DNS Hijacking by Cox

Chris L. Morrow christopher.morrow at verizonbusiness.com
Tue Jul 24 14:53:17 UTC 2007
On Mon, 23 Jul 2007, Joe Greco wrote:

>
> > Quoting Joe Greco <jgreco at ns.sol.net>:
> > The procedures and
> > paths of action you wish the largers ISPs to take are just not
> > practical.
>
> No, they're just a little more difficult.  I realize that it's more
> complex to inject a blackhole host route into the IGP of your average
> large ISP than it is to wreak a little configuration havoc on some
> recursers.  That doesn't make the easier solution correct.
>

actually.... this really depends upon the management/admin
responsibilities in question, and on the level of damage you are willing
to wreak.

a simple blackhole route (generally not in the IGP, but iBGP, though that
does depend upon the local preferences of the operator I suppose) is much
easier for some folks to do, but it has the side effect of a large blast
radius on vhost-type ip addresses.

a 'simple' dns redirection is 'easier' if you are the dns-admin, often the
dns-admin and routing-admin are not in the same place in the company and
they don't 'trust' each other for these sorts of things. Doing the work in
the DNS server does have the nice side effect that you can block the
domain regardless of ip changes and without the problem associated with
vhost-type ip addresses.

With all of the solutions proposed and possible there are risks, costs and
benefits. Weigh those out while keeping in mind that Cox (IN THIS EXAMPLE)
has 5+ million users and will have to take a very low-cost solution.

So, backing up again.... given a set of options, and a set of risks with
those options, and keeping in mind that false positives will happen
eventually (this clearly being a case of that), is this worth 35 messages
to discuss a false positive?

-Chris
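The trade-off Chris describes above, modelled as an added example (this is not code from the post or from any operator mentioned in the thread): a destination blackhole route takes out every name that currently resolves to the blackholed address, while a resolver-side block of the name itself has no collateral and keeps working when the target moves to a new IP. The hostnames, the resolution snapshot and the "moved" address are all constructed for the example; the addresses come from the RFC 5737 documentation ranges.

```python
"""
Added example: compare an IP blackhole route against a DNS-level block.

Two things the post argues are made measurable here:
  * blast radius: names that share the blackholed (vhost-type) address
    are blocked along with the target;
  * robustness: once the target re-homes to a new address, an unchanged
    IP blackhole stops blocking it but keeps hurting the innocent vhosts,
    while the DNS block still catches it.
Everything in RESOLUTIONS and MOVED_TARGET_IP is constructed sample data.
"""
from dataclasses import dataclass, field

# Constructed snapshot of what a recursive resolver currently returns
# (name -> IPv4). 192.0.2.10 is a shared-hosting address serving several
# unrelated sites alongside the one we want to block.
RESOLUTIONS = {
    "bad.example.net":  "192.0.2.10",
    "shop.example.com": "192.0.2.10",
    "blog.example.org": "192.0.2.10",
    "mail.example.org": "198.51.100.5",
    "www.example.com":  "203.0.113.7",
}

# Constructed: where the target ends up after its operator re-homes it.
MOVED_TARGET_IP = "203.0.113.99"


@dataclass
class BlockResult:
    target_blocked: bool
    collateral: set = field(default_factory=set)  # innocent names hit


def ip_blackhole(resolutions, target, blackholed_ips):
    """Model a destination blackhole (null route carried in iBGP): every
    name that currently resolves to a blackholed address is unreachable."""
    blocked = {name for name, ip in resolutions.items() if ip in blackholed_ips}
    return BlockResult(target in blocked, blocked - {target})


def dns_block(resolutions, target, blocked_names):
    """Model an RPZ-style block in the recursive resolver: only the listed
    names fail, whatever address they happen to map to."""
    blocked = {name for name in resolutions if name in blocked_names}
    return BlockResult(target in blocked, blocked - {target})


def compare(resolutions, target):
    """Apply both mechanisms before and after the target changes IP.

    Returns (before, after), each a dict keyed by mechanism name.
    The block lists are built once, from the initial snapshot, and are
    deliberately NOT updated when the target moves."""
    ips = {resolutions[target]}
    names = {target}
    before = {
        "ip_blackhole": ip_blackhole(resolutions, target, ips),
        "dns_block": dns_block(resolutions, target, names),
    }
    moved = {**resolutions, target: MOVED_TARGET_IP}
    after = {
        "ip_blackhole": ip_blackhole(moved, target, ips),
        "dns_block": dns_block(moved, target, names),
    }
    return before, after


def blast_radius(result):
    """Number of innocent names caught by a block."""
    return len(result.collateral)


if __name__ == "__main__":
    before, after = compare(RESOLUTIONS, "bad.example.net")
    for phase, results in (("before move", before), ("after move", after)):
        for mech, r in results.items():
            print(f"{phase:12} {mech:13} target_blocked={r.target_blocked!s:5} "
                  f"collateral={sorted(r.collateral)}")
```

Run it and the IP blackhole shows a blast radius of two innocent vhosts from the start, and after the target moves it blocks nothing useful at all while still breaking those two sites; the DNS block has zero collateral in both phases. That is the asymmetry behind "regardless of ip changes and without the problem associated with vhost-type ip addresses" in the post.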
