Re: [gnso-rap-dt] counter-attack idea
- To: gnso-rap-dt@xxxxxxxxx
- Subject: Re: [gnso-rap-dt] counter-attack idea
- From: Roland Perry <roland@xxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 1 Apr 2009 20:47:03 +0100

In message <200904011614.n31GEDK6019606@xxxxxxxxxxxxxxxxxxxxxx>, at
11:14:15 on Wed, 1 Apr 2009, Mike O'Connor <mike@xxxxxxxxxx> writes

> let's say that we find a person abusing the domain-name system to power
> their botnet. let's further presume that (like the Conficker case) we
> know the domain names. what if we didn't take those names down, but
> instead made it possible to use those names to wrest the botnet away
> from the bad-guys?

I have been thinking along similar lines.

At the very least, wouldn't answering the "call home" (but not with
anything that was necessarily guaranteed to be an instruction to turn
themselves off) give us a list of the infected PCs?

> what policy would we need to craft in order to allow good-guys to do
> that in a safe and orderly way?

That's the easy question: we need to define the use of the domain names
in that way [1] unambiguously as "abuse", so that any organisation who
might be considering taking useful action does not refrain from doing so
on the basis that "it is not in the business of deciding what abuse is".

[1] And in all the other ways we are beginning to document.
--
Roland Perry