On Apr 3, 2007, at 3:29 PM, Sam Stickland wrote:
Maybe it would make sense for someone to reiterate what types of abuse DNS is facilitating? I believe what Gadi was getting at was mainly the ability to use fake details to register a domain, and then very rapidly cycling the A records through a wide range of hosts, attempting to avoid detection. As opposed to there actually being fundamental flaws open to abuse in a system that maps names to IP addresses.
Despite doubts several stated about creating a fairly comprehensive view of the Internet landscape, dedicated systems working in unison do keep fairly close tabs on what is what. Threat information is then pushed to the edge (as some would call it). The abuse of registries has been able to thwart the effectiveness in dealing with much of the threat landscape as it undergoes a transformation every few minutes. The latency in distributing threat information prevents its protection from being as effective as it should be when facing undefined threats within a rapidly transforming environment. No one wants to wait for security checks while browsing. This information must be preprocessed and "at the ready", or the Internet starts to feel rather slow and broken. Slowing down registry updates, and even providing a preview of upcoming changes, will allow security to become much faster in providing comprehensive answers, and make browsing seem unimpaired (as it should be). There is no need for rapid, unannounced updates by the registries. Getting a commerce site set up in milliseconds all too often benefits those wishing to abuse this immediacy. Would it really be that hard to say "Confirm the operation of DNS for this website at this time tomorrow."? Just because this information can be published within a few milliseconds does not make doing so a good idea. It would be better for security reasons to offer this information for review first, well before it goes "live". The price for pushing protective information to the edge by just one company fighting this blitzkrieg is simply astounding. In addition, there are costs incurred by the reduced protection as well, whether it is click fraud, botnet C&Cs, phishing sites, etcetera, etcetera. Slowing registries and offering a preview can dramatically shift the balance in this faltering struggle.
There are many security concerns that can make extremely good use of this information without depending upon some centralized policing that never seems to be sufficient or effective enough to be noticeable. It is not obvious how the daily 5 million domain name churn, driven by an astoundingly high level of fraud and identity theft, can be slowed. Perhaps we will all soon need a cryptographic fob instead of a wrist watch to accompany our other pieces of identification. Stabilizing the landscape can better ensure system owners have a good idea when they are entering dangerous territory. This alone should help them keep their systems as safe as possible in the face of unknown threats. Tracking all this information may seem daunting, but is there any other practical alternative? -Doug
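As an added illustration of the abuse Sam describes (rapidly cycling a name's A records through many hosts), and not code from anyone in this thread: the following heuristic scores a small resolver observation log for the fingerprints of that behaviour, namely many distinct addresses spread across several networks, short TTLs, and all of it inside a short window. The log lines, the field layout, and the thresholds are constructed assumptions for the example.

```python
"""Heuristic for spotting rapid A-record cycling ("fast flux") in resolver observations.

Added example, not from the mailing-list thread. The observation log below is
constructed, and the scoring rule and its thresholds are assumptions chosen
for illustration, not a published standard.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample observations, one per line: "<ISO time> <name> <ttl> <ipv4>".
# "shop-deals.example" is a stable site; "cheap-meds.example" cycles through
# six addresses on two networks within five minutes at a 60-second TTL.
SAMPLE_LOG = """\
2007-04-03T15:00:00 shop-deals.example 300 192.0.2.10
2007-04-03T15:05:00 shop-deals.example 300 192.0.2.10
2007-04-03T15:10:00 shop-deals.example 300 192.0.2.10
2007-04-03T15:00:00 cheap-meds.example 60 198.51.100.7
2007-04-03T15:01:00 cheap-meds.example 60 203.0.113.44
2007-04-03T15:02:00 cheap-meds.example 60 198.51.100.91
2007-04-03T15:03:00 cheap-meds.example 60 203.0.113.12
2007-04-03T15:04:00 cheap-meds.example 60 198.51.100.200
2007-04-03T15:05:00 cheap-meds.example 60 203.0.113.77
"""


def parse_log(text):
    """Yield (timestamp, name, ttl, ip) from the whitespace-separated log format assumed above."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, name, ttl, ip = line.split()
        yield datetime.fromisoformat(ts), name.lower().rstrip("."), int(ttl), ip


def summarize(records):
    """Aggregate per name: distinct IPs, distinct /24 networks, lowest TTL seen, first and last sighting."""
    by_name = defaultdict(lambda: {"ips": set(), "nets": set(),
                                   "min_ttl": None, "first": None, "last": None})
    for ts, name, ttl, ip in records:
        s = by_name[name]
        s["ips"].add(ip)
        s["nets"].add(ip.rsplit(".", 1)[0])  # crude /24 bucket; an ASN lookup would be better
        s["min_ttl"] = ttl if s["min_ttl"] is None else min(s["min_ttl"], ttl)
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
    return by_name


def is_fast_flux(summary, min_ips=5, min_nets=2, max_ttl=300, max_span=3600):
    """Assumed rule: >= min_ips distinct addresses over >= min_nets networks,
    a TTL no longer than max_ttl, all observed within max_span seconds."""
    span = (summary["last"] - summary["first"]).total_seconds()
    return (len(summary["ips"]) >= min_ips
            and len(summary["nets"]) >= min_nets
            and summary["min_ttl"] <= max_ttl
            and span <= max_span)


def flag_fast_flux(text, **thresholds):
    """Return the sorted names in a log that trip the heuristic."""
    return sorted(name for name, s in summarize(parse_log(text)).items()
                  if is_fast_flux(s, **thresholds))


if __name__ == "__main__":
    for name, s in sorted(summarize(parse_log(SAMPLE_LOG)).items()):
        verdict = "flux?" if is_fast_flux(s) else "stable"
        print(f"{name}: {len(s['ips'])} ips, {len(s['nets'])} nets, "
              f"min ttl {s['min_ttl']}s -> {verdict}")
```

Treat a hit as a tripwire rather than a verdict: large CDNs and round-robin load balancers also hand out short TTLs and rotate addresses, so a flagged name still needs the registration age, registrant data, and the spread of the hosting networks checked before anything is pushed to the edge as a block.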