RE: On-going Internet Emergency and Domain Names
[In the message entitled "RE: On-going Internet Emergency and Domain Names" on Mar 31, 15:26, Matt Ghali writes:]
On Sat, 31 Mar 2007, Fergie wrote:
So very clever.
If you're not part of the solution... etc.
I feel so worthless standing next to you, the Solver.
Guys. We *all* (everyone reading this) have a role to play in dealing with problems on the Internet. There is *no* "one true solution" to what amounts to criminal activity - not on the Internet, and not in real life. We, collectively, have enabled a new frontier of civilization. The Internet is ever growing and changing, and we, collectively, need to address problems as they come up. The dominant OS vendor is currently part of the issue, certainly. But if that dominant OS vendor were (insert your favorite UNIX OS vendor), the same problems would exist. We are not fighting technology. We are dealing with very well organized, smart, and well-funded people. We need to focus on solutions that we can deploy, which will address the problems at hand, as we discover them. That means we will deploy things that do not solve underlying prolems, but address the symptoms as best we can, to prevent the entire mess from falling down. That means that we must look at short-range solutions to address things in near-real-time, and we need to look at changing the legal system to catch up. We also need to look at the policies which enable people to abuse the systems we have deployed. And we need to look at user education. And fixing the operating systems. And improving infrastructure, so we can deal with 15 Gbps attacks. And... There is no "one true solution" to this. That means you, as network operators, need to look at what makes sense *today*, and *DEPLOY IT*. "Someone else" isn't going to solve these issues, and waiting for them is folly. Do what you can, today, to address the problems you know about. Do what you can, today, to protect your users. Do what you can, today, to stop malicious behaviour from leaving your network. Do what you can, today, to improve your internal organization to ensure that these task can be done without a 6 month delay. Please - we all need to work on this together. But we need to do it now. --
From: dlr@bungi.com (Dave Rand)
...
We are not fighting technology. We are dealing with very well organized, smart, and well-funded people.
We need to focus on solutions that we can deploy, which will address the problems at hand, as we discover them. That means we will deploy things that do not solve underlying prolems, but address the symptoms as best we can, to prevent the entire mess from falling down.
That means that we must look at short-range solutions to address things in near-real-time, ...
There is no "one true solution" to this. That means you, as network operators, need to look at what makes sense *today*, and *DEPLOY IT*.
...
As Dave is certainly aware (as CTO of Trend Micro, which bought MAPS/Kelkea), his daytime employer has a product (called ICSS, and which I had a hand in building) that proposes to let enterprises or ISP's use recursive DNS as a delivery mechanism for security policy (like, "poison this malware domain"). I've got no heartburn about deploying these technologies at a customer level, but my experience with both BIND's "check-names" facilty and VeriSign's sitefinder wildcard (*.COM) have taught me that it's best to creatively rulebreak at the edge, and keep the core pristine. I helped Dave build ICSS and I know that customers of that technology could easily white-out domains used for Gadi's 0-day and that it would be a good thing for them to do so. But, that's the DNS "edge", I'm not ready to see the DNS "core" gain features like this. Or if they do come, I'd like them to come as a result of consensus driven protocol engineering (like inside the IETF) and take longer than "this week" to be defined. I hope this clarifies the incompatibility between me helping dave build ICSS (an edge solution) and me saying that whiting out malware domain names as a way to stop malware isn't a real (core) solution. Some references to ICSS, in case you all missed it. (Note that I am not an employee, shareholder, representative, or agent of Trend Micro and I have no financial stake in ICSS at this point.) http://www.trendmicro.com/en/products/nss/icss/evaluate/overview.htm http://www.eweek.com/article2/0,1895,2020286,00.asp http://www.vnunet.com/itweek/news/2164897/trend-appliance-sniffs-bot-nets http://www.computerwire.com/industries/research/?pid=2E16BA11-5976-42B0-9C13... http://www.computing.co.uk/itweek/news/2164897/trend-appliance-sniffs-bot-ne...
