security relevance [was: ICANN opens up Pandora's Box of new TLDs]
ge at linuxbox.org
Fri Jun 27 22:31:51 CDT 2008
On Fri, 27 Jun 2008, Roger Marquis wrote:
> On Fri, 27 Jun 2008, Christopher Morrow wrote:
>> 1) Fast flux 2) Botnets 3) Domain tasting 4) valid contact info
>> These are separate and distinct issues...
> They are separate but also linked by being issues that can only be addressed at
> the registrar level, through TOS. Since some registrars have a financial
> incentive not to address these issues, in practice, they can be implemented
> only by ICANN policy (mandated much like the domain refund period).
These issues can be addressed, from a defensive standpoint alone, at:
1. The root
2. TLDs (the servers)
3. TLDs (registries)
5. ISPs NS
6. Home, end-user
The ability, sanity, cost and effectiveness are the main factors deciding
what is to be done. Does anyone want a domain blocked at the TLD server
under even extreme conditions? I do, but the situation would have to be
*really* extreme, which I have only seen a few of in the last 10 years.
Registries have a high level of importance to this fight, especially if
they are to make sure their business is not mostly criminally used--if
they care. Registrars are far closer to the fight, but with less
potential impact--if they care, and we know some do. Others however are
built to begin with as criminal havens.
>> I'd point out that FastFlux is actually sort of how Akamai does
>> its job (inconsistent dns responses)
> That's not really fast flux. FF uses TTLs of just a few seconds with
> dozens of NS. Also, in practice, most FF NS are invalid. Not that FF has
> a fixed definition...
You are both right.
FF is a concept. I should know, having been the bastard to expose it to
the public and thus getting it the defensive attention it
needed--and wide(er) exploitation (I am not the one who found out
it exists, that was someone who shall remain anonymous).
The TTL is what is mainly abused. Then it went to the NS level, and I see
no problem with NSs simply returning different answers with every query. I
believe it has in fact been done before by the criminals.
>> Domain tasting has solutions on the table (thanks drc for
>> linkages) but was a side effect of some
>> customer-satisfaction/buyers-remorse loopholes placed in the
> The domain tasting policy was, if I recall, intended to address buyers of
> one to a few domains, not thousands. Would be a simple matter to fix, in a
> functional organization.
From a security standpoint..
But what it actually does is allow a criminal to register a domain, use it
and dump it. Kind of like a jerk picking up a girl at a pub, if an analogy
is easier for us to use. The main difference being domains don't get hurt,
they just get replaced.
The only difference using tasting when replacing domains is that when
bought with a fake credit card (which has no practical effect on how the
criminals do business) the registrars need to handle it, and that costs
The second, far more recognized abuse, is financial and has to do
with some registrars' operational practices, and/or their being
somewhere between sound businesses and bastards, which is
beyond the scope of this post.
>> I'm not sure a shipping company really is the best place to
>> solicit... or did you mean DHS? and why on gods green earth
>> would you want them involved with this?
> Yes, sorry, DHS. :-) At least they are sensitive to security matters and
> would, in theory, not be as easily influenced by politics as was the NSF.
You must be joking.
> Roger Marquis
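The fast-flux discussion above turns on the point that a short TTL by itself is not the tell, since a CDN like Akamai also hands out short-lived, varying answers. What separates the two in practice is hosting diversity and nameserver churn across repeated lookups. The script below is an added example, not code from the thread or from any of its participants: it scores a handful of constructed DNS observations (addresses from documentation and benchmark ranges, never real hosts) with thresholds that are assumptions for illustration, not a published standard.

```python
"""Heuristic fast-flux scoring over repeated DNS lookups.

Added example for illustration; the observations, domain names and
thresholds below are constructed assumptions, not measurements.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Lookup:
    """One observed answer for a domain at some point in time."""
    domain: str
    ttl: int                 # TTL of the A RRset in seconds
    addresses: tuple         # A records returned by this query
    nameservers: tuple       # NS names seen for the zone at that time


# Constructed sample (assumption): a CDN-style zone that rotates a few
# addresses inside one /24 with a stable NS set, beside a flux-style zone
# whose answers scatter across many /24s while the NS names keep changing.
SAMPLE = [
    Lookup("cdn.example", 20, ("192.0.2.10", "192.0.2.11"),
           ("ns1.cdn.example", "ns2.cdn.example")),
    Lookup("cdn.example", 20, ("192.0.2.12", "192.0.2.13"),
           ("ns1.cdn.example", "ns2.cdn.example")),
    Lookup("cdn.example", 20, ("192.0.2.10", "192.0.2.14"),
           ("ns1.cdn.example", "ns2.cdn.example")),
    Lookup("flux.example", 5, ("198.51.100.7", "203.0.113.9"),
           ("ns1.flux.example", "ns7.flux.example")),
    Lookup("flux.example", 5, ("198.18.1.77", "198.19.5.200"),
           ("ns3.flux.example", "ns8.flux.example")),
    Lookup("flux.example", 5, ("198.18.2.77", "192.0.2.200"),
           ("ns4.flux.example", "ns9.flux.example")),
]


def netblock(addr: str) -> str:
    """Collapse an IPv4 address to its /24 as a coarse hosting-diversity signal."""
    octets = addr.split(".")
    return ".".join(octets[:3]) + ".0/24"


def metrics(lookups):
    """Aggregate TTL, address spread and NS churn over all lookups of one domain."""
    ips, blocks, ns_names = set(), set(), set()
    ns_sizes = []
    for look in lookups:
        ips.update(look.addresses)
        blocks.update(netblock(a) for a in look.addresses)
        ns_names.update(look.nameservers)
        ns_sizes.append(len(look.nameservers))
    # Ratio of distinct NS names ever seen to the average NS set size:
    # 1.0 means the delegation never changed, higher means churn.
    ns_churn = len(ns_names) / (sum(ns_sizes) / len(ns_sizes))
    return {
        "min_ttl": min(look.ttl for look in lookups),
        "distinct_ips": len(ips),
        "distinct_blocks": len(blocks),
        "ns_churn": ns_churn,
    }


def is_fast_flux(m, ttl_max=300, min_blocks=4, churn_min=1.5):
    """Low TTL is necessary but not sufficient; require spread or NS churn.

    The three thresholds are assumptions chosen for this example.
    """
    if m["min_ttl"] > ttl_max:
        return False
    return m["distinct_blocks"] >= min_blocks or m["ns_churn"] >= churn_min


def classify(lookups):
    """Label each domain in a list of lookups by the heuristic above."""
    by_domain = defaultdict(list)
    for look in lookups:
        by_domain[look.domain].append(look)
    return {
        domain: ("fast-flux-like" if is_fast_flux(metrics(group))
                 else "low-ttl-stable")
        for domain, group in by_domain.items()
    }


if __name__ == "__main__":
    for domain, label in classify(SAMPLE).items():
        print(domain, label, metrics([l for l in SAMPLE if l.domain == domain]))
```

Both constructed zones clear the TTL test, so a TTL-only rule would flag the CDN too; it is the /24 spread and the changing NS names that single out the flux zone. Against real resolver data the same skeleton would want more lookups per domain, ASN rather than /24 grouping, and a check on whether the NS names actually resolve, which the thread notes most flux NS records do not.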
More information about the NANOG