Verisign insanity - Distributed non-attack
After reading the posts on this list about Verisign's insane behaviour regarding the .com and .net TLD wildcards, I'd like to make a suggestion: Anyone remember the old RC5, distributed.net or Seti@Home projects? If Verisign continues with this irrational behaviour I propose developing a distributed client that will inundate their wildcard hosts with invalid requests, thus making harvesting useful information from any HTTP or SMTP traffic that they hijack nigh impossible. A nice distributed effort, a simple Win32 and Unix client, and a stats-based reporting system will make this a project where everyone can vote with their IP address.

I've also taken a look at the BIND code myself, to see how to rid myself of these falsely reported A records, but the fact is that unless EVERYONE joins in on running such a version of BIND, Verisign will still get away with it. It's ridiculous that I as an administrator have to take steps to correct the greedy self-righteousness that is the hallmark of their "experiment" in an effort to get some of the FUNDAMENTALS of DNS behaviour to operate as expected.

Inundating them with requests (such as the small Lynx shell script posted earlier) will force bigger ISPs to take a stance against this behaviour as well, since they'll be the ones footing the bill in terms of transparent cache servers being filled with invalid requests, sitting on expensive disc, expiring other more cache-worthy documents, and filling up processing queues. Effectively this would amount to a "denial of service" attack, but since there is nothing illegal about making an HTTP request to an invalid hostname, Verisign will be bringing the denial of service attack upon themselves, and unfortunately dragging ISPs with them. Why ISPs haven't publicly taken a stance against this yet is fascinating. I'm a mild-mannered programmer/administrator by day, but blatantly monopolistic practices such as this require decisive mass action, and make my blood boil.

There are enough issues to deal with on a day-to-day basis just to combat the loopholes there currently are for spammers. Having Verisign give spammers free FROM: domains to spam from has just made the task all the more unpleasant... If Verisign doesn't retract their mal-implemented "White Paper" and its insidious behaviour from the internet within the next week, I WILL start developing a client that allows netizens to vote with their IPs and HTTP or SMTP traffic. I will personally put up a $100 prize for the client that, according to statistics, has made the most requests to invalid .com/.net domains within the period required to get them to stop.

Cheers,
Roelf Diedericks
Systems Programmer
"I might be on the other end of a 56k modem, but I have a lot of friends with 56k modems..."
On Tue, 16 Sep 2003 17:02:59 +0200 "RoDent" <rodent@mighty.co.za> wrote:

| Effectively this would amount to a "denial of service" attack, but since
| there is nothing illegal about making an HTTP request to an invalid
| hostname, Verisign will be bringing the denial of service attack upon
| themselves, and unfortunately dragging ISPs with them. Why ISPs
| haven't publicly taken a stance against this yet is fascinating.

While I completely share your concern about Verisign's behaviour, I have a higher-level concern about anything seeking to disrupt services on the 'net. For some weeks now, several of the abuse-prevention organisations have been subjected to Distributed Denial-of-Service attacks; the attack on SORBS is still continuing, and very few of the networks carrying this DDoS traffic have lifted a finger to either limit or trace the attacking traffic. Which, I have to say, is *most* disappointing.

-- Richard Cox
This is just another example of a virtual monopoly doing whatever they damn well please because .... THEY CAN. Sorry to sound like a broken record, but we in the Inclusive Namespace have been saying this all along.

How about a world with 1000s of TLDs all operated by different people with NO restrictions imposed by a monopoly-supporting politburo (ICANN). How about a root network operated under rules designed ONLY to support the technical stability of the network and not under rules that masquerade as such but are really designed to prop up a monopoly of four organizations so that they can corner the market and shut out all others. Imagine such a world. Some people are doing just that. Some people with a LOT of money to spend on such a project. Stay tuned.

In a free market namespace (which the ICANN/USG IS *NOT*), with no unnecessary barriers to entry, competition would weed out the players that did anti-social, predatory things like VRSGN is doing. Either a business changes its practices to be in tune with its customer base or it vanishes.

FYI: ADNS had wildcard records in the DNS for the .USA, .EARTH, .Z, .LION and .AMERICA TLDs. They simply pointed to a page that said "This domain has not been registered yet". Those records were removed today because of the controversy surrounding wildcard records at the TLD level. I see a valid use for such records but there is also potential for abuse, and perception is sometimes as important as reality.

