RE: On-going Internet Emergency and Domain Names
One of the reasons that registrars are slow to take down sites that are paid with a credit card is because there is little financial incentive to do so: they've lost money on it already, why have a department whose priority is speed if you can hire a person to do it at their own pace and minimize the loss? For almost all things prudent and effective there needs to be a financial incentive. For those registrars who take stolen credit cards, it's the rates and fees they are charged to process credit card transactions. It appears the rates that are charged and the penalties assessed aren't enough to dissuade them from these fraudulent transactions, which means that the monetary externalities of DNS registration abuse (spam, phishing sites, etc) are not fully assessed by financial institutions. We have a similar parallel in the cost of gasoline and the impact on the environment.

Frank

-----Original Message-----
Sent: Monday, April 02, 2007 9:36 PM
To: David Conrad
Cc: Joseph S D Yao; nanog
Subject: Re: On-going Internet Emergency and Domain Names

On Mon, 2 Apr 2007, David Conrad wrote:
> On Apr 2, 2007, at 7:12 PM, Joseph S D Yao wrote:
> > On Mon, Apr 02, 2007 at 05:33:08PM -0700, David Conrad wrote:
> > > I think this might be a bit in conflict with efforts registries have to reduce the turnaround in zone modification to the order of tens of minutes.
> > Why is this necessary? Other than the cool factor.
> I think the question is why should the Internet be constrained to engineering decisions made in 1992?

or victims of policy of that same 'vintage'... doing things faster isn't bad, doing it with less checks and balances and more people willing to abuse the lack of checks/balances seems like a bad idea. If you can get a domain added to the system fresh in 5min or less, why does it take +90 days to get it removed when all data about the domain is patently false and the CC used to purchase the domain was reported stolen 2+ years ago?

I don't mean to pick on anyone in particular, but wow, to me this seems like just a policy update requirement.
RE: On-going Internet Emergency and Domain Names
On Sat, 2007-04-07 at 14:43 -0500, Frank Bulk wrote:
> One of the reasons that registrars are slow to take down sites that are paid with a credit card is because there is little financial incentive to do so.

Also there is the customer numbers effect, most often seen with public companies or those seeking VC funding. Those registrars compete heavily; none of them want to have negative numbers, not even one negative number.

-Jim P.
Re: On-going Internet Emergency and Domain Names
Paul Vixie wrote:
> > ... Back to reality and 2007: In this case, we speak of a problem with DNS, not sendmail, and not bind. As to blacklisting, it's not my favorite solution but rather a limited alternative I also saw you mention on occasion. What alternatives do you offer which we can use today?
>
> on any given day, there's always something broken somewhere. in dns, there's always something broken everywhere. since malware isn't breaking dns, and since dns is not a vector per se, the idea of changing dns in any way to try to control malware strikes me as a way to get dns to be broken in more places more often.

I'd say it's a way to get DNS to be more inconsistent and it's likely to happen. Broken is both in the eye of the beholder and in the eye of the end-user.

> but, isp's responsible for large broadband populations could do this in their recursion farms

That's right. And it will perpetuate the arms race of whitehats vs. blackhats. But that's no reason not to add intelligence into the DNS -- either in-band or out-of-band. Most of us already do some level of DNS intelligence out-of-band (passive dns, uribls, etc) and the power of doing it in-band is a logical next step.

> fundamentally, this isn't a dns technical problem, and using dns technology to solve it will either not work or set a dangerous precedent. and since the data is authentic, some day, dnssec will make this kind of poison impossible.

Unfortunately, that day, if it ever comes, will come after bot herders stop using DNS to manage their botnets because other mitigation strategies will have already forced them to move on.

-David
Re: On-going Internet Emergency and Domain Names
On Mon, 2 Apr 2007, David Conrad wrote:
> Even if a delay were imposed, I'm not sure I see how this would actually help as I would assume it would require folks to actually look at the list of newly created domains and discriminate between the ones that were created for good and the ones created for ill. How would one do this?

A good start would be to forbid the delegation of newly-registered domains that have not yet been paid for.

Tony.
-- 
f.a.n.finch [EMAIL PROTECTED] http://dotat.at/
HEBRIDES BAILEY: NORTH OR NORTHWEST 3 OR 4, OCCASIONALLY 5. SLIGHT OR MODERATE. MAINLY FAIR. MODERATE OR GOOD.
Re: On-going Internet Emergency and Domain Names
On Tue, Apr 03, 2007, Tony Finch wrote:
> On Mon, 2 Apr 2007, David Conrad wrote:
> > Even if a delay were imposed, I'm not sure I see how this would actually help as I would assume it would require folks to actually look at the list of newly created domains and discriminate between the ones that were created for good and the ones created for ill. How would one do this?
> A good start would be to forbid the delegation of newly-registered domains that have not yet been paid for.

Define "paid for". Paid for == bank said yes, or Paid for == bank said yes and then said "Whoa, no; that's not really right". (I truly wonder what the domain registrars are seeing as CC transaction failure rates, and why the banks haven't stepped in.)

Adrian
Re: On-going Internet Emergency and Domain Names
On 2 Apr 2007, at 21:21, Lasher, Donn wrote:
> Rather, I thought a lot more providers would actually be blocking outbound 25 except to their SMTP servers. Just brought up a new mail server for a friend; moved an old (14+ year) domain.. I was amazed at the number of connections from rr.com, comcast.net, cox.net, verizon, etc etc etc obviously not official mail servers. I'm actually tempted to start blocking anything that doesn't say mail. in it somewhere.. :)

Lots of people do use the 'came from some consumer isp dynamic range' as a reason to block mail by using RBLs which list the entire dial-up/dynamic ranges of ISPs they know about[0], so if you want to have a go at doing that, don't just drop any inbound mail from mtas which don't have reverse dns set to mail.something. At least, not without telling your customers that they can outsource their mail to my company ;-)

[0] - e.g. http://mail-abuse.org/dul/
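The two filters discussed in this exchange side by side, as an added example that is not code from the thread or from any of the posters: the "reverse DNS must contain mail." rule against a DUL-style DNSBL lookup of the kind the footnote points at. The list name dul.example.invalid, the listed addresses and the connecting peers are all constructed for the example, and the list is a local dictionary rather than a live DNS query, so nothing leaves the machine.

```python
"""Naive PTR-name filtering versus a dial-up/dynamic list (DUL-style DNSBL)
lookup for deciding whether to accept an inbound SMTP connection.
All data is constructed for the example; no network access is performed."""
import ipaddress

# Constructed stand-in for a DUL-style DNSBL zone. A real list is queried by
# reversing the IPv4 octets and appending the list's domain; a listed address
# answers with an A record in 127.0.0.0/8. The zone name is hypothetical.
DUL_ZONE = "dul.example.invalid"
DUL_LISTED = {
    "10.2.0.192." + DUL_ZONE: "127.0.0.2",   # 192.0.2.10: consumer dynamic pool
    "20.2.0.192." + DUL_ZONE: "127.0.0.2",   # 192.0.2.20: same pool
}


def naive_ptr_reject(ptr):
    """The rule floated in the thread: reject unless the PTR name contains 'mail.'."""
    return "mail." not in ptr.lower()


def dnsbl_query_name(ip, zone):
    """Build the DNSBL lookup name for an IPv4 address (octets reversed)."""
    addr = ipaddress.IPv4Address(ip)          # raises on a malformed address
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def dul_lookup(ip, listed=DUL_LISTED, zone=DUL_ZONE):
    """Return the list's answer (a 127.0.0.x string) or None if not listed."""
    return listed.get(dnsbl_query_name(ip, zone))


def decide(ip):
    """Policy: a DUL listing is the reject reason; the PTR spelling is not."""
    answer = dul_lookup(ip)
    if answer is not None:
        return f"reject: {ip} listed in {DUL_ZONE} ({answer})"
    return "accept"


# Constructed connection attempts: (peer IP, PTR name the peer resolves to)
SAMPLE_PEERS = [
    ("192.0.2.10", "cpe-192-0-2-10.dynamic.example-isp.invalid"),  # dynamic pool
    ("198.51.100.25", "mail.example.invalid"),                       # named 'mail.'
    ("198.51.100.26", "smtp-out.example.invalid"),                   # legitimate relay, no 'mail.'
]


def compare(peers=SAMPLE_PEERS):
    """Side-by-side results: list of (ip, naive_rule_rejects, dul_decision)."""
    return [(ip, naive_ptr_reject(ptr), decide(ip)) for ip, ptr in peers]


if __name__ == "__main__":
    for ip, naive, dul in compare():
        print(f"{ip:15} naive-reject={naive!s:5} dul={dul}")
```

The third peer is the case the reply warns about: a perfectly ordinary relay whose PTR happens not to contain "mail." is refused by the naive rule but accepted under the DUL policy, while the dynamic-pool host is caught by both.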
Re: On-going Internet Emergency and Domain Names
On Tue, 3 Apr 2007, Adrian Chadd wrote:
> On Tue, Apr 03, 2007, Tony Finch wrote:
> > On Mon, 2 Apr 2007, David Conrad wrote:
> > > Even if a delay were imposed, I'm not sure I see how this would actually help as I would assume it would require folks to actually look at the list of newly created domains and discriminate between the ones that were created for good and the ones created for ill. How would one do this?
> > A good start would be to forbid the delegation of newly-registered domains that have not yet been paid for.
>
> Define "paid for". Paid for == bank said yes, or Paid for == bank said yes and then said "Whoa, no; that's not really right". (I truly wonder what the domain registrars are seeing as CC transaction failure rates, and why the banks haven't stepped in.)

The banks don't lose enough money to warrant action, at least action specific to these registrars. TWC (Transaction Without Card) is something banks lose billions of USD every year on. In most cases though, they are able to respond accordingly and then the registrar (not the victim user or the bank) are the ones losing money. Further action would mean further loss.

Gadi.

> Adrian
Re: On-going Internet Emergency and Domain Names
> > created domains and discriminate between the ones that were created for good and the ones created for ill. How would one do this?
> A good start would be to forbid the delegation of newly-registered domains that have not yet been paid for.

I am not aware of any registrars that extend credit other than via credit cards. Registries all require prepayment from registrars. Is there some loophole I'm not aware of? Even domain tasting involves paying and then getting a refund.

If you mean waiting long enough to see if the credit card bounces, that would be a swell idea but since it can often take more than six weeks for the cardholder to notice a bogus charge and complain, I suspect you'd see some pushback on a waiting period that long.

R's,
John
Re: On-going Internet Emergency and Domain Names
Gadi, 4 days and 56 messages later... no pieces of the sky have hit me on the head yet. Trolling NANOG-L is as productive as ever. How long until you troll us again? Will it be another INTERNET EMERGENCY or just a provocative statement that starts a 50-message OT argument about botnets? NANOG-L would be more useful to those of us who actually operate networks if you would stop it.

Gadi Evron wrote:
> There is a current on-going Internet emergency: a critical 0day vulnerability currently exploited in the wild threatens numerous desktop systems which are being compromised and turned into bots, and the domain names hosting it are a significant part of the reason why this attack has not yet been mitigated.
Re: On-going Internet Emergency and Domain Names
On Wed, 4 Apr 2007, Albert Meyer wrote:
> Gadi, 4 days and 56 messages later... no pieces of the sky have hit me on the head yet. Trolling NANOG-L is as productive as ever. How long until you troll us again? Will it be another INTERNET EMERGENCY or just a provocative statement that starts a 50-message OT argument about botnets? NANOG-L would be more useful to those of us who actually operate networks if you would stop it.

At least this time you sent a comprehensible note to the list rather than "can't you die already" in private. :)

> Gadi Evron wrote:
> > There is a current on-going Internet emergency: a critical 0day vulnerability currently exploited in the wild threatens numerous desktop systems which are being compromised and turned into bots, and the domain names hosting it are a significant part of the reason why this attack has not yet been mitigated.
Re: On-going Internet Emergency and Domain Names
On 1-Apr-2007, at 22:30, Gadi Evron wrote:
> But building a wall to protect your port from attacks by pirates will not make the pirates go away, and unfortunately, we can't convince everybody to build walls and our security is nowadays dependent on others'.

If you consider the possibility that you can never make the pirates go away, building walls sounds like sensible advice.

Joe
Re: On-going Internet Emergency and Domain Names
On Mon, 2 Apr 2007, Joe Abley wrote:
> On 1-Apr-2007, at 22:30, Gadi Evron wrote:
> > But building a wall to protect your port from attacks by pirates will not make the pirates go away, and unfortunately, we can't convince everybody to build walls and our security is nowadays dependent on others'.
> If you consider the possibility that you can never make the pirates go away, building walls sounds like sensible advice.

You got me there. I will add:
You can NEVER make the Pirates go away but;
You can make sure they never enter your seas

Enough analogies though. :)

> Joe
Re: On-going Internet Emergency and Domain Names
> You got me there. I will add:
> You can NEVER make the Pirates go away but;
> You can make sure they never enter your seas

At which point, they take to land. The real issue at heart here is that some people wish to pursue evil means, and will change tactics and seek out weaknesses wherever they may find them. Today it might be weak verification of domain registry infrastructure, tomorrow it might be exploiting some p2p network. As has been repeated already, creating a fix in one technology will just force the would-be criminal to use another.

The only real solution here is to make fewer criminals, and your only chances of that are to have more effective means of prosecuting them. In that aspect, I'm afraid we are quite a long way off, and will still always be a reactive process as opposed to a proactive process. The only hope is that it would deter future riffraff (though you could argue, such as with the pirate analogy, they will just find new avenues of attack).
Re: On-going Internet Emergency and Domain Names
> On 1-Apr-2007, at 22:30, Gadi Evron wrote:
> > But building a wall to protect your port from attacks by pirates will not make the pirates go away, and unfortunately, we can't convince everybody to build walls and our security is nowadays dependent on others'.
> If you consider the possibility that you can never make the pirates go away, building walls sounds like sensible advice.

It is uncommon for one single solution to be entirely correct to the point of not benefitting from other steps. Everybody locks their doors and windows at home ... right? (maybe not) We maintain a police department to deter bands of thugs from roaming the streets breaking into every house they pass. You may have an alarm system installed at your house, to notify someone when something is amiss. You may even harden your house in other ways (better locks, laminate on the windows, etc) to make it harder to penetrate. Not one of these steps is by itself a major deterrent to crime, but when taken together, it is reasonably effective at making a would-be intruder go elsewhere.

The Internet is a new challenge, and Gadi is right in saying that security is dependent on others, since your neighbor's resources can be turned on you. However, the smart money is still on taking more steps than just relying on policing the core, or the community, or whatever.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam (CNN)
With 24 million small businesses in the US alone, that's way too many apples.
Re: On-going Internet Emergency and Domain Names
On Mon, 2 Apr 2007, Andy Johnson wrote:
> weaknesses wherever they may find them. Today it might be weak verification of domain registry infrastructure, tomorrow it might be exploiting some p2p network.

so, what exactly is the problem with registrations? One of the problems I see is with a seeming lack of follow-through on fraudulently purchased domains. Another is a seemingly long time to remove domains that are 'up to no good'. Taking out of this problem space the 'domain tasting' or 'domain kiting' issue (which is really a use of loopholes there for consumer protection...)

If you look at the domain registration system as a legacy process, what would you do differently if re-inventing it? That, it seems to me, is likely the best path forward. Take your opinions/options and get them codified into new policy for registries/registrars to follow. With every relatively static and relatively open set of policies eventually bad-actors will find a set of loopholes or vulnerabilities to get their job done. It seems that re-evaluating the policies/procedures/requirements would be useful in this matter.

-Chris
Re: On-going Internet Emergency and Domain Names
On Apr 1, 2007, at 8:15 PM, Roland Dobbins wrote:
> On Apr 1, 2007, at 6:16 PM, Douglas Otis wrote:
> > Reacting to new domains after the fact is often too late.
> What happens when they're wrong?

Most assessments are fairly straightforward. As with any form of protection, there may be false positives. More attractive and successful services would reduce the level of false positives while still retaining a reasonable level of protection.

> And who's 'they', btw? What qualifications must 'they' have? And what happens if a registrar disagrees with 'them'? Or when 'they' are instructed by their governments to object to a domain because of its perceived lack of redeeming social value, or somesuch?

Market forces would determine these questions. The service must be independent of registrars. One might expect law enforcement to become involved in look-alike domains when notified by affected third parties. As a result of legal actions, there should be some agency (or geographic specific courts for ccTLDs) to resolve conflicts. This seems like a worthwhile investment, as reducing Internet crime in this manner should save much more than it costs.

> It seems to me as if we've just talked through the institutionalization of the Department of Domain Pre-Crime, with all that entails. It could be argued that the proposed solution might be worse than the problem it's purporting to solve.

This is about recognizing the weapon being used. In the case of a zone file preview, that the same weapon is about to be used again. Zone previews enable another defensive layer to be provided by the market place. It requires little from the registries and nothing from the registrars. Although the registrar may have their deposit held when a law enforcement agency requests a domain be held pending resolution.

-Doug
Re: On-going Internet Emergency and Domain Names
> so, what exactly is the problem with registrations? One of the problems I see is with a seeming lack of follow-through on fraudulently purchased domains. Another is a seemingly long time to remove domains that are 'up to no good'.

Agreed with on both points. See below for view of the problem.

> If you look at the domain registration system as a legacy process, what would you do differently if re-inventing it? That, it seems to me, is likely the best path forward. Take your opinions/options and get them codified into new policy for registries/registrars to follow. With every relatively static and relatively open set of policies eventually bad-actors will find a set of loopholes or vulnerabilities to get their job done. It seems that re-evaluating the policies/procedures/requirements would be useful in this matter.

Absolutely, we should always be re-evaluating our policies to verify they are up to meeting today's demands. The unfortunate side of this is, it may end up increasing costs. If we cut down on the automation of domains, and had more respect for what ends up in the TLD/root servers, perhaps it would cut down (note: cut down does not imply eradicate) DNS abuse. The process should be more akin to requesting more IP space. If we treat DNS space as an unlimited resource, and give it away for a couple of bucks per year, it's much easier to abuse. However, if you had to justify your usage and naming, and have a human actually process that request, perhaps it would cut down on bogus registrations. Though, as I've mentioned already, once DNS becomes sufficiently difficult to abuse, said bad-actors will just pursue other methods, and we will be left with an overzealous registration process that costs entirely too much.
Re: On-going Internet Emergency and Domain Names
> You got me there. I will add:
> You can NEVER make the Pirates go away but;
> You can make sure they never enter your seas
> Enough analogies though. :)

The Flying Spaghetti Monster is not at all happy about this talk of stopping pirates. He will likely smite you all with his noodly appendage. RAmen.

-Don
Re: On-going Internet Emergency and Domain Names
On Apr 1, 2007, at 6:16 PM, Douglas Otis wrote:
> Until Internet commerce requires some physical proof of identity, fraud will continue.

As has already been stated, this is hardly a guarantee. It seems to me that we're in danger of straying into déformation professionnelle.

---
Roland Dobbins [EMAIL PROTECTED] // 408.527.6376 voice
Words that come from a machine have no soul. -- Duong Van Ngo
RE: On-going Internet Emergency and Domain Names
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Dambier
Sent: Saturday, March 31, 2007 4:46 AM
To: nanog@merit.edu
Subject: Re: On-going Internet Emergency and Domain Names

> Port 25 is bad. It has been blocked.

I thought that. Rather, I thought a lot more providers would actually be blocking outbound 25 except to their SMTP servers. Just brought up a new mail server for a friend; moved an old (14+ year) domain.. I was amazed at the number of connections from rr.com, comcast.net, cox.net, verizon, etc etc etc obviously not official mail servers. I'm actually tempted to start blocking anything that doesn't say mail. in it somewhere.. :)
Re: On-going Internet Emergency and Domain Names
On Apr 2, 2007, at 11:07 AM, Roland Dobbins wrote:
> On Apr 1, 2007, at 6:16 PM, Douglas Otis wrote:
> > Until Internet commerce requires some physical proof of identity, fraud will continue.
> As has already been stated, this is hardly a guarantee. It seems to me that we're in danger of straying into déformation professionnelle.

Agreed, and my apologies for not being clear. Registrars are unable to curtail current levels of fraud without significant changes in how domains are acquired. Consider registrar related fraud as a separate and perhaps even fruitless topic.

The recommendation was for registries to provide a preview of the next day's zone. A preview can reduce the amount of protective data required, and increase the timeframe allotted to push correlated threat information to the edge. This correlated threat information can act in a preemptive fashion to provide a significant improvement in security. This added level of protection can help defeat expected and even unexpected threats that are becoming far too common as well.

-Doug
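What a consumer of the zone preview described here (and in the earlier "zone file preview" reply) would actually do with it, as an added example that is not code from the thread, from Doug Otis, or from any registry: diff the preview of tomorrow's zone against today's zone to extract the newly delegated names, then run the additions through a simple correlation step so the result can be pushed out before the names go live. The two zone snapshots, the origin `example.` standing in for a TLD, and the protected-label list are constructed for the example; the look-alike heuristic is deliberately minimal.

```python
"""Extract newly delegated names from a registry's preview of tomorrow's
zone by diffing it against today's zone, then correlate the additions with
a list of protected labels. The two zone snapshots, the 'example.' origin
and the protected-label list are all constructed for this example."""


def parse_delegations(zone_text, origin):
    """Return {owner_fqdn: set(nameserver_fqdns)} for every NS record below
    the apex of a master-format zone. Handles $ORIGIN, ';' comments, optional
    TTL/class fields, relative and absolute owner names, and continuation
    lines whose owner field is blank."""
    current_origin = origin.rstrip(".") + "."
    delegations = {}
    last_owner = "@"
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()   # drop comments, keep indentation
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            current_origin = line.split()[1].rstrip(".") + "."
            continue
        if line.startswith("$"):               # $TTL and other directives
            continue
        fields = line.split()
        if line[0].isspace():                  # blank owner: reuse the previous one
            fields.insert(0, last_owner)
        owner, rest = fields[0], fields[1:]
        last_owner = owner
        while rest and (rest[0].isdigit() or rest[0].upper() == "IN"):
            rest.pop(0)                        # skip TTL and class tokens
        if len(rest) < 2 or rest[0].upper() != "NS":
            continue
        if owner == "@":
            fqdn = current_origin
        elif owner.endswith("."):
            fqdn = owner
        else:
            fqdn = f"{owner}.{current_origin}"
        if fqdn == current_origin:
            continue                           # apex NS set is not a delegation
        ns = rest[1]
        if not ns.endswith("."):
            ns = f"{ns}.{current_origin}"
        delegations.setdefault(fqdn.lower(), set()).add(ns.lower())
    return delegations


def new_delegations(today_text, preview_text, origin):
    """Names delegated in the preview but absent today, plus existing names
    whose NS set differs. Both lists are sorted for stable output."""
    today = parse_delegations(today_text, origin)
    preview = parse_delegations(preview_text, origin)
    added = sorted(n for n in preview if n not in today)
    changed = sorted(n for n in preview if n in today and preview[n] != today[n])
    return added, changed


def flag_lookalikes(names, protected_labels):
    """Minimal correlation step: flag a new delegation whose first label
    contains a protected label as a candidate for closer review. A real feed
    would add many more signals; this is only the shape of the check."""
    flagged = []
    for name in names:
        first_label = name.split(".")[0]
        hits = [p for p in protected_labels if p in first_label]
        if hits:
            flagged.append((name, hits))
    return flagged


# Constructed snapshots of a small zone; 'example.' stands in for a TLD.
TODAY_ZONE = """\
$ORIGIN example.
$TTL 86400
@        IN SOA ns1.example. hostmaster.example. 2007040201 7200 3600 1209600 86400
@        IN NS  ns1.example.
bank     IN NS  ns1.bank.example.
         IN NS  ns2.bank.example.
shop     IN NS  ns.hoster.example.
ns1.bank IN A   192.0.2.1
"""

PREVIEW_ZONE = TODAY_ZONE + """\
bank-login   IN NS ns.bulk-host.example.   ; constructed look-alike of 'bank'
secure-bank  IN NS ns.bulk-host.example.   ; constructed look-alike of 'bank'
shop         IN NS ns2.hoster.example.     ; existing delegation gains a server
"""

PROTECTED_LABELS = ["bank"]   # constructed list of labels worth a second look


def run():
    """Diff the constructed snapshots and return (added, changed, flagged)."""
    added, changed = new_delegations(TODAY_ZONE, PREVIEW_ZONE, "example")
    return added, changed, flag_lookalikes(added, PROTECTED_LABELS)


if __name__ == "__main__":
    added, changed, flagged = run()
    print("new delegations:", added)
    print("changed NS sets:", changed)
    print("flag for review:", flagged)
```

The diff is the part that depends on the preview existing at all: with a next-day snapshot, `added` is known a day before the names resolve, which is the extra lead time the message refers to. The same parser works on two consecutive daily snapshots where no preview is offered, but then the names are already live when the list is produced.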
Re: On-going Internet Emergency and Domain Names
On Apr 2, 2007, at 4:56 PM, Douglas Otis wrote:
> The recommendation was for registries to provide a preview of the next day's zone. A preview can reduce the amount of protective data required, and increase the timeframe allotted to push correlated threat information to the edge. This correlated threat information can act in a preemptive fashion to provide a significant improvement in security. This added level of protection can help defeat expected and even unexpected threats that are becoming far too common as well.

OK, I understand this, but the previously-expressed comments about unintentional/undesirable consequences and not addressing the actual cause of the problem (inadequate and/or inefficient credit card processing and inefficient business processes), as well as the comments regarding practicalities and so forth, haven't really been addressed (pardon the pun), IMHO.

---
Roland Dobbins [EMAIL PROTECTED] // 408.527.6376 voice
Words that come from a machine have no soul. -- Duong Van Ngo
Re: On-going Internet Emergency and Domain Names
On Apr 2, 2007, at 4:56 PM, Douglas Otis wrote:
> The recommendation was for registries to provide a preview of the next day's zone.

I think this might be a bit in conflict with efforts registries have to reduce the turnaround in zone modification to the order of tens of minutes.

Rgds,
-drc
Re: On-going Internet Emergency and Domain Names
David Conrad [EMAIL PROTECTED] wrote:
> On Apr 2, 2007, at 4:56 PM, Douglas Otis wrote:
> > The recommendation was for registries to provide a preview of the next day's zone.
> I think this might be a bit in conflict with efforts registries have to reduce the turnaround in zone modification to the order of tens of minutes.

I'm not even sure how to respond to that one. :-)

- ferg

-- 
Fergie, a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg(at)netzero.net
ferg's tech blog: http://fergdawg.blogspot.com/
Re: On-going Internet Emergency and Domain Names
On Fri, Mar 30, 2007 at 09:18:07PM -0500, Gadi Evron wrote:
> There is a current on-going Internet emergency:
...

Having just read and deleted somewhere between 100 and 400 messages on this, I don't really want to add to the noise. I hope there's some signal here.

One thing is clear, that Gadi wants DNS completely re-vamped. He says that it is an infrastructure for abuse. Come on! DNS is a lookup mechanism. It is the infrastructure for EVERYTHING. So, yes, it is the infrastructure for the abuse. It is ALSO the infrastructure for doing things right. It may even be the infrastructure for the solution. [Vixie thinks it's DNSSEC - but the problem is, the data being inserted IS authentic data, filed in a registry.] More likely, though, as this is a social problem, the solution is completely outside the technical realm.

ICANN is working on the domain tasting issue, as a quick lookup shows. PIR has proposed a restock fee. An independent report to ICANN advises that Verisign should do the same thing. Will this stop domain tasting? It will, at least, make it less profitable. Will this stop the pirates? No, of course not, as said at least fifty times in this thread. But if this catches on world-wide, they may choose a different mode of ingress into our lives than this fast-flux route.

Will legislation solve anything? Probably not. Who legislates for the entire world? Although I did note that the WTO did smack the USA down for some things recently, and they had to sit there and take it. [Well, with some ineffective loud complaints.] So maybe there is someone who can really enforce international law. I wouldn't know. [Who DOES make international law? Is it just treaty and precedent? Ooops, OT!]

Gadi wants a separate root server that he can trust. I think we've already seen the evil of separate roots, except those who claim it's our saviour. I fail to see the relevance, here, at all. Besides, the root is in so many countries today, why aren't we trusting it? [Except for the poorly run or separated copies.]

Gadi wants to be able to blacklist domain names immediately when called for by ... oh, wait, we haven't figured that out yet. It would have to be someone who is always right before I would accept it. And He hasn't said a thing about domain names yet.

I kind of liked Doug Otis' suggestion of a mandatory waiting period for all domain registrations. Even if we didn't take the time to check all registered domains for illegal payment methods or known name-terrorists [;-)], it would certainly end the fast-flux capability. Of course, everyone would complain; but if it were universal, it would be accepted. Would someone come up with a way around it? Have they come up with a way around the firearm waiting period? Of course. But it's harder. But it's also not clear that, long-term [once they get bored with fast-flux, or the easily mined value of it has gone] it really has any merit.

I don't want to say that none of Gadi's own ideas have merit, because they do. [As long as one doesn't make a spectacular leap from one of those to a totally unrelated idea with no visible support.] Perhaps there should be someone somewhere to whom the bewildered DNS user [everybody!] can turn when there is a domain [not DNS, but a domain] that is being abused. The someone could look into it and see whether it's purely an abuse domain, and if so, recommend that it be terminated. As much as I like this idea, it has the possibility for turning into the Inquisition. It would need checks and balances - for none of us mere humans could possibly find out all the uses of a domain, or how it was paid for, or all the things for which it is used. So we would have to go with the best information we can find, and that may not be enough. There would have to be checks and balances and appeals and all the trappings of the more civilised sort of justice that allow people and companies accused of violations of the law to keep doing it for years before a resolution is found. But this is what frustrates all of us, Gadi no less than any.

And speaking of such companies, before fixing DNS, shouldn't we be forcing the company whose software generates a whole industry in fixing its bugs to correct itself? Why is that not the issue?

There were too many other issues that I had wanted to address, but I think this is getting too long already. I do want to repeat, this is a social problem, and needs social solutions, most likely ones that take a bite out of the easy money causing the various abuses discussed in this thread.

-- 
Joe Yao
Analex Contractor
Re: On-going Internet Emergency and Domain Names
On Mon, Apr 02, 2007 at 05:33:08PM -0700, David Conrad wrote:
> On Apr 2, 2007, at 4:56 PM, Douglas Otis wrote:
> > The recommendation was for registries to provide a preview of the next day's zone.
> I think this might be a bit in conflict with efforts registries have to reduce the turnaround in zone modification to the order of tens of minutes.

Why is this necessary? Other than the cool factor.

-- 
Joe Yao
Analex Contractor
Re: On-going Internet Emergency and Domain Names
On Apr 1, 2007, at 8:45 AM, Gadi Evron wrote:
> On Sun, 1 Apr 2007, David Conrad wrote:
> > On Mar 31, 2007, at 8:44 PM, Gadi Evron wrote:
> > I'm not clear what this realm actually is.
> Abuse and Security (non infrastructure).

Well, ICANN is supposed to look after "the security and stability of the Internet", which is sufficiently vague and ambiguous to cover pretty much anything. I was actually looking for something a bit more concrete.

The one concrete suggestion I've seen is to induce a delay in zone creation and publish a list of newly created names within the zone. The problem with this is that it sort of assumes:

a) the registries all work on similar timescales
b) that timescale is on the order of a day
c) ICANN has a mechanism to induce the registries to make changes to those timescales
d) making changes along these lines would be what end users actually want.

Of these options:

- (a) isn't true (by observation)
- (b) is currently true for com/net, but I don't expect that to last -- I've heard there is a lot of competitive pressure on the registries to be faster in doing zone modifications
- (c) I don't think is true now for even those TLDs ICANN has a contractual relationship with and is highly unlikely to ever be true for the vast majority of TLDs
- (d) probably isn't true, given lots of people complain about how long it takes to get zone changes done now and I believe registries are working to reduce the amount of time significantly due to customer demand.

Even if a delay were imposed, I'm not sure I see how this would actually help as I would assume it would require folks to actually look at the list of newly created domains and discriminate between the ones that were created for good and the ones created for ill. How would one do this?

Rgds,
-drc

P.S. I should point out that IANA has only glancing interaction with the registry/registrar world, so I'm working from a large amount of ignorance here. Fortunately, being ignorant rarely stops me... :-)
Re: On-going Internet Emergency and Domain Names
On Apr 2, 2007, at 7:12 PM, Joseph S D Yao wrote:
> On Mon, Apr 02, 2007 at 05:33:08PM -0700, David Conrad wrote:
> > I think this might be a bit in conflict with efforts registries have to reduce the turnaround in zone modification to the order of tens of minutes.
> Why is this necessary? Other than the cool factor.

I think the question is why should the Internet be constrained to engineering decisions made in 1992?

Rgds,
-drc
Re: On-going Internet Emergency and Domain Names
> From: David Conrad [EMAIL PROTECTED]
> Subject: Re: On-going Internet Emergency and Domain Names
> Date: Mon, 2 Apr 2007 17:33:08 -0700
>
> On Apr 2, 2007, at 4:56 PM, Douglas Otis wrote:
>> The recommendation was for registries to provide a preview of the next day's zone.
>
> I think this might be a bit in conflict with efforts registries have to reduce the turnaround in zone modification to the order of tens of minutes.

This is getting far afield from 'network operations', but the underlying issue is really quite simple:

There are *NO*PENALTIES* for registering 'bogus' domains.

The registry operator has -no- (financial) incentive to investigate, nor remove, a 'falsified' entry. Once a name is in the database, _anything_ affecting it is an 'un-necessary expense' to the registry operator.

Similarly, there is no dis-incentive to a registrar with regard to _filing_ a bogus registration with a registry.

Address _these_ issues, and the domain names problem will effectively disappear.

One _possible_ approach to dealing with the problem:

1) registry includes in its contract with registrars a (non-trivial) $$ penalty for any registration filed that is found to contain invalid information.

2) 'formal complaints' to registrar about invalid information must include a 'filing fee' for the complaint. If the complaint is in-accurate, the filer loses their filing fee. HOWEVER, if the complaint _is_ valid, the _original_ filer gets back _more_ than their fee (paid out of the 'fine', see item 1, above, assessed against the registrar) while any additional complainants get all their original money returned.

   Possible variation: the size of the fine assessed against the registrar for a 'confirmed' complaint depends on the number of complaints received within some 'reasonable' time of the first complaint -- and all complaints within that 'window' get the 'bounty' for a valid complaint.

3) Registrars are charged a _sliding-scale_ of fees, with higher fees based on the numbers and/or percentages of 'bogus' registrations submitted recently. (This is similar to the way 'unemployment taxes' are assessed in the U.S. If there are more claims against your company, you pay a higher rate than similar firms with lower claims.)

4) Registrars with higher rates of 'invalid' submissions are _rate-limited_ as to how fast they can submit registrations.

Underlying assumptions:

A) The 'filing fee' approximates the registry operator cost of performing a basic investigation.

B) The 'fine' assessed against a registrar is significantly higher than the actual 'cost' of the investigation.

C) A registrar that has higher per-registration costs is at a competitive disadvantage to those who can provide equivalent service at a lower price.

D) A registrar who has to say "We'll take your application now, but we can't tell you for xx hours (or days) if your application for that name was successful" is at a competitive disadvantage to one who can tell you _now_ 'your application was successful'.

*THIS* gives the registry operator an incentive to 'clean house' -- finding and eliminating 'problem listings' is a REVENUE SOURCE.

Similarly, registrars have an incentive to ensure that their _own_ house is clean. Lack of diligence costs them extra money, -and- places them at a disadvantage relative to their competition.

'White-hat' registrars can do something similar with regard to registrants. Registrants fall into three broad categories; (a) those who have never filed before, (b) those who _do_ have a history of problem-free filings, and (c) those who have a history of filings where there have been some problems.

Those with a 'no problems' history are processed in an expedited manner, subject to checks for 'abnormal' behavior -- e.g. a radical increase in the number/rate of submissions.

Those with no histories are subjected to additional cross-checking/verification, and, possibly, higher 'new user' charges.

Those with 'problematic' histories get deferred, surcharged, and/or rate-limited processing.

One can 'tune' the rate schedules for 'new users', and 'problematic' filers, to reflect the risk level that the registrar is willing to incur, -with- the recognition that registrar-level penalties imposed by a registry operator will affect _all_ registrations through that registrar, not just 'problematic' ones.
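As an added illustration of the intake scheme sketched in the message above (not code from any registry, registrar or list member), the following Python models the registrar sliding scale and rate limit from items 3 and 4 together with the three registrant categories and the "radical increase in rate" check. The tier table, the 1000-filing window, the base fee, the surcharges and the spike thresholds are all assumed values chosen for the example.

```python
"""Intake gate for registrar filings, modelled on the sliding-scale fee,
rate-limit and registrant-history scheme proposed in the message above.
Added illustration only: the tier table, window size, fee and anomaly
thresholds are assumed values, not any registry's actual schedule."""
from collections import deque
from dataclasses import dataclass, field

BASE_FEE = 8.00      # assumed per-registration fee paid to the registry
WINDOW = 1000        # assumed: bogus rate is measured over the last 1000 filings

# Assumed sliding scale, checked top to bottom:
# (max bogus fraction, fee multiplier, max filings accepted per hour)
REGISTRAR_TIERS = [
    (0.01, 1.0, 10_000),
    (0.05, 1.5, 1_000),
    (0.20, 3.0, 100),
    (1.00, 6.0, 10),
]


@dataclass
class RegistrarHistory:
    """Outcome of recent filings: True where a filing was later found bogus."""
    recent: deque = field(default_factory=lambda: deque(maxlen=WINDOW))

    def record(self, was_bogus: bool) -> None:
        self.recent.append(was_bogus)

    def bogus_rate(self) -> float:
        return sum(self.recent) / len(self.recent) if self.recent else 0.0


def registrar_terms(history: RegistrarHistory):
    """Fee per filing and hourly submission cap for the registrar's current bogus rate."""
    rate = history.bogus_rate()
    for ceiling, multiplier, hourly_cap in REGISTRAR_TIERS:
        if rate <= ceiling:
            return round(BASE_FEE * multiplier, 2), hourly_cap
    raise AssertionError("last tier ceiling of 1.0 must catch every rate")


def classify_registrant(prior_filings: int, prior_problems: int) -> str:
    """The three registrant categories from the message: new, clean, problematic."""
    if prior_filings == 0:
        return "new"
    return "clean" if prior_problems == 0 else "problematic"


def rate_is_abnormal(daily_counts, spike_factor=5.0, minimum=10) -> bool:
    """'Radical increase' check: today's filings versus the trailing daily average.
    daily_counts is oldest..newest; the last entry is today. Thresholds are assumed."""
    if len(daily_counts) < 2:
        return False
    today, history = daily_counts[-1], daily_counts[:-1]
    baseline = sum(history) / len(history)
    return today >= minimum and today > spike_factor * max(baseline, 1.0)


def registrant_decision(prior_filings, prior_problems, daily_counts):
    """Processing path and surcharge for one registrant (surcharges are assumed values)."""
    category = classify_registrant(prior_filings, prior_problems)
    if category == "clean":
        action = "verify" if rate_is_abnormal(daily_counts) else "expedite"
        return {"category": category, "action": action, "surcharge": 0.0}
    if category == "new":
        return {"category": category, "action": "verify", "surcharge": 2.0}
    # problematic history: deferred, surcharged and rate-limited processing
    return {"category": category, "action": "defer", "surcharge": 10.0}


if __name__ == "__main__":
    h = RegistrarHistory()
    for outcome in [False] * 70 + [True] * 30:   # constructed: 30% of recent filings bogus
        h.record(outcome)
    print(registrar_terms(h))
    print(registrant_decision(200, 0, [3, 4, 2, 5, 60]))  # clean filer suddenly at 60/day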
Re: On-going Internet Emergency and Domain Names
On Mon, 2 Apr 2007, David Conrad wrote:
> On Apr 2, 2007, at 7:12 PM, Joseph S D Yao wrote:
>> On Mon, Apr 02, 2007 at 05:33:08PM -0700, David Conrad wrote:
>>> I think this might be a bit in conflict with efforts registries have to reduce the turnaround in zone modification to the order of tens of minutes.
>>
>> Why is this necessary? Other than the cool factor.
>
> I think the question is why should the Internet be constrained to engineering decisions made in 1992?

or victims of policy of that same 'vintage'... doing things faster isn't bad, doing it with less checks and balances and more people willing to abuse the lack of checks/balances seems like a bad idea. If you can get a domain added to the system fresh in 5min or less, why does it take +90 days to get it removed when all data about the domain is patently false and the CC used to purchase the domain was reported stolen 2+ years ago?

I don't mean to pick on anyone in particular, but wow, to me this seems like just a policy update requirement.
Re: On-going Internet Emergency and Domain Names
On Mon, 2 Apr 2007, David Conrad wrote:
> On Apr 2, 2007, at 7:12 PM, Joseph S D Yao wrote:
>> On Mon, Apr 02, 2007 at 05:33:08PM -0700, David Conrad wrote:
>>> I think this might be a bit in conflict with efforts registries have to reduce the turnaround in zone modification to the order of tens of minutes.
>>
>> Why is this necessary? Other than the cool factor.
>
> I think the question is why should the Internet be constrained to engineering decisions made in 1992?

Amen to that.

That said, you know better than me that even if not constrained, it still needs legacy support as well as small steps. Unless, of course, the changes are not in engineering decisions.

Rgds,
-drc
Re: On-going Internet Emergency and Domain Names
-- David Conrad [EMAIL PROTECTED] wrote:
> On Apr 2, 2007, at 7:12 PM, Joseph S D Yao wrote:
>> On Mon, Apr 02, 2007 at 05:33:08PM -0700, David Conrad wrote:
>>> I think this might be a bit in conflict with efforts registries have to reduce the turnaround in zone modification to the order of tens of minutes.
>>
>> Why is this necessary? Other than the cool factor.
>
> I think the question is why should the Internet be constrained to engineering decisions made in 1992?

For me, it's more of a matter of "Is the Internet actually a bigger cesspool than it was ten years ago?" and the answer I keep hearing from every corner is a resounding "Yes".

$.02,

- ferg

--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg(at)netzero.net
 ferg's tech blog: http://fergdawg.blogspot.com/
Re: On-going Internet Emergency and Domain Names
On Apr 2, 2007, at 6:29 PM, David Conrad wrote:
> On Apr 1, 2007, at 8:45 AM, Gadi Evron wrote:
>> On Sun, 1 Apr 2007, David Conrad wrote:
>>> On Mar 31, 2007, at 8:44 PM, Gadi Evron wrote:
>>> I'm not clear what this realm actually is.
>>
>> Abuse and Security (non infrastructure).
>
> Well, ICANN is supposed to look after the security and stability of the Internet, which is sufficiently vague and ambiguous to cover pretty much anything. I was actually looking for something a bit more concrete.
>
> The one concrete suggestion I've seen is to induce a delay in zone creation and publish a list of newly created names within the zone. The problem with this is that it sort of assumes:
>
> a) the registries all work on similar timescales
> b) that timescale is on the order of a day
> c) ICANN has a mechanism to induce the registries to make changes to those timescales
> d) making changes along these lines would be what end users actually want.
>
> Of these options:
>
> - (a) isn't true (by observation)
> - (b) is currently true for com/net, but I don't expect that to last -- I've heard there is a lot of competitive pressure on the registries to be faster in doing zone modifications
> - (c) I don't think is true now for even those TLDs ICANN has a contractual relationship with and is highly unlikely to ever be true for the vast majority of TLDs
> - (d) probably isn't true, given lots of people complain about how long it takes to get zone changes done now and I believe registries are working to reduce the amount of time significantly due to customer demand.
>
> Even if a delay were imposed, I'm not sure I see how this would actually help as I would assume it would require folks to actually look at the list of newly created domains and discriminate between the ones that were created for good and the ones created for ill. How would one do this?

Good points. The suggestion was to preview the addition of domains 24 hours in advance of being published. This can identify look-alike and cousin domain exploits, and establish a watch list when necessary. A preview provides valuable information for tracking bad actors and for setting up more effective defenses as well.

Should a 24 hour delay on updates prove unworkable, one method might be to flag new domains. The flag would cause the record to remain hidden until the flag is removed. Perhaps IN could be set to something else as a signal the record is being previewed. The registrar would not see the flag, but would see the information as it would appear when finally published. Nothing should appear different from the registrar's perspective. It would also be good to establish feeds to interested parties of modifications as they occur.

Currently domain name additions are accomplished in milliseconds, but then reported after 24 hours. This agility is being heavily abused by bad actors hiding within the daily churn of millions of new domains. A preview mode of operation offers a viable defensive tactic that should not impose much in the way of additional costs.

-Doug
Re: On-going Internet Emergency and Domain Names
On Mon, Apr 02, 2007 at 09:53:19PM -0500, Robert Bonomi wrote:
...
> This is getting far afield from 'network operations', but the underlying issue is really quite simple:
>
> There are *NO*PENALTIES* for registering 'bogus' domains.
>
> The registry operator has -no- (financial) incentive to investigate, nor remove, a 'falsified' entry. Once a name is in the database, _anything_ affecting it is an 'un-necessary expense' to the registry operator.
...

See the aforementioned restock fees presented to ICANN. How much of a disincentive would they be?

--
Joe Yao
Analex Contractor
Re: On-going Internet Emergency and Domain Names
-- Joseph S D Yao [EMAIL PROTECTED] wrote:
> See the aforementioned restock fees presented to ICANN. How much of a disincentive would they be?

Not much, I would think.

http://www.icann.org/minutes/resolutions-22nov06.htm

Unless you have a more explicit pointer, a quick check at ICANN reveals that the restock fee proposed in November 2000 applies to PIR and the .ORG TLD.

And even if it applied to all (non-ccTLD) domains across the board, it probably wouldn't stop the abuse that we are seeing with bulk registrations, tasting, abuse, etc.

- ferg

--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg(at)netzero.net
 ferg's tech blog: http://fergdawg.blogspot.com/
Re: On-going Internet Emergency and Domain Names
On Apr 2, 2007, at 10:27 PM, Douglas Otis wrote:
> The suggestion was to preview the addition of domains 24 hours in advance of being published. This can identify look-alike and cousin domain exploits, and establish a watch list when necessary. A preview provides valuable information for tracking bad actors and for setting up more effective defenses as well.

And just how many humans would this require? Or are you going to write a 12-kilobyte regex in Perl to do the work for you? Do you know how many trademarks and words that represent companies there are in existence? What about local lingo that might be misleading--like if you weren't familiar with college sports and thus officialNittanyLions.com (contrived example) didn't raise any red flags with you?

I could see perhaps a flag or a standard value to go into TXT (maybe part of the existing SPF conventions) that indicate the age of the domain. Then leave it up to the user as to what to do with that information (a mail server not allowing emails from domains less than 15 days old for example).

[True Story: I had a client who was a pastor of a church. One time he calls me because somebody had used his computer, which was in his locked office, to surf what he was sure was some kind of sick, filthy site. What had actually happened was that the guy fixing his machine the night before (who had a key to all the offices) had left up a browser for the popular tech-tips site ExpertsExchange.com. The pastor, not having heard of the site, read the lowercase site name in the browser bar as ExpertSexChange.com.]
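The domain-age idea in the post above, worked through as an added example (not the poster's code, and not an existing standard): a publishing side puts the domain's creation date in a TXT record, and the receiving mail server applies its own policy to it. The record syntax `v=domainage1; created=YYYY-MM-DD`, the 15-day threshold and the in-memory table standing in for DNS lookups are all assumptions of this example; the decision for a too-young sender is returned as a label so the MTA can map it to a temporary or permanent rejection as its operator prefers.

```python
"""Mail-time domain-age check, sketching the TXT-record idea above.
Added example: the record format "v=domainage1; created=YYYY-MM-DD" is
hypothetical, and the DNS lookup is replaced by a constructed table."""
import re
from datetime import date

MIN_AGE_DAYS = 15   # policy knob: mail from younger domains is flagged too_young

# Constructed stand-in for TXT lookups; a real MTA would query DNS here.
FAKE_TXT = {
    "example.org":    ["v=spf1 mx -all", "v=domainage1; created=2004-08-15"],
    "fresh.example":  ["v=domainage1; created=2007-04-01"],
    "broken.example": ["v=domainage1; created=not-a-date"],
    "early.example":  ["v=domainage1; created=2007-05-01"],
    "silent.example": ["v=spf1 -all"],
}

AGE_RECORD = re.compile(r"^v=domainage1;\s*created=(\d{4})-(\d{2})-(\d{2})$")


def domain_created(domain, txt_lookup=FAKE_TXT.get):
    """Creation date from the first well-formed age record, or None when absent/malformed."""
    for record in txt_lookup(domain.lower().rstrip(".")) or []:
        match = AGE_RECORD.match(record.strip())
        if match:
            try:
                return date(*(int(g) for g in match.groups()))
            except ValueError:
                return None   # a malformed date must not be mistaken for an old domain
    return None


def mail_policy(sender_domain, today, txt_lookup=FAKE_TXT.get):
    """Return (decision, age_in_days). Decisions: accept, too_young, unknown.
    'unknown' covers no record, malformed record, and creation dates in the future,
    so an attacker cannot gain anything by publishing garbage or a future date."""
    created = domain_created(sender_domain, txt_lookup)
    if created is None:
        return "unknown", None
    age = (today - created).days
    if age < 0:
        return "unknown", None
    if age < MIN_AGE_DAYS:
        return "too_young", age
    return "accept", age


if __name__ == "__main__":
    now = date(2007, 4, 3)   # constructed "today" matching the thread's date
    for sender in FAKE_TXT:
        print(sender, mail_policy(sender, now))
```

A receiving MTA treats "unknown" as it does any sender without the record (i.e. no change from today's behaviour), which is what makes the scheme deployable incrementally; only domains that publish a date gain or lose anything from it.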
Re: On-going Internet Emergency and Domain Names
Correction:

-- Fergie [EMAIL PROTECTED] wrote:
> -- Joseph S D Yao [EMAIL PROTECTED] wrote:
>> See the aforementioned restock fees presented to ICANN. How much of a disincentive would they be?
>
> Not much, I would think.
>
> http://www.icann.org/minutes/resolutions-22nov06.htm
>
> Unless you have a more explicit pointer, a quick check at ICANN reveals that the restock fee proposed in November 2000 applies

2006

> to PIR and the .ORG TLD.

- ferg

--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg(at)netzero.net
 ferg's tech blog: http://fergdawg.blogspot.com/
Re: On-going Internet Emergency and Domain Names
-- Patrick Giagnocavo [EMAIL PROTECTED] wrote:
> On Apr 2, 2007, at 10:27 PM, Douglas Otis wrote:
>> The suggestion was to preview the addition of domains 24 hours in advance of being published. This can identify look-alike and cousin domain exploits, and establish a watch list when necessary. A preview provides valuable information for tracking bad actors and for setting up more effective defenses as well.
>
> And just how many humans would this require? Or are you going to write a 12-kilobyte regex in Perl to do the work for you? Do you know how many trademarks and words that represent companies there are in existence? What about local lingo that might be misleading--like if you weren't familiar with college sports and thus officialNittanyLions.com (contrived example) didn't raise any red flags with you?
>
> I could see perhaps a flag or a standard value to go into TXT (maybe part of the existing SPF conventions) that indicate the age of the domain. Then leave it up to the user as to what to do with that information (a mail server not allowing emails from domains less than 15 days old for example).

Good questions, all -- but having said that, there are certainly ways to approach each of these. And of course, there will obviously be things that fall through the cracks. And having said that, something is better than nothing.

The value in matching newly registered domains, the registrants themselves, the nameservers, MX records, and historical IP addresses as a matrix operation is incrementally positive as the effort itself becomes also incremental in the positive.

What I'm saying is this: Historical reputation systems, coupled with intelligence on known malware domains, observed fast-flux'ers, etc., gives some measure of control.

You still have to do an enormous amount of weeding, but again, this is an endeavor that can be undertaken by private and commercial organizations, as long as the domain registration process is changed only slightly, to allow for a minor delay between the time that the registration(s) are made, and the time that they become live.

As it stands now, everyone gets pretty much blind-sided by domains that crop up solely for the sake of malfeasance.

I'm not sure I articulated that very well, but there it is. :-)

- ferg

--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg(at)netzero.net
 ferg's tech blog: http://fergdawg.blogspot.com/
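The screening step that both Doug Otis's preview-feed message and Fergie's reply above describe, as an added example that is neither poster's code: a consumer of a preview feed of pending additions runs each name through a look-alike/cousin check against a watch list of protected brand labels, then matches registrant, nameservers and addresses against known-bad sets, and hands a human only the entries with reasons attached. The brand list, the known-bad sets, the homoglyph map, the 0.85 similarity threshold and every feed entry are constructed for the example; it also answers the scale objection raised in between, since the watch list bounds the comparison rather than every trademark in existence.

```python
"""Screening a preview feed of pending domain additions: look-alike and
cousin detection against a watch list, plus matching of registrant,
nameservers and addresses against known-bad sets. Added illustration:
all brand names, intelligence sets and feed entries are constructed."""
import unicodedata
from difflib import SequenceMatcher

# Constructed watch list and intelligence sets (assumed values, not real data).
PROTECTED_BRANDS = ["examplebank", "bigmail"]
KNOWN_BAD_NAMESERVERS = {"ns1.bad-hoster.example"}
KNOWN_BAD_IPS = {"192.0.2.77"}
KNOWN_BAD_REGISTRANTS = {"mule42@mailer.example"}

# Characters commonly swapped in to imitate letters; illustrative, not exhaustive.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a", "$": "s"})
NEAR_MISS_RATIO = 0.85   # assumed similarity threshold for typo-style look-alikes


def normalize(label: str) -> str:
    """Fold a label to the ASCII string a reader's eye would take it for."""
    ascii_only = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode()
    folded = ascii_only.lower().translate(HOMOGLYPHS)
    # "rn" reads as "m" in many fonts; hyphens/underscores only pad a brand name.
    return folded.replace("rn", "m").replace("-", "").replace("_", "")


def lookalike_reasons(domain: str) -> list:
    """Reasons a pending name resembles a protected brand (empty when it does not)."""
    sld = domain.lower().rstrip(".").split(".")[0]   # assumption: brand sits in the 2nd-level label
    norm = normalize(sld)
    reasons = []
    for brand in PROTECTED_BRANDS:
        if norm == brand:
            if sld != brand:                      # the exact brand in another TLD is not flagged here
                reasons.append(f"homoglyph of {brand}")
        elif brand in norm:
            reasons.append(f"cousin of {brand}")
        elif SequenceMatcher(None, norm, brand).ratio() >= NEAR_MISS_RATIO:
            reasons.append(f"near-miss of {brand}")
    return reasons


def infrastructure_reasons(entry: dict) -> list:
    """Reasons the entry shares registrant or hosting with known-bad domains."""
    reasons = []
    if entry.get("registrant", "").lower() in KNOWN_BAD_REGISTRANTS:
        reasons.append("registrant previously tied to known-bad domains")
    for ns in entry.get("nameservers", []):
        if ns.lower() in KNOWN_BAD_NAMESERVERS:
            reasons.append(f"nameserver {ns} serves known-bad domains")
    for ip in entry.get("ips", []):
        if ip in KNOWN_BAD_IPS:
            reasons.append(f"address {ip} hosts known-bad domains")
    return reasons


def screen(feed: list) -> dict:
    """Map each pending name worth a human look to its reasons; clean names are omitted."""
    flagged = {}
    for entry in feed:
        reasons = lookalike_reasons(entry["name"]) + infrastructure_reasons(entry)
        if reasons:
            flagged[entry["name"]] = reasons
    return flagged


# Constructed preview-feed entries (not real registrations).
SAMPLE_FEED = [
    {"name": "examp1ebank.com", "registrant": "a@x.example", "nameservers": ["ns.ok.example"], "ips": ["198.51.100.9"]},
    {"name": "examplebank-secure.net", "registrant": "b@x.example", "nameservers": ["ns.ok.example"], "ips": []},
    {"name": "bigrnail.com", "registrant": "c@x.example", "nameservers": [], "ips": []},
    {"name": "exanplebank.org", "registrant": "d@x.example", "nameservers": [], "ips": []},
    {"name": "flowers.example", "registrant": "e@x.example", "nameservers": ["ns1.bad-hoster.example"], "ips": []},
    {"name": "quietshop.example", "registrant": "f@x.example", "nameservers": ["ns.ok.example"], "ips": ["198.51.100.10"]},
]

if __name__ == "__main__":
    for name, why in screen(SAMPLE_FEED).items():
        print(name, "->", "; ".join(why))
```

The look-alike rules are the weak half: they will miss names an analyst would catch and flag some that are fine, which is exactly the weeding the reply above expects. The infrastructure matches are the cheap, high-precision half, and they are what a 24-hour preview buys that a same-day feed does not: time to run the match before the name resolves.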
Re: On-going Internet Emergency and Domain Names (kill this thread)
On Sat, 31 Mar 2007, Jeff Shultz wrote:
> Does that sound about right?

If ISPs cannot be forced into running a 24/7/365 response function, I don't see the registry/registrars doing it.

Solving this at the DNS level is just silly, if you want to solve it either you get to the core (block IP access, perhaps by BGP blacklisting) or go to level 8, ie the human level, and get these infected machines off the net permanently.

So Gadi, to accomplish what you want you need to propose to the ISPs all over the net that what you're trying to do is so important that some entity publishing a realtime blacklist is important enough that all major ISPs should subscribe to a BGP blackhole list from there. Also that this is important enough to seriously violate the distributed structure of the net today that has made it into the raging success it is today. It's not perfect, but it works, and it doesn't have a single point of failure.

... and people have very bad experiences from blacklists not being maintained properly.

--
Mikael Abrahamsson    email: [EMAIL PROTECTED]
Re: On-going Internet Emergency and Domain Names
Fergie wrote:
> I would posit that it does when criminals are able to abuse the system.

Almost any system can be abused by people with bad intentions. I am a strong advocate to not holding back on features, tools, new technologies or whatever merely because someone could abuse with it. The problem is the abuser, not the tool. We need to stop the abusers, not the tools.

We should certainly always attempt to improve the tools, better the routines and so forth but always keep in mind that no matter what we do they will adapt and find another angle.

If we add a 24h period to domain registrations, what harm will it REALLY do to the abusers? They will just register a myriad of the domains they want, have them stored and push them out when needed instead of at once.

If we add some checkups on who registers a domain name, they will get middlemen to do it for them. Just look at the captcha stuff added on various sites to prevent spammers that lead to spammers paying people small amounts of money for each captcha solved, or put up fake pr0n sites where the visitors got free images when they solved a captcha (that was linked from the actual site).

If we block low TTL from functioning we would break tools that use the low TTL setting for fast changing environments, load balancing or whatever and we would also block ourselves from a quick merger from one system to another for our customers.

I don't want to sound all negative to efforts suggested that we may have use for in a _current_ problem; but we should consider what they will do next when we make major changes to a general system that will likely bother ourselves more than them.

--
/ahnberg.
Re: On-going Internet Emergency and Domain Names (kill this thread)
On Sun, 1 Apr 2007, Mikael Abrahamsson wrote:
> net today that has made it into the raging success it is today. It's not perfect, but it works, and it doesn't have a single point of failure.

You just lost my respect for the remainder of this thread. :)

> ... and people have very bad experiences from blacklists not being maintained properly.

Black lists are a horrid idea, I'd love to hear of other solutions to the DNS as an abuse infrastructure.

Gadi.
Re: On-going Internet Emergency and Domain Names
On Sat, 31 Mar 2007, Paul Vixie wrote:
> at the other end, authority servers which means registries and registrars ought, as you've oft said, be more responsible about ripping down domains used by bad people. whether phish, malware, whatever. what we need is some kind of public shaming mechanism, a registrar wall of sheep if you will, to put some business pressure on the companies who enable this kind of evil.

I've posted here a few times about this, but... in almost all cases of domain names used in a bad way (in malware or to further malware's intents) the domain is purchased on a stolen CC. The registrar knows this most often within days of the purchase, they don't seem to turn off the domain though. Why is that? Why do they not terminate the domain or at least terminate control of it by the 'bad actors'? It seems that if the registrars would terminate control in a timely fashion that would do what 'we' want, yes? remove the ease of use of this tool for the bad actors...

> fundamentally, this isn't a dns technical problem, and using dns technology to solve it will either not work or set a dangerous precedent. and since

if the local side of the problem (an enterprise let's say) wants to use the dns-tool in their toolbox, 'ok'. I'm not sure that at the provider level it's as simple as that since there is an aggregation of security policies there and often the policies conflict (you can look at xxx vs you can't look at xxx).
Re: On-going Internet Emergency and Domain Names (kill this thread)
On Sun, 1 Apr 2007, Mikael Abrahamsson wrote:
> If ISPs cannot be forced into running a 24/7/365 response function, I don't see the registry/registrars doing it.

Maybe if a body with the proper authority to penalize the ISPs were in order this wouldn't be an issue. Look at BGP dampening and route flaps for instance, something goes awry, the router is penalized. A quick check, all goes well, if not, an added penalty is given. Perhaps if some of these businesses were forced to get their acts in order, many of these issues would not be occurring.

> Solving this at the DNS level is just silly, if you want to solve it either you get to the core (block IP access, perhaps by BGP blacklisting) or go to level 8, ie the human level, and get these infected machines off the net permanently.

Solving this at the DNS level is a better idea than having to hope that - by contacting someone clueful on level 8 - they'll 1) even understand what you mean, 2) understand how to address the issue. If you meant contacting the owner of the infected machine, good luck. If you meant contacting the provider of the owner of the ISP, even better luck. It's far easier to accomplish some form of DNS filtering to block out infected machines, and even servers propagating infections.

I've contacted who knows how many administrators of infections on their networks. Typically the response is "Contact our abuse team." Which is understandable being someone wants to keep in tune with policy, but heck some of these companies' policies are more of a facade if you ask me. Within the next month, I will be posting the networks, contacts, etc., of the dirtiest brute force pushing networks I've seen. If needed, I will re-post some of the absurd responses I've seen like one from NASA... And no it's no April Fools joke... So a NASA address is brute forcing a machine of mine... I contact the admin listed on a whois and it gets sent to a CISSP gentleman... His response "We were doing some pen testing on our networks..."

What? They were pentesting on their network yet I managed to get hit up in the mix. Right... It's not like the network connecting to mine was typed in accidentally, my network was in the 208.x.x.x range, theirs... Not even close.

> So Gadi, to accomplish what you want you need to propose to the ISPs all over the net that what you're trying to do is so important that some entity publishing a realtime blacklist is important enough that all major ISPs should subscribe to a BGP blackhole list from there. Also that this is important enough to seriously violate the distributed structure of the net today that has made it into the raging success it is today. It's not perfect, but it works, and it doesn't have a single point of failure.

Single point of failure? I'm sure many can point out multiple points of failure. One thing I've been doing with my brute forcer blacklist (if you want to call it this) is blocking entire net blocks from accessing attacked machines. When admins contact me wondering why their clients cannot connect, the answer is simple for me. After a quick lookup of the bruteforcer list, I simply tell them that one (or many) hosts on their network have been ssh brute forcing some of my servers. Therefore their ENTIRE range was blocked. Quite frankly, I don't care if I have to block up to /6's (I've got one or two of APNIC's), I will do whatever it takes to make sure my networks stay clean and secure.

> ... and people have very bad experiences from blacklists not being maintained properly.

Funny you should mention... Nothing in this world has ever from the onset been a perfect invention/creation. Does this mean that if one implementation failed, the entire design is flawed?

--
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
echo @infiltrated|sed 's/^/sil/g;s/$/.net/g'
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x1383A743

"How a man plays the game shows something of his character - how he loses shows all" - Mr. Luckey
America takes over DNS (re: On-going Internet Emergency and Domain Names)
Summary:

"The US Department of Homeland Security (DHS) ... wants to have the key to sign the DNS root zone solidly in the hands of the US government. This ultimate master key would then allow authorities to track DNS Security Extensions (DNSSec) all the way back to the servers that represent the name system's root zone on the Internet. The key-signing key signs the zone key, which is held by VeriSign."

http://www.heise.de/english/newsticker/news/87655

--
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
echo @infiltrated|sed 's/^/sil/g;s/$/.net/g'
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x1383A743

"How a man plays the game shows something of his character - how he loses shows all" - Mr. Luckey
Re: On-going Internet Emergency and Domain Names
Paul Vixie wrote:
> on any given day, there's always something broken somewhere. in dns, there's always something broken everywhere.

The catch-phrases you come up with are delightful. Catchy and deeply useful. Would that more folk would take them to heart, for their implications.

> since malware isn't breaking dns, and since dns not a vector per se, the idea of changing dns in any way to try to control malware strikes me as a way to get dns to be broken in more places more often.

Although there are times to consider pursuing an ugly-but-expeditious path, you've made the point that the effects are long-term, while the symptoms might only be short-term.

Given the complexity of the abuse space, it's worth thinking in terms of basic benefit in the change, while using the immediate situation merely as a motivator: Is the change something that makes sense on its own, independent of the current abuse manifestation? If so, then go ahead and do it. If not, the odds are high that it will only be part of a process of adding warts to warts.

> fundamentally, this isn't a dns technical problem, and using dns technology to solve it will either not work or set a dangerous precedent. and since the data is authentic, some day, dnssec will make this kind of poison impossible.

I was sitting at a bar, one Saturday, many years ago. Behind the bartender was a sign that said "Free beer tomorrow". We were in an alcohol-paranoid state, so I asked the bartender about the sign, since I knew they'd be closed on Sunday. His comment was that tomorrow never comes.

Someday, indeed.

d/
--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
Re: On-going Internet Emergency and Domain Names
> From: [EMAIL PROTECTED] (Dave Rand)
> ...
> We are not fighting technology. We are dealing with very well organized, smart, and well-funded people. We need to focus on solutions that we can deploy, which will address the problems at hand, as we discover them. That means we will deploy things that do not solve underlying problems, but address the symptoms as best we can, to prevent the entire mess from falling down. That means that we must look at short-range solutions to address things in near-real-time,
> ...
> There is no one true solution to this. That means you, as network operators, need to look at what makes sense *today*, and *DEPLOY IT*.
> ...

As Dave is certainly aware (as CTO of Trend Micro, which bought MAPS/Kelkea), his daytime employer has a product (called ICSS, and which I had a hand in building) that proposes to let enterprises or ISP's use recursive DNS as a delivery mechanism for security policy (like, poison this malware domain).

I've got no heartburn about deploying these technologies at a customer level, but my experience with both BIND's check-names facility and VeriSign's sitefinder wildcard (*.COM) have taught me that it's best to creatively rulebreak at the edge, and keep the core pristine.

I helped Dave build ICSS and I know that customers of that technology could easily white-out domains used for Gadi's 0-day and that it would be a good thing for them to do so. But, that's the DNS edge, I'm not ready to see the DNS core gain features like this. Or if they do come, I'd like them to come as a result of consensus driven protocol engineering (like inside the IETF) and take longer than this week to be defined.

I hope this clarifies the incompatibility between me helping dave build ICSS (an edge solution) and me saying that whiting out malware domain names as a way to stop malware isn't a real (core) solution.

Some references to ICSS, in case you all missed it. (Note that I am not an employee, shareholder, representative, or agent of Trend Micro and I have no financial stake in ICSS at this point.)

http://www.trendmicro.com/en/products/nss/icss/evaluate/overview.htm
http://www.eweek.com/article2/0,1895,2020286,00.asp
http://www.vnunet.com/itweek/news/2164897/trend-appliance-sniffs-bot-nets
http://www.computerwire.com/industries/research/?pid=2E16BA11-5976-42B0-9C13-EC19B10DB2F3
http://www.computing.co.uk/itweek/news/2164897/trend-appliance-sniffs-bot-nets
Re: On-going Internet Emergency and Domain Names
On Mar 31, 2007, at 8:44 PM, Gadi Evron wrote:
> ICANN has not shown any interest or ability to affect change in this realm.

I'm not clear what this realm actually is.

Rgds,
-drc
Re: On-going Internet Emergency and Domain Names
> From: Dave Crocker [EMAIL PROTECTED]
> To: Paul Vixie [EMAIL PROTECTED], nanog@merit.edu, Gadi Evron [EMAIL PROTECTED]
> Subject: Re: On-going Internet Emergency and Domain Names
>
> offlist.

actually, not, according to the headers shown above.

> Paul Vixie wrote:
>> a push-pull. first, advance the current effort to get registrars and dynamic-dns providers to share information about bad CC#'s, bad customers, bad domains, whatever. arrange things so that a self-vetting society of both in-industry and ombudsmen have the communications fabric they need to behave responsibly. push hard on this, make sure everybody hears about it and that the newspapers are full of success stories about it.
>
> IP Address blacklists are a sufficiently solid staple of email anti-abuse effort, that I suspect similar approaches, for other information tidbits, would be quite useful.

as the inventor of the internet's first ip address blackhole list (not blacklist), i agree that it's a solid staple, but i'm not sure it was the most effective 10-year plan we could have made at the time, had we been making 10-year plans.

> This is less about shaming and more about filtering. In this case, filtering at DNS registration time, ISP account setup, or the like.

agreed. i'd be happy to see the DNS registration front end (one of its edges) gain some kind of reputation filtering. i just don't want to see core-level filtering like we did in e-mail, unless it's at the customer-facing (edge) level, like Trend ICSS offers.

> The difficulties, here, are to a) establish a credible organization for creating and maintaining the list(s), b) getting folks to submit data to it, and c) getting folks to use it.

those are Gadi's three areas of strength and i'd help him if he did this.

> Since there is quite a lot of track-record on doing this -- both well and poorly -- the challenge here is all about implementation, rather than design, of the service.

having designed a reputation system inadequately once upon a time, i think it's important to get both the design and implementation right.
Re: On-going Internet Emergency and Domain Names
> It is my understanding that the various domain registries answer to ICANN policy

_Some_ registries answer to ICANN policy, those that have entered into contracts with ICANN. Others, e.g., all the country code TLD registries, don't. However, even in those cases in which there are contractual agreements, ICANN's role is typically quite limited (by design: ICANN isn't the Internet's mommy).

> if ICANN policy allows them to operate in a manner which is conducive to allowing criminals to manipulate the system, then the buck stops with ICANN, and ICANN needs to rectify the problems in the policy framework.

Sorry, I still haven't figured out what the problem is you're trying to lay at ICANN's door...

Rgds,
-drc
Re: On-going Internet Emergency and Domain Names
On Sunday 01 April 2007 00:35, Adrian Chadd wrote: On Sat, Mar 31, 2007, Gadi Evron wrote: On Sun, 1 Apr 2007, Adrian Chadd wrote: Stop trying to fix things in the core - it won't work, honest - and start trying to fix things closer to the edge where the actual problem is. Thing is, the problem IS in the core. DNS is no longer just being abused, it is pretty much an abuse infrastructure. That needs to be fixed if security operations on the Internet at their current effectiveness (which is low as it is) are to be maintained past Q4 2007-Q2 2008. And as I said tongue in cheek before - so is IP. Where do you draw the line? Agreed, Really, with this block this, block that, block the other additude so many people have nowadays, soon enough, unless we make the effort to stop the problems I view this kind of thing as an operational issue insomuch as it might affect my network - but malware writers are botnet operators are smarter than they once were and aren't nearly as spray your mark everywhere as quickly as possible as exploits used to be. As to malware: Protect against malware on your network, this isn't what this is about. It's about your network's security being reliant on someone half way across the world taking care of it. For the few I'm currently responsible for; you can be absolutely certain my network security is reliant on me, not someone else. I applaud you for your efforts, as well as to anyone else's on this list who makes efforts. I'm trying to push out the You've got to be responsible for what you send just as much as what you receive out to clients who only seem to take notice after their first spam blacklisting, or sneaky malware infection. Indeed, end users see their computer infected with something and they act innocent whenever something goes wrong with it, Users often times REFUSE to take responsibility if their computer becomes a problem. Users simply don't see the importance of keeping their computer secured. 
Have you tried pursuing the root cause of all of this horribleness - badly written software? Good point, Software companies that create badly written code then put it out on the market should be more-so held accountable, Until these companies are held FULLY responsible for exploits and such, you're going to keep seeing things like Months of bugs, it's because software companies keep rushing software out to the market to sell it, they're not concerned about security if you can make a month of bugs from one of their products, they're more concerned about the income and don't do enough security testing and QA before the software leaves their shop, and end-users will more than likely not ask about security of the software, because all they want to do is chat with their aunt bella somewhere. It's badly written software that is one of the main vectors of botnets and such, we shouldn't be going after DNS Adrian
Re: On-going Internet Emergency and Domain Names
On Sun, 1 Apr 2007, David Conrad wrote: On Mar 31, 2007, at 8:44 PM, Gadi Evron wrote: ICANN has not shown any interest or ability to affect change in this realm. I'm not clear what this realm actually is. Abuse and Security (non infrastructure). ICANN, as far as I understand, manages the business side of things. If I am wrong, I'd be happy to learn more. Can you share with us what your thoughts are? Gadi. Rgds, -drc
Re: On-going Internet Emergency and Domain Names
On Sunday 01 April 2007 01:42, you wrote: Gadi Evron wrote: Thing is, the problem IS in the core. DNS is no longer just being abused, it is pretty much an abuse infrastructure. That needs to be fixed if security operations on the Internet at their current effectiveness (which is low as it is) are to be maintained past Q4 2007-Q2 2008. Imminent death of the Internet predicted. News at 11. This fearmongering is getting to the scale of democrazy exports. Pete I would also like to point out as to echo one of my other posts: If we get block happy, they (The people abusing the exploits) WILL simply move to another port, another protocol, so unless we're willing to block every port, every protocol, to ensure that it cannot become a vector, I suggest we STOP and think tactically: Will blocking these protocols stop these people? Or will they just move to exploit another port and/or protocol? Sadly, if blocking ports and protocols becomes the only method to control things like this from occurring, I sadly will have to agree with Pete's post, as soon we're going to have all 65535 ports on all protocols (TCP, UDP, etc) blocked.
Re: On-going Internet Emergency and Domain Names (kill this thread)
You do realize this post is not about Microsoft or IE 0days, right? I would prefer not to turn this into an OS flamefest, my only point is that *this list* is not the proper venue to discuss this issue; nor the methods that you suggest as a remedy, regardless of merit. Again if the rest of the list wants to continue, then so be it. In the end, phishing and scams work because people are stupid (or possibly ignorant- but then again with all the warnings they've received you'd have to be stupid to still be ignorant at this point). Period. End of discussion. Every time we come up with another solution - the universe comes up with a bigger idiot. Honestly- I, as well as everyone I know, receives a million warning messages from banks, web sites, etc. warning people not to trust email claiming to be from said institution. And yet, every single day, thousands upon thousands of people keep falling for it. Where do you draw the line? Since we seem to love analogies: Imagine you have a high voltage outlet and people keep sticking their fingers in it and getting electrocuted. So you put up a sign that says Danger- high voltage, and people continue sticking their fingers in it. Then you warn them about it personally, and you have segments on the tv news and articles in the papers and people STILL do it. At what point do you just have to walk away and let nature take its course? Everybody in the world has been _repeatedly_ warned about phishing and other scams, and yet just like 419 scams, they KEEP falling for it. Nobody stops to think. Enough is enough already. Do I think certain policies should be changed? Sure. Domain tasting is an idea that I can not believe benefits anyone but a scammer (or a domain advertiser- which is no better). There are plenty of other examples but in the end, no matter what we do, users are going to continue to do mind-bogglingly stupid things. 
-Don *Please don't think for a second I want to see the scammers given carte blanche to do what they want- or that we shouldn't try to stop them- but pretending we can solve the problem of user stupidity through technology is disingenuous and laughable.
Re: On-going Internet Emergency and Domain Names
Mattias Ahnberg [EMAIL PROTECTED] wrote: Fergie wrote: I would posit that it does when criminals are able to abuse the system. Almost any system can be abused by people with bad intentions. I am a strong advocate to not holding back on features, tools, new technologies or whatever merely because someone could abuse with it. The problem is the abuser, not the tool. We need to stop the abusers, not the tools. We should certainly always attempt to improve the tools, better the routines and so forth but always keep in mind that no matter what we do they will adapt and find another angle. If we add a 24h period to domain registrations, what harm will it REALLY do to the abusers? They will just register a myriad of the domains they want, have them stored and push them out when needed instead of at once. If we add some checkups on who registers a domain name, they will get middlemen to do it for them. Just look at the captcha stuff added on various sites to prevent spammers that lead to spammers paying people small amounts of money for each captcha solved, or put up fake pr0n sites where the visitors got free images when they solved a captcha (that was linked from the actual site). If we block low TTL from functioning we would break tools that use the low TTL setting for fast changing environments, load balancing or whatever and we would also block ourselves from a quick merger from one system to another for our customers. I don't want to sound all negative to efforts suggested that we may have use for in a _current_ problem; but we should consider what they will do next when we make major changes to a general system that will likely bother ourselves more than them. These are all very good, legitimate questions -- I do not profess to have answers to them all. The one thing that seems to be missing, however, is accountability and an ability to stem the abuses in the domain registry system. 
- ferg -- Fergie, a.k.a. Paul Ferguson Engineering Architecture for the Internet fergdawg(at)netzero.net ferg's tech blog: http://fergdawg.blogspot.com/
Re: On-going Internet Emergency and Domain Names
On Sun, 2007-04-01 at 08:41 -0700, David Conrad wrote: It is my understanding that the various domain registries answer to ICANN policy _Some_ registries answer to ICANN policy, those that have entered into contracts with ICANN. Others, e.g., all the country code TLD registries, don't. However, even in those cases in which there are contractual agreements, ICANN's role is typically quite limited (by design: ICANN isn't the Internet's mommy). if ICANN policy allows them to operate in a manner which is conducive to allowing criminals to manipulate the system, then the buck stops with ICANN, and ICANN needs to rectify the problems in the policy framework. Sorry, I still haven't figured out what the problem is you're trying to lay at ICANN's door... When providers daily accept payment for thousands of accounts with unique, valid, albeit stolen credit card numbers, preventing abuse remains difficult without using time as a remedy. No doubt, domain tasting represents a retreat from dealing with fallout created by such fraud. In addition, several security strategies could become more comprehensive and rely less upon specific OS threat recognitions. Instituting notification of domain name additions before publishing would enable several preemptive defenses not otherwise possible. A notice of change does not alter the core, but instead enables defensive strategies at the edge. These strategies are not limited to white-outs, but might be in the form of alerts or warnings. It takes time to push defensive information to the edge. A notification of change before it occurs reduces the significant advantage now afforded bad actors who are heavily exploiting DNS. -Doug
Re: On-going Internet Emergency and Domain Names
On Apr 1, 2007, at 11:51 AM, Douglas Otis wrote: Instituting notification of domain name additions before publishing would enable several preemptive defenses not otherwise possible. How does this help? Are you saying that new domains are somehow to be judged based upon someone's interpretation as to whether or not the domain 'reads' well, or some other factor? Who makes that determination, and by what criteria? Or are you saying that notification of someone whose credit card has been stolen would somehow help? How would the registrar know whether or not an email address given at the time of registration is valid for the purported registree? If there's some kind of 'click-to-validate' system put into place, the miscreants will simply automate the acceptance process (there's been a lot of work done on defeating CAPTCHAs, for example; even if they do it by hand, that would work. And services like Mailinator can make it even easier for the miscreants due to their FIFO nature - no forensics possible). Several registrars offer private domain registration as an option, as well. How does this affect the notification model? I generally agree with you that when possible, time for analysis can be useful (though I'm unsure how that helps in this scenario, see above). But one of the ways registrars compete is on timeliness; last night, for example, I registered a few domains on a whim. If the registrar I chose to use had told me there was some delay in the process for vetting, I would've cancelled the order and gone somewhere else, because I wanted those domains -right then-, before someone else registered them. This is all probably way off-topic for NANOG, anyways. --- Roland Dobbins [EMAIL PROTECTED] // 408.527.6376 voice Words that come from a machine have no soul. -- Duong Van Ngo
Re: On-going Internet Emergency and Domain Names
On Sun, 1 Apr 2007, Paul Vixie wrote: I've got no heartburn about deploying these technologies at a customer level, but my experience with both BIND's check-names facility and VeriSign's sitefinder wildcard (*.COM) have taught me that it's best to creatively rulebreak at the edge, and keep the core pristine. I helped Dave build ICSS and I know that customers of that technology could easily white-out domains used for Gadi's 0-day and that it would be a good thing for them to do so. The problem that I think you fear is that DNS is 'basic plumbing' (the ICANN-SSAC had some term like this, which sticks in my head as 'basic plumbing'...) and that messing with it where there is low confidence of knowing WHY it's being used is not smart, or hazardous, or probably going to cause larger problems. On this I too agree, unless you can clearly scope your userbase and clearly be accountable for the problems that may arise, messing with basic plumbing is a bad, bad plan. The 'dns core' could be 'provider recursive servers' or 'TLD servers' or 'root servers' or some combination of these. As you move closer to the 'core' the userbase gets wider and more varied, their intent is not divinable in their requests and there's likely a higher chance you'll be doing something 'wrong' with their request if you don't stick to the 'standards compliant' answer. But, that's the DNS edge, I'm not ready to see the DNS core gain features like this. Or if they do come, I'd like them to come as a result of consensus driven protocol engineering (like inside the IETF) and take longer than this week to be defined. I hope this clarifies the incompatibility between me helping dave build ICSS (an edge solution) and me saying that whiting out malware domain names as a way to stop malware isn't a real (core) solution. Right, ICSS should be used (in your example) as close to the 'edge' as possible... or that's the intent of it, right? 
Let enterprise folks use these things, they have attentive helpdesk/admin folks to unscrew what the changes in basic plumbing have screwed up :)
Re: On-going Internet Emergency and Domain Names
On Sun, 2007-04-01 at 12:29 -0700, Roland Dobbins wrote: On Apr 1, 2007, at 11:51 AM, Douglas Otis wrote: Instituting notification of domain name additions before publishing would enable several preemptive defenses not otherwise possible. How does this help? Information collected by the registrar must be assumed to be untrustworthy, save the functional elements to be published. Several registrars offer private domain registration as an option, as well. How does this affect the notification model? By ensuring data published by registries can be previewed, all registrars would be affected equally. I generally agree with you that when possible, time for analysis can be useful (though I'm unsure how that helps in this scenario, see above). When functional information is not valid, such as incorrect name servers or IP addresses, this would not impose an immediate threat. However, basic functional information will trace to the controlling entity. Only by being able to preview this information, would comprehensive preemptive efforts be able to prove fully effective. But one of the ways registrars compete is on timeliness; All registrars would be subject to the same delay. The previewing process would be a function of the registry. -Doug
Re: On-going Internet Emergency and Domain Names
[EMAIL PROTECTED] (Gadi Evron) writes: On Sun, 1 Apr 2007, Adrian Chadd wrote: Stop trying to fix things in the core - it won't work, honest - and start trying to fix things closer to the edge where the actual problem is. Thing is, the problem IS in the core. nope. read what he wrote-- it won't work, honest. the problem is on the front-end, an edge, specifically in the way domain tasting works. does anyone really believe that there will ever again be a million domains added to the DNS in a 24-hour period? (of course not.) then why do verisign and the other TLD registries have to cope with many millions of updates per day? if we solve THAT problem, which is difficult and barely tractable, then the dns core will go on as before, working just fine all the while. DNS is no longer just being abused, it is pretty much an abuse infrastructure. do you mean DNS or do you mean every Internet technology including IP, UDP, TCP, ICMP, BGP, etc; plus most non-Internet-specific technologies including ASCII, Unicode, 32-bit, 64-bit, and binary? the internet, and technology in general, is no longer just being abused, it is pretty much an abuse infrastructure. --- i'd agree with *that*. (but this is not the first time I've been irritated that I can't choose which other humans to share the galaxy with and which ones I'd like to kick out.) -- Paul Vixie
Re: On-going Internet Emergency and Domain Names (kill this thread)
[EMAIL PROTECTED] (Jeff Shultz) writes: As I see it, the problem at hand is the current Windows 0day. What Gadi is doing is concentrating on a tactic it is using to justify solving what he sees as a more general problem (DNS abuse) that could be used by an exploit to any operating system. By solving it, this could mitigate future problems. the more general problem is hard to agree about. i think it's that every day neustar and afilias and verisign and the other TLD registries handle many millions of new-domain transactions, most of which will never be paid for (domain tasting) and most of which are being held with stolen credit cards. i don't know if these companies book the revenue (ship bricks) or if this is just a hell hole of wasted time and money for them (or, both?) i do know that a small number of criminals and wastrels among the registrant and registrar communities are responsible for between 95% and 99.98% of each day's domain churn, and that most of the domains will never be used or will only be used for evil. some of the costs of this infrastructure-for-evil are passed on to the rest of the registrants, and all of the costs of the evil itself are passed on to the rest of humanity. now we can try to pour widescale poison on the domains we see used for evil, and hope that everyone who would like to be protected by that poison is able to get in on the action; or we can look at the registrars and registrants, and track their actions, and build a reputation system indicating who has done evil and who has irresponsibly or greedily profited from enabling evil. in the first case we have an infinite set of possible choke points; in the second we have a finite set. in the first case we have to pay the cost on every DNS lookup, in the second case we have to pay the cost on every DNS registration event. We're looking at the alligators surrounding us. 
Gadi is trying to convince us to help him in draining the swamp (which may indeed be a positive thing in the long run). Does that sound about right? that sounds exactly wrong. harkening back to my experience with check-names i can tell you that all i did was scare away a few alligators and the swamp remained. (probably the same was true of the original MAPS RBL.) what we've got in the DNS registry/registrar market today is as corrupt and abusable as the California electricity market was back in 2000-2001, and we're seeing the same kind of windfalls enjoyed by the same kind of assholes now as then. the system is ripe for policing, which icann has shown that they will not do. i want to see gadi in ralph nader mode, shining a light on all this, making it harder to profit from building the infrastructure of evil. if that's what you meant by swamp-draining, then i apologize for misunderstanding you. -- Paul Vixie
Re: On-going Internet Emergency and Domain Names
On Apr 1, 2007, at 3:36 PM, Douglas Otis wrote: By ensuring data published by registries can be previewed, all registrars would be affected equally. But what is the probative value of the 'preview'? By what criteria is the reputational quality of the domain assessed, and by whom? It almost seems as if the base problem has to do with credit-card transaction validation and fraud reporting, rather than anything to do with the actual domain registration process? --- Roland Dobbins [EMAIL PROTECTED] // 408.527.6376 voice Words that come from a machine have no soul. -- Duong Van Ngo
Re: On-going Internet Emergency and Domain Names
On Sun, 1 Apr 2007, Douglas Otis wrote: When functional information is not valid, such as incorrect name servers or IP addresses, this would not impose an immediate threat. However, basic functional information will trace to the controlling entity. Only by being able to preview this information, would comprehensive preemptive efforts be able to prove fully effective. So assuming you get rid of tasting and reduce the flow of new names to say 50,000 per day [1] exactly how are you going to preview these in any meaningful sort of way? Are you going to do the same for every ccTLD as well? What about domains with constantly changing subdomains? Everything hosted in different countries with different languages, policies and privacy laws? Believe it or not, some countries don't even have states or 5 digit zip codes. Please detail exactly what you will do if I register trademe.ir using a Pakistani Registrar, a .ly contact email, a physical address in Nigeria, the name Tarek Rasshid [2], $10/year name servers in Cuba and pay for it using a Visa gift credit card bought in Malaysia. [1] 20 million new domains each year, just 20% growth on what we have now. [2] http://www.angelfire.com/tx/afira/arabic1.html -- Simon J. Lyall | Very Busy | Web: http://www.darkmere.gen.nz/ To stay awake all night adds a day to your life - Stilgar | eMT.
Re: On-going Internet Emergency and Domain Names
On Sun, 2007-04-01 at 16:42 -0700, Roland Dobbins wrote: On Apr 1, 2007, at 3:36 PM, Douglas Otis wrote: By ensuring data published by registries can be previewed, all registrars would be affected equally. But what is the probative value of the 'preview'? By what criteria is the reputational quality of the domain assessed, and by whom? A preview affords time for correlating and pushing protective information to the edge. Some reviewing previews may specialize in look-alike fraud. Others may specialize in net nanny services. Not all exploits will be initially recognized, where a defense in depth should include examining the infrastructure. A preview is required before this infrastructural information can offer the greatest level of protection. Reacting to new domains after the fact is often too late. It almost seems as if the base problem has to do with credit-card transaction validation and fraud reporting, rather than anything to do with the actual domain registration process? Until Internet commerce requires some physical proof of identity, fraud will continue. A zone preview approach can reduce related exploits and associated crime, and the amount of information pushed to the edge. -Doug
Re: On-going Internet Emergency and Domain Names (kill this thread)
On Sun, 01 Apr 2007 13:08:14 EDT, Donald Stahl said: *Please don't think for a second I want to see the scammers given carte blanche to do what they want- or that we shouldn't try to stop them- but pretending we can solve the problem of user stupidity through technology is disingenuous and laughable. Eugenics has some promise in that area. Desperate times call for desperate measures.
Re: On-going Internet Emergency and Domain Names
On Sun, 1 Apr 2007, Douglas Otis wrote: Until Internet commerce requires some physical proof of identity, fraud will continue. A zone preview approach can reduce related exploits and associated crime, and the amount of information pushed to the edge. What on earth makes you think that physical proof of identity would be any sort of deterrent to fraud? Fraud existed long before the Internet, and in absolutely physical forms. cheers! == A cat spends her life conflicted between a deep, passionate and profound desire for fish and an equally deep, passionate and profound desire to avoid getting wet. This is the defining metaphor of my life right now.
Re: On-going Internet Emergency and Domain Names
On Mon, 2007-04-02 at 12:03 +1200, Simon Lyall wrote: So assuming you get rid of tasting and reduce the flow of new names to say 50,000 per day [1] exactly how are you going to preview these in any meaningful sort of way? A preview would not directly reduce a churn rate, although it might as a side effect. Computers are able to correlate even with millions of domains per day. Are you going to do the same for every ccTLD as well? Consistent rules should be established for ccTLD as well, however each ccTLD may wish to limit preview access differently. What about domains with constantly changing subdomains? Everything hosted in different countries with different languages, policies and privacy laws? Believe it or not, some countries don't even have states or 5 digit zip codes. Information collected can be pushed to the edge to protect against domains controlled by bad actors. A domain should be cautious about delegating to bad actors. Please detail exactly what you will do if I register trademe.ir using a Pakistani Registrar, a .ly contact email, a physical address in Nigeria, the name Tarek Rasshid [2] , $10/year name servers in Cuba and pay for using Visa gift credit card bought in Malaysia. This is not about modifying the function of registrars or registries, beyond requiring a zone preview from registries. This is about identifying threats, even zero day threats, and offering protection. The protection afforded can be fairly comprehensive, although nothing is 100%. -Doug
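The correlation step Doug sketches here and in his earlier replies (pending delegations traced back to the infrastructure that controls them, the result pushed to the edge as a white-out list), as an added example that is not part of the thread. It assumes a constructed preview export format ("domain ns1,ns2 registrar-id"), a defender-maintained list of domains already confirmed abusive, and an allowlist for widely shared hosting name servers, which is the minimum needed to keep the "what happens when they're wrong" objection in view.

```python
"""Correlate a previewed zone delta against infrastructure seen in prior abuse.

Added example for the zone-preview idea discussed in the thread; it is not
code from any registry or from the thread's participants. The export format,
the sample data and the thresholds are all constructed assumptions.
"""
from collections import defaultdict

# Constructed sample preview delta: "domain ns1,ns2,... registrar-id" per line
# (a hypothetical registry export format, not a real one).
PREVIEW_DELTA = """\
# pending delegations, not yet published
example-bank-login.test ns1.bulkhost.test,ns2.bulkhost.test R-7
flowers-by-alice.test ns.alicehosting.test R-12
mytown-library.test ns.bighoster.test R-3
prize-claim-01.test ns1.churnfarm.test R-9
prize-claim-02.test ns1.churnfarm.test R-9
prize-claim-03.test ns1.churnfarm.test R-9
"""

# Constructed list of domains a defender has already confirmed as abusive,
# keyed to the name servers they were delegated to when seen.
KNOWN_BAD = {
    "free-prize-claim.test": {"ns1.bulkhost.test", "ns2.bulkhost.test"},
    "cheap-meds-now.test": {"ns.bighoster.test"},
}

# Name servers shared by so many legitimate domains that "same NS as a bad
# domain" carries no signal on its own (constructed; large hosters in practice).
SHARED_NS_ALLOWLIST = frozenset({"ns.bighoster.test"})


def parse_preview(text):
    """Parse preview lines into (domain, frozenset(nameservers), registrar)."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        domain, ns_field, registrar = line.split()
        nameservers = frozenset(ns.lower().rstrip(".") for ns in ns_field.split(","))
        records.append((domain.lower().rstrip("."), nameservers, registrar))
    return records


def correlate(records, known_bad, shared_allowlist=frozenset(), bulk_threshold=3):
    """Return {domain: reason} for pending delegations worth pushing to the edge.

    Two signals are used: shared delegation infrastructure with a domain already
    confirmed bad, and bulk clusters (many pending domains on one name-server set
    from one registrar in a single preview), the churn pattern the thread describes.
    """
    flagged = {}
    bad_ns = set()
    for ns_set in known_bad.values():
        bad_ns |= ns_set
    bad_ns -= set(shared_allowlist)  # shared hosting NS is not evidence by itself

    # Signal 1: same controlling infrastructure as a confirmed-bad domain.
    for domain, ns, _registrar in records:
        overlap = ns & bad_ns
        if overlap:
            flagged[domain] = "shares name server %s with known-bad domain" % sorted(overlap)[0]

    # Signal 2: bulk registration clusters on one NS set via one registrar.
    clusters = defaultdict(list)
    for domain, ns, registrar in records:
        clusters[(ns, registrar)].append(domain)
    for (ns, registrar), domains in clusters.items():
        if len(domains) >= bulk_threshold:
            reason = "bulk cluster of %d pending domains on %s via registrar %s" % (
                len(domains), ",".join(sorted(ns)), registrar)
            for domain in domains:
                flagged.setdefault(domain, reason)  # keep signal-1 reason if present
    return flagged


def edge_blocklist(flagged):
    """Sorted domain list a recursive resolver at the edge could white-out."""
    return sorted(flagged)


if __name__ == "__main__":
    hits = correlate(parse_preview(PREVIEW_DELTA), KNOWN_BAD, SHARED_NS_ALLOWLIST)
    for domain in edge_blocklist(hits):
        print("%s\t%s" % (domain, hits[domain]))
```

Note that mytown-library.test shares a name server with a confirmed-bad domain but is not flagged, because that name server is on the shared-hosting allowlist; without such an allowlist the shared-infrastructure signal would flag every customer of a large hoster.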
Re: On-going Internet Emergency and Domain Names (kill this thread)
the more general problem is hard to agree about. i think it's that every day neustar and afilias and verisign and the other TLD registries handle many millions of new-domain transactions, most of which will never be paid for (domain tasting) Right. and most of which are being held with stolen credit cards. i don't know if these companies book the revenue (ship bricks) or if this is just a hell hole of wasted time and money for them (or, both?) Registrars don't get credit with registries. They have to prepay a deposit, then for each registration their account gets debited, for each reversal it gets credited, so they're basically shipping and restocking a million bricks a day.. It is my understanding that one or two registrars do nearly all of the domain tasting, and it's widely assumed that they're their own customer for those registrations. They really do have $6M of deposit to handle a million registrations. Verisign tolerates tasting probably because the actual cost of handling a registration is close to zero, and a few of them aren't cancelled. Afilias has complained about the load and proposed and I think got an amendment so that registrars who cancel more than 90% of their registrations don't get quite all of their money back. I haven't seen much connection between tasting and malware. Tasted domains are set up as web sites which consist of nothing but pay per click ads. Malware domains are much less numerous, the registrar is not a knowing party (beyond some registrars' reluctance to do takedowns), and those probably are paid for with stolen plastic. R's, John
Re: On-going Internet Emergency and Domain Names
On Sun, 1 Apr 2007, Chris L. Morrow wrote: On Sun, 1 Apr 2007, Paul Vixie wrote: But, that's the DNS edge, I'm not ready to see the DNS core gain features like this. Or if they do come, I'd like them to come as a result of consensus driven protocol engineering (like inside the IETF) and take longer than this week to be defined. I hope this clarifies the incompatibility between me helping dave build ICSS (an edge solution) and me saying that whiting out malware domain names as a way to stop malware isn't a real (core) solution. Right, ICSS should be used (in your example) as close to the 'edge' as possible... or that's the intent of it, right? Let enterprise folks use these things, they have attentive helpdesk/admin folks to unscrew what the changes in basic plumbing have screwed up :) I agree with everything else you said, and being the guy who made up the term I believe in using DNS for detecting botnets in enterprise networks, etc. But building a wall to protect your port from attacks by pirates will not make the pirates go away, and unfortunately, we can't convince everybody to build walls and our security is nowadays dependent on others'. Gadi.
Re: On-going Internet Emergency and Domain Names
On 1 Apr 2007, Paul Vixie wrote: [EMAIL PROTECTED] (Gadi Evron) writes: On Sun, 1 Apr 2007, Adrian Chadd wrote: Stop trying to fix things in the core - it won't work, honest - and start trying to fix things closer to the edge where the actual problem is. Thing is, the problem IS in the core. nope. read what he wrote-- it won't work, honest. the problem is on the front-end, an edge, specifically in the way domain tasting works. does anyone really believe that there will ever again be a million domains added to the DNS in a 24-hour period? (of course not.) then why do verisign and the other TLD registries have to cope with many millions of updates per day? if we solve THAT problem, which is difficult and barely tractable, then the dns core will go on as before, working just fine all the while. DNS is no longer just being abused, it is pretty much an abuse infrastructure. do you mean DNS or do you mean every Internet technology including IP, UDP, TCP, ICMP, BGP, etc; plus most non-Internet-specific technologies including ASCII, Unicode, 32-bit, 64-bit, and binary? the internet, and technology in general, is no longer just being abused, it is pretty much an abuse infrastructure. --- i'd agree with *that*. (but this is not the first time I've been irritated that I can't choose which other humans to share the galaxy with and which ones I'd like to kick out.) I stand corrected, the Internet is obviously the problem and botnets are the very serious symptom, but consider: This is not a DNS server being abused, it is the infrastructure. The network, centralized and de-centralized. So yes, DNS has become an infrastructure for abuse even if the Internet itself is not very safe. Gadi. -- Paul Vixie
Re: On-going Internet Emergency and Domain Names
On Sun, 1 Apr 2007, Cat Okita wrote: On Sun, 1 Apr 2007, Douglas Otis wrote: Until Internet commerce requires some physical proof of identity, fraud will continue. A zone preview approach can reduce related exploits and associated crime, and the amount of information pushed to the edge. What on earth makes you think that physical proof of identity would be any sort of deterrent to fraud? Fraud existed long before the Internet, and in absolutely physical forms. And as long as proof of identity, physical or otherwise, is transferred virtually via the compromised channel or platform, we solve nothing. The whole idea of the web channel is the low cost. :) But that is off topic to NANOG and this thread. cheers! == A cat spends her life conflicted between a deep, passionate and profound desire for fish and an equally deep, passionate and profound desire to avoid getting wet. This is the defining metaphor of my life right now.
Re: On-going Internet Emergency and Domain Names
On Apr 1, 2007, at 6:16 PM, Douglas Otis wrote: Reacting to new domains after the fact is often too late. What happens when they're wrong? And who's 'they', btw? What qualifications must 'they' have? And what happens if a registrar disagrees with 'them'? Or when 'they' are instructed by their governments to object to a domain because of its perceived lack of redeeming social value, or somesuch? It seems to me as if we've just talked through the institutionalization of the Department of Domain Pre-Crime, with all that entails. It could be argued that the proposed solution might be worse than the problem it's purporting to solve. --- Roland Dobbins [EMAIL PROTECTED] // 408.527.6376 voice Words that come from a machine have no soul. -- Duong Van Ngo
Re: On-going Internet Emergency and Domain Names
On Sun, 1 Apr 2007, Roland Dobbins wrote: On Apr 1, 2007, at 6:16 PM, Douglas Otis wrote: Reacting to new domains after the fact is often too late. What happens when they're wrong? And who's 'they', btw? What qualifications must 'they' have? And what happens if a registrar disagrees with 'them'? Or when 'they' are instructed by their governments to object to a domain because of its perceived lack of redeeming social value, or somesuch? what are 'they' going to cost, and who's going to pay for 'them' at a $6/yr domain registration fee?
Re: On-going Internet Emergency and Domain Names
On 31 Mar 2007 06:09:30 +, Paul Vixie [EMAIL PROTECTED] wrote: are we really going to stop malware by blackholing its domain names? if so then i've got some phone calls to make. That does seem to be the single point of failure for these malwares, and for various other things besides [phish domains hosted on botnets, and registered on ccTLDs where bureaucracy comes in the way of quick takedowns] srs -- Suresh Ramasubramanian ([EMAIL PROTECTED])
Re: On-going Internet Emergency and Domain Names
On Sat, Mar 31, 2007, Suresh Ramasubramanian wrote: On 31 Mar 2007 06:09:30 +, Paul Vixie [EMAIL PROTECTED] wrote: are we really going to stop malware by blackholing its domain names? if so then i've got some phone calls to make. That does seem to be the single point of failure for these malwares, and for various other things besides [phish domains hosted on botnets, and registered on ccTLDs where bureaucracy comes in the way of quick takedowns] .. just wait until they start living on in P2P trackerless type setups and not bothering with temporary domains - just use whatever resolves to the end-client. You'll wish it were as easy to track as accessing these websites or servers. (That, and the IPv6 space doesn't seem to be a saving grace either - it'll be easy to identify potential hosts to infect by infecting someone participating in P2P and moving across to other machines as you see P2P application connections to/from them.) Scary stuff. Adrian
Re: On-going Internet Emergency and Domain Names
On 3/31/07, Adrian Chadd [EMAIL PROTECTED] wrote: .. just wait until they start living on in P2P trackerless type setups and not bothering with temporary domains - just use whatever resolves to the end-client. You'll wish it were as easy to track as accessing these websites p2p based botnets are already there, I'm afraid.
Re: On-going Internet Emergency and Domain Names
On Sat, Mar 31, 2007, Suresh Ramasubramanian wrote: On 3/31/07, Adrian Chadd [EMAIL PROTECTED] wrote: .. just wait until they start living on in P2P trackerless type setups and not bothering with temporary domains - just use whatever resolves to the end-client. You'll wish it were as easy to track as accessing these websites p2p based botnets are already there, I'm afraid. Shiny. Know any papers which have looked at it? Adrian
Re: On-going Internet Emergency and Domain Names
On 3/31/07, Adrian Chadd [EMAIL PROTECTED] wrote: p2p based botnets are already there, I'm afraid. Shiny. Know any papers which have looked at it? The recent storm worm for example seems to have had at least some p2p functionality. There's a bunch of papers, ISC SANS posts etc that can be found by a quick google for p2p+botnet -- Suresh Ramasubramanian ([EMAIL PROTECTED])
Re: On-going Internet Emergency and Domain Names
On 31 Mar 2007, Paul Vixie wrote: whoa. this is like deja vu all over again. when [EMAIL PROTECTED] asked me to patch BIND gethostbyaddr() back in 1994 or so to disallow non-ascii host names in order to protect sendmail from a /var/spool/mqueue/qf* formatting vulnerability, i was fresh off the boat and did as i was asked. a dozen years later i find that that bug in sendmail is long gone, but the pain from BIND's check-names logic is still with us. i did the wrong thing and i should have said just fix sendmail, i don't care how much easier it would be to patch libc, that's just wrong. are we really going to stop malware by blackholing its domain names? if so then i've got some phone calls to make. are we really going to stop malware by blackholing its domain names? if so then i've got some phone calls to make. I don't know about bind, obviously your knowledge over-shadows mine. Changing bind for sendmail was likely silly but it showed some agility we seem to not have today. If it could have been a temporary dynamic solution (rather than a package change), it's an interesting concept. Back to reality and 2007: In this case, we speak of a problem with DNS, not sendmail, and not bind. As to blacklisting, it's not my favorite solution but rather a limited alternative I also saw you mention on occasion. What alternatives do you offer which we can use today? Gadi. -- Paul Vixie
Re: On-going Internet Emergency and Domain Names
On Sat, 31 Mar 2007, Gadi Evron wrote: In this case, we speak of a problem with DNS, not sendmail, and not bind. The argument can be made that you're trying to solve a windows-problem by implementing blocking in DNS. Next step would be to ask all access providers to block outgoing UDP/53 so people can't use open resolvers or machines set up to act as resolvers for certain DNS information that the botnets need, as per the same analysis that blocking TCP/25 stops spam. So what you're trying to do is a pure stop-gap measure that won't scale in the long run. Fix the real problem instead of trying to bandaid the symptoms. -- Mikael Abrahamsson email: [EMAIL PROTECTED]
Re: On-going Internet Emergency and Domain Names
On Sat, 31 Mar 2007, Mikael Abrahamsson wrote: On Sat, 31 Mar 2007, Gadi Evron wrote: In this case, we speak of a problem with DNS, not sendmail, and not bind. The argument can be made that you're trying to solve a windows-problem by implementing blocking in DNS. Next step would be to ask all access providers to block outgoing UDP/53 so people can't use open resolvers or machines set up to act as resolvers for certain DNS information that the botnets need, as per the same analysis that blocking TCP/25 stops spam. So what you're trying to do is a pure stop-gap measure that won't scale in the long run. Fix the real problem instead of trying to bandaid the symptoms. The real problem? Okay, I'd like your ideas then. :) What we are referring to here is not just malware, phishing, DDoS (rings a bell, root servers?) and other threats. It is about the DNS being manipulated and abused and causing instability across the board, only not in reachability and availability which is the infrastructure risk already being looked after. Hijacking may be resolved by DNS-SEC, this isn't. If an A record with a low TTL can be changed every 10 minutes, that means no matter what the problem is, we can't mitigate it. There are legitimate reasons to do that, though. The CC for a botnet would not disappear, as it would be half way across the world by the time we see it. The only constant is the malicious domain name. If the NS keeps skipping around, that's just plain silly. :) If we are able to take care of all the rest, and DNS becomes the one facet which can rewind the wheel, DNS is the problem. It HAS become an infrastructure for abuse, and it disturbs daily life on the Internet. We'd like solutions and we raised some ideas - we are willing to accept they are not good ones, please help us out with better ones? Or we can look at it from a different perspective: Should bad guys be able to register thousands of domains with amazon and paypal in them every day? Should there be black hat malicious registrars around? Shouldn't there be an abuse route for domain names? One problem at a time, please. Gadi.
Re: On-going Internet Emergency and Domain Names
Paul Vixie wrote: whoa. this is like deja vu all over again. when [EMAIL PROTECTED] asked me to patch BIND gethostbyaddr() back in 1994 or so to disallow non-ascii host names in order to protect sendmail from a /var/spool/mqueue/qf* formatting vulnerability, i was fresh off the boat and did as i was asked. a dozen years later i find that that bug in sendmail is long gone, but the pain from BIND's check-names logic is still with us. i did the wrong thing and i should have said just fix sendmail, i don't care how much easier it would be to patch libc, that's just wrong. are we really going to stop malware by blackholing its domain names? if so then i've got some phone calls to make.

Okay, what I am about to suggest here is clearly going to be heretical, and I have to admit I thought about it before reading Paul's post... but I still want to put it out for thought. Clearly, the bad guys are manipulating DNS as a means to hide. Quoting Gadi from earlier: Every day we see two types of fast-flux attacks: 1. Those that keep changing A records by using a very low TTL. 2. Those that keep changing NS records, pretty much the same. So, since they are manipulating DNS, how about trying to fix DNS as somewhat of a work-around here? After all, this is a DNS issue, and **MAYBE** a patch to BIND may be the easiest temporary work-around? What I would suggest is as follows: Add an option to BIND that:
a) Returns a lookup failure if the TTL for the NS or A record is too low
b) Caches the failure record for the server's negative lookup TTL time period to slow the rate of future lookups
c) Clearly flags the forced failure in the query log to allow for the identification of potentially infected hosts and to help evaluate the effectiveness of this kludge
There should probably be separate options for setting minimum acceptable NS and A TTLs. I would think that in most circumstances you would want to consider rejecting NS RRs with TTLs < 4hrs and A RRs with TTL < 1hr. If my bit-herding skills were a little more up to date, I might have even tried to write such a patch myself. I think we can all agree that this is a BAD IDEA, but given the current circumstances, maybe this bad idea could be the lesser of several evils? Maybe we could get an unofficial patch from someone outside the ISC to allow this idea to be tried, thus avoiding ISC's having to forever support another bad idea that in reality didn't fix much? I would posit that if we don't try it, we would never know how effective it would be. Jon -- Jon R. Kibler Chief Technical Officer Advanced Systems Engineering Technology, Inc. Charleston, SC USA (843) 849-8214
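The minimum-TTL resolver option sketched in the message above, modelled as an added Python example (this is not a BIND patch and not code from anyone on the thread): a lookup whose NS or A TTL falls below a configured floor is refused, the forced failure is remembered for the negative-cache lifetime so the resolver stops asking upstream, and every forced failure is written to a clearly flagged query-log line. The 4-hour and 1-hour floors are the ones suggested in the post; the 900-second negative TTL, the record names and the upstream answers are constructed for the example.

```python
"""Minimum-TTL resolver policy, modelled in Python (added example).

(a) fail lookups whose NS or A TTL is below a configured floor,
(b) remember the forced failure for the negative-cache TTL so the
    resolver stops re-querying upstream for that name, and
(c) write a clearly flagged query-log line so infected clients can be
    found and the policy's false-positive rate measured.
The negative TTL and the sample records are assumptions, not page data.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

MIN_NS_TTL = 4 * 3600   # 4 h floor for NS records, as suggested in the post
MIN_A_TTL = 1 * 3600    # 1 h floor for A records, as suggested in the post
NEGATIVE_TTL = 900      # assumed negative-cache lifetime for a forced failure


@dataclass
class RRSet:
    """One answer RRset as the resolver would receive it from upstream."""
    name: str
    rtype: str          # "NS" or "A"
    ttl: int            # seconds
    rdata: List[str]


@dataclass
class MinTTLPolicy:
    min_ns_ttl: int = MIN_NS_TTL
    min_a_ttl: int = MIN_A_TTL
    negative_ttl: int = NEGATIVE_TTL
    # name -> absolute expiry time of the cached forced failure
    neg_cache: Dict[str, float] = field(default_factory=dict)
    query_log: List[str] = field(default_factory=list)

    def _floor(self, rtype: str) -> Optional[int]:
        return {"NS": self.min_ns_ttl, "A": self.min_a_ttl}.get(rtype)

    def resolve(self, name: str, rtype: str, client: str,
                fetch: Callable[[str, str], RRSet], now: float) -> str:
        """Return the rcode handed back to `client` for this query.

        `fetch` stands in for the upstream lookup; `now` is injected so
        the negative cache can be exercised deterministically.
        """
        expiry = self.neg_cache.get(name)
        if expiry is not None and expiry > now:
            # (b) cached forced failure: answer without asking upstream
            self.query_log.append(f"{now:.0f} client {client}: {name} {rtype} "
                                  "FORCED-TTL-FAILURE (cached)")
            return "SERVFAIL"
        if expiry is not None:
            del self.neg_cache[name]          # cached failure has expired

        rrset = fetch(name, rtype)
        floor = self._floor(rrset.rtype)
        if floor is not None and rrset.ttl < floor:
            # (a) TTL below the configured floor: refuse the answer
            self.neg_cache[name] = now + self.negative_ttl
            # (c) flag the forced failure so it is easy to grep for
            self.query_log.append(f"{now:.0f} client {client}: {name} {rtype} "
                                  f"FORCED-TTL-FAILURE ttl={rrset.ttl} floor={floor}")
            return "SERVFAIL"
        self.query_log.append(f"{now:.0f} client {client}: {name} {rtype} NOERROR")
        return "NOERROR"


# Constructed upstream data standing in for real authoritative answers.
UPSTREAM = {
    ("www.example", "A"): RRSet("www.example", "A", 86400, ["192.0.2.10"]),
    ("flux.example", "A"): RRSet("flux.example", "A", 300, ["198.51.100.7"]),
    ("flux.example", "NS"): RRSet("flux.example", "NS", 600, ["ns1.flux.example"]),
}


def fetch_upstream(name: str, rtype: str) -> RRSet:
    return UPSTREAM[(name, rtype)]


def demo() -> List[str]:
    """Run the policy over four constructed queries; return the rcodes."""
    policy = MinTTLPolicy()
    return [
        policy.resolve("www.example", "A", "203.0.113.5", fetch_upstream, now=0),
        policy.resolve("flux.example", "A", "203.0.113.5", fetch_upstream, now=1),
        # within NEGATIVE_TTL: served from the negative cache, upstream not asked
        policy.resolve("flux.example", "A", "203.0.113.9", fetch_upstream, now=100),
        # after NEGATIVE_TTL: re-evaluated against upstream, NS TTL still too low
        policy.resolve("flux.example", "NS", "203.0.113.9", fetch_upstream, now=1000),
    ]


if __name__ == "__main__":
    for rcode in demo():
        print(rcode)
```

The flagged log lines are the part worth keeping even if the policy itself is dropped: grouping them by client shows which hosts keep asking for low-TTL names, and grouping them by name shows how many legitimate low-TTL services (the case Gadi mentions) the floors would break.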
Re: On-going Internet Emergency and Domain Names
Port 25 is bad. It has been blocked. Port 53 is bad. Some ISPs are already going to block it. How about port 80? I think port 80 should have been the first and only port to block. Let the other ports stay alive. And maybe a test for port 42 would be nice. If port 42 is answered by an IEN 116 nameserver then everything is fine. If it is windows nameservice - then shoot the guy. Chance is 75% that it is a bot already. If you don't shoot him chance is 75% that he will get infected anyhow. Can somebody tell me how to delay this post until midnight your time? I have unlocked the mettre en voyage lever already and the kettle is boiling. I am sure we built steam enough :) Cheers Peter and Karin Gadi Evron wrote: On Sat, 31 Mar 2007, Mikael Abrahamsson wrote: On Sat, 31 Mar 2007, Gadi Evron wrote: In this case, we speak of a problem with DNS, not sendmail, and not bind. The argument can be made that you're trying to solve a windows-problem by implementing blocking in DNS. Next step would be to ask all access providers to block outgoing UDP/53 so people can't use open resolvers or machines set up to act as resolvers for certain DNS information that the botnets need, as per the same analysis that blocking TCP/25 stops spam. So what you're trying to do is a pure stop-gap measure that won't scale in the long run. Fix the real problem instead of trying to bandaid the symptoms. The real problem? Okay, I'd like your ideas then. :) What we are referring to here is not just malware, phishing, DDoS (rings a bell, root servers?) and other threats. It is about the DNS being manipulated and abused and causing instability across the board, only not in reachability and availability which is the infrastructure risk already being looked after. Hijacking may be resolved by DNS-SEC, this isn't. If an A record with a low TTL can be changed every 10 minutes, that means no matter what the problem is, we can't mitigate it. There are legitimate reasons to do that, though. The CC for a botnet would not disappear, as it would be half way across the world by the time we see it. The only constant is the malicious domain name. If the NS keeps skipping around, that's just plain silly. :) If we are able to take care of all the rest, and DNS becomes the one facet which can rewind the wheel, DNS is the problem. It HAS become an infrastructure for abuse, and it disturbs daily life on the Internet. We'd like solutions and we raised some ideas - we are willing to accept they are not good ones, please help us out with better ones? Or we can look at it from a different perspective: Should bad guys be able to register thousands of domains with amazon and paypal in them every day? Should there be black hat malicious registrars around? Shouldn't there be an abuse route for domain names? One problem at a time, please. Gadi. -- Peter and Karin Dambier Cesidian Root - Radice Cesidiana Rimbacher Strasse 16 D-69509 Moerlenbach-Bonsweiher +49(6209)795-816 (Telekom) +49(6252)750-308 (VoIP: sipgate.de) mail: [EMAIL PROTECTED] mail: [EMAIL PROTECTED] http://iason.site.voila.fr/ https://sourceforge.net/projects/iason/ http://www.cesidianroot.com/
Re: On-going Internet Emergency and Domain Names
On Fri, 30 Mar 2007, Gadi Evron wrote: There is a current on-going Internet emergency: a critical 0day vulnerability currently exploited in the wild threatens numerous desktop systems which are being compromised and turned into bots, and the domain names hosting it are a significant part of the reason why this attack has not yet been mitigated. Before the readers of the list think that the world is about to end, please read Gadi's previous predictions here: http://www.securityfocus.com/archive/1/354200/30/0/threaded Eventually, crying wolf will get tiring. This past February, I sent an email to the Reg-Ops (Registrar Operations) mailing list. The email, which is quoted below, states how DNS abuse (not the DNS infrastructure) is the biggest unmitigated current vulnerability in day-to-day Internet security operations, not to mention abuse. This isn't 0-day by any measure. Low-ttl, changing-nameserver domains were in vogue back in 2002 or so. These botnets use DNS as central registry. Yes, it'd be nice to hit the CC using our control of DNS, and yes, it'd be nice if registrars/registries were cooperating. However, DNS isn't the root of the problem here - tomorrow, they'll use some p2p tracker[less] protocol to distribute this information. While we argue about this or that TLD, there are operational issues of the highest importance that are not being addressed. I do not think that this reaches 'operational' just yet, unless you are operating a registry or registrar. snip This is the weakest link online today in Internet security, which we in most cases can't mitigate, and the only mitigation route is the domain name. I dare to say, that's not the weakest link, and that's not the only mitigation route. snip We need to be able to get rid of domain names, at the very least during real emergencies. I am aware how it isn't always easy to distinguish what is good and what is bad. Still, we need to find a way. OK, so, do you officially declare the emergency? Should we all block the domains listed on http://isc.sans.org/, is that an authoritative site of botnet hunters? If so, there are a couple of surprises for you. baidu.com listed there is a Chinese equivalent of google, who'd get very upset if its domain name got revoked. Similarly, alexa.com. There needs to be due process for these actions. And once we close this vector, I'm sure that botnets will simply migrate away from DNS to some other protocol. -alex
Re: On-going Internet Emergency and Domain Names
On Sat, 31 Mar 2007 08:49:27 EDT, [EMAIL PROTECTED] said: OK, so, do you officially declare the emergency? Should we all block the domains listed on http://isc.sans.org/, is that an authoritative site of botnet hunters? If so, there are a couple of surprises for you. baidu.com listed there is a Chinese equivalent of google, who'd get very upset if its domain name got revoked. Similarly, alexa.com. There needs to be due process for these actions. And once we close this vector, I'm sure that botnets will simply migrate away from DNS to some other protocol. The real problem is that the bad guys are able to deploy new DNS entries in timespans on the order of 10s of minutes, and we can't manage anything resembling due process in that timeframe. (And yes, one could easily imagine a botnet that switches to an entirely new name for the CC host every 10 minutes - the herder just needs a function that's fed a time-of-day, and generate a hash. Run it for 144 values for tomorrow, register those domains, and distribute the values to your botnet (assuming 10-byte hashes, you'd need all of one 1500 byte packet per day) - or let the bots do the hash themselves if you trust their clocks to be somewhere near accurate. If you want to be *really* obscure, consider the fact that rfc3490 IDN's provide a very good way to hide the fact that it's a hash...
Re: On-going Internet Emergency and Domain Names
On Sat, 31 Mar 2007 [EMAIL PROTECTED] wrote: OK, so, do you officially declare the emergency? Should we all block the This is an emergency incident on the scale of WMF, but no, it is indeed being handled. I am raising the flag on an ever increasing problem with DNS. This latest incident illustrates some of our operational problems with the security of the Internet. domains listed on http://isc.sans.org/, is that an authoritative site of botnet hunters? If so, there are a couple of surprises for you. baidu.com listed there is a Chinese equivalent of google, who'd get very upset if its domain name got revoked. Similarly, alexa.com. There needs to be due process for these actions. And once we close this vector, I'm sure that botnets will simply migrate away from DNS to some other protocol. You shouldn't confuse TCP/IP for the control channel of the botnets which is IRC, HTTP, etc. DNS is not going anywhere, patch for the hosts file or not. -alex
Re: On-going Internet Emergency and Domain Names
On Sat, 31 Mar 2007, Gadi Evron wrote: domains listed on http://isc.sans.org/, is that an authoritative site of botnet hunters? If so, there are a couple of surprises for you. baidu.com listed there is a Chinese equivalent of google, who'd get very upset if its domain name got revoked. Similarly, alexa.com. There needs to be due process for these actions. And once we close this vector, I'm sure that botnets will simply migrate away from DNS to some other protocol. You shouldn't confuse TCP/IP for the control channel of the botnets which is IRC, HTTP, etc. I'm not sure I understand your point. Intarweb Storm Center listed a number of domain names involved in these attacks, presumably so the registrars/registries pull the DNS records. I am pointing out that at least two of the ones listed are innocent. What does TCP/IP or IRC or HTTP have to do with anything? DNS is not going anywhere, patch for the hosts file or not. Glad you understand that.
Re: On-going Internet Emergency and Domain Names
On Sat, Mar 31, 2007, Gadi Evron wrote: On Sat, 31 Mar 2007 [EMAIL PROTECTED] wrote: OK, so, do you officially declare the emergency? Should we all block the This is an emergency incident on the scale of WMF, but no, it is indeed being handled. I am raising the flag on an ever increasing problem with DNS. One could argue it's an ever increasing problem with IP. This latest incident illustrates some of our operational problems with the security of the Internet. Again; one could argue it's also an increasing problem with IP. I wonder if anyone can come up with methods of solving this at the IP layer.. There needs to be due process for these actions. And once we close this vector, I'm sure that botnets will simply migrate away from DNS to some other protocol. You shouldn't confuse TCP/IP for the control channel of the botnets which is IRC, HTTP, etc. DNS is not going anywhere, patch for the hosts file or not. And I'm sure they'll migrate away from DNS when it becomes inconvenient. I'm still pleasantly surprised how many organisations spend large amounts of money controlling what comes in and almost never try to handle what goes -out-. Adrian
Re: On-going Internet Emergency and Domain Names
On Sat, 2007-03-31 at 06:16 -0500, Gadi Evron wrote: Or we can look at it from a different perspective: Should bad guys be able to register thousands of domains with amazon and paypal in them every day? Should there be black hat malicious registrars around? Shouldn't there be an abuse route for domain names? One problem at a time, please. Based on Lorenzen's data, domain tasting enables millions of domain names to be in flux every day. Exchanging lists this large with end users is extremely costly. When small handguns became a weapon of choice for holdups, a waiting period was imposed to allow enforcement agencies time to block exchanges. Even when bad actors can be identified, a reporting lag of 12 to 24 hours in the case of global registries ensures there can be no preemptive response. If enforcement at this level is to prevent crime, registries would need to help by providing some advance notice. Perhaps all registries should be required to report public details of domain name additions 24 hours in advance of the same details being published in the TLD zones. -Doug
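What a consumer of the 24-hour advance feed proposed above might do with it, tied back to Gadi's question about thousands of daily registrations with amazon and paypal in them: an added Python example (not any registry's feed format and not code from anyone on the thread) that walks a list of announced additions, folds simple digit-for-letter substitutions back to letters so "paypa1" still matches, flags names containing a watched brand string, and records how much notice each entry actually gives before publication. The feed fields, the brand watch list, the registrar names and the sample entries are all constructed for the example.

```python
"""Screening a registry's advance feed of domain additions (added example).

Feed format, watch list and sample entries are assumptions for illustration.
"""
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed brand watch list; a real one would come from the brand owners.
WATCHED_BRANDS = ("amazon", "paypal", "ebay")
PREVIEW_WINDOW = timedelta(hours=24)      # notice period proposed in the post

# Common look-alike substitutions folded back to letters before matching.
_FOLD = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "@": "a"})


def normalise(name: str) -> str:
    """Lower-case, drop the TLD label, fold look-alike digits, strip hyphens."""
    labels = name.rstrip(".").lower().split(".")[:-1]
    return "".join(labels).translate(_FOLD).replace("-", "")


def screen_additions(feed: List[Dict[str, str]], now: datetime,
                     brands=WATCHED_BRANDS) -> List[Dict[str, object]]:
    """Return one hit per feed entry whose name contains a watched brand."""
    hits = []
    for entry in feed:
        folded = normalise(entry["name"])
        matched = [b for b in brands if b in folded]
        if not matched:
            continue
        announced = datetime.fromisoformat(entry["announced_at"])
        publish_at = datetime.fromisoformat(entry["publish_at"])
        notice = publish_at - announced
        hits.append({
            "name": entry["name"],
            "registrar": entry["registrar"],
            "brands": matched,
            "notice_hours": round(notice.total_seconds() / 3600, 1),
            # an addition announced with less than the full window is itself
            # a policy violation by the registry, worth reporting separately
            "short_notice": notice < PREVIEW_WINDOW,
            "hours_left": round((publish_at - now).total_seconds() / 3600, 1),
        })
    return hits


# Constructed feed entries standing in for a registry's advance report.
SAMPLE_FEED = [
    {"name": "amazon-login.example", "registrar": "Registrar A",
     "announced_at": "2007-03-31T12:00:00", "publish_at": "2007-04-01T12:00:00"},
    {"name": "weather-report.example", "registrar": "Registrar B",
     "announced_at": "2007-03-31T12:00:00", "publish_at": "2007-04-01T12:00:00"},
    {"name": "paypa1-secure.example", "registrar": "Registrar C",
     "announced_at": "2007-03-31T12:00:00", "publish_at": "2007-04-01T02:00:00"},
    {"name": "safe-harbour.example", "registrar": "Registrar A",
     "announced_at": "2007-03-31T12:00:00", "publish_at": "2007-04-01T12:00:00"},
]


def demo() -> List[Dict[str, object]]:
    """Screen the constructed feed against a constructed clock."""
    return screen_additions(SAMPLE_FEED, now=datetime(2007, 3, 31, 14, 0, 0))


if __name__ == "__main__":
    for hit in demo():
        print(f"{hit['name']} via {hit['registrar']}: brands={hit['brands']} "
              f"notice={hit['notice_hours']}h short_notice={hit['short_notice']} "
              f"hours_left={hit['hours_left']}")
```

A substring match on a folded name is deliberately crude: it is the cheap first pass that turns a feed of millions of daily additions into a short queue a human or a brand owner can act on inside the window, and the notice_hours field is what lets the consumer measure whether registries are actually honouring the 24 hours.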
Re: On-going Internet Emergency and Domain Names
Gadi Evron wrote: The real problem? Okay, I'd like your ideas than. :) Just because one doesn't have a solution to the real problem doesn't invalidate them from objecting to an idea presented by someone else, you know? Trying to fix DNS this way is just the wrong thing to do, even though the goal is honorable. We'll just end up having them do something else instead and the attempts we've made will be in vain and will likely have ended up with limitations to ourselves rather than to them. They will adapt to any change like this we would try to do. The only real way to attempt to stop this is lobbying for legislation, nailing people for what we see around us and the damage they cause us and to make it risky business rather than the piece of cake it is today. Anything else is just a minor setback for them, and a HUGE deal of investment and money for us on top of what we already spend handling what we're exposed to. -- /ahnberg.
RE: On-going Internet Emergency and Domain Names
The only constant is the malicious domain name. If we are able to take care of all the rest, and DNS becomes the one facet which can rewind the wheel, DNS is the problem. You have just explained how DNS is *NOT* the problem. The only constant is the domain name. That is handled by domain name registries, not by the DNS. Since domain name registries are not a technical issue, there is no technical solution to the problem. I suggest that you would get further by working with (or suing) the domain name registries that allow these domain names to be so constant. Or we can look at it from a different perspective: Should bad guys be able to register thousands of domains with amazon and paypal in them every day? In my opinion, yes. This gives the police something to subpoena from the registries to track down these people. If they were registering random words from the dictionary, the police would not know what records to subpoena. And if the registries disallowed applications with amazon and paypal in them, then the crooks would be using random words from the dictionary. Should there be black hat malicious registrars around? Yes. Again it gives a target for the police. As the FBI learned in the 1950's, you get much further by chasing the money than by chasing the men behaving badly. --Michael Dillon
Re: On-going Internet Emergency and Domain Names
On Saturday 31 March 2007 07:45, Peter Dambier wrote: Port 25 is bad. It has been blocked. Port 53 is bad. Some ISPs are already going to block it. How about port 80? I think port 80 should have been the first and only port to block. Close one, they will go to another, and another -- Nowadays, you'd have to block all 65535 ports on both TCP and UDP to get anywhere. Port blocking isn't the answer -- It ONLY postpones the attacks and such. What needs to be done is the ISPs allowing botnets and malware to run rampant on their networks to be held accountable for being negligent on their network security. Service provider abuse mailboxes should be paid more heed to, and reports should be acted upon. But I will reiterate, you can block all the ports you want, they (The origins of these attacks) will just move to the next available one.
RE: On-going Internet Emergency and Domain Names
What about a worldwide clearing house where all registrars must submit their domains for some basic verification? Naming: For phishing reasons. I think detection of possible trademark violations would be too contentious. Contact info: It's fine to use a proxy to hide true ownership to the public, but the clearing house would verify telephone numbers and addresses against public and private databases, and for those countries that don't have that well built-out, something that ties payment (whether that be credit card, bank transfer, or check) to a piece of identification as strong as a passport. Funding of such a clearing house: a flat fee per domain Maintenance: It can't be a one-time event, but I'm not sure how this would look. Of course, the above is only utopia and the problem has to get much worse before we'll see international cooperation. Frank -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas Otis Sent: Saturday, March 31, 2007 9:47 AM To: Gadi Evron Cc: nanog@merit.edu Subject: Re: On-going Internet Emergency and Domain Names On Sat, 2007-03-31 at 06:16 -0500, Gadi Evron wrote: Or we can look at it from a different perspective: Should bad guys be able to register thousands of domains with amazon and paypal in them every day? Should there be black hat malicious registrars around? Shouldn't there be an abuse route for domain names? One problem at a time, please. Based on Lorenzen's data, domain tasting enables millions of domain names to be in flux every day. Exchanging lists this large with end users is extremely costly. When small handguns became a weapon of choice for holdups, a waiting period was imposed to allow enforcement agencies time to block exchanges. Even when bad actors can be identified, a reporting lag of 12 to 24 hours in the case of global registries ensures there can be no preemptive response. If enforcement at this level is to prevent crime, registries would need to help by providing some advance notice. Perhaps all registries should be required to report public details of domain name additions 24 hours in advance of the same details being published in the TLD zones. -Doug
Re: On-going Internet Emergency and Domain Names
... Back to reality and 2007: In this case, we speak of a problem with DNS, not sendmail, and not bind. As to blacklisting, it's not my favorite solution but rather a limited alternative I also saw you mention on occasion. What alternatives do you offer which we can use today? on any given day, there's always something broken somewhere. in dns, there's always something broken everywhere. since malware isn't breaking dns, and since dns is not a vector per se, the idea of changing dns in any way to try to control malware strikes me as a way to get dns to be broken in more places more often. in practical terms, and i've said this to you before, you'll get as much traction by getting people to switch from windows to linux as you'd get by trying to poison dns. that is, neither solution would be anything close to universal. that rules it out as an alternative we can use today. but, isp's responsible for large broadband populations could do this in their recursion farms, and no doubt they will contact their dns vendors to find a way. BIND9, sadly, does not make this easy. i'll make sure that poison at scale makes the BIND10 feature list, since clustering is already coming. at the other end, authority servers which means registries and registrars ought, as you've oft said, be more responsible about ripping down domains used by bad people. whether phish, malware, whatever. what we need is some kind of public shaming mechanism, a registrar wall of sheep if you will, to put some business pressure on the companies who enable this kind of evil. fundamentally, this isn't a dns technical problem, and using dns technology to solve it will either not work or set a dangerous precedent. and since the data is authentic, some day, dnssec will make this kind of poison impossible.
Re: On-going Internet Emergency and Domain Names
On Mar 31, 2007, at 9:20 AM, Paul Vixie wrote: fundamentally, this isn't a dns technical problem, and using dns technology to solve it will either not work or set a dangerous precedent. and since the data is authentic, some day, dnssec will make this kind of poison impossible. Some SPs are doing DNS manipulation/poisoning now for various reasons, with varying degrees of utility/annoyance. If those SPs choose to manipulate their own DNS in a way which affects their own users, that's fine; if the users don't like it, they can go elsewhere. Some enterprises are doing the same kinds of things, with the same options available to the user population (though not always quite as easy to 'go elsewhere', heh). What SPs or enterprises choose to do for/to their own user bases is between them and their users. When we start talking about involving registries, etc., that's when we've clearly jumped the shark. There is no 'emergency', any more than there was an 'emergency' last week or the week before or the month before that - after a while, a state of 'emergency' becomes the norm, and thus the bar is raised. It's merely business as usual, and no extraordinary measures are required. Yes, there are ongoing, long-term problems, but they need rationally-thought-out, long-term solutions. 'Think globally, act locally' seems a good principle to keep in mind, along with 'Be liberal in what you accept, and conservative in what you send'. Much unnecessary grief and gnashing of teeth would be avoided if folks worried about what was going on in their own networks vs. grandiose, 'fix-the-Internet'-type 'solutions' (the appeal of the latter is that it requires no actual useful effort or sacrifice on one's own part, merely heated rhetoric and a pointed finger, which appeals to some of the least attractive aspects of human nature). --- Roland Dobbins [EMAIL PROTECTED] // 408.527.6376 voice Words that come from a machine have no soul. -- Duong Van Ngo
Re: On-going Internet Emergency and Domain Names
Mattias Ahnberg wrote: They will adapt to any change like this we would try to do. The only real way to attempt to stop this is lobbying for legislation, nailing people for what we see around us and the damage they cause us and to make it risky business rather than the piece of cake it is today. Anything else is just a minor setback for them, and a HUGE deal of investment and money for us on top of what we already spend handling what we're exposed to. I second this motion, I think the only way to make a step change for the better is to seek and implement measures that make it more expensive and challenging to be in the badware/phishing/spam business. These measures should also hold their ground and push the problem into the backyards of those who choose to ignore the crap they allow into the public network. Unfortunately nothing to address this seriously exists today and I've yet to identify serious effort to get this done. I'd be happy to be part of such endeavour if one is going to be founded someday. But I do believe it could be done. Even without clean slate daydreaming. Pete
Re: On-going Internet Emergency and Domain Names
Kradorex Xeron wrote: What needs to be done is the ISPs allowing botnets and malware to run rampant on their networks to be held accountable for being negligent on their network security, Service provider abuse mailboxes should be paid more heed to, and reports should be acted upon, That presupposes that people will report problems. The situation with spam shows clearly that when the problem gets big enough, people will *stop* *reporting* *incidents*. Out of a clear blue sky, one of my servers found its way into the CBL. No spam reports, none at all. (I'm the Abuse Investigator, the one who has to read all the reports -- and the spam -- directed at [EMAIL PROTECTED], so I would know.)
Re: On-going Internet Emergency and Domain Names
On Sat, 31 Mar 2007, Fergie wrote:

> ...and before people start bashing Gadi for being off-topic, etc., I'll side with him on the fact that this particular issue appears to be quite serious.

Wow, if both gadi and fergie say it's important, it must be a real showstopper.

[EMAIL PROTECTED]darwin

Moral indignation is a technique to endow the idiot with dignity. - Marshall McLuhan
Re: On-going Internet Emergency and Domain Names
* Fergie:

> While the 0-day exploit is the ANI vulnerability, there are many, many compromised websites (remember the MiamiDolhins.com embedded javascript iframe redirect?) that are using similar embedded .js redirects to malware-hosting sites which fancy this exploit. And some of them have vast audiences, increasing the potential for a major issue -- TBD.

In today's world of ubiquitous advertising, vast audiences equal lots of money. That's why this is a problem which a few class-action suits can and will fix. The hard problem is repeated damage done by many small incidents.
Re: On-going Internet Emergency and Domain Names
* Paul Vixie:

> since malware isn't breaking dns, and since dns is not a vector per se, the idea of changing dns in any way to try to control malware strikes me as a way to get dns to be broken in more places more often.

Well, once more people learn about DLV (especially the NS override extension that has been requested by zone operators), more and more questions will pop up about why we can't do this for NS records they don't like for some reason. The genie is out of the bottle, I'm afraid.

> in practical terms, and i've said this to you before, you'll get as much traction by getting people to switch from windows to linux as you'd get by trying to poison dns. that is, neither solution would be anything close to universal. that rules it out as an alternative we can use today.

The legal details for operating and using a lookaside zone are rather interesting, which strongly suggests that this isn't a solution that can be rolled out in a reasonable time frame. On the more technical side, some very large operators have mostly out-sourced their DNS operation, so they can't easily deploy an upgrade from ISC even if it were available today.

> at the other end, authority servers, which means registries and registrars, ought, as you've oft said, to be more responsible about ripping down domains used by bad people. whether phish, malware, whatever. what we need is some kind of public shaming mechanism, a registrar wall of sheep if you will, to put some business pressure on the companies who enable this kind of evil.

I fear that many registrars make most of their money with trademark violations of their customers. If that is indeed true, showing any sign of responsibility could be suicidal.
RE: On-going Internet Emergency and Domain Names
On Sat, 2007-03-31 at 11:09 -0500, Frank Bulk wrote:

> On Sat, 31 Mar 2007 07:46:47 -0700, Douglas Otis wrote:
>
>> Even when bad actors can be identified, a reporting lag of 12 to 24 hours in the case of global registries ensures there can be no preemptive response. If enforcement at this level is to prevent crime, registries would need to help by providing some advance notice. Perhaps all registries should be required to report public details of domain name additions 24 hours in advance of the same details being published in the TLD zones.
>
> What about a worldwide clearing house where all registrars must submit their domains for some basic verification?

Rather than a clearinghouse, require that gTLDs, ccTLDs, and SLDs establish rules regarding access to a 24-hour preview of zone transfers. Establish some type of international domain dispute resolution agency that responds to hold requests made by recognized legal authorities. Establishing transfers for the next day's zone provides extremely valuable information that would significantly aid efforts in fighting crime. Advance warning permits deployment of preemptive technologies. This technology could be bind10, but there are other solutions as well. Legal authorities should also be able to request holds placed on specific domains when the minimal details appear related to criminal activity, such as names commonly used for look-alike attacks. Only then would additional information become relevant, and be handled by the domain dispute resolution agency. They would not be a general clearinghouse.

> Naming: For phishing reasons. I think detection of possible trademark violations would be too contentious.

Agreed.

> Contact info: It's fine to use a proxy to hide true ownership to the public, but the clearing house would verify telephone numbers and addresses against public and private databases, and for those countries that don't have that well built out, something that ties payment (whether that be credit card, bank transfer, or check) to a piece of identification as strong as a passport.

While this sounds like an excellent idea, it also seems unlikely the current levels of trust permit a broad sharing of such detail in the fashion of a clearinghouse. Just a 24-hour advance peek at tomorrow's zone file would not represent any additional data preparation, nor would this be information someone wishes to keep private. After all, there is competition between registrars.

> Funding of such a clearing house: a flat fee per domain
>
> Maintenance: It can't be a one-time event, but I'm not sure how this would look.

Perhaps registries should be allowed to charge a small fee to cover just the expense related to the transfers.

> Of course, the above is only utopia and the problem has to get much worse before we'll see international cooperation.

The financial damage caused by crime taking advantage of DNS features to then dance rapidly over the globe should justify rather minor changes to the current mode of registry operations.

-Doug
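A 24-hour preview of tomorrow's zone, as proposed above, is only useful if somebody actually screens the new delegations before they go live. The following is an added example, not code from the thread, from any registry or from bind10: it diffs two constructed zone-file snapshots in master-file format, extracts the newly delegated second-level names, and flags those that resemble a constructed list of protected names via homoglyph normalisation, substring match, or edit distance. The zone contents, the brand list, the homoglyph table and the distance threshold are all assumptions chosen for illustration; a real deployment would tune them and feed the flagged names to whatever hold process the registry operates.

```python
"""Screen a next-day zone preview for newly added look-alike delegations.

Added example, not part of the original thread. Zone snippets, protected
names and thresholds below are constructed for illustration only.
"""
import re

# Constructed snapshots of a TLD zone in RFC 1035 master-file style.
# Only NS records below the apex matter for "which domains exist".
ZONE_TODAY = """
$ORIGIN example.
@             86400 IN SOA ns.example. hostmaster.example. 1 7200 900 1209600 86400
@             86400 IN NS  ns.example.
shop          86400 IN NS  ns1.hoster.test.
bigbank       86400 IN NS  ns1.bigbank.test.
"""

ZONE_TOMORROW = """
$ORIGIN example.
@             86400 IN SOA ns.example. hostmaster.example. 2 7200 900 1209600 86400
@             86400 IN NS  ns.example.
shop          86400 IN NS  ns1.hoster.test.
bigbank       86400 IN NS  ns1.bigbank.test.
b1gbank       86400 IN NS  ns.cheapreg.test.
bigbank-login 86400 IN NS  ns.cheapreg.test.
paypa1        86400 IN NS  ns.cheapreg.test.
weather       86400 IN NS  ns1.hoster.test.
"""

# Constructed list of names a registry might be asked to watch (assumption).
PROTECTED = ["bigbank", "paypal"]

# Characters commonly swapped into look-alike registrations (assumption).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s",
                            "7": "t", "@": "a", "$": "s"})

# owner [TTL] IN NS target  -- TTL is optional in master files.
NS_RE = re.compile(r"^(\S+)\s+\d*\s*IN\s+NS\s+", re.IGNORECASE)


def delegations(zone_text):
    """Return the set of labels owning NS records, excluding the apex '@'."""
    names = set()
    for line in zone_text.splitlines():
        m = NS_RE.match(line.strip())
        if m and m.group(1) != "@":
            names.add(m.group(1).lower())
    return names


def added_delegations(today, tomorrow):
    """Labels delegated in tomorrow's preview that did not exist today."""
    return sorted(delegations(tomorrow) - delegations(today))


def levenshtein(a, b):
    """Classic edit distance; zone labels are short, so O(len(a)*len(b)) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_reason(label, protected=PROTECTED, max_distance=1):
    """Return a short reason why `label` resembles a protected name, or None.

    The genuine name itself is never flagged. Checks run from the most
    specific (homoglyph-only substitution) to the loosest (edit distance).
    """
    if label in protected:
        return None
    norm = label.translate(HOMOGLYPHS)
    for brand in protected:
        if norm == brand:
            return f"homoglyph of {brand}"
        if brand in norm:
            return f"contains {brand}"
        dist = levenshtein(norm, brand)
        if dist <= max_distance:
            return f"edit distance {dist} from {brand}"
    return None


def screen_preview(today, tomorrow, protected=PROTECTED):
    """Map each suspicious new delegation to the reason it was flagged."""
    flagged = {}
    for label in added_delegations(today, tomorrow):
        reason = lookalike_reason(label, protected)
        if reason is not None:
            flagged[label] = reason
    return flagged


if __name__ == "__main__":
    for label, reason in screen_preview(ZONE_TODAY, ZONE_TOMORROW).items():
        print(f"HOLD CANDIDATE: {label}.example  ({reason})")
```

The design point is that the input needs nothing beyond what the registry already produces for an AXFR; the screening is a diff plus a cheap string comparison, so the only operational cost the preview imposes is publishing the file a day early.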