In <[EMAIL PROTECTED]> on Fri, 5 May 2006 17:32:36 -0400, Ken Schafer <[EMAIL PROTECTED]> wrote:
Hi Ken,

Welcome, and thanks so much for the detailed report. For what they are worth, here are my comments:

1. Disclosure. There is of course an ongoing debate in the security community about the merits of full disclosure (peer review, alerting others) versus maintaining some level of secrecy (security by obscurity, making things harder for bad guys). My own feeling is that in cases like this, after a reasonable delay to allow beefing up of defenses, the merits of full disclosure outweigh the merits of maintaining secrecy (which tend to be overestimated). Thus I urge Tucows to revisit this issue in (say) a month or two.

2. NS3 capacity. One issue you didn't touch on directly was the apparent inability of NS3 to handle the load when NS1 and NS2 became unavailable. This suggests that NS3 had insufficient capacity, something you will hopefully address with your upgrades.

3. Failure testing. The capacity of NS3 issue might have been found in live failure testing (scheduled and announced of course). Hopefully that will become part of your ongoing operations, not just in DNS, but in other areas as well.

4. Syn flood protection. Syn flood has been around for a relatively long time, and various forms of reasonably effective protection (e.g., Syn Proxy) are readily available, so I'm wondering why Tucows was apparently so vulnerable. Hopefully this is being addressed, along with protection against other known attack vectors.

5. Recorded announcement. I think it would have helped (on both sides) if your telephone tree system had included a brief alert status message, so it wasn't necessary to reach a person to find out what was going on.

6. Email alert. I think it would have helped to have a mass email alert mailing as soon as you knew that you had a serious problem.

7. Punishing the victim. I'm a bit troubled that you asked the target of the attack to move away from Tucows, unless you had clear evidence the target had done something inappropriate. We are all potential targets, even when there's no good reason.

Also, while I have your attention, I'd like to take this opportunity to ask you for enhancements to Managed DNS that I think are long overdue (and available from some of your competitors):

(a) Subdirectory Forwarding. Given Domain Forwarding of (say) http://www.example.com/ to (say) http://example.net/client1/, it would be nice to have http://www.example.com/topic/ automatically forward to http://example.net/client1/topic/.

(b) Preservation of Page Titles and Meta Tags. When URL Frame is turned on, page titles are lost, an unfortunate side effect. Likewise meta tags.

Thanks again,
John Navas
The Navas Group

--
Best regards,
John Navas <http://NavasGroup.com/>
