BlackHole-DNS problems
Results 1 to 9 of 9

Thread: BlackHole-DNS problems

Hybrid View

  1. #1
    Senior Member IKnowNot's Avatar
    Join Date
    Jan 2003
    Posts
    792

    BlackHole-DNS problems

    FYI

    For those that use files from bleedingthreats.net ( or bleedingthreats.com ) there seems to be a problem with the sites.

    From The Bleeding-sigs Archives those names haven't been able to be resolved since 11/22/2007. ( a look-up indicates the domains were updated 10/21/2007 )

    For now updates can apparently be found at The DNS-BH project

    Anyone have more info on this ?

    .
    " And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes

  2. #2
    Senior Member IKnowNot's Avatar
    Join Date
    Jan 2003
    Posts
    792

    UPDATE

    I have not seen this anywhere else!

    Although there have been views, no one has posted, so I guess I will post to keep this alive, as I think it is very important !!!!!

    For those that don’t realize, this also effects files from
    http://www.bleedingsnort.com/blackhole-dns/files/

    Many people run scripts that update their blackhole-dns, and do not realize the files are no longer there. ( checking logs, are we ???? )

    The files ( updates ) were actually noticed missing since 11/20/2007.

    The current conditions occurred shortly after this post I'm Leaving Bleeding Threats by Matt Jonkman ( jonkman at jonkmans.com )
    ... After nearly 5 years as the founder and admin of Bleeding Edge Threats I must step out of the project. ...
    Although I can think of a thousand reasons to leave after five years, I am still dumbfounded as to the reasons for the missing files / domains.

    These problems may be corrected in the near future, but since it has been over 10 days with these files ( and domains ) effectively missing, I thought security minded individuals ( especially those utilizing open source options ) would want to know about this. ( No posts indicate no interest ??? )

    Anyone here been effected?

    Is this still a security orientated site, despite the lack of any recent substance?

    .
    Last edited by IKnowNot; November 30th, 2007 at 07:59 AM.
    " And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes

  3. #3
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    Hmmm,

    The date of the last entry in the archives is 30 November 2007.

    As for the other site:

    Removed at Authors request
    I guess there is some "reading between the lines" to be done here?

    ( No posts indicate no interest ??? )
    Not necessarily, I guess it just means that nobody has any further information and are just awaiting developments.

    This is an endemic weakness of open source projects........... if the driving force(s) leave suddenly, then there is frequently a hiatus whilst the community reorganises and regroups. The fewer the major players the greater the risk.

    There also might be hosting problems in the short term?

    Another possibility is that if he left without naming heirs there might be a bit of politicing going on behind the scenes?

    I guess we will just have to wait and see

    EDIT: I had a quick look and this is all I could find:

    http://www.inliniac.net/blog/2007/11...ding-edge.html

    There is a suggestion that he was pushed rather than jumped?
    Last edited by nihil; November 30th, 2007 at 12:57 PM.
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  4. #4
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,324
    I also noticed the files were missing. I'm not using blackhole dns at this time but I was using the blackhole snort rules file. I did notice it was missing and reverted to a backup (11-16-07) and disabled the update from my update script. I was not receiving many hits from the blackhole rule anyway thanks to websense.
    Last edited by phishphreek; November 30th, 2007 at 02:05 PM.
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you\'ve saved, how much you haven\'t smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  5. #5
    AO Curmudgeon rcgreen's Avatar
    Join Date
    Nov 2001
    Posts
    2,716
    Being an amateur, I don't automatically update mine,
    but I guess this does point out a weakness in open source,
    at least for professionals who depend on this stuff.
    I came in to the world with nothing. I still have most of it.

  6. #6
    Junior Member
    Join Date
    Dec 2007
    Posts
    3
    I am the originator of the Black-Hole DNS Project which Matt Jonkman was kind enough to host.

    I started the list as a way to give back to the open source community, especially bleedingsnort, as I extensively used their sigs but suck at writing my own

    With Matt leaving, I also lost the ability to update the list through CVS. Due to the uncertainty of the future of bleedingthreats, I made the decision to create a new domain for the dns-blacklist at malwaredomains.com.

    Although this is now costing me money to host on my own, I also did not want to be immediately tied to a single vendor, especially one which I did not have prior relationship.

    I know this would cause some problems for users, so I emailed the bleeding-sigs and other mailing lists about the new domain. I am now posting to as many boards as possible (such as this one).

    Matt is actively working on his new projects, and we are actively working on keeping the professional relationship going. I hope his new projects will contain a sandbox where he can continue to feed the BH-DNS malware domain list with active domains.....


    Regards
    D Glosser
    malwaredomains.com

  7. #7
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,324
    I saw that the new files are located @ http://www.malwaredomains.com/files/

    At this time, I am not using the DNS files, but was using the snort rules. Are there any plans to keep updates of the snort rules? If not, can you make available the script to create the snort rules file?

    BTW: I've been a big fan of the project for a while. I've recommended it to many people over the years. I use many layers in my approach to security and the blackhole dns solution was great. I just used the snort sigs to see which hosts may be infected. Luckily, I don't get many hits... but I love the rules. Even if they do use up huge amounts of memory....
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you\'ve saved, how much you haven\'t smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  8. #8
    Junior Member
    Join Date
    Dec 2007
    Posts
    3
    SN has stated that they want to keep the project going and need a bit of time. They are active on the bleeding-sigs mailing list so you may want to post a question there. Thanks for the being a fan of the dns-bh project. Another way to see if hosts are infected may be to change the loopback address in the file to an internal web server and check the logs.....

  9. #9
    Senior Member IKnowNot's Avatar
    Join Date
    Jan 2003
    Posts
    792
    " And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes

Similar Threads

  1. Windows 2000 Tips
    By Nokia in forum Tips and Tricks
    Replies: 0
    Last Post: June 12th, 2004, 05:13 PM
  2. Tcp/ip
    By gore in forum Newbie Security Questions
    Replies: 11
    Last Post: December 29th, 2003, 07:01 AM
  3. Classic Social Engineering Attacks
    By Striek in forum The Security Tutorials Forum
    Replies: 10
    Last Post: December 16th, 2003, 08:30 PM
  4. Solving Common Problems with Norton Antivirus 8 Corporate
    By CS4Life in forum The Security Tutorials Forum
    Replies: 2
    Last Post: June 26th, 2003, 12:02 PM
  5. Millennium Problems
    By tampabay420 in forum Cosmos
    Replies: 1
    Last Post: January 23rd, 2003, 07:37 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides