On-going Internet Emergency and Domain Names

jeffshultz@wvi.com (Jeff Shultz) writes:

As I see it, the problem at hand is the current Windows 0day. What Gadi
is doing is concentrating on a tactic it is using to justify solving
what he sees as a more general problem (DNS abuse) that could be used by
an exploit to any operating system. By solving it, this could mitigate
future problems.

the more general problem is hard to agree about. i think it's that every
day neustar and afilias and verisign and the other TLD registries handle
many millions of new-domain transactions, most of which will never be paid
for ("domain tasting") and most of which are being held with stolen credit
cards. i don't know if these companies book the revenue ("ship bricks") or
if this is just a hell hole of wasted time and money for them (or, both?)

i do know that a small number of criminals and wastrels among the registrant
and registrar communities are responsible for between 95% and 99.98% of each
day's domain churn, and that most of the domains will never be used or will
only be used for evil. some of the costs of this infrastructure-for-evil
are passed on to the rest of the registrants, and all of the costs of the
evil itself are passed on to the rest of humanity.

now we can try to pour widescale poison on the domains we see used for evil,
and hope that everyone who would like to be protected by that poison is able
to get in on the action; or we can look at the registrars and registrants,
and track their actions, and build a reputation system indicating who has
done evil and who has irresponsibly or greedily profited from enabling evil.

in the first case we have an infinite set of possible choke points; in the
second we have a finite set. in the first case we have to pay the cost on
every DNS lookup, in the second case we have to pay the cost on every DNS
registration event.

We're looking at the alligators surrounding us. Gadi is trying to
convince us to help him in draining the swamp (which may indeed be a
positive thing in the long run).

Does that sound about right?

that sounds exactly wrong. harkening back to my experience with "check-names"
i can tell you that all i did was scare away a few alligators and the swamp
remained. (probably the same was true of the original MAPS RBL.) what we've
got in the DNS registry/registrar market today is as corrupt and abusable as
the California electricity market was back in 2000-2001, and we're seeing the
same kind of windfalls enjoyed by the same kind of assholes now as then. the
system is ripe for policing, which icann has shown that they will not do. i
want to see gadi in "ralph nader" mode, shining a light on all this, making it
harder to profit from building the "infrastructure of evil." if that's what
you meant by swamp-draining, then i apologize for misunderstanding you.

Eugenics has some promise in that area. Desperate times call for desperate
measures.

the more general problem is hard to agree about. i think it's that every
day neustar and afilias and verisign and the other TLD registries handle
many millions of new-domain transactions, most of which will never be paid
for ("domain tasting")

Right.

and most of which are being held with stolen credit cards. i don't
know if these companies book the revenue ("ship bricks") or if this
is just a hell hole of wasted time and money for them (or, both?)

Registrars don't get credit with registries. They have to prepay a
deposit, then for each registration their account gets debited, for
each reversal it gets credited, so they're basically shipping and
restocking a million bricks a day.

It is my understanding that one or two registrars do nearly all of the
domain tasting, and it's widely assumed that they're their own
"customer" for those registrations. They really do have $6M of
deposit to handle a million registrations. Verisign tolerates tasting
probably because the actual cost of handling a registration is close
to zero, and a few of them aren't cancelled. Afilias has complained
about the load and proposed and I think got an amendment so that
registrars who cancel more than 90% of their registrations don't get
quite all of their money back.

I haven't seen much connection between tasting and malware. Tasted
domains are set up as web sites which consist of nothing but pay per
click ads. Malware domains are much less numerous, the registrar is
not a knowing party (beyond some registrars' reluctance to do
takedowns), and those probably are paid for with stolen plastic.

R's,
John

> We're looking at the alligators surrounding us. Gadi is trying to
> convince us to help him in draining the swamp (which may indeed be a
> positive thing in the long run).
>
> Does that sound about right?

> that sounds exactly wrong. harkening back to my experience with "check-names"
> i can tell you that all i did was scare away a few alligators and the swamp
> remained. (probably the same was true of the original MAPS RBL.) what we've
> got in the DNS registry/registrar market today is as corrupt and abusable as
> the California electricity market was back in 2000-2001, and we're seeing the
> same kind of windfalls enjoyed by the same kind of assholes now as then. the
> system is ripe for policing, which icann has shown that they will not do. i
> want to see gadi in "ralph nader" mode, shining a light on all this, making it
> harder to profit from building the "infrastructure of evil." if that's what
> you meant by swamp-draining, then i apologize for misunderstanding you.

So, is the infrastructure in question which is an abuse infrastructure,
the ICANN policy and registry/registrars combination on TLD management and
domain registration/revocation?

I can testify as to some registrars (enom, godaddy, tucows, etc.) being
very responsive and some registries (read .info) being very
cooperative.

OBVIOUSLY this is not the case for everyone.

I can testify as to ICANN folks being clued-in and helpful as far as they
can under current policies which make ICANN itself being very much
non-existent when it comes to security and abuse.

  Gadi.

a message of 39 lines which said:

I can testify as to some registrars (enom, godaddy, tucows, etc.) being
very responsive and some registries (read .info) being very
cooperative.

OBVIOUSLY this is not the case for everyone.

If "being cooperative" means "shoot immediately any
presumed-to-be-innocent each time a random vigilante asks you so", I
hope that the ".fr" registry is uncooperative.

I rarely post, but that is clearly a problem. The Americans seem to believe in the presumption of guilt and the infallibility of accusation. As an American born and bred I can hardly be accused of bias.

Clearly spam is a serious problem in terms of draining network resources, but organizations like Spamhaus don’t even do an investigation.

Maybe this new American mentality explains Guantanamo Bay.

Roderick S. Beck
Hibernia Atlantic
30 Dongan Place, NY, NY 10040
http://www.hiberniaatlantic.com
Landline: 1-212-942-3345
Wireless: 1-212-444-8829.
rod.beck@hiberniaatlantic.com
rodbeck@erols.com
"Unthinking respect for authority is the greatest enemy of truth." Albert Einstein.

I wouldn't have even replied to this email, but you accused Spamhaus of
being an American organization! How dare you? They sit in the UK! :)

How dare they, though, start the war in Iraq?!

  Gadi.

I rarely post, but that is clearly a problem. The Americans seem to
believe in the presumption of guilt and the infallibility of
accusation. As an American born and bred I can hardly be accused of
bias.

Clearly spam is a serious problem in terms of draining network
resources, but organizations like Spamhaus don't even do an
investigation.

Even if this were on-topic, don't you think it would a good idea to
make at least a cursory attempt to get your facts straight? Spamhaus
is located in the UK, I personally know multiple Spamhaus volunteers
who spend vast amounts of time researching their blacklist entries,
and they put large dossiers on their web site to document them.

ObOperations: Spamhaus publishes a drop list of IP ranges intended for
your router that I heartily recommend. It is much smaller than their
mail blacklist, chosen to include only network ranges with no
socially redeeming value at all.

R's,
John
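The DROP list John recommends is a plain text feed of prefixes meant to be null-routed at the edge. As an added example (not from the thread or from Spamhaus), the parser below reads a constructed sample in the DROP layout it assumes ("CIDR ; SBLnnn", with ';' comment lines), skips malformed lines instead of emitting routes for them, renders IOS-style or iproute2 blackhole routes, and answers whether a given address falls inside a listed range. The sample prefixes are RFC 5737 documentation ranges and the SBL ids are made up.

```python
"""Turn a Spamhaus DROP-style list into router null routes.

Added example, not from the NANOG thread. The entry layout
("CIDR ; SBLnnn", ';' comment lines) and all sample entries and
SBL ids below are constructed for illustration.
"""
import ipaddress

# Constructed sample in DROP layout (RFC 5737 test prefixes, made-up ids).
SAMPLE_DROP = """\
; Spamhaus DROP List (constructed sample)
192.0.2.0/24 ; SBL000001
198.51.100.0/25 ; SBL000002
not-a-prefix ; SBL000003
203.0.113.0/24 ; SBL000004
"""


def parse_drop(text):
    """Return {network: sbl_ref}; comment and malformed lines are skipped."""
    entries = {}
    for raw in text.splitlines():
        prefix, _, ref = raw.partition(";")
        prefix = prefix.strip()
        if not prefix:                # blank line or ';' comment line
            continue
        try:
            net = ipaddress.ip_network(prefix, strict=True)
        except ValueError:
            continue                  # never emit a route for a line we cannot parse
        entries[net] = ref.strip()
    return entries


def null_routes(entries, style="ios"):
    """Render each prefix as a discard route in IOS-style or iproute2 syntax."""
    lines = []
    for net, ref in sorted(entries.items(), key=lambda kv: (kv[0].version, kv[0])):
        if style == "ios":
            lines.append(f"ip route {net.network_address} {net.netmask} Null0 name {ref}")
        else:
            lines.append(f"ip route add blackhole {net}  # {ref}")
    return lines


def is_dropped(entries, addr):
    """Return the SBL reference covering addr, or None if it is not listed."""
    ip = ipaddress.ip_address(addr)
    return next((ref for net, ref in entries.items()
                 if ip.version == net.version and ip in net), None)
```

Feeding the real list in requires fetching it separately; the functions take the file text, so the fetch step is left out here.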

Hi John,

Nowhere in that email did I say Spamhaus was an American organization.

So let’s not be petty.

As for Spamhaus' professionalism, I would point out that some organizations that use opt-in lists still get hit by Spamhaus, either because the end users complained after apparently

  1. forgetting that they had opted into the list
  2. or they changed their mind.

Many of the biggest publishing houses now run their email operations overseas precisely because they are tired of dealing with Spamhaus complaints.

The question is how to achieve accountability.

I don’t think volunteer organizations are ideal from an accountability point of view.

Regards,

Roderick S. Beck
Hibernia Atlantic
30 Dongan Place, NY, NY 10040
http://www.hiberniaatlantic.com
Landline: 1-212-942-3345
Wireless: 1-212-444-8829.
rod.beck@hiberniaatlantic.com
rodbeck@erols.com
"Unthinking respect for authority is the greatest enemy of truth." Albert Einstein.

My apologies to all for feeding the trolls...

I rarely post, but that is clearly a problem. The Americans seem to believe
in the presumption of guilt and the infallibility of accusation. As an
American born and bred I can hardly be accused of bias.

Clearly spam is a serious problem in terms of draining network resources,
but organizations like Spamhaus don't even do an investigation.

Maybe this new American mentality explains Guantanamo Bay.

I'm sorry, you must be confused. This is NANOG, which purports to be
a technical discussion regarding network operations in North America.
Down the hall you'll find plenty of mailing lists maintained by the
Democrat Party - your odd, incorrect, and factually-flawed "blame
America(ns) for everything" diatribes will be better received by that
audience. If that doesn't work, I suggest a daily dose of DailyKos
and some tinfoil to wrap around your head. Thanks.

On the other hand, most volunteer organizations are thought of as being more
trustable than corporations or governments, precisely because while often
a corporation or government is wielded as a tool to further some end of
the leadership (usually money, power, or both), it's a lot harder to do
that with volunteers - they tend to be more self-policing.

It's a lot easier to read Spamhaus's motives for any given action (even if
you don't agree with their methods), and make your own decision regarding
their trustworthiness, than it is to figure out why DHS wants control of
the DNSSEC key-signing-key.

(And "volunteer" doesn't imply "unaccountable" - anybody who's been following
the US news will likely have heard that the US Dept of Justice seems to have
this big unaccountable gap in their e-mail trail regarding the firing of
some attorneys...)

Having just read and deleted somewhere between 100 and 400 messages on
this, I don't really want to add to the noise. I hope there's some
signal here.

One thing is clear, that Gadi wants DNS completely re-vamped. He says
that it as an infrastructure for abuse.

Come on! DNS is a lookup mechanism. It is the infrastructure for
EVERYTHING. So, yes, it is the infrastructure for the abuse. It is
ALSO the infrastructure for doing things right. It may even be the
infrastructure for the solution. [Vixie thinks it's DNSSEC - but the
problem is, the data being inserted IS authentic data, filed in a
registry.]

More likely, though, as this is a social problem, the solution is
completely outside the technical realm. ICANN is working on the "domain
tasting" issue, as a quick lookup shows. PIR has proposed a "restock
fee". An independent report to ICANN advises that Versign should do the
same thing. Will this stop domain tasting? It will, at least, make it
less profitable. Will this stop the "pirates"? No, of course not, as
said at least fifty times in this thread. But if this catches on
worldwide, they may choose a different mode of ingress into our lives than
this "fast-flux" route.

Will legislation solve anything? Probably not. Who legislates for the
entire world? Although I did note that the WTO did smack the USA down
for some things recently, and they had to sit there and take it. [Well,
with some ineffective loud complaints.] So maybe there is someone who
can really enforce international law. I wouldn't know. [Who DOES make
international law? Is it just treaty and precedent? Ooops, OT!]

Gadi wants a separate root server that he can trust. I think we've
already seen the evil of separate roots, except those who claim it's our
saviour. I fail to see the relevance, here, at all. Besides, the root
is in so many countries today, why aren't we trusting it? [Except for
the poorly run or separated copies.]

Gadi wants to be able to blacklist domain names immediately when called
for by ... oh, wait, we haven't figured that out yet. It would have to
be someone who is always right before I would accept it. And He hasn't
said a thing about domain names yet.

I kind of liked Doug Otis' suggestion of a mandatory waiting period for
all domain registrations. Even if we didn't take the time to check all
registered domains for illegal payment methods or known name-terrorists
[;-)], it would certainly end the fast-flux capability. Of course,
everyone would complain; but if it were universal, it would be accepted.

Would someone come up with a way around it? Have they come up with a
way around the firearm waiting period? Of course. But it's harder.

But it's also not clear that, long-term [once they get bored with
fast-flux, or the easily mined value of it has gone] it really has any
merit.

I don't want to say that none of Gadi's own ideas have merit, because
they do. [As long as one doesn't make a spectacular leap from one of
those to a totally unrelated idea with no visible support.] Perhaps
there should be someone somewhere to whom the bewildered DNS user
[everybody!] can turn when there is a domain [not DNS, but a domain]
that is being abused. The someone could look into it and see whether
it's purely an abuse domain, and if so, recommend that it be terminated.

As much as I like this idea, it has the possibility for turning into the
Inquisition. It would need checks and balances - for none of us mere
humans could possibly find out all the uses of a domain, or how it was
paid for, or all the things for which it is used. So we would have to
go with the best information we can find, and that may not be enough.
There would have to be checks and balances and appeals and all the
trappings of the more civilised sort of justice that allow people and
companies accused of violations of the law to keep doing it for years
before a resolution is found. But this is what frustrates all of us,
Gadi no less than any.

And speaking of such companies, before "fixing" DNS, shouldn't we be
forcing the company whose software generates a whole industry in fixing
its bugs to correct itself? Why is that not the issue?

There were too many other issues that I had wanted to address, but I
think this is getting too long already. I do want to repeat, this is a
social problem, and needs social solutions, most likely ones that take a
bite out of the easy money causing the various abuses discussed in this
thread.

Gadi,

4 days and 56 messages later... no pieces of the sky have hit me on the head yet. Trolling NANOG-L is as productive as ever. How long until you troll us again? Will it be another "INTERNET EMERGENCY!!!!" or just a provocative statement that starts a 50-message OT argument about botnets? NANOG-L would be more useful to those of us who actually operate networks if you would stop it.

Gadi Evron wrote:

Gadi,

4 days and 56 messages later... no pieces of the sky have hit me on the head
yet. Trolling NANOG-L is as productive as ever. How long until you troll us
again? Will it be another "INTERNET EMERGENCY!!!!" or just a provocative
statement that starts a 50-message OT argument about botnets? NANOG-L would be
more useful to those of us who actually operate networks if you would stop it.

At least this time you send a comprehensible note to the list rather than
"can't you die already" in private. :)