Re: VeriSign's rapid DNS updates in .com/.net
At 7/22/04 10:08 AM, Paul Vixie wrote:
the primary beneficiaries of this new functionality are spammers and other malfeasants
I think you're suggesting that such people will register domain names and use them right away (which may be true), and that the lack of a delay enables them to do things they couldn't otherwise do (which isn't).

Plenty of spammers register lots of .com domain names and let them sit for a little while before using them; if you're a committed spammer, it's obviously trivial to just get three days ahead of the game. The policy change doesn't allow evildoers to do anything they couldn't already do with a tiny amount of forethought (or by registering a .biz, .org, .info or .us domain, for that matter).

But the new policy does allow normal people to do something they couldn't otherwise do: have a working .com/.net Web site and e-mail in a few minutes. That's good for legitimate domain owner happiness.

By far the number one question customers ask my (hosting) company when they sign up is "When will it start working?". It's almost embarrassing to tell these poor people "ahem... it probably won't work for a day or so, and it's a bit random -- your friends might find it works before you do, so please don't complain if that happens", etc.

It's certainly true that a day's wait isn't the end of the world, but these people are anxious, and it is a source of confusion, bother and worry for them.

I welcome the change.

-- Robert L Mathews, Tiger Technologies http://www.tigertech.net/

"There are many who dare not kill themselves for fear of what the neighbours might say." -- Cyril Connolly
On Thu, 2004-07-22 at 20:24, Robert L Mathews wrote:
At 7/22/04 10:08 AM, Paul Vixie wrote:
the primary beneficiaries of this new functionality are spammers and other malfeasants
I think you're suggesting that such people will register domain names and use them right away (which may be true), and that the lack of a delay enables them to do things they couldn't otherwise do (which isn't).
Actually, this *does* make the spammers' lives a whole lot easier. See my post to Bugtraq from about a year ago titled "Permitting recursion can allow spammers to steal name server resources". It pretty much hinges on the spammers finding an authority that will react quickly to change requests. Worst part is a year after that post I still see this activity taking place. :(

HTH, Chris
But the new policy does allow normal people to do something they couldn't otherwise do: have a working .com/.net Web site and e-mail in a few minutes. That's good for legitimate domain owner happiness.
By far the number one question customers ask my (hosting) company when they sign up is "When will it start working?". It's almost embarrassing to tell these poor people "ahem... it probably won't work for a day or so, and it's a bit random -- your friends might find it works before you do, so please don't complain if that happens", etc.
It's certainly true that a day's wait isn't the end of the world, but these people are anxious, and it is a source of confusion, bother and worry for them.
bingo! and the TTL issue is almost entirely NS RRs, as Sam Stickland <sam_ml@spacething.org> pointed out in the article from the usual suspects at mit/lcs, <http://nms.lcs.mit.edu/papers/dns-imw2001.html>. of course, almost all data in the gtlds are NS RRs, so the worry about TTL crank-down holds, though just for silly gtld servers. then again, they're paid to serve.

randy
On 22.07 14:46, Randy Bush wrote:
... the TTL issue is almost entirely NS RRs, ... of course, almost all data in the gtlds are NS RRs, so the worry about TTL crank-down holds, though just for silly gtld servers. then again, they're paid to serve.
This assumes rational behavior of a lot of zone admins. YMMV. Of course rational behavior may be increased by information and education.

Daniel
On Thu, 22 Jul 2004 17:24:07 -0700 "Robert L Mathews" <lists@tigertech.com> wrote:

| At 7/22/04 10:08 AM, Paul Vixie wrote:
|
|> the primary beneficiaries of this new functionality are spammers
|> and other malfeasants
|
| I think you're suggesting that such people will register domain
| names and use them right away (which may be true), and that the
| lack of a delay enables them to do things they couldn't otherwise
| do (which isn't).

The key here is not registration but change. Currently, while spammers and other malfeasants have the ability to send out through compromised proxies and zombied PCs, there is little that can be done to identify them until they require a response, and then the return path provides some traceability via the IP addresses used, at least for nameservers.

One of the latest spammer exploits involves relying on compromised PCs for hosting of websites and DNS: which, coupled with the ability to update the root DNS in close-to-real-time, means that the entire hosting operation including nameservers can be based on compromised boxes, often with an encrypted/obfuscated link back to the real point of control, and that is significantly harder to track. This becomes of rather greater significance if the hosting is for a phishing site.

The root DNS is controlled through the registrar, and what contact information is held by the registrars frequently turns out to be at best highly imaginative. In removing the previous delays in updating root DNS, the registrars have removed the last obstacle to making hosting totally untraceable: and then the only record of a hosting activity will be whatever data is held by the registrar.

The only impact of the changes that ICANN made to improve whois accuracy has been that the malfeasants are now registering more domains, so that they can rely on the mandated 15-day grace period during which the registrar is required to keep their domain up even though the provided contact details are totally bogus.

The demand for extra domains serves the registrars' business model well. When a contact address is proved to be bogus, and at the end of 15 days the domain complained of is in consequence shut down, it does not seem to occur to most registrars that the other (say) six hundred - perhaps thousands of domains - that were registered by the same person with the identical contact details, must also have bogus contact details and so should be automatically shut down. No, an individual complaint seems to be needed in each case, which means that the malfeasants are given 15 days from the first appearance of EACH domain during which the entire domain is, as it were, bulletproof.

-- Richard Cox
The key here is not registration but change. Currently, while spammers and other malfeasants have the ability to send out through compromised proxies and zombied PCs, there is little that can be done to identify them until they require a response, and then the return path provides some traceability via the IP addresses used, at least for nameservers.
One of the latest spammer exploits involves relying on compromised PCs for hosting of websites and DNS: which, coupled with the ability to update the root DNS in close-to-real-time, means that the entire hosting operation including nameservers can be based on compromised boxes, often with an encrypted/obfuscated link back to the real point of control, and that is significantly harder to track. This becomes of rather greater significance if the hosting is for a phishing site.
The root DNS is controlled through the registrar, and what contact information is held by the registrars frequently turns out to be at best highly imaginative.
aside from your confusion between the root and second level domain names, this is still fud. all they need to do is register foo.bar with delegation to their dns servers, and change a third level domain name at will.

randy
On Thu, 22 Jul 2004 15:27:37 -1000 Randy Bush <randy@psg.com> wrote:

| all they need to do is register foo.bar with delegation to their
| dns servers, and change a third level domain name at will.

Er, no. They have of course tried that already!

Registering foo.bar with delegation to THEIR dns servers gives full identification of THEIR dns servers, and the host or upstream of those servers can (and often does) start invoking their acceptable use policy. If not, then all the considerations that Paul V. recently cited about neighbours who allow bad things on their network start to kick in.

The scenario I have outlined - now well established, and the mechanism understood - allows the malfeasants to operate on the 'net with zero traceability of their identity or location, based on everything they do being able to be done through zombied Windows PCs or open(ed) proxies.

-- Richard Cox
On 7/23/04 5:29 AM, "Richard Cox" <richard@mandarin.com> wrote:
On Thu, 22 Jul 2004 15:27:37 -1000 Randy Bush <randy@psg.com> wrote:
| all they need to do is register foo.bar with delegation to their | dns servers, and change a third level domain name at will.
Er, no. They have of course tried that already!
Registering foo.bar with delegation to THEIR dns servers gives full identification of THEIR dns servers, and the host or upstream of those servers can (and often does) start invoking their acceptable use policy. If not, then all the considerations that Paul V. recently cited about neighbours who allow bad things on their network start to kick in.
The scenario I have outlined - now well established, and the mechanism understood - allows the malfeasants to operate on the 'net with zero traceability of their identity or location, based on everything they do being able to be done through zombied Windows PCs or open(ed) proxies.
The distribution of spam is only half of the economy at work here. Spam doesn't occur in a vacuum. The other half is the "site(s)" profiting from the spam.
At 10:05 AM 7/23/2004, Christian Kuhtz wrote:
On 7/23/04 5:29 AM, "Richard Cox" <richard@mandarin.com> wrote:
On Thu, 22 Jul 2004 15:27:37 -1000 Randy Bush <randy@psg.com> wrote:
| all they need to do is register foo.bar with delegation to their | dns servers, and change a third level domain name at will.
Er, no. They have of course tried that already!
Registering foo.bar with delegation to THEIR dns servers gives full identification of THEIR dns servers, and the host or upstream of those servers can (and often does) start invoking their acceptable use policy. If not, then all the considerations that Paul V. recently cited about neighbours who allow bad things on their network start to kick in.
The scenario I have outlined - now well established, and the mechanism understood - allows the malfeasants to operate on the 'net with zero traceability of their identity or location, based on everything they do being able to be done through zombied Windows PCs or open(ed) proxies.
The distribution of spam is only half of the economy at work here. Spam doesn't occur in a vacuum. The other half is the "site(s)" profiting from the spam.
Let's just be clear that not all sites mentioned in spam are profiting at all. Spammers mention sites unrelated to what they're advertising to:

1) throw off blocklists which attempt to build lists of sites mentioned in spam.
2) purposely hurt the reputation of sites by getting blocklists to mention those sites.
3) and possibly cause flash traffic loads to sites that would otherwise not get high loads.

Sites mentioned without permission are common. Be clear with any attempt to go after sites "profiting" from spam to explain how you will only affect those who are really profiting and have given their permission.
I don't want to digress into a spam-l or asrg standard thread, but I do want to point out the similarity of what I think are ad networks that manage sets of write-engines (aka "zombies") in the blog-spam (http) problem space with the canonical abuse-desk/xdsl swamp meta-thread on nanog. I'm observing rotation of write-side assets (dsl zomb-o-the-moment), and rotation of ad inventory (variation on viagra/paxil/casino/xxx domains). This is in response to the comment that begins
Let's just be clear that not all sites mentioned in spam are profiting ...
Which was in reply to a comment that concluded
Spam doesn't occur in a vacuum. The other half is the "site(s)" profiting ...
Eric
On Fri, 23 Jul 2004, Richard Cox wrote:
The key here is not registration but change. Currently, while spammers and other malfeasants have the ability to send out through compromised proxies and zombied PCs, there is little that can be done to identify them until they require a response, and then the return path provides some traceability via the IP addresses used, at least for nameservers.
One of the latest spammer exploits involves relying on compromised PCs for hosting of websites and DNS: which, coupled with the ability to update the root DNS in close-to-real-time, means that the entire hosting operation including nameservers can be based on compromised boxes, often with an encrypted/obfuscated link back to the real point of control, and that is significantly harder to track. This becomes of rather greater significance if the hosting is for a phishing site.
That is one of the main reasons why I don't like that Verisign has removed the ability to find data on how the list of nameservers for a domain, and moreover the IP address of a nameserver, might have been changed. The only thing we can see is what whois shows (= bulk zone data), which is just a one-time-per-day snapshot, while a spammer may have changed the IP address of a nameserver many times during the day to point to different zombie PCs. I hope Matt can get through to the correct people and deltas will be available for those already doing bulk zone downloads.
The demand for extra domains serves the registrars' business model well. When a contact address is proved to be bogus, and at the end of 15 days the domain complained of is in consequence shut down, it does not seem to occur to most registrars that the other (say) six hundred - perhaps thousands of domains - that were registered by the same person with the identical contact details, must also have bogus contact details and so should be automatically shut down. No, an individual complaint seems to be needed in each case, which means that the malfeasants are given 15 days from the first appearance of EACH domain during which the entire domain is, as it were, bulletproof.
It seems that by these policies registries are actively helping out spammers while claiming to be a neutral party. But in reality they know full well who the registrant of the domain is and that they are deliberately breaking ICANN rules, but they do not close their account and allow them to register more domains with false data. This "neutral party" excuse also leads to most domain registries refusing spam complaints; again they know exactly who it is that registers these domains and can definitely see they are spammers, but they will not do anything about it because spammers are good customers who register lots of domains. This situation is not helping in trying to stop this epidemic.

-- William Leibzon Elan Networks william@elan.net
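William's complaint above is that a once-a-day bulk zone snapshot cannot show a nameserver glue address that was repointed several times within the day. As an added example (written for this page, not code from the thread or from any registry tool), the following Python script diffs successive zone snapshots for delegation (NS-set) and glue changes and flags nameservers whose glue address keeps moving between snapshots; the zone records, domain names and RFC 5737 addresses are constructed.

```python
from collections import defaultdict

# Constructed daily snapshots of a registry-zone fragment in BIND zone-file
# syntax (delegation NS records plus glue A records). The second delegation
# keeps the same NS name but its glue address moves on every snapshot.
SNAPSHOTS = [
    """example.com.         IN NS ns1.example.com.
ns1.example.com.     IN A  192.0.2.10
cheap-pills.com.     IN NS ns1.cheap-pills.com.
ns1.cheap-pills.com. IN A  198.51.100.5
""",
    """example.com.         IN NS ns1.example.com.
ns1.example.com.     IN A  192.0.2.10
cheap-pills.com.     IN NS ns1.cheap-pills.com.
ns1.cheap-pills.com. IN A  203.0.113.77
""",
    """example.com.         IN NS ns2.example.com.
ns2.example.com.     IN A  192.0.2.11
cheap-pills.com.     IN NS ns1.cheap-pills.com.
ns1.cheap-pills.com. IN A  203.0.113.201
""",
]

def parse_zone(text):
    """Return ({domain: set(ns)}, {ns: set(ip)}) from NS and A records."""
    delegations, glue = defaultdict(set), defaultdict(set)
    for line in text.splitlines():
        f = line.split()
        if len(f) == 4 and f[1] == "IN" and f[2] == "NS":
            delegations[f[0].lower()].add(f[3].lower())
        elif len(f) == 4 and f[1] == "IN" and f[2] == "A":
            glue[f[0].lower()].add(f[3])
    return delegations, glue

def diff_snapshots(old_text, new_text):
    """List (name, kind, old_set, new_set) for every NS-set or glue change."""
    old_d, old_g = parse_zone(old_text)
    new_d, new_g = parse_zone(new_text)
    changes = []
    for kind, old, new in (("NS", old_d, new_d), ("GLUE", old_g, new_g)):
        for name in sorted(set(old) | set(new)):
            if old[name] != new[name]:  # defaultdict: missing -> empty set
                changes.append((name, kind, old[name], new[name]))
    return changes

def glue_churn(snapshots, min_distinct=3):
    """Nameservers whose glue pointed at >= min_distinct different IPs."""
    seen = defaultdict(set)
    for text in snapshots:
        for ns, ips in parse_zone(text)[1].items():
            seen[ns] |= ips
    return {ns: sorted(ips) for ns, ips in seen.items()
            if len(ips) >= min_distinct}
```

With hourly rather than daily snapshots the same diff would expose the intra-day repointing the post describes; the churn threshold is a constructed starting point, not a calibrated value.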
Richard wrote:
... the return path provides ...
This was where I ended up also. As Barry and others have discussed on the asrg, the write-side is throw-away assets. The "return path" is where the persistence of the names used is greater and the value to the scheme is realized. and Randy wrote:
all they need to do is register foo.bar with delegation to their dns servers, and change a third level domain name at will.
Yeah. But that's where registrars and registries can interpose on the scheme. The static 2LD with a twinkling constellation of 3LDs is still vulnerable. A run of twinkling 2LDs is harder for registrars and/or registries to break, across registries and registrars. There may be fewer points of failure in the NS-set used for a particular campaign.

Eric
I welcome the change.
so do i. but more importantly, i agree with daniel that the next thing that's going to happen as a result is that there will be pressure toward lower ttl's. and i further agree with daniel that lower ttl's would be bad. so, let's increase dynamicism of domain addition, but let's please not also increase dynamicism of delegation change and domain deletion.

-- Paul Vixie
Paul Vixie wrote:
so do i. but more importantly, i agree with daniel that the next thing
that's going to happen as a result is that there will be pressure toward lower ttl's. and i further agree with daniel that lower ttl's would be bad. so, let's increase dynamicism of domain addition, but let's please not also increase dynamicism of delegation change and domain deletion.
What would be your suggestion to achieve the desired effect that many seek by lower TTL's, which is changing A records to point to available, lower-load servers at different times? I did read the point that lower TTL's should only be used when appropriate, but if most high-traffic sites use low TTL's, the point about the rest is moot (with the exception of the root-servers). The load will be seen on ISP resolvers, especially on consumer networks.

Pete
so, let's increase dynamicism of domain addition, but let's please not also increase dynamicism of delegation change and domain deletion.
dear customer, you can have wheat bread today, but rye takes a day. here is a url which explains the reasons in obscure technical terms. right; bloody likely. we are here to serve the customer. the black hats use the same services that the good customers use. do not cut off nose to spite face.

and, as i said a few years back, in the long run, the spammers i fear are the big business bulk mailers. it is they who fill my post box at discounted postal rates. and they look a lot like 'legitimate' customers.

randy
participants (11)
- Chris Brenton
- Christian Kuhtz
- Daniel Karrenberg
- Daniel Senie
- Eric Brunner-Williams in Portland Maine
- Paul Vixie
- Petri Helenius
- Randy Bush
- Richard Cox
- Robert L Mathews
- william(at)elan.net