discuss - Re: [opennic-discuss] botnets mitigation

discuss AT lists.opennicproject.org

Subject: Discuss mailing list

List archive

Re: [opennic-discuss] botnets mitigation


  • From: Oleg Khovayko <khovayko AT gmail.com>
  • To: discuss AT lists.opennicproject.org
  • Subject: Re: [opennic-discuss] botnets mitigation
  • Date: Sun, 10 Jun 2018 14:52:07 -0400

William,

Thanks for the answer.
I understand your concern about running software. I would just like to note that you can create a dedicated username to run it, with minimal permissions, and this would be safe.

But anyway, I would like to ask again:

Is it OK if we set up a firewall allowing Tier1 servers only? Or is it needed to include Tier2, too? Or is this the wrong way, and does some better solution exist?

Thanks,
Oleg




William Weber wrote:
I do not see any reason to run further software that nobody has time to analyse fully (or will pay for the analysis) on Tier1 servers, which is always extremely high risk.





On Sun, Jun 10, 2018 at 20:09, Oleg Khovayko <khovayko AT gmail.com> wrote:
Hi,

I am representing Emercoin, which has had successful peering with OpenNIC
for years.

However, recently I see that our servers seed1 and seed2, from which OpenNIC
requests info about the zones .coin/.emc/.bazar/.lib, have started being used to
control botnets.
There are many requests from different IPs for the same domain name, fields
A/TXT.
I analyzed the TXT field in some EmerDNS records, for example:
dns:refereefitter.lib
and found there some encrypted strings, which seem like commands to a
botnet.
This article contains more information:
https://www.fireeye.com/blog/threat-research/2018/04/cryptocurrencies-cyber-crime-blockchain-infrastructure-use.html

I would like to continue peering, but do not want to serve criminal botnets.

I see 2 ways to mitigate this issue:

1. Each Tier1 OpenNIC will set up a local Emer node and perform peering to
localhost, and we will just discontinue our peering services.
Pros: quick resolving, best security.
Cons: ~1G HDD and 300MB RAM needed for the running process.

2. We can add IP filters to our seed1/seed2 and ban all IPs but the 10
Tier 1 OpenNIC servers.
Pros: nothing needed to do on the OpenNIC side.
Cons: dependence on network, bigger latencies.

So, I have questions:
1. If we add DNS filters which include the Tier1 servers, is this
enough to continue peering with option 2?
2. Is it possible to move to option 1, where OpenNIC keeps a local resolver?

Thanks,
Oleg

--------
You are a member of the OpenNIC Discuss list.
You may unsubscribe by emailing discuss-unsubscribe AT lists.opennicproject.org



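As an added example (not code from the thread, from Emercoin or from OpenNIC), one way a seed operator could spot the fan-out pattern Oleg describes (many distinct clients asking for the A/TXT records of one name) and enforce the option-2 source allowlist; the log format, the sample lines, the threshold and the Tier1 network ranges are constructed assumptions.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed sample of BIND-style query log lines (not a real capture).
# Many distinct clients asking for the TXT record of one EmerDNS name is
# the pattern the thread describes; example.emc is ordinary traffic.
SAMPLE_LOG = """\
client 203.0.113.5#51234: query: refereefitter.lib IN TXT
client 203.0.113.77#40001: query: refereefitter.lib IN TXT
client 198.51.100.9#53000: query: refereefitter.lib IN A
client 198.51.100.23#53001: query: refereefitter.lib IN TXT
client 192.0.2.44#61000: query: refereefitter.lib IN TXT
client 192.0.2.10#61001: query: example.emc IN A
client 192.0.2.10#61002: query: example.emc IN A
"""

LOG_RE = re.compile(
    r"client (?P<ip>[\d.:a-fA-F]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\w+)"
)

def distinct_sources(log_text):
    """Map (qname, qtype) -> set of distinct client IPs seen asking for it."""
    sources = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            sources[(m["qname"].lower(), m["qtype"].upper())].add(m["ip"])
    return sources

def flag_fanout(log_text, threshold=3, qtypes=("TXT", "A")):
    """Names of the given types queried by at least `threshold` distinct clients."""
    return sorted(
        (qname, qtype, len(ips))
        for (qname, qtype), ips in distinct_sources(log_text).items()
        if qtype in qtypes and len(ips) >= threshold
    )

# Hypothetical allowlist for option 2: only the peering resolvers may query.
TIER1_ALLOWLIST = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8::/32")]

def is_allowed(client_ip, allowlist=TIER1_ALLOWLIST):
    """True if the client falls inside one of the allowlisted peer networks."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in allowlist)

if __name__ == "__main__":
    for qname, qtype, n in flag_fanout(SAMPLE_LOG):
        print(f"{qname} {qtype}: {n} distinct sources")
```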