On-going Internet Emergency and Domain Names

There is a current on-going Internet emergency: a critical 0day
vulnerability currently exploited in the wild threatens numerous desktop
systems which are being compromised and turned into bots, and the domain
names hosting it are a significant part of the reason why this attack has
not yet been mitigated.

This incident is currently being handled by several operational groups.

This past February, I sent an email to the Reg-Ops (Registrar
Operations) mailing list. The email, which is quoted below, states how DNS
abuse (not the DNS infrastructure) is the biggest unmitigated current
vulnerability in day-to-day Internet security operations, not to mention
abuse.

While we argue about this or that TLD, there are operational issues of the
highest importance that are not being addressed.

The following is my original email message, elaborating on these above
statements. Please note this was indeed just an email message, sent among
friends.

----- Begin quoted message -----

> There is a current on-going Internet emergency: a critical 0day
> vulnerability currently exploited in the wild threatens numerous desktop
> systems which are being compromised and turned into bots, and the domain
> names hosting it are a significant part of the reason why this attack has
> not yet been mitigated.

Before the readers of the list think that the world is about to end,
please read Gadi's previous predictions here:
http://www.securityfocus.com/archive/1/354200/30/0/threaded

Eventually, crying wolf will get tiring.

> This past February, I sent an email to the Reg-Ops (Registrar
> Operations) mailing list. The email, which is quoted below, states how
> DNS abuse (not the DNS infrastructure) is the biggest unmitigated
> current vulnerability in day-to-day Internet security operations, not to
> mention abuse.

This isn't 0-day by any measure. Low-TTL, changing-nameserver domains were
in vogue back in 2002 or so. These botnets use DNS as a central registry.
Yes, it'd be nice to hit the C&C using our control of DNS, and yes, it'd
be nice if registrars/registries were cooperating. However, DNS isn't the
root of the problem here - tomorrow, they'll use some p2p tracker[less]
protocol to distribute this information.

> While we argue about this or that TLD, there are operational issues of
> the highest importance that are not being addressed.

I do not think that this reaches 'operational' just yet, unless you are
operating a registry or registrar.

<snip>

> This is the weakest link online today in Internet security, which we in
> most cases can't mitigate, and the only mitigation route is the domain
> name.

I dare to say, that's not the weakest link, and that's not the only
mitigation route.

<snip>

> We need to be able to get rid of domain names, at the very least during
> real emergencies. I am aware how it isn't always easy to distinguish
> what is good and what is bad. Still, we need to find a way.

OK, so, do you officially declare the emergency? Should we all block the
domains listed on http://isc.sans.org/, is that an authoritative site of
botnet hunters? If so, there are a couple of surprises for you.
baidu.com listed there is a Chinese equivalent of Google, who'd get very
upset if its domain name got "revoked". Similarly, alexa.com.

There needs to be due process for these actions. And once we close this
vector, I'm sure that botnets will simply migrate away from DNS to some
other protocol.

-alex

The real problem is that the bad guys are able to deploy new DNS entries
in timespans on the order of 10s of minutes, and we can't manage anything
resembling due process in that timeframe. (And yes, one could easily
imagine a botnet that switches to an entirely new name for the C&C host
every 10 minutes - the herder just needs a function that's fed a time-of-day
and generates a hash. Run it for 144 values for tomorrow, register those
domains, and distribute the values to your botnet (assuming 10-byte hashes,
you'd need all of one 1500 byte packet per day) - or let the bots do the
hash themselves if you trust their clocks to be somewhere near accurate.)

If you want to be *really* obscure, consider the fact that RFC 3490 IDNs
provide a very good way to hide the fact that it's a hash...
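The arithmetic in the post above (a hash fed with the time of day, 144 ten-minute slots per day, 10-byte digests fitting in one 1500-byte packet) is easy to check from the defender's side: a resolver operator who has recovered such a scheme can precompute the day's names and block or sinkhole them before the bots ask for them. The code below is an added example, not from the thread; the seed, the truncated-SHA-256 construction, the slot length and the TLD are assumptions made for illustration.

```python
"""Defender-side precompute of the time-slot name scheme described in the post.

Added example (not from the thread). The digest construction, the seed and the
TLD are assumptions; a real scheme would have to be recovered from a sample.
"""
import hashlib
from datetime import datetime, timedelta, timezone

SLOT_MINUTES = 10                        # post: a new name every 10 minutes
SLOTS_PER_DAY = 24 * 60 // SLOT_MINUTES  # 144, the number the post counts
DIGEST_BYTES = 10                        # post: "assuming 10-byte hashes"
MTU_BYTES = 1500                         # post: "one 1500 byte packet per day"
SEED = b"seed-recovered-from-sample"     # constructed placeholder, not real
EXAMPLE_DAY = datetime(2007, 4, 1, tzinfo=timezone.utc)  # constructed date


def slot_digest(day: datetime, slot: int, seed: bytes = SEED) -> bytes:
    """10-byte digest for (date, slot): truncated SHA-256 over seed||date||slot."""
    material = seed + day.strftime("%Y-%m-%d").encode() + slot.to_bytes(2, "big")
    return hashlib.sha256(material).digest()[:DIGEST_BYTES]


def slot_name(day: datetime, slot: int, tld: str = "example") -> str:
    """Hostname for one slot; hex keeps it a plain LDH label (no IDN tricks)."""
    return slot_digest(day, slot).hex() + "." + tld


def daily_names(day: datetime, tld: str = "example") -> list:
    """All 144 names a bot would try on `day`: the day's blocklist."""
    return [slot_name(day, s, tld) for s in range(SLOTS_PER_DAY)]


def daily_payload_size(day: datetime) -> int:
    """Bytes needed to ship the raw digests for one day (post: fits in 1500)."""
    return sum(len(slot_digest(day, s)) for s in range(SLOTS_PER_DAY))


def slot_of(ts: datetime) -> int:
    """Which 10-minute slot a timestamp falls in (0..143)."""
    return (ts.hour * 60 + ts.minute) // SLOT_MINUTES


def blocklist_for(ts: datetime, tld: str = "example", skew_slots: int = 1) -> set:
    """Names to treat as suspect around `ts`.

    Includes +/- `skew_slots` neighbours so bots whose clocks are only
    'somewhere near accurate' (as the post puts it) are still covered,
    including across a day boundary.
    """
    names = set()
    for off in range(-skew_slots, skew_slots + 1):
        t = ts + timedelta(minutes=off * SLOT_MINUTES)
        names.add(slot_name(t, slot_of(t), tld))
    return names


if __name__ == "__main__":
    names = daily_names(EXAMPLE_DAY)
    print(len(names), "names;", daily_payload_size(EXAMPLE_DAY), "bytes of digests")
    print(sorted(blocklist_for(EXAMPLE_DAY.replace(hour=0, minute=5))))
```

The point for a resolver operator is the last function: because the name for each slot is fixed in advance, the block list for any moment is a tiny, precomputable set, and widening it by a slot on either side is cheap insurance against clock skew on the infected hosts.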

> OK, so, do you officially declare the emergency? Should we all block the

This is an emergency incident on the scale of WMF, but no, it is indeed
being handled. I am raising the flag on an ever increasing problem with
DNS.

This latest incident illustrates some of our operational problems with the
security of the Internet.

> domains listed on http://isc.sans.org/, is that an authoritative site of
> botnet hunters? If so, there are a couple of surprises for you.
> baidu.com listed there is a Chinese equivalent of Google, who'd get very
> upset if its domain name got "revoked". Similarly, alexa.com.

> There needs to be due process for these actions. And once we close this
> vector, I'm sure that botnets will simply migrate away from DNS to some
> other protocol.

You shouldn't confuse TCP/IP for the control channel of the botnets which
is IRC, HTTP, etc.

DNS is not going anywhere, patch for the hosts file or not.

> domains listed on http://isc.sans.org/, is that an authoritative site
> of botnet hunters? If so, there are a couple of surprises for you.
> baidu.com listed there is a Chinese equivalent of Google, who'd get
> very upset if its domain name got "revoked". Similarly, alexa.com.
>
> There needs to be due process for these actions. And once we close
> this vector, I'm sure that botnets will simply migrate away from DNS
> to some other protocol.

> You shouldn't confuse TCP/IP for the control channel of the botnets
> which is IRC, HTTP, etc.

I'm not sure I understand your point. Intarweb Storm Center listed a
number of domain names "involved in these attacks", presumably so the
registrars/registries pull the DNS records. I am pointing out that at
least two of the ones listed are innocent.

What does TCP/IP or IRC or HTTP have to do with anything?

> DNS is not going anywhere, patch for the hosts file or not.

Glad you understand that.

> OK, so, do you officially declare the emergency? Should we all block the

> This is an emergency incident on the scale of WMF, but no, it is indeed
> being handled. I am raising the flag on an ever increasing problem with
> DNS.

One could argue it's an ever increasing problem with IP.

> This latest incident illustrates some of our operational problems with the
> security of the Internet.

Again, one could argue it's also an increasing problem with IP. I wonder if
anyone can come up with methods of solving this at the IP layer.

> There needs to be due process for these actions. And once we close this
> vector, I'm sure that botnets will simply migrate away from DNS to some
> other protocol.

> You shouldn't confuse TCP/IP for the control channel of the botnets which
> is IRC, HTTP, etc.
>
> DNS is not going anywhere, patch for the hosts file or not.

And I'm sure they'll migrate away from DNS when it becomes inconvenient.

I'm still pleasantly surprised how many organisations spend large amounts of
money controlling what comes in and almost never try to handle what goes -out-.

Adrian

What really surprises the living crap out of me is that you're
attempting to find a technical solution to what is essentially a
social problem. If you really want to do something to fix this
problem, as you describe it, try suing Microsoft for lost
time/man-hours/profits/whatever due to their lax security practices
instead of mucking about with DNS/ICANN/whatever else.

Social problems generally can only be solved by social solutions,
specifically because the moment your technical 'solution' is released,
someone will bypass it. If you'd like examples of technical solutions
for social problems not working, try DeCSS or any one of a number of
anti-drm solutions (social problems: piracy, copyright infringement;
technical solutions defeated recently within 1 week of release into
the wild).

If you need more examples: spam (email, blog, seo), phishing, 419
scams, DDoS 'ransoming.' All of these problems *continue* to work
because they continue to be profitable for the folks committing the
crimes, any technical solution the community *might* come up with will
be bypassed simply because it's in someone's best interest for them to
continue.

You'd do better by trying to study the sociological concepts at work
and attempting to address *THOSE.*

It's been said that if you build your software to be idiot proof, the
universe will simply invent a better idiot.

My 2/100th's of a monetary unit,
Allen Parker

> There is a current on-going Internet emergency: a critical 0day
> vulnerability currently exploited in the wild threatens numerous desktop
> systems which are being compromised and turned into bots,

I feel very strongly that this is just yet-another-Windows-vulnerability.

If I wanted to read about Windows vulnerabilities, then I would be subscribed to whatever list that is.

As such, it really has no place on nanog.

I don't want to have this list clogged every time some moron has his Windows 2000 / IIS v5.x site hacked.

Further, you are suggesting that everyone else pay the freight for what are Microsoft's security problems.

This "Internet Emergency" doesn't appear to be a problem on Linux/OSX/Solaris; nor have I read about Cisco IOS or CatOS, or Juniper's OS having problems either.

I actually signed up to post instead of just lurking, specifically to ask you all to kill this thread.

If the list feels otherwise, and that it is of interest and within nanog guidelines, then I acquiesce, respecting the greater wisdom of the list.

--Patrick

>> There is a current on-going Internet emergency: a critical 0day
>> vulnerability currently exploited in the wild threatens numerous
>> desktop
>> systems which are being compromised and turned into bots,

> I feel very strongly that this is just
> yet-another-Windows-vulnerability.
>
> If I wanted to read about Windows vulnerabilities, then I would be
> subscribed to whatever list that is.
>
> As such, it really has no place on nanog.
>
> I don't want to have this list clogged every time some moron has his
> Windows 2000 / IIS v5.x site hacked.
>
> Further, you are suggesting that everyone else pay the freight for what
> are Microsoft's security problems.
>
> This "Internet Emergency" doesn't appear to be a problem on
> Linux/OSX/Solaris; nor have I read about Cisco IOS or CatOS, or
> Juniper's OS having problems either.
>
> I actually signed up to post instead of just lurking, specifically to
> ask you all to kill this thread.
>
> If the list feels otherwise, and that it is of interest and within
> nanog guidelines, then I acquiesce, respecting the greater wisdom of
> the list.

You do realize this post is not about Microsoft or IE 0days, right?

  Gadi.

It's hard to say. By some standards (even if not local ones) I'd be
considered mildly knowledgeable about DNS, and from what you've
posted I haven't a clue what the real underlying issue is that you're
wibbling on about, beyond botnets bad (OK) + short TTLs bad (uhm,
no) + getting domains without paying bad (OK) + registries won't
pull domains on my say so (seems reasonable).

I'm prepared to concede, despite your previous history, that there
may well be an actual issue (as there are an awful lot of hideously ugly
corners with both DNS the protocol and domain registration the
policy), but you're being incredibly bad at communicating what
you actually think it is.

You may want to try again.

Cheers,
   Steve

Your words made it clear that it was.

Generalizing from "Windows 0day" to "coordinate shutdown of DNS for evil domain in a timely fashion" is just obfuscating that the only reason to do so is because Windows is the way it is.

From your original post, you explicitly defined the "Internet emergency" as

"a critical 0day vulnerability currently exploited in the wild threatens numerous desktop systems"

The desktop systems in question were all Windows ones, as I am sure you know.

Up-ending methods of basic Internet admin functions that have evolved over many years, due solely to Windows problems is only going to paper over the underlying problem.

I would prefer not to turn this into an OS flamefest, my only point is that *this list* is not the proper venue to discuss this issue; nor the methods that you suggest as a remedy, regardless of merit.

Again if the rest of the list wants to continue, then so be it.

--Patrick

> What really surprises the living crap out of me is that you're
> attempting to find a technical solution to what is essentially a
> social problem. If you really want to do something to fix this
> problem, as you describe it, try suing Microsoft for lost
> time/man-hours/profits/whatever due to their lax security practices
> instead of mucking about with DNS/ICANN/whatever else.

Wasn't going to comment on this thread as I really can't add much (as I
read the entire thread bemused as I still don't see the prob even when
I learned about this zero day days ago) but amen to Allen's comment
here. There are multiple issues here and DNS and / or
$insert_favorite_technology isn't the problem.

On a completely OT side comment for laughs: why is nobody blaming the
real root problem here ... marketing folk and their insistent drive for
multimedia for sales reasons (e.g. animated cursors and HTML email) :)

Patrick Giagnocavo wrote:

>> You do realize this post is not about Microsoft or IE 0days, right?
>
> Your words made it clear that it was.
>
> Generalizing from "Windows 0day" to "coordinate shutdown of DNS for
> evil domain in a timely fashion" is just obfuscating that the only
> reason to do so is because Windows is the way it is.

As I see it, the problem at hand is the current Windows 0day. What Gadi
is doing is concentrating on a tactic it is using to justify solving
what he sees as a more general problem (DNS abuse) that could be used by an exploit to any operating system. By solving it, this could mitigate future problems.

We're looking at the alligators surrounding us. Gadi is trying to convince us to help him in draining the swamp (which may indeed be a positive thing in the long run).

Does that sound about right?

Jeff Shultz wrote:

> We're looking at the alligators surrounding us. Gadi is trying to convince us to help him in draining the swamp (which may indeed be a positive thing in the long run).
>
> Does that sound about right?

If you drain the swamp the hippos will be very angry and run at you.

The problem argued here is heavily dependent on how long it would take for the bad guys to adapt. I would assume it's less time than it would take to deploy a global system for DNS abuse mitigation. So "fixing" a single protocol would not take us any significant distance because the next thing would be either:
- XML-RPC
- SOAP
- proprietary name-lookup system
- p2p botnet control
- etc...
(yes, blocking port 80 would be a good start)

I also have yet to observe measurable reduction of spam since more port 25 blocking has been supposedly taken into use.

This is a problem in the policy / edge. It's not something that should be solved in the core. It's immensely easier to blame somebody else (in the case of this thread, registries/registrars) for somebody else's problem (Windows users). It's significantly harder to fix the real issue. But I hope at least part of the loudmouths are up for that.

Pete

He's talking about when the DNS protocol is used to either control or
serve as the main entry into a botnet (i.e. a domain points to various
servers on the botnet and quickly changes among them). Previously a
lot of that was (still is?) done using IRC and it generally offers
superior tools, but rudimentary control can be done with DNS
quite easily and, unlike IRC or higher-end ports that enterprise
firewalls know quite well how to block, the DNS protocol is almost
always available from any computer and it also has a great way of
providing an externally reliable reference to unify thousands of
botnet computers. But DNS here is just a tool; bad guys could
easily build quite a complex system of control by using active HTTP
such as XML-RPC, they are just not that sophisticated (yet) or
maybe they don't need anything but a simple list of pointers.

Actually, the discussion isn't about the use of the DNS protocol itself as a botnet C&C channel (as you indicate, that's certainly doable), but rather about domains used as pointers to malware which is then distributed via various methods, same for phishing, as well as the use of DNS to provide server agility for botnet controllers irrespective of the actual protocol used for C&C.
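The "server agility" described in the two posts above (a domain that keeps pointing at different machines, with short TTLs so the change takes effect in minutes) leaves a signature in resolver logs that a defender can score without any registrar involvement. The following is an added example, not code from the thread: it summarises repeated lookups of each name by lowest TTL, distinct answer addresses, distinct /24 networks and how often the answer set moved between lookups, and flags names that show most of those traits. The sample records and the thresholds are constructed assumptions.

```python
"""Fast-flux heuristic over a log of DNS answers.

Added example, not from the thread. Sample records are constructed and the
thresholds are assumptions chosen for illustration, not measured values.
"""
from ipaddress import ip_network

LOW_TTL = 120           # assumed: answers cached for two minutes or less
MIN_DISTINCT_IPS = 5    # assumed
MIN_DISTINCT_NETS = 3   # assumed: answers spread over three or more /24s

# Constructed sample: (epoch_seconds, qname, ttl, answer_ips)
SAMPLE_ANSWERS = [
    (0,    "updates.example", 300, ["198.51.100.10"]),
    (600,  "updates.example", 300, ["198.51.100.10"]),
    (1200, "updates.example", 300, ["198.51.100.10"]),
    (0,    "flux.example",     60, ["203.0.113.5", "192.0.2.77"]),
    (90,   "flux.example",     60, ["198.51.100.201", "203.0.113.9"]),
    (180,  "flux.example",     60, ["192.0.2.130", "198.51.100.44"]),
    (270,  "flux.example",     60, ["203.0.113.250", "192.0.2.77"]),
]


def summarize(answers):
    """Per-name statistics, walking each name's lookups in time order."""
    stats = {}
    for ts, name, ttl, ips in sorted(answers, key=lambda r: (r[1], r[0])):
        s = stats.setdefault(name, {"lookups": 0, "changes": 0, "ttl_min": ttl,
                                    "ips": set(), "nets": set(), "last": None})
        s["lookups"] += 1
        s["ttl_min"] = min(s["ttl_min"], ttl)
        current = frozenset(ips)
        if s["last"] is not None and current != s["last"]:
            s["changes"] += 1          # the pointer moved since the last lookup
        s["last"] = current
        for ip in ips:
            s["ips"].add(ip)
            s["nets"].add(str(ip_network(f"{ip}/24", strict=False)))
    return stats


def flux_score(s):
    """Count of flux traits present for one name, 0..4."""
    score = 0
    score += int(s["ttl_min"] <= LOW_TTL)
    score += int(len(s["ips"]) >= MIN_DISTINCT_IPS)
    score += int(len(s["nets"]) >= MIN_DISTINCT_NETS)
    # answer set changed on at least half of the consecutive lookups
    score += int(s["lookups"] > 1 and s["changes"] >= (s["lookups"] - 1) / 2)
    return score


def flagged(answers, threshold=3):
    """Names whose score reaches the threshold, sorted for stable output."""
    return sorted(n for n, s in summarize(answers).items()
                  if flux_score(s) >= threshold)


if __name__ == "__main__":
    for name, s in summarize(SAMPLE_ANSWERS).items():
        print(name, "score", flux_score(s), "ips", len(s["ips"]),
              "nets", len(s["nets"]), "changes", s["changes"])
    print("flagged:", flagged(SAMPLE_ANSWERS))
```

A single low TTL is not evidence by itself (CDNs use them too), which is why the score needs several traits together; the /24 grouping is a crude stand-in for per-AS diversity, which is what a production version would look up.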

If ISPs cannot be forced into running a 24/7/365 response function, I don't see the registry/registrars doing it.

Solving this at the DNS level is just silly, if you want to solve it either you get to the core (block IP access, perhaps by BGP blacklisting) or go to level 8, i.e. the human level, and get these infected machines off the net permanently.

So Gadi, to accomplish what you want you need to propose to the ISPs all over the net that what you're trying to do is so important that some entity publishing a realtime blacklist is important enough that all major ISPs should subscribe to a BGP blackhole list from there. Also that this is important enough to seriously violate the distributed structure of the net today that has made it into the raging success it is today. It's not perfect, but it works, and it doesn't have a single point of failure.

... and people have very bad experiences from blacklists not being maintained properly.

> net today that has made it into the raging success it is today. It's not
> perfect, but it works, and it doesn't have a single point of failure.

You just lost my respect for the remainder of this thread. :)

> ... and people have very bad experiences from blacklists not being
> maintained properly.

Black lists are a horrid idea, I'd love to hear of other solutions to the
DNS as an abuse infrastructure.

  Gadi.

> If ISPs cannot be forced into running a 24/7/365 response function,
> I don't see the registry/registrars doing it.

Maybe if a body with the proper authority to penalize the ISPs were
in order this wouldn't be an issue. Look at BGP dampening and route
flaps for instance, something goes awry, the router is penalized.
A quick check, all goes well, if not, an added penalty is given.
Perhaps if some of these businesses were forced to get their acts in
order, many of these issues would not be occurring.

> Solving this at the DNS level is just silly, if you want to solve
> it either you get to the core (block IP access, perhaps by BGP
> blacklisting) or go to level 8, i.e. the human level, and get these
> infected machines off the net permanently.

Solving this at the DNS issue is a better idea than having to hope
that - by contacting someone clueful on level 8 - they'll 1) even
understand what you mean, 2) understand how to address the issue.

If you meant contacting the owner of the infected machine good luck.
If you meant contacting the provider of the owner of the ISP, even
better luck.

It's far easier to accomplish some form of DNS filtering to block out
infected machines, and even servers propagating infections.

I've contacted who knows how many administrators of infections on
their networks. Typically the response is "Contact our abuse team."
Which is understandable being someone wants to keep in tune with
policy, but heck some of these companies' policies are more of a
facade if you ask me. Within the next month, I will be posting the
networks, contacts, etc., of the dirtiest brute force pushing
networks I've seen. If needed, I will re-post some of the absurd
responses I've seen like one from NASA... And no, it's no April
Fools' joke... So a NASA address is brute forcing a machine of
mine... I contact the admin listed on a whois and it gets sent
to a CISSP gentleman... His response: "We were doing some pen
testing on our networks..."

What? They were pentesting on their network yet I managed to get
hit up in the mix. Right... It's not like the network connecting
to mine was typed in accidentally, my network was in the 208.x.x.x
range, theirs... Not even close.

> So Gadi, to accomplish what you want you need to propose to the
> ISPs all over the net that what you're trying to do is so
> important that some entity publishing a realtime blacklist is
> important enough that all major ISPs should subscribe to a BGP
> blackhole list from there. Also that this is important enough to
> seriously violate the distributed structure of the net today that
> has made it into the raging success it is today. It's not
> perfect, but it works, and it doesn't have a single point of
> failure.

Single point of failure? I'm sure many can point out multiple
points of failure. One thing I've been doing with my brute forcer
blacklist (if you want to call it this) is blocking entire net
blocks from accessing attacked machines. When admins contact me
wondering why their clients cannot connect, the answer is simple
for me. After a quick lookup of the bruteforcer list, I simply
tell them that one (or many) hosts on their network have been
ssh brute forcing some of my servers. Therefore their ENTIRE
range was blocked. Quite frankly, I don't care if I have to
block up to /6s (I've got one or two of APNIC's), I will do
whatever it takes to make sure my networks stay clean and
secure.

> ... and people have very bad experiences from blacklists
> not being maintained properly.

Funny you should mention... Nothing in this world has ever
from the onset been a perfect invention/creation. Does this
mean that if one implementation failed, the entire design
is flawed?

>> You do realize this post is not about Microsoft or IE 0days, right?
>
> I would prefer not to turn this into an OS flamefest, my only point is that *this list* is not the proper venue to discuss this issue; nor the methods that you suggest as a remedy, regardless of merit.
>
> Again if the rest of the list wants to continue, then so be it.

In the end, phishing and scams work because people are stupid (or possibly ignorant, but then again with all the warnings they've received you'd have to be stupid to still be ignorant at this point). Period. End of discussion.

Every time we come up with another "solution" - the universe comes up with a bigger idiot.

Honestly, I, as well as everyone I know, receive a million warning messages from banks, web sites, etc. warning people not to trust email claiming to be from said institution. And yet, every single day, thousands upon thousands of people keep falling for it. Where do you draw the line?

Since we seem to love analogies:

Imagine you have a high voltage outlet and people keep sticking their fingers in it and getting electrocuted. So you put up a sign that says "Danger: high voltage," and people continue sticking their fingers in it. Then you warn them about it personally, and you have segments on the TV news and articles in the papers and people STILL do it.

At what point do you just have to walk away and let nature take its course?

Everybody in the world has been _repeatedly_ warned about phishing and other scams, and yet just like 419 scams, they KEEP falling for it.

Nobody stops to think. Enough is enough already.

Do I think certain policies should be changed? Sure. Domain tasting is an idea that I cannot believe benefits anyone but a scammer (or a domain advertiser, which is no better). There are plenty of other examples but in the end, no matter what we do, users are going to continue to do mind-bogglingly stupid things.

-Don

*Please don't think for a second I want to see the scammers given carte blanche to do what they want, or that we shouldn't try to stop them, but pretending we can solve the problem of user stupidity through technology is disingenuous and laughable.