North American Network Operators Group


security relevance [was: ICANN opens up Pandora's Box of new TLDs]

  • From: Gadi Evron
  • Date: Fri Jun 27 23:32:02 2008

On Fri, 27 Jun 2008, Roger Marquis wrote:
> On Fri, 27 Jun 2008, Christopher Morrow wrote:
>> 1) Fast flux 2) Botnets 3) Domain tasting 4) valid contact info
>> These are separate and distinct issues...

> They are separate but also linked by being issues that can only be addressed at the registrar level, through TOS. Since some registrars have a financial incentive not to address these issues, in practice, they can be implemented only by ICANN policy (mandated much like the domain refund period).

These issues can be addressed, from a defensive standpoint alone, at:
1. The root
2. TLDs (the servers)
3. TLDs (registries)
4. Registrars
5. ISPs' NS
6. Home, end-user

The ability, sanity, cost and effectiveness are the main factors deciding what is to be done. Does anyone want a domain blocked at the TLD server under even extreme conditions? I do, but the situation would have to be *really* extreme, which I have only seen a few of in the last 10 years.

Registries have a high level of importance to this fight, especially if they are to make sure their business is not mostly criminally used--if they care. Registrars are far closer to the fight, but with less potential impact--if they care, and we know some do. Others, however, are built from the start as criminal havens.

>> I'd point out that FastFlux is actually sort of how Akamai does
>> its job (inconsistent dns responses)

> That's not really fast flux. FF uses TTLs of just a few seconds with dozens of NS. Also, in practice, most FF NS are invalid. Not that FF has a fixed definition...

You are both right.


FF is a concept. I should know, having been the bastard to expose it to the public and thus getting it the defensive attention it needed--and wide(er) exploitation (I am not the one who found out it exists, that was someone who shall remain anonymous).

The TTL is what is mainly abused. Then it went to the NS level, and I see no problem with NSs simply returning different answers with every query. I believe it has in fact been done before by the criminals.

>> Domain tasting has solutions on the table (thanks drc for
>> linkages) but was a side effect of some
>> customer-satisfaction/buyers-remorse loopholes placed in the
>> regs...

> The domain tasting policy was, if I recall, intended to address buyers of one to a few domains, not thousands. Would be a simple matter to fix, in a functional organization.

From a security standpoint...
But what it actually does is allow a criminal to register a domain, use it and dump it. Kind of like a jerk picking up a girl at a pub, if an analogy is easier for us to use. The main difference being domains don't get hurt, they just get replaced.

The only difference using tasting when replacing domains is that when bought with a fake credit card (which has no practical effect on how the criminals do business) the registrars need to handle it, and that costs money.

The second, far more recognized abuse, is financial and has to do with some registrars' operational practices, and/or their being somewhere between sound businesses and bastards, which is beyond the scope of this post.

>> I'm not sure a shipping company really is the best place to
>> solicit... or did you mean DHS? and why on God's green earth
>> would you want them involved with this?

> Yes, sorry, DHS. :-) At least they are sensitive to security matters and would, in theory, not be as easily influenced by politics as was the NSF.

You must be joking.


> Roger Marquis

Gadi.
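The indicators the thread names for fast flux (TTLs of a few seconds, dozens of NS, and answers that differ from one query to the next) turned into a defender's scoring heuristic. This is an added example, not code from the thread or from anyone in it; the observation shape, the thresholds and the sample data are all assumptions.

```python
"""Heuristic fast-flux scoring over constructed DNS observations.

Added example, not code from the NANOG thread. Each observation is
(query_time, rtype, value, ttl) for one domain, the shape a resolver
log or passive-DNS feed gives you; thresholds below are assumptions.
"""
from collections import defaultdict

def fast_flux_features(obs):
    """Extract the indicators the thread names: TTLs of seconds, many
    A records, many NS, and A answers that differ between queries."""
    snaps, a_vals, ns_vals, ttls = defaultdict(set), set(), set(), []
    for ts, rtype, value, ttl in obs:
        ttls.append(ttl)
        if rtype == "A":
            a_vals.add(value)
            snaps[ts].add(value)        # A set seen at this query time
        elif rtype == "NS":
            ns_vals.add(value)
    ordered = [frozenset(v) for _, v in sorted(snaps.items())]
    changes = sum(1 for x, y in zip(ordered, ordered[1:]) if x != y)
    return {
        "min_ttl": min(ttls) if ttls else None,
        "distinct_a": len(a_vals),
        "distinct_ns": len(ns_vals),
        "snapshots": len(ordered),
        "answer_changes": changes,
    }

def fast_flux_score(obs, ttl_max=300, a_min=5, ns_min=5):
    """Number of indicators that fire (0-4). Treat >= 3 as a lead for an
    analyst, not an automatic block: CDNs also use low TTLs."""
    f = fast_flux_features(obs)
    hits = [
        f["min_ttl"] is not None and f["min_ttl"] <= ttl_max,
        f["distinct_a"] >= a_min,
        f["distinct_ns"] >= ns_min,
        f["snapshots"] > 1 and f["answer_changes"] >= f["snapshots"] // 2,
    ]
    return sum(hits), f

# Constructed observations (private-range IPs, made-up names): a fluxing
# domain whose A set rotates every query, and a CDN-style stable one.
FLUX = [(t, "A", f"10.{t // 60}.{i}.1", 5) for t in (0, 60, 120) for i in range(4)]
FLUX += [(0, "NS", f"ns{i}.example.invalid", 5) for i in range(6)]
CDN = [(t, "A", f"192.0.2.{i}", 20) for t in (0, 60, 120) for i in range(1, 4)]
CDN += [(0, "NS", f"ns{i}.cdn.example", 3600) for i in range(2)]
```

`fast_flux_score(FLUX)` returns a score of 4 with all indicators firing, while `fast_flux_score(CDN)` returns 1 because only the low TTL matches, which is exactly the Akamai-style case the thread says is not fast flux.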