Network Security Incidents

Re: DNS Query Details from 209.200.168.66

Subject: Re: DNS Query Details from 209.200.168.66
Date: Thu, 1 Dec 2005 11:12:17 -0500

As a result of that activity the IP address has been flagged ~1300 times at 
MyNetwatchman (www.mynetwatchman.com) and any firewalls that use that info are 
now blocking access from 209.200.168.66.

Under incidents it's listed as "escalated - no response".  So it will remain 
blocked.

Ragnar Paulson
The Software Group Limited


----- Original Message ----- 
From: "Dan Kaminsky" <dan@doxpara.com>
To: <incidents@securityfocus.com>
Sent: Wednesday, November 30, 2005 1:59 AM
Subject: DNS Query Details from 209.200.168.66


Great to find people logging DNS traffic :) As mentioned, most of the 
traffic is part of a mechanism for measuring the damage from Sony's 
activities.

WRT the Base32 names--

The Base32 stuff is part of a technique that's attempting to decode the 
actual topology of DNS.  DNS servers can be configured in a forwarding 
relationship, whereby instead of going up to the root servers, they 
access peers.  Sometimes the peer relationships can get quite complex -- 
and these relationships all cause cache pollution that degrades the 
quality of my Sony data.  So I'm working to clean that aspect up:  In 
the Base32 name, there exists a cookie.  The cookie documents the server 
I sent a request to.  I compare the stored IP with the IP that comes 
back to me to resolve a query.  (This technique is mentioned in my 2005 
slides, see www.doxpara.com for details).

The other names -- email me privately for details, if you want to know. 

Let me know if you have any further queries.  My research goal is to be 
aware of threats to the global infrastructure, and Sony's operations do 
appear to have had global consequences (and set a rather terrifying 
example!).

--Dan
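An added Python example, not code from Dan's post or from doxpara.com, sketching the cookie check he describes: the address of the resolver being probed is packed together with a nonce into a single Base32 DNS label, and when the query reaches the name server that logs it, the embedded address is compared with the source address actually observed. A mismatch means the probed resolver handed the query to a forwarder or peer. The zone name `probe.example`, the addresses (RFC 5737 documentation ranges), and the observation list are all constructed for this example.

```python
import base64
import ipaddress
from typing import Dict, List, Set, Tuple

# Hypothetical measurement zone; the real names used in the study are not reproduced.
ZONE = "probe.example"


def encode_cookie(server_ip: str, nonce: bytes) -> str:
    """Pack the resolver IP we are about to query plus a nonce into one Base32 label.

    The nonce makes every probe name unique, so a cached answer can never
    short-circuit the lookup and the query must travel to the authority.
    """
    raw = ipaddress.IPv4Address(server_ip).packed + nonce
    # DNS labels are case-insensitive and '=' is not a valid label character,
    # so lowercase the output and drop the padding; decode() restores it.
    label = base64.b32encode(raw).decode("ascii").rstrip("=").lower()
    if len(label) > 63:
        raise ValueError("cookie does not fit in a 63-octet DNS label")
    return label


def decode_cookie(label: str) -> Tuple[str, bytes]:
    """Inverse of encode_cookie: recover (recorded resolver IP, nonce)."""
    padded = label.upper() + "=" * (-len(label) % 8)
    raw = base64.b32decode(padded)
    return str(ipaddress.IPv4Address(raw[:4])), raw[4:]


def build_query_name(server_ip: str, nonce: bytes) -> str:
    """Full owner name sent to the resolver under test."""
    return f"{encode_cookie(server_ip, nonce)}.{ZONE}"


def classify(qname: str, observed_src: str) -> str:
    """Compare the IP stored in the cookie with the IP that actually reached us."""
    recorded_ip, _ = decode_cookie(qname.split(".")[0])
    return "direct" if recorded_ip == observed_src else "forwarded"


def forwarding_map(observations: List[Tuple[str, str]]) -> Dict[str, Set[str]]:
    """Map each probed resolver to the set of other addresses its queries arrived from."""
    fwd: Dict[str, Set[str]] = {}
    for qname, src in observations:
        recorded_ip, _ = decode_cookie(qname.split(".")[0])
        if recorded_ip != src:
            fwd.setdefault(recorded_ip, set()).add(src)
    return fwd


# Constructed observations: (query name as logged at the authority, source IP seen).
OBSERVED = [
    (build_query_name("192.0.2.10", b"\x00\x00\x00\x01"), "192.0.2.10"),    # answered directly
    (build_query_name("192.0.2.10", b"\x00\x00\x00\x02"), "198.51.100.7"),  # relayed via a forwarder
    (build_query_name("203.0.113.5", b"\x00\x00\x00\x03"), "198.51.100.7"), # same forwarder, other client
]

if __name__ == "__main__":
    for qname, src in OBSERVED:
        print(f"{qname:40} from {src:15} -> {classify(qname, src)}")
    print(forwarding_map(OBSERVED))
```

Because the cookie is a plain encoding rather than a MAC, anyone who sees the probe names can read the recorded address; that is acceptable for a topology measurement but not for anything that needs tamper resistance.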