On Sun, 1 Apr 2007, Paul Vixie wrote:
I've got no heartburn about deploying these technologies at a customer level, but my experience with both BIND's "check-names" facilty and VeriSign's sitefinder wildcard (*.COM) have taught me that it's best to creatively rulebreak at the edge, and keep the core pristine. I helped Dave build ICSS and I know that customers of that technology could easily white-out domains used for Gadi's 0-day and that it would be a good thing for them to do so.
The problem that I think you fear is that DNS is 'basic plumbing' (the ICANN-SSAC had some term like this, which sticks in my head as 'basic plumbing'...) and that messing with it where there is low confidence of knowing WHY it's being used is not smart, or hazardous, or probably going to cause larger problems. On this I too agree, unless you can clearly scope your userbase and clearly be accountable for the problems that may arise, messing with basic plumbing is a bad, bad plan. The 'dns core' could be 'provider recursive servers' or 'TLD servers' or 'root servers' or some combination of these. As you move closer to the 'core' the userbase gets wider and more varied, their intent is not divinable in their requests and there's likely a higher chance you'll be doing something 'wrong' with their request if you dont' stick to the 'standards compliant' answer.
But, that's the DNS "edge", I'm not ready to see the DNS "core" gain features like this. Or if they do come, I'd like them to come as a result of consensus driven protocol engineering (like inside the IETF) and take longer than "this week" to be defined. I hope this clarifies the incompatibility between me helping dave build ICSS (an edge solution) and me saying that whiting out malware domain names as a way to stop malware isn't a real (core) solution.
Right, ICSS should be used (in your example) as close to the 'edge' as possible... or that's the intent of it, right? Let enterprise folks use these things, they have attentive helpdesk/admin folks to unscrew what the changes in basic plumbing have screwed up :)
On Sun, 1 Apr 2007, Chris L. Morrow wrote:
On Sun, 1 Apr 2007, Paul Vixie wrote:
But, that's the DNS "edge", I'm not ready to see the DNS "core" gain features like this. Or if they do come, I'd like them to come as a result of consensus driven protocol engineering (like inside the IETF) and take longer than "this week" to be defined. I hope this clarifies the incompatibility between me helping dave build ICSS (an edge solution) and me saying that whiting out malware domain names as a way to stop malware isn't a real (core) solution.
Right, ICSS should be used (in your example) as close to the 'edge' as possible... or that's the intent of it, right? Let enterprise folks use these things, they have attentive helpdesk/admin folks to unscrew what the changes in basic plumbing have screwed up :)
I agree with everything else you said, and being the guy who made up the term I believe in using DNS for detecting botnets in enterprise networks, etc. But building a wall to protect your port from attacks by pirates will not make the pirates go away, and unfortunately, we can't convince everybody to build walls and our security is nwoadays dependent on others'. Gadi.
On 1-Apr-2007, at 22:30, Gadi Evron wrote:
But building a wall to protect your port from attacks by pirates will not make the pirates go away, and unfortunately, we can't convince everybody to build walls and our security is nwoadays dependent on others'.
If you consider the possibility that you can never make the pirates go away, building walls sounds like sensible advice. Joe
On Mon, 2 Apr 2007, Joe Abley wrote:
On 1-Apr-2007, at 22:30, Gadi Evron wrote:
But building a wall to protect your port from attacks by pirates will not make the pirates go away, and unfortunately, we can't convince everybody to build walls and our security is nwoadays dependent on others'.
If you consider the possibility that you can never make the pirates go away, building walls sounds like sensible advice.
You got me there. I will add: "You can NEVER make the Pirates go away" but; "You can make sure they never enter your seas" Enough analogies though. :)
Joe
You got me there. I will add: "You can NEVER make the Pirates go away" but; "You can make sure they never enter your seas"
At which point, they take to land. The real issue at heart here is that some people wish to pursue evil means, and will change tactics and seek out weaknesses wherever they may find them. Today it might be weak verification of domain registry infrastructure, tomorrow it might be exploiting some p2p network. As has been repeated already, creating a fix in one technology will just force the would-be criminal to use another. The only real solution here is to make fewer criminals, and your only chances of that are to have more effective means of prosecuting them. In that aspect, I'm afraid we are quite a long way off, and will still always be a reactive process as opposed to a proactive process. The only hope is that it would deter future riffraff (though you could argue, such as with the pirate analogy, they will just find new avenues of attack).