In the Inclusive Namespace, competition is a reality because there are no artificial barriers to entry in the marketplace, and players had better listen to the consumers' opinions or else they will not survive. That's as it should be. So, why isn't the #1 (in terms of traffic) root server network operated that way?

----- Original Message -----
From: "Richard Cox" <Richard@mandarin.com>
To: <nanog@merit.edu>
Sent: Tuesday, September 16, 2003 10:18
Subject: Re: Verisign insanity - Distributed non-attack
On Tue, 16 Sep 2003 17:02:59 +0200 "RoDent" <rodent@mighty.co.za> wrote:
| Effectively this would amount to a "denial of service" attack, but since
| there is nothing illegal about making an HTTP request to an invalid
| hostname, Verisign will be bringing the denial of service attack upon
| themselves, and unfortunately dragging ISPs with them. Why ISPs
| haven't publicly taken a stance against this yet is fascinating.
While I completely share your concern about Verisign's behaviour, I have a higher-level concern about anything seeking to disrupt services on the 'net. For some weeks now, several of the abuse-prevention organisations have been subjected to Distributed Denial-of-Service attacks; the attack on SORBS is still continuing, and very few of the networks carrying this DDoS traffic have lifted a finger to either limit or trace the attacking traffic. Which, I have to say, is *most* disappointing.
-- Richard Cox
On Tue, 16 Sep 2003, John Palmer wrote:
In a free market namespace (which the ICANN/USG IS *NOT*), with no unnecessary barriers to entry, competition would weed out the players that did anti-social, predatory things like VRSGN is doing.
Either a business changes its practices to be in tune with its customer base or it vanishes.
You can do this in the current framework as well. Simply don't use .com or .net. Granted, it would be a lot easier if ICANN were more helpful, but since that apparently isn't true... There are many other TLDs out there that operate under the current system that can be used instead. They may or may not be better, but personally, I don't think anyone can be worse than Verisign. The current system protects the monopoly longer, but does not grant total immunity. They are still (eventually) at the mercy of the market; they just have more room before that happens and enough people get pissed off. Hopefully, this stunt did it. Assuming the larger organizations start to issue press releases and other public announcements (ISPs, large corps), then things will change. If the ISPs and larger companies go along with it, then too bad for the rest of us.
This is just another example of a virtual monopoly doing whatever they damn well please because .... THEY CAN.
Sorry to sound like a broken record, but we in the Inclusive Namespace have been saying this all along.
How about a world with 1000s of TLDs all operated by different people with NO restrictions imposed by a monopoly-supporting politburo (ICANN).
Then things would be a million times worse. At least thankfully we have a monopoly regulator which _can_ force Verisign to undo the damage. Your world would only promote registrars doing whatever they please. Thankfully, for yet another reason, you aren't in control.
--On Tuesday, September 16, 2003 10:42:02 -0500 John Palmer <nanog@adns.net> wrote:

Do not listen to this man. He is trying to do more damage than Verisign. Actually.

-- Måns Nilsson
Systems Specialist
+46 70 681 7204
KTHNOC
MN1334-RIPE
We're sysadmins. To us, data is a protocol-overhead.
--On 16 September 2003 16:18 +0100 Richard Cox <Richard@mandarin.com> wrote:
While I completely share your concern about Verisign's behaviour, I have a higher level concern about anything seeking to disrupt services on the 'net.
Obviously the idea of nanog discussing anything which contributes to a denial of service is ridiculous. What I find even more ridiculous is that ICANN, which (for now) is supposed to be managing this farce, simply stands idly by, hands in its pockets, fiddling with its board. It's not as if this is a surprise hijack by Verisign; they've been telling the world they were going to do this for a while. In the meantime, everyone is left scrambling around at a technical level putting in /32 routes and DNS hacks to try and defeat it. Up to today I've always thought that all the various alt roots were the way to insanity. For the very first time I think what passes for reality in the ICANN world may have become surreal enough that it really can't be any worse than this.

-- Rob.
participants (8): Aaron Dewell, bdragon@gweep.net, John Palmer, Måns Nilsson, Petri Helenius, Richard Cox, Rob Pickering, RoDent