security relevance [was: ICANN opens up Pandora's Box of new TLDs]

Gadi Evron ge at linuxbox.org
Sat Jun 28 03:31:51 UTC 2008


On Fri, 27 Jun 2008, Roger Marquis wrote:
> On Fri, 27 Jun 2008, Christopher Morrow wrote:
>> 1) Fast flux 2) Botnets 3) Domain tasting 4) valid contact info
>> These are separate and distinct issues...
>
> They are separate but also linked by being issues that can only be addressed at
> the registrar level, through TOS.  Since some registrars have a financial
> incentive not to address these issues, in practice, they can be implemented
> only by ICANN policy (mandated much like the domain refund period).

These issues can be addressed, from a defensive standpoint alone, at:
1. The root
2. TLDs (the servers)
3. TLDs (registries)
4. Registrars
5. ISPs NS
6. Home, end-user

The ability, sanity, cost and effectiveness are the main factors deciding 
what is to be done. Does anyone want a domain blocked at the TLD server 
under even extreme conditions? I do, but the situation would have to be 
*really* extreme, which I have only seen a few of in the last 10 years.

Registries have a high level of importance to this fight, especially if 
they are to make sure their business is not mostly criminally used--if 
they care. Registrars are far closer to the fight, but with less 
potential impact--if they care, and we know some do. Others however are 
built to begin with as criminal havens.

>> I'd point out that FastFlux is actually sort of how Akamai does
>> its job (inconsistent dns responses)
>
> That's not really fast flux.  FF uses TTLs of just a few seconds with
> dozens of NS.  Also, in practice, most FF NS are invalid.  Not that FF has
> a fixed definition...

You are both right.

FF is a concept. I should know, having been the bastard to expose it to 
the public and thus getting it the defensive attention it 
needed--and wide(er) exploitation (I am not the one who found out 
it exists, that was someone who shall remain anonymous).

The TTL is what is mainly abused. Then it went to the NS level, and I see 
no problem with NSs simply returning different answers with every query. I 
believe it has in fact been done before by the criminals.

>> Domain tasting has solutions on the table (thanks drc for
>> linkages) but was a side effect of some
>> customer-satisfaction/buyers-remorse loopholes placed in the
>> regs...
>
> The domain tasting policy was, if I recall, intended to address buyers of
> one to a few domains, not thousands.  Would be a simple matter to fix, in a
> functional organization.

From a security standpoint...
But what it actually does is allow a criminal to register a domain, use it 
and dump it. Kind of like a jerk picking up a girl at a pub, if an analogy 
is easier for us to use. The main difference being domains don't get hurt, 
they just get replaced.

The only difference using tasting when replacing domains is that when 
bought with a fake credit card (which has no practical effect on how the 
criminals do business) the registrars need to handle it, and that costs 
money.

The second, far more recognized abuse, is financial and has to do 
with some registrars' operational practices, and/or their being 
somewhere between sound businesses and bastards, which is 
beyond the scope of this post.

>> I'm not sure a shipping company really is the best place to
>> solicit... or did you mean DHS? and why on gods green earth
>> would you want them involved with this?
>
> Yes, sorry, DHS. :-)  At least they are sensitive to security matters and
> would, in theory, not be as easily influenced by politics as was the NSF.

You must be joking.

> Roger Marquis

 	Gadi.
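A defender-side heuristic for the fast-flux indicators the thread names (TTLs of a few seconds, dozens of NS, answers that change with every query), added here as an example and not part of the list post. Thresholds, hostnames and the sample lookups are constructed assumptions; the point it shows is the one made above, that a CDN trips the low-TTL and changing-answer indicators too, so only the combination is telling.

```python
from collections import defaultdict
from dataclasses import dataclass
# Thresholds are illustrative assumptions, not figures from the thread.
LOW_TTL_SECONDS = 60
MANY_NS = 10
MANY_DISTINCT_IPS = 8

@dataclass(frozen=True)
class DnsObservation:
    name: str
    ttl: int
    a_records: tuple   # IPs in the answer section of one lookup
    ns_records: tuple  # NS names seen for the zone in that lookup

def flux_indicators(observations):
    """Group repeated lookups per name and count the indicators the thread
    names: very low TTL, dozens of NS, answers that change per query.
    A CDN also trips low TTL and changing answers, so the count matters."""
    by_name = defaultdict(list)
    for obs in observations:
        by_name[obs.name].append(obs)
    report = {}
    for name, group in by_name.items():
        ips = {ip for o in group for ip in o.a_records}
        nameservers = {ns for o in group for ns in o.ns_records}
        answer_sets = {frozenset(o.a_records) for o in group}
        flags = {
            "low_ttl": min(o.ttl for o in group) <= LOW_TTL_SECONDS,
            "many_ns": len(nameservers) >= MANY_NS,
            "many_distinct_ips": len(ips) >= MANY_DISTINCT_IPS,
            "answers_change": len(answer_sets) > 1,
        }
        report[name] = {"queries": len(group), "score": sum(flags.values()), **flags}
    return report

def suspected_flux(report, min_score=3):
    # Names whose indicator count reaches min_score (assumed threshold).
    return sorted(n for n, r in report.items() if r["score"] >= min_score)

# Constructed sample lookups (documentation-range addresses, example.* names).
SAMPLE = [
    DnsObservation("cdn.example.net", 20, ("192.0.2.10",), ("ns1.example.net", "ns2.example.net")),
    DnsObservation("cdn.example.net", 20, ("192.0.2.11",), ("ns1.example.net", "ns2.example.net")),
    DnsObservation("static.example.org", 3600, ("198.51.100.5",), ("ns1.example.org", "ns2.example.org")),
] + [
    DnsObservation("flux.example.com", 5,
                   tuple(f"203.0.113.{i * 3 + k}" for k in range(3)),
                   tuple(f"ns{j}.flux.example.com" for j in range(12)))
    for i in range(4)
]
```

Run over the constructed sample, the CDN-like name scores 2 (low TTL, changing answers) and the flux-like name scores 4, which is what the score threshold is meant to separate.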