On 7/22/07, Steven M. Bellovin <smb@cs.columbia.edu> wrote: I would suggest not underestimating the ingenuity and persistence of the bad guys to escalate the neverending war, when a new weapon is invented to use against them. If there's a way around it, history has shown, the new weapon quickly becomes worthless, you get to use it maybe for a month or two. Maybe that's enough, if you can be assured of constantly coming up with new improvements. It's really tiresome stuff, and if ISPs do it, they'll find themselves having to get more and more invasive for each "new and improved" anti-bot weapon. Much more likely than not the bad guys even read the list (if not the other few security lists where the events of reported DNS mangling by Cox have been mentioned) and now know how to proceed to minimize the disruption to their annoying botnets. Hint: the "common ways to try to remove a bot" are not hard for bots to detect; kiddies often scripted the things to not allow removal, anyways. End result: Legitimate IRC users get blocked, script kids quickly adapt, and get their well-hidden botnets back into place and "patched" against DNS-based hacks in the future. Conclusion: Everybody loses (ISP and legit IRC users), except the script kiddies now have more robust junk (and another victory).
So -- I think that DNSSEC, if deployed, will protect users who care, even against their ISP. It won't protect the clueless; I'm not sure
I would suggest the "protection" you get with DNSSEC is not so solid, even for the non-clueless. I see DNSSEC alone as no protection by itself, even with the additional assumptions. An ISP can possibly instead of "changing" the DNS, "redirect" traffic destined for the actual target IP address (from their own users), or push traffic through transparent proxies that accomplish the same end.. In fact, it will be less visible to the user what is occuring (at least with DNS manipulations, the user can _SEE_ that what happened, if they are not among the clueless, and maybe get around DNS mangling, by skipping DNS and going to the _right_ IP) IRC traffic is much like SMTP in certain respects -- it is not encrypted, there is no digital certificate that can be used to verify the peer legitimately uses the ip address (or dns name) you think it does when you connect. And spammers are a problem (Unauthorized bot nets logging on to IRC networks are really just a very bad type of spammer, a type that is often very difficult for IRC networks to detect and eliminate; and IRC networks risk all their IRC servers being DDoSed later in retaliation, just for trying to kill off a botnet -- the d*** things may just autoconnect to the next network, and switch secret channels, from a list with God knows how many entries....). - I am doubting most of the world sees DNSSEC implementations as the ideal solution to any current problem -- compared to the current DNS, it seems like overkill to digitally sign everything.. Considering the excessive bloat and overhead of DNSSEC implementations, when there is a bigger hole in the security of the underlying protocol (TCP/IP itself) The canonball-sized hole (Your ISP can pretend to be any IP address they want) should have priority to be be plugged, it should be "way ahead" on the list of the pinhole (Your ISP can pretend that a given name is associated with any IP address they want instead of the correct one). OTOH, universally deployed IPSEC seems even farther off. If it is even a workable plan for a netizen (to distrust the ISP), considering the ISP can always, after all, block instead of redirect. -- -J