to infect it still use the default Perl user agent "libwww-perl", which is easy to block to stop those attacks. However, a smarter version of the botnet bothers to set the user agent so his Perl script claims it's MSIE "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)", which makes it harder to stop as it appears to be a real browser. Does that mean I stop blocking "libwww-perl" just because it's easily changed? Nope, it's just another security layer.

Fast Flux is exactly what we're discussing here, and the list of DNS servers built into the current code infecting machines is less than 10. I did research this topic before posting ;)
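The layered blocking incrediBILL describes above, as an added example that is not code from the original thread or from any poster: layer one flags requests whose User-Agent contains a known-bad string such as "libwww-perl", and layer two catches the spoofed-UA case by counting request bursts per source address instead of trusting the UA string. The log lines are constructed in Apache combined format, the IP addresses are documentation ranges, and the rate threshold (8 requests in 10 seconds) is an assumed value, not a recommendation from the thread.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in Apache "combined" log format (not real traffic).
# 203.0.113.10 is the "dumb" probe with the default Perl User-Agent;
# 198.51.100.7 is the "smarter" probe that claims to be MSIE 6 but hammers the site;
# 192.0.2.5 is an ordinary browser visit that must not be flagged.
SAMPLE_LOG_LINES = [
    '203.0.113.10 - - [06/May/2008:15:30:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "libwww-perl/5.805"',
    '203.0.113.10 - - [06/May/2008:15:30:02 +0000] "GET /index.php?x=1 HTTP/1.1" 200 512 "-" "libwww-perl/5.805"',
    '192.0.2.5 - - [06/May/2008:15:30:05 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) Firefox/2.0.0.14"',
] + [
    # twelve requests from one address spread over three seconds
    f'198.51.100.7 - - [06/May/2008:15:30:{10 + i // 4:02d} +0000] "GET /page{i}.php HTTP/1.1" 404 210 "-" '
    '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"'
    for i in range(12)
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Layer 1 blocklist: substrings matched case-insensitively against the User-Agent.
UA_BLOCKLIST = ("libwww-perl",)


def parse_line(line):
    """Parse one combined-format log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["time"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return entry


def layer_user_agent(entries):
    """Layer 1: flag every source whose User-Agent contains a blocklisted string."""
    return {e["ip"] for e in entries
            if any(bad in e["ua"].lower() for bad in UA_BLOCKLIST)}


def layer_request_rate(entries, max_requests=8, window_seconds=10):
    """Layer 2: flag sources making more than max_requests inside any window_seconds span.

    This layer does not look at the User-Agent at all, so a probe that spoofs a
    browser UA still gets caught when it behaves like a scanner.
    """
    by_ip = defaultdict(list)
    for e in entries:
        by_ip[e["ip"]].append(e["time"])
    flagged = set()
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            # slide the window start forward until it fits within window_seconds
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 > max_requests:
                flagged.add(ip)
                break
    return flagged


# Each layer is independent; removing one does not weaken the others.
LAYERS = [("user_agent", layer_user_agent), ("request_rate", layer_request_rate)]


def classify(lines):
    """Run every layer over the parsed log and return {ip: [layer names that flagged it]}."""
    entries = [e for e in (parse_line(l) for l in lines) if e]
    verdicts = defaultdict(list)
    for name, check in LAYERS:
        for ip in check(entries):
            verdicts[ip].append(name)
    return {ip: sorted(reasons) for ip, reasons in verdicts.items()}


if __name__ == "__main__":
    for ip, reasons in sorted(classify(SAMPLE_LOG_LINES).items()):
        print(f"{ip}: flagged by {', '.join(reasons)}")
```

Run as-is, the script flags 203.0.113.10 on the User-Agent layer only and 198.51.100.7 on the rate layer only, while the single Firefox visit from 192.0.2.5 passes both. That is the point of keeping the "easily changed" layer: it costs nothing, still removes the unmodified probes, and the next layer is there for whatever slips past it.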
Of course, there are a few legitimate users of the service, but they are merely people who are too cheap to plunk down a few $'s a year for a service now given away free, so no great loss.

I think you over-simplify the beauty of dynamic DNS services. I know of at least a few dozen friends who use it so they can easily VPN into their home network and access desktops remotely. There is nothing stopping the bad guys from getting their own domain name and doing what we know as "fast flux". They even change the DNS servers fast onto the botnet itself.