Verisign insanity - Distributed non-attack

Stephen J. Wilcox steve at telecomplete.co.uk
Tue Sep 16 17:28:50 UTC 2003



Alternatively:

Improve your hits - 
Point the IP to your company webserver
or add an A record to your local DNS servers to resolve to your site

If you want to help your peers to rid their networks of Verisign, why not
announce the IP via BGP anycast ;p

I do like the idea of inundating their systems, my only gripe is that I
see their server on my transits, which even if I leave things as is I
assume Verisign won't be paying for the extra bandwidth that they now cause
ISPs across the world to use...

Steve

On Tue, 16 Sep 2003, RoDent wrote:

> 
> After reading the posts on this list about Verisign's insane behaviour
> regarding the .com and .net TLD wildcards, I'd like to make a suggestion:
> 
> Anyone remember the old RC5, distributed.net or SETI@home projects?
> 
> If Verisign continues with this irrational behaviour I propose developing
> a distributed client that will inundate their wildcard hosts with invalid
> requests, thus making harvesting useful information from any HTTP, or
> SMTP traffic that they hijack nigh impossible.
> 
> A nice distributed effort, a simple win32, and Unix client, and a stats
> based reporting system will make this a project where everyone can vote
> with their IP address.
> 
> I've also taken a look at the BIND code myself, to see how to rid myself
> of these falsely reported A records, but the fact is that unless EVERYONE
> joins in on running such a version of bind, Verisign will still get away
> with it.
> It's ridiculous that I as an administrator have to take steps to correct
> the greedy self-righteousness that is the hallmark of their "experiment" in
> an effort to get some of the FUNDAMENTALS of DNS behaviour to operate
> as expected.
> 
> Inundating them with requests (such as the small Lynx shell script posted
> earlier), will force bigger ISPs to take a stance against this behaviour as
> well, since they'll be the ones footing the bill in terms of transparent cache
> servers being filled with invalid requests, sitting on expensive disc, and
> expiring other more cache-worthy documents, and filling up processing queues.
> 
> Effectively this would amount to a "denial of service" attack, but since
> there is nothing illegal about making an http request to an invalid hostname,
> Verisign will be bringing the denial of service attack upon themselves, and
> unfortunately dragging ISPs with them. Why ISPs haven't publicly taken a
> stance against this yet is fascinating.
> 
> I'm a mild mannered programmer/administrator by day, but blatantly
> monopolistic practices such as this require decisive mass action, and make
> my blood boil. There are enough issues to deal with on a day to day basis
> just to combat the loopholes there currently are for spammers.
> 
> Having Verisign give spammers free FROM: domains to spam from has just
> made the task all the more unpleasant...
> 
> If Verisign doesn't retract their mal-implemented "White Paper" and its
> insidious behaviour from the internet within the next week, I WILL start
> developing a client that allows netizens to vote with their IPs and HTTP,
> or SMTP traffic.
> 
> I will personally put up a 100$ prize for the client that according to
> statistics has made the most requests to invalid .com/.net domains within
> the period required to get them to stop.
> 
> Cheers,
> Roelf Diedericks
> Systems Programmer
> 
> "I might be on the other end of a 56k modem, but I have a lot of friends
> with 56k modems..."
> 
> 





