New service - the Team Cymru Malware Hash Registry!
--[ UxBoD ]--
uxbod at splatnix.net
Wed Oct 29 08:17:14 GMT 2008
Cheers for putting me straight Steve ;) Nice explanation aswell :)
Regards,
--
--[ UxBoD ]--
// PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84
// Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84
// Phone: +44 845 869 2749
----- "Steve Freegard" <steve.freegard at fsl.com> wrote:
> All the records from the Malware Hash Registry have a TTL of 86400
>
> seconds (24 hours), so that means that if you're looking up the same
>
> hash within 24 hours - it will come from your local cache provided it
>
> hasn't been purged to reclaim space.
>
>
>
> If you maintain a local cache - you really don't save a lot of lookups
>
> to the upstream since the vast majority of lookups are going to be
>
> negative lookups (e.g. NXDOMAIN).
>
>
>
> DNS was designed with caching in mind; and it works just fine for the
>
> purposes it was designed for - adding a second cache is almost always
> a
>
> bad idea and will introduce lag and incorrect results along with space
>
> bloat.
>
>
>
> If you're going to argue a local cache for these hashes - why not
> argue
>
> for local caching for DNS BL or URI BL lookups as well? The reason we
>
> don't do local caching for these is exactly the same as why we
> shouldn't
>
> do it here - the data is fluid - there's no guarantee that a positive
> or
>
> negative lookup now yield the same result the next time you look at
> the
>
> data.
>
>
>
> Regards,
>
> Steve.
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
More information about the MailScanner
mailing list