| This 37 message thread spans 2 pages: < < 37 ( 1  ) || |
|Free Dynamic DNS Services Pose Massive Security Threats|
Should broadband customers be blocked from free DNS?
| 6:19 pm on May 5, 2008 (gmt 0)|
The recent rash of botnet [webmasterworld.com] issues has uncovered that the source of power for the latest and most widespread strain of malware is the free DNS servers being used to locate their command centers.
Why this is a problem is because these dynamic DNS services allow anyone to freely create a dynamic domain name such as "any-subdomain.example.com" which can be quickly and easily redirected to any new server when the previous botnet command and control center (C&C) is identified and blocked.
Botnets tend to have lots of infected machines that are idle, just waiting to be put into service, therefore closing one command center only shuts down the bot for a few minutes, perhaps even seconds, until the IP address is changed for "any-subdomain.example.com" to point to the next infected server now being used as the botnet C&C.
Best yet, the latest botnet strains have algorithms that allow them to detect new random subdomain names created so when "botnetsubdomain1.example.com" is removed from the free DNS service a new "botnetsubdomain2.example.com" is created, which the botnet can detect, and continues to run.
The names being used are completely randomized so it's not as simple as looking for something like "botnetsubdomain*.example.com" and blocking all variations as it's fairly undetectable.
Therefore, it seems a simple solution to eliminating this threat posed by free dynamic DNS services is to filter out the free variations of the dynamic domain names so that "any-subdomain.example.com" isn't accessible by anyone from a broadband service which would render the entire current variation of the Kraken botnet completely harmless.
So the question then is should broadband services, or all internet services for that matter, block these free dynamic DNS services in order to protect the safety of the internet as a whole and stop hundreds of thousands of machines from communicating with their command center in one simple step?
I'd say YES, just like ISPs currently use RBS to block spammers and known hosts of malware, that it's a reasonable step toward providing internet-wide security against this latest and the most difficult to stop (to date) brand of botnet before more copycats emerge and the situation is completely out of control.
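The detection side of the proposal above, written out as an added example (this is not code from the thread or from any DNS provider): a resolver-side filter that recognises queries under free dynamic DNS zones, flags a client that cycles through many distinct randomised subdomains in one zone (the rotation behaviour the post describes), and only lists a zone for blocking once several clients have been flagged against it, so a zone with no bots on it never ends up blocked. The log line format, the client addresses and the zone names (`free-ddns.example`, `paid-ddns.example`) are all constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample resolver query log. The line format is an assumption
# loosely modelled on a BIND-style query log; it is not real resolver output.
SAMPLE_LOG = """\
2008-05-05T18:01:02 client 10.0.0.11 query: www.news.example IN A
2008-05-05T18:01:05 client 10.0.0.11 query: qx7hk2.free-ddns.example IN A
2008-05-05T18:01:09 client 10.0.0.11 query: m3pz9a.free-ddns.example IN A
2008-05-05T18:01:14 client 10.0.0.11 query: r8tt0w.free-ddns.example IN A
2008-05-05T18:02:00 client 10.0.0.12 query: myhome.free-ddns.example IN A
2008-05-05T18:02:30 client 10.0.0.13 query: kk12ab.free-ddns.example IN A
2008-05-05T18:02:41 client 10.0.0.13 query: ab98zz.free-ddns.example IN A
2008-05-05T18:02:55 client 10.0.0.13 query: p0o9i8.free-ddns.example IN A
2008-05-05T18:03:10 client 10.0.0.14 query: cam.paid-ddns.example IN A
"""

# Hypothetical dynamic-DNS base zones (placeholders, not real providers).
FREE_DDNS_ZONES = {"free-ddns.example", "paid-ddns.example"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client (?P<client>\S+) query: (?P<qname>\S+) IN (?P<qtype>\S+)$"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def ddns_zone_of(qname, zones=FREE_DDNS_ZONES):
    """Return the dynamic-DNS base zone that qname is a subdomain of, else None.

    Queries for the zone apex itself are not counted: only names registered
    underneath the zone are the ones a bot would rotate through.
    """
    labels = qname.rstrip(".").lower().split(".")
    for i in range(1, len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in zones:
            return suffix
    return None


def analyze(log_text, min_distinct=3):
    """Find clients cycling through distinct names under a dynamic-DNS zone.

    Returns (flagged_clients, zone_reputation):
      flagged_clients: {client: {zone: distinct_name_count}} where the count
                       within this log batch reached min_distinct
      zone_reputation: {zone: number_of_flagged_clients}, the evidence a zone
                       accumulates before it "earns" a place on a blocklist
    """
    seen = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        zone = ddns_zone_of(rec["qname"])
        if zone:
            seen[rec["client"]][zone].add(rec["qname"].lower())

    flagged = {}
    reputation = defaultdict(int)
    for client, per_zone in seen.items():
        for zone, names in per_zone.items():
            if len(names) >= min_distinct:
                flagged.setdefault(client, {})[zone] = len(names)
                reputation[zone] += 1
    return flagged, dict(reputation)


def zones_to_block(zone_reputation, min_flagged_clients=2):
    """Zones with enough flagged clients to justify resolver-level filtering."""
    return sorted(z for z, n in zone_reputation.items() if n >= min_flagged_clients)


if __name__ == "__main__":
    flagged, reputation = analyze(SAMPLE_LOG)
    print("flagged clients:", flagged)
    print("zone reputation:", reputation)
    print("zones to block:", zones_to_block(reputation))
```

In the constructed sample, two clients each resolve three distinct random-looking names under `free-ddns.example`, so that zone is listed, while `paid-ddns.example` (one ordinary query from one client) is not; the thresholds `min_distinct` and `min_flagged_clients` are the knobs an operator would tune against real query volume.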
| 9:04 pm on May 7, 2008 (gmt 0)|
|We require captchas on signup. |
Hi DDNS, welcome to WebmasterWorld and I'm glad to hear that some of the DNS services play hardball!
However, all of the DNS services listed in the botnet code don't require captchas, bet you're surprised?
Some of them are real small players asking for paypal donations so I doubt they have a staff around to stop this kind of abuse.
FWIW, sounds like your service wouldn't be impacted by my suggested way to fight this problem.
| 9:55 pm on May 7, 2008 (gmt 0)|
It does affect us if companies start blacklisting our name servers ... which both paid customers and free ones are using. A few weeks back example.com had entered A records for our NS set, therefore stopping ANY of our paid customers from emailing example.com - because reverse domain checks failed. (domain doesn't exist) We've begun the process of migrating all free ddns to separate name servers because of this, but it's not easy.
You are right, some of the smaller hobbyist ddns providers are abuse prone. They don't last long in the scheme of things.
It all boils down to this; if you chase them down and disallow them from using our service you are just advancing them to the next stage which will be harder to combat. They are already moving to p2p and other stealth methods because of the great job providers like us have been doing. In the end though - is it a good job to make them more technologically advanced? The real pressure has to be on the botmasters themselves, arrest them, prosecute them, and keep that going.
[edited by: phranque at 11:59 pm (utc) on May 7, 2008]
[edit reason] No urls, please. See TOS [webmasterworld.com] [/edit]
| 10:08 pm on May 7, 2008 (gmt 0)|
>> It does affect us if companies start blacklisting our name servers
Correct me if I'm wrong, but I think Bill is suggesting that ddns domains *earn* their way onto the blacklist in the same way that spam email domains do. No bots running on your servers, no spot on the blacklist. That's why he doesn't think you would be affected.
I suspect that the ddns companies that have things locked down would benefit in the long run as the garbage services get forced out.
Unfortunately, as with email blacklists, though, innocent organizations will get hurt. For several years I could not use my university account (that's my employer, not my student account) because it was blacklisted all over. This is a university of 40K students and 20K faculty and staff. However, they deserved it b/c they were running an open relay and eventually, complaints from all us legit users forced them to lock things down - no open relay, TLS, encrypted authentication, etc. In the long run, it's a good thing. But in the short run it was a PITA.
| 11:47 pm on May 7, 2008 (gmt 0)|
welcome to WebmasterWorld [webmasterworld.com], ddns!
thanks for the insight.
| 5:04 am on May 8, 2008 (gmt 0)|
|is it a good job to make them more technologically advanced? |
Of course it is because the botnets and bot stoppers are in a race to see who wins.
Eventually one of the sides will find out they are out of options and can't win and that's when the fun starts.
People said you couldn't stop scrapers too...
| 10:47 am on May 8, 2008 (gmt 0)|
|Eventually one of the sides will find out they are out of options and can't win and that's when the fun starts. |
I think you will find that it is us that are running out of options.
|People said you couldn't stop scrapers too... |
You can't stop scrapers, if you display your site to a browser then it can be scraped. It is similar to this situation in that we can be grateful that they make it so easy to stop and block them. It is only a matter of time before they disappear off the radar totally.
Bill Gates said he would fix spam by 2002 or so and look how that went.
| 4:39 pm on May 8, 2008 (gmt 0)|
|I think you will find that it is us that are running out of options. |
Not true, better machine security, more aggressive AV, and educating people to avoid random IM links or strange emails will slowly close the noose. If they run out of machines to infect it's party over.
|You can't stop scrapers, if you display your site to a browser then it can be scraped. |
That would be incorrect, stop by the Spider forum some day and we'll enlighten you on this topic ;)