North American Network Operators Group


Re: Q: What do ISPs really think about security issues?

  • From: Eric Brunner-Williams
  • Date: Thu Jan 10 14:41:38 2008


Paul (and the list, in the off chance my mail makes it to the list),


In defense of NetSol's practice of "frontrunning" (run whois for some wicked unlikely name, say n digits of pi, observed if unregistered, if not, then go to NetSol's retail registrar site and check that string is available, say in the .com zone, do nothing else, then run the whois again and observe if the string is still available), the following claim has been made:

begin quote:
We are protecting our customers who come to our website, check
availability of a name, and come back a few hours or a day later with
the intention to purchase to find that the name is no longer available,
as it has been taken by a taster. In such cases, the customer typically
blames the registrar. In reality, however, the search information was
sold to the taster by a registry or ISP and was not the registrar's
fault.
end quote.

The "in reality" portion of this assertion is the one I'm interested in -- the assertion that "search information was sold ... by a ... ISP".

At the last open SSAC meeting (ICANN Los Angeles, November 2007), there was considerable interest in "frontrunning", but no one could point to anything other than anecdotal "evidence" for the existence, let alone the scope of "frontrunning", and personally I thought it was like Bigfoot, a non-issue pumped up at the expense of known existing issues. Obviously, I can't tell a hawk from a handsaw.

Can anyone confirm, or deny, that some ISP sells "search information" which is sufficiently timely to support the claim above, that is, that (problematic use of the "add grace period") registration(s) by "domain tasters" can be correlated with the ISP?

Nominally, "frontrunners" are Bad Guys (tm), or at least that was the hum-of-the-SSAC room in LA last November, and also nominally, "tasters" are Bad(ish) Gals (tm), and in general, the assertion is that there are bad actors who pay ISPs for data necessary for bad actions.

Note that I assume there are "bad registrars", as we've now over 1k of the little darlings now, and some are shells for the secondary auction market and the 2pm VGRS drop, and some are shells for other, more novel forms of monetizing a registrar accreditation that do not involve offering registrations to the public.

Eric
(yes, I operate a registrar which neither frontruns nor tastes nor does bulk blind sales nor ... makes money)


Paul Ferguson wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

As some of you may know, my primary job these days is tracking down
Bad Guys (tm), identifying threats, etc.

But enough of that.

One of my primary concerns has been, unsuccessfully, engaging the
networking community.

Why is that?

This "issue" is not imagined, nor is it a scare tactic -- it has,
for lack of a better analogy, grown in proportions only proportional
to the lack of engagement from ISPs.

ISPs have really, really been absent from the discussion, for various
reasons.

Is this a topic that the NANOG community would like to discuss in
a serious manner?

I'm just curious, because I'm considering submitting a "lightning
talk" at the upcoming San Jose NANOG, just to gauge & present some
of the major issues that we are seeing that could really use your
assistance.

Any input?

- - ferg

p.s. Oh, highly recommended video short (bigger bonus: Marcus
Ranum cameo):

http://www.youtube.com/watch?v=-5zxOLZ5jXM

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.3 (Build 3017)

wj8DBQFHheNKq1pz9mNUZTMRArb7AJ0ePkj+8rc88Z9V/3DP5OmnFvgdYgCeKSIa
aqw3Qj3Kdl47LZqpjrdk/0E=
=Iray
-----END PGP SIGNATURE-----

--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg(at)netzero.net
ferg's tech blog: http://fergdawg.blogspot.com/