On Mon, 2 Apr 2007, Andy Johnson wrote:
weaknesses wherever they may find them. Today it might be weak verification of domain registry infrastructure, tomorrow it might be exploiting some p2p network.
so, what exactly is the problem with registrations? One of the problems I see is with a seeming lack of follow-through on fraudulently purchased domains. Another is a seemingly long time to remove domains that are 'up to no good'. Taking out of this problem space the 'domain tasting' or 'domain kiting' issue (which is really a use of loopholes there for consumer protection...) If you look at the domain registration system as a legacy process, what would you do differently if re-inventing it? That, it seems to me, is likely the best path forward. Take your opinions/options and get them codified into new policy for registries/registrars to follow. With every relatively static and relatively open set of policies eventually bad-actors will find a set of loopholes or vulnerabilities to get their job done. It seems that re-evaulating the polcies/procedures/requirements would be useful in this matter. -Chris
so, what exactly is the problem with registrations? One of the problems I see is with a seeming lack of follow-through on fraudulently purchased domains. Another is a seemingly long time to remove domains that are 'up to no good'.
Agreed with on both points. See below for view of the problem.
If you look at the domain registration system as a legacy process, what would you do differently if re-inventing it? That, it seems to me, is likely the best path forward. Take your opinions/options and get them codified into new policy for registries/registrars to follow. With every relatively static and relatively open set of policies eventually bad-actors will find a set of loopholes or vulnerabilities to get their job done. It seems that re-evaulating the polcies/procedures/requirements would be useful in this matter.
Absolutely, we should always be re-evaluating our policies to verify they are up to meeting todays demands. The unfortunate side of this is, it may end up increasing costs. If we cut down on the automation of domains, and had more respect for what ends up in the TLD/root servers, perhaps it would cut down (note: cut down does not imply eradicate) DNS abuse. The process should be more akin to requesting more IP space. If we treat DNS space as an unlimited resource, and give it away for a couple of bucks per year, its much easier to abuse. However, if you had to justify your usage and naming, and have a human actually process that request, perhaps it would cut down on bogus registrations. Though, as I've mentioned already, once DNS becomes sufficiently difficult to abuse, said bad-actors will just pursue other methods, and we will be left with an overzealous registration process that costs entirely too much.
You got me there. I will add: "You can NEVER make the Pirates go away" but; "You can make sure they never enter your seas"
Enough analogies though. :) The Flying Spaghetti Monster is not at all happy about this talk of stopping pirates. He will likely smite you all with his noodly appendage.
RAmen. -Don
On 1-Apr-2007, at 22:30, Gadi Evron wrote:
But building a wall to protect your port from attacks by pirates will not make the pirates go away, and unfortunately, we can't convince everybody to build walls and our security is nwoadays dependent on others'.
If you consider the possibility that you can never make the pirates go away, building walls sounds like sensible advice.
It is uncommon for one single solution to be entirely correct to the point of not benefitting from other steps. Everybody locks their doors and windows at home ... right? (maybe not) We maintain a police department to deter bands of thugs from roaming the streets breaking into every house they pass. You may have an alarm system installed at your house, to notify someone when something is amiss. You may even harden your house in other ways (better locks, laminate on the windows, etc) to make it harder to penetrate. Not one of these steps is by itself a major deterrent to crime, but when taken together, it is reasonably effective at making a would-be intruder go elsewhere. The Internet is a new challenge, and Gadi is right in saying that security is dependent on others, since your neighbor's resources can be turned on you. However, the smart money is still on taking more steps than just relying on policing the core, or the community, or whatever. ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net "We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples.
participants (8)
-
Andy Johnson
-
Chris L. Morrow
-
dlr@bungi.com
-
Donald Stahl
-
Gadi Evron
-
Joe Abley
-
Joe Greco
-
Paul Vixie