Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

netsky issue.

  • From: Jamie Reid
  • Date: Mon Mar 08 21:16:25 2004

If you have a look at 

http://vil.nai.com/vil/content/v_101083.htm 

There is a list of IP addresses that are nameservers which 
are hard-coded into the worm. It spreads by e-mail (currently)
and thus it can be blocked using anti-virus filters. 

My concern is that these addrs are all for nameservers, which could 
be authoritative for other domains, and by blocking these servers
any domains they host could be effectively put out of commission. 

I am not aware of an easy way to find out all the domains registered
to a particular nameserver, and the trend of blocking addrs that appear
in worm code is starting to concern me a bit. 

It is not indicated how blocking these servers will have an appreciable
effect on the worm propagation (unless it gets a second stage from them), 
and I wonder if anyone else has similar concerns, or an opinion on whether
these IP addresses should actually be blocked. 

Regards, 

-j


--
Jamie.Reid, CISSP, jamie.reid@mbs.gov.on.ca
Senior Security Specialist, Information Protection Centre 
Corporate Security, MBS  
416 327 2324 
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=windows-1252">
<META content="MSHTML 6.00.2800.1400" name=GENERATOR></HEAD>
<BODY style="MARGIN-TOP: 2px; FONT: 8pt Tahoma; MARGIN-LEFT: 2px">
<DIV><FONT size=2></FONT>&nbsp;</DIV>
<DIV><FONT size=2>If you have a look at </FONT></DIV>
<DIV><FONT size=2></FONT>&nbsp;</DIV>
<DIV><A href="http://vil.nai.com/vil/content/v_101083.htm";><FONT 
size=2>http://vil.nai.com/vil/content/v_101083.htm</FONT></A><FONT 
size=2>&nbsp;</FONT></DIV>
<DIV><FONT size=2></FONT>&nbsp;</DIV>
<DIV><FONT size=2>There is a list of IP addresses that are nameservers which 
</FONT></DIV>
<DIV><FONT size=2>are hard-coded into the worm. It spreads by e-mail 
(currently)</FONT></DIV>
<DIV><FONT size=2>and thus it can be blocked using anti-virus filters. 
</FONT></DIV>
<DIV><FONT size=2></FONT>&nbsp;</DIV>
<DIV><FONT size=2>My concern is that these addrs are all for nameservers, which 
could </FONT></DIV>
<DIV><FONT size=2>be authoritative for other domains, and by blocking these 
servers</FONT></DIV>
<DIV><FONT size=2>any domains they host could be effectively put out of 
commission. </FONT></DIV>
<DIV><FONT size=2></FONT>&nbsp;</DIV>
<DIV><FONT size=2>I am not aware of an easy way to find out all the domains 
registered</FONT></DIV>
<DIV><FONT size=2>to a particular nameserver, and the trend of blocking addrs 
that appear</FONT></DIV>
<DIV><FONT size=2>in worm code is starting to concern&nbsp;me a bit. 
</FONT></DIV>
<DIV><FONT size=2></FONT>&nbsp;</DIV>
<DIV><FONT size=2>It is not indicated how blocking these servers will have an 
appreciable</FONT></DIV>
<DIV><FONT size=2>effect on the worm propagation (unless it gets a second stage 
from them), </FONT></DIV>
<DIV><FONT size=2>and I wonder if anyone else has similar concerns, or an 
opinion on whether</FONT></DIV>
<DIV><FONT size=2>these IP addresses should actually be blocked. </FONT></DIV>
<DIV><FONT size=2></FONT>&nbsp;</DIV>
<DIV><FONT size=2>Regards, </FONT></DIV>
<DIV><FONT size=2></FONT>&nbsp;</DIV>
<DIV><FONT size=2>-j</FONT></DIV>
<DIV>&nbsp;</DIV>
<DIV>&nbsp;</DIV>
<DIV>--<BR>Jamie.Reid, CISSP, <A 
href="mailto:jamie.reid@mbs.gov.on.ca";>jamie.reid@mbs.gov.on.ca</A><BR>Senior 
Security Specialist, Information Protection Centre <BR>Corporate Security, 
MBS&nbsp; <BR>416 327 2324 </DIV></BODY></HTML>



Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.