ICANN opens up Pandora's Box of new TLDs

Gadi Evron ge at linuxbox.org
Fri Jun 27 22:33:08 CDT 2008


On Fri, 27 Jun 2008, Tomas L. Byrnes wrote:
> These issues are not separate and distinct, but rather related.
>
> A graduated level of analysis of membership in any of the sets of:
>
> 1: Recently registered domain.
>
> 2: Short TTL
>
> 3: Appearance in DShield, Shadowserver, Cyber-TA and other sensor lists.
>
> 4: Invalid/Non-responsive RP info in Whois
>
> Create a pretty good profile of someone you probably don't want to
> accept traffic from.
>
> Conflation is bad, recognizing that each metric has value, and some
> correlation of membership in more than one set has even more value, as
> indicating a likely criminal node, is good.
>
> YMMV.
>
> I guess, if you have perfect malware signatures, code with no errors,
> and vigilance the Marines on the wire @ gitmo would envy, you can accept
> traffic from everywhere.

Not quite, because you still won't know who to send the Marines to kill. 
The Internet is perfect for plausible deniability.

 	Gadi.

>
>
>
>> -----Original Message-----
>> From: Christopher Morrow [mailto:morrowc.lists at gmail.com]
>> Sent: Friday, June 27, 2008 7:23 PM
>> To: Roger Marquis
>> Cc: nanog at nanog.org
>> Subject: Re: ICANN opens up Pandora's Box of new TLDs
>>
>> On Fri, Jun 27, 2008 at 4:32 PM, Roger Marquis
>> <marquis at roble.com> wrote:
>>> Phil Regnauld wrote:
>>> apply even cursory tests for domain name validity. Phishers and
>>> spammers will have a field day with the inevitable namespace
>>> collisions. It is, however, unfortunately consistent with ICANN's
>>> inability to address other security issues such as fast flush DNS,
>>> domain tasting (botnets), and requiring valid domain contacts.
>>>
>>
>> Please do not conflate:
>>
>> 1) Fast flux
>> 2) Botnets
>> 3) Domain tasting
>> 4) valid contact info
>>
>> These are separate and distinct issues... I'd point out that
>> FastFlux is actually sort of how Akamai does it's job
>> (inconsistent dns responses), Double-Flux (at least the
>> traditional DF) isn't though certainly Akamai COULD do
>> something similar to Double-Flux (and arguably does with some
>> bits their services. The particular form 'Double-Flux' is
>> certainly troublesome, but arguably TOS/AUP info at
>> Registrars already deals with most of this because #4 in your
>> list would apply... That or use of the domain for clearly
>> illicit ends.
>> Also, perhaps just not having Registrar's that solely deal in
>> criminal activities would make this harder to accomplish...
>>
>> Botnets clearly are bad... I'm not sure they are related to
>> ICANN in any real way though, so that seems like a red
>> herring in the discussion.
>>
>> Domain tasting has solutions on the table (thanks drc for
>> linkages) but was a side effect of some
>> customer-satisfaction/buyers-remorse
>> loopholes placed in the regs... the fact that someone figured
>> out that computers could be used to take advantage of that
>> loophole on a massive scale isn't super surprising. In the
>> end though, it's getting fixed, perhaps slower than we'd all
>> prefer, but still.
>>
>>> I have to conclude that ICANN has failed, simply failed,
>> and should be
>>> returned to the US government.  Perhaps the DHL would at
>> least solicit
>>> for RFCs from the security community.
>>
>> I'm not sure a shipping company really is the best place to solicit...
>> or did you mean DHS? and why on gods green earth would you
>> want them involved with this?
>>
>> -chris
>>
>>
>
>




More information about the NANOG mailing list