[nsp-sec] FW: Storm worm changing DNS resolver settings on victim system
Florian Weimer
fweimer at bfk.de
Thu Mar 13 10:56:55 EDT 2008
* Barry Greene:
>> So blocking DNS requests to non-ISP servers doesn't make that
>> much sense, but I'm relatively sure it will become standard
>> industry practice on consumer accounts. 8-/
>
> If you redirect port 53 to your DNS infrastructure - the Miscreants
> counter with changing the ports - you then have a signature to look for
> in Netflow - watching for all DNS patterns which do not match port 53
> exiting your network.
To my knowledge, the name servers used by Zlob are fairly stable and
on an obscure netblock. Detection shouldn't be the issue here.
--
Florian Weimer <fweimer at bfk.de>
BFK edv-consulting GmbH http://www.bfk.de/
Kriegsstraße 100 tel: +49-721-96201-1
D-76133 Karlsruhe fax: +49-721-96201-99
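
Added example, not part of the original message: one way to look for the pattern discussed in this thread in flow data, by grouping port-53 flows that go to resolvers other than the ISP's own by destination netblock and counting distinct customers. The flow records, the CSV layout, the resolver address and the threshold are constructed assumptions (documentation address ranges), and the sketch does not cover DNS moved to other ports.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample flow export (documentation address ranges, not real data).
# Columns: customer source IP, destination IP, IP protocol number, destination port
SAMPLE_FLOWS = """\
src,dst,proto,dport
10.1.0.5,192.0.2.53,17,53
10.1.0.6,192.0.2.53,17,53
10.1.0.7,203.0.113.10,17,53
10.1.0.8,203.0.113.11,17,53
10.1.0.9,203.0.113.10,6,53
10.1.0.7,198.51.100.80,6,80
10.1.0.5,198.51.100.7,17,53
"""

ISP_RESOLVERS = {ipaddress.ip_address("192.0.2.53")}  # assumed ISP resolver


def offnet_dns_by_netblock(flow_csv, isp_resolvers, prefix_len=24):
    """Map each non-ISP destination netblock to the clients sending DNS there."""
    clients = defaultdict(set)
    for row in csv.DictReader(io.StringIO(flow_csv)):
        # DNS runs over UDP (17) and TCP (6) with destination port 53.
        if int(row["dport"]) != 53 or int(row["proto"]) not in (6, 17):
            continue
        dst = ipaddress.ip_address(row["dst"])
        if dst in isp_resolvers:
            continue
        block = ipaddress.ip_network(f"{dst}/{prefix_len}", strict=False)
        clients[block].add(row["src"])
    return dict(clients)


def suspicious_blocks(flow_csv, isp_resolvers, min_clients=2):
    """Netblocks that several distinct customers use as their resolver."""
    hits = offnet_dns_by_netblock(flow_csv, isp_resolvers)
    return sorted(
        (str(block), sorted(srcs))
        for block, srcs in hits.items()
        if len(srcs) >= min_clients
    )


if __name__ == "__main__":
    for block, srcs in suspicious_blocks(SAMPLE_FLOWS, ISP_RESOLVERS):
        print(block, srcs)
```

A single customer pointing at an outside resolver stays below the threshold; a netblock that many unrelated customers query is the one worth a closer look.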