Re: Last Call: <draft-oreirdan-mody-bot-remediation-16.txt> (Recommendations for the Remediation of Bots in ISP Networks) to Informational RFC

At 06:52 23-09-2011, The IESG wrote:

The IESG has received a request from an individual submitter to consider
the following document:
- 'Recommendations for the Remediation of Bots in ISP Networks'
  <draft-oreirdan-mody-bot-remediation-16.txt> as an Informational RFC

The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action. Please send substantive comments to the
ietf@xxxxxxxx mailing lists by 2011-10-21. Exceptionally, comments may be

I suggest publishing this document or else the FCC would have to reference a work-in-progress.

In Section 1.5:

  "DNS Fast Fluxing occurs when a domain is bound in DNS using A records
   to multiple IP addresses, each of which has a very short Time To Live
   (TTL) value associated with it."

I suggest covering AAAA records as well.

  "This means that the domain resolves to varying IP addresses over a
   short period of time."

According to that definition and the following:

  ; QUESTION SECTION:
  ;google.com.                    IN      A

  ;; ANSWER SECTION:
  google.com.             300     IN      A       74.125.224.52
  google.com.             300     IN      A       74.125.224.48
  google.com.             300     IN      A       74.125.224.49
  google.com.             300     IN      A       74.125.224.50
  google.com.             300     IN      A       74.125.224.51

google.com qualifies as a fast-flux service network.

In Section 4:

  'Where legally permissible or otherwise an industry accepted
   practice in a particular market region, an ISP may in some manner
   "scan" their IP space in order to detect un-patched or otherwise
   vulnerable hosts, or to detect the signs of infection.'

The same paragraph acknowledges that this technique would not be effective due to NAT devices. It would be better if ISPs do not resort to widespread "scanning".

Section 5.1 discusses email notification. As noted, it creates a market for social engineering. This common form of notification should not be encouraged.

In Section 10:

 "As noted in Section 8, any sharing of data from the user to the ISP
  and/or authorized third parties should be done on an opt-in basis."

I suggest using "with the consent of the user" instead of "opt-in", as the latter is everything but opt-in nowadays.

Regards,
-sm

_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf
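The point raised above about Section 1.5 is that "multiple A records, each with a short TTL" matches ordinary load-balanced or CDN-served domains. The following added example (not part of the message or of the draft) makes that concrete: it parses dig-style answer lines, applies the draft's literal definition, and then applies a stricter heuristic that also looks at address spread across /24 and /48 prefixes and at how much the answer set changes between successive lookups. The google.com answers are the ones quoted in the message; the flux-like series, the thresholds (60 s TTL, three prefixes, 50% churn) and the `flux.example` name are constructed for illustration and are not values from the draft.

```python
"""Added example: why 'several addresses + short TTL' alone over-matches.

Two constructed snapshot series of DNS answers (consecutive lookups of the
same name) are scored under the draft's literal definition and under a
stricter heuristic that also requires very low TTL, spread over several
prefixes, and churn of the address set between lookups.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Answer:
    name: str
    ttl: int
    rtype: str      # "A" or "AAAA" (both counted, as the message suggests)
    address: str


def parse_dig_answer(line):
    """Parse one dig ANSWER SECTION line: 'name ttl IN type rdata'.

    Returns None for section headers, comments and non-address records.
    """
    parts = line.split()
    if len(parts) != 5 or parts[2] != "IN" or parts[3] not in ("A", "AAAA"):
        return None
    return Answer(parts[0], int(parts[1]), parts[3], parts[4])


def naive_fast_flux(answers, max_ttl=300):
    """The draft's literal definition: more than one address, each with a short TTL."""
    addrs = {a.address for a in answers}
    return len(addrs) > 1 and all(a.ttl <= max_ttl for a in answers)


def prefix_key(address):
    """Collapse an address to its /24 (IPv4) or /48 (IPv6) prefix."""
    ip = ipaddress.ip_address(address)
    plen = 24 if ip.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{plen}", strict=False))


def stricter_fast_flux(snapshots, max_ttl=60, min_prefixes=3, min_churn=0.5):
    """Illustrative stricter heuristic (thresholds are assumptions, not from the draft).

    Flags a name only if every TTL is very low, the addresses seen across all
    lookups span several prefixes, and on average at least `min_churn` of
    each answer set was absent from the previous lookup.
    """
    all_addrs = {a.address for snap in snapshots for a in snap}
    if len(all_addrs) < 2:
        return False
    ttl_ok = all(a.ttl <= max_ttl for snap in snapshots for a in snap)
    prefixes = {prefix_key(addr) for addr in all_addrs}
    churn = []
    for prev, cur in zip(snapshots, snapshots[1:]):
        prev_set = {a.address for a in prev}
        cur_set = {a.address for a in cur}
        churn.append(len(cur_set - prev_set) / len(cur_set))
    avg_churn = sum(churn) / len(churn) if churn else 0.0
    return ttl_ok and len(prefixes) >= min_prefixes and avg_churn >= min_churn


def classify(snapshots):
    """Score the latest answer set under both heuristics."""
    return {"naive": naive_fast_flux(snapshots[-1]),
            "stricter": stricter_fast_flux(snapshots)}


def _parse_block(text):
    return [a for a in (parse_dig_answer(l) for l in text.splitlines()) if a]


# The google.com answers quoted in the message, seen unchanged on two lookups.
_GOOGLE = """
;; ANSWER SECTION:
google.com.             300     IN      A       74.125.224.52
google.com.             300     IN      A       74.125.224.48
google.com.             300     IN      A       74.125.224.49
google.com.             300     IN      A       74.125.224.50
google.com.             300     IN      A       74.125.224.51
"""
CDN_SNAPSHOTS = [_parse_block(_GOOGLE), _parse_block(_GOOGLE)]

# Constructed flux-like series: documentation-range addresses, 30 s TTL,
# completely different set on the second lookup, with an AAAA record too.
FLUX_SNAPSHOTS = [
    _parse_block("""
flux.example.           30      IN      A       192.0.2.10
flux.example.           30      IN      A       198.51.100.20
flux.example.           30      IN      A       203.0.113.30
flux.example.           30      IN      AAAA    2001:db8:1::5
"""),
    _parse_block("""
flux.example.           30      IN      A       192.0.2.77
flux.example.           30      IN      A       198.51.100.88
flux.example.           30      IN      A       203.0.113.99
flux.example.           30      IN      AAAA    2001:db8:2::9
"""),
]

if __name__ == "__main__":
    print("google.com   :", classify(CDN_SNAPSHOTS))
    print("flux.example :", classify(FLUX_SNAPSHOTS))
```

Run stand-alone, the script shows the quoted google.com answers flagged under the literal definition (five addresses, TTL 300) but not under the stricter heuristic (one /24, no churn, TTL above 60 s), while the constructed flux-like series is flagged under both. Any real deployment would tune the thresholds and add further signals (for example ASN diversity); the example only shows that the definition in Section 1.5 needs more than address count and TTL.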
