On-going Internet Emergency and Domain Names

>
> Stop trying to fix things in the core - it won't work, honest - and start
> trying to fix things closer to the edge where the actual problem is.

Thing is, the problem IS in the core. DNS is no longer just being abused,
it is pretty much an abuse infrastructure. That needs to be fixed if
security operations on the Internet at their current effectiveness
(which is low as it is) are to be maintained past Q4 2007-Q2 2008.

And as I said tongue in cheek before - so is IP. Where do you draw the line?

> I view this kind of thing as an operational issue insomuch as it might
> affect my network - but malware writers and botnet operators are smarter
> than they once were and aren't nearly as "spray your mark everywhere as
> quickly as possible" as exploits used to be.

As to malware:
Protect against malware on your network, this isn't what this is
about. It's about your network's security being reliant on someone half
way across the world taking care of it.

For the few I'm currently responsible for, you can be absolutely certain
my network security is reliant on me, not someone else.

I'm trying to push the "You've got to be responsible for what you send
just as much as what you receive" out to clients who only seem to take
notice after their first spam blacklisting, or sneaky malware infection.

Have you tried pursuing the root cause of all of this horribleness -
badly written software?

Adrian

> at the other end, authority servers which means registries and registrars
> ought, as you've oft said, be more responsible about ripping down domains
> used by bad people. whether phish, malware, whatever. what we need is
> some kind of public shaming mechanism, a registrar wall of sheep if you
> will, to put some business pressure on the companies who enable this kind
> of evil.

I have done public shaming in the past, as you know. I'd rather avoid it
if policy/technology can help out.

technology can help someone protect their own assets. policy can help other
people protect their assets. public shaming can motivate other people to protect
their own assets. YMMV.

Conversationally though, how would you suggest to proceed on that front?

a push-pull. first, advance the current effort to get registrars and
dynamic-dns providers to share information about bad CC#'s, bad customers,
bad domains, whatever. arrange things so that a self-vetting society of
both in-industry and ombudsmen have the communications fabric they need to
behave responsibly. push hard on this, make sure everybody hears about it
and that the newspapers are full of success stories about it.

then, whenever there's a phish or malware domain whose dyndns provider or
dns registrar is notified but takes no action, put it on the wall of shame.
something akin to ROKSO would work. (in fact, spamhaus could *do* this.)
make sure that the lack of responsible takedown is a matter of public record
and that a sustained pattern of such irresponsibility is always objectively
verifiable by independent observers who can each make independent judgements.

> fundamentally, this isn't a dns technical problem, and using dns
> technology to solve it will either not work or set a dangerous precedent.
> and since the data is authentic, some day, dnssec will make this kind of
> poison impossible.

Not for the bad guys, unfortunately. :confused:

by "this kind of poison" i meant something that would be used by good guys
to "whiteout" the domains needed/used by bad guys. it'll be inauthentic
data, and if dnssec is ever launched, this kind of data will be transparently
obviously inauthentic, and will just not be seen by the client population.
so, yes, dnssec will end up helping the bad guys in that particular way.

Gadi Evron wrote:

> Thing is, the problem IS in the core. DNS is no longer just being abused,
> it is pretty much an abuse infrastructure. That needs to be fixed if
> security operations on the Internet at their current effectiveness
> (which is low as it is) are to be maintained past Q4 2007-Q2 2008.

Imminent death of the Internet predicted. News at 11.

This fearmongering is getting to the scale of democrazy exports.

Pete

Gadi Evron wrote:
>
> Thing is, the problem IS in the core. DNS is no longer just being abused,
> it is pretty much an abuse infrastructure. That needs to be fixed if
> security operations on the Internet at their current effectiveness
> (which is low as it is) are to be maintained past Q4 2007-Q2 2008.
>
>
> Imminent death of the Internet predicted. News at 11.
>
> This fearmongering is getting to the scale of democrazy exports.

No fear, no uncertainty.

This is not about the death of the Internet. Wake up and start reading
your email elsewhere.

> at the other end, authority servers which means registries and registrars
> ought, as you've oft said, be more responsible about ripping down domains
> used by bad people. whether phish, malware, whatever. what we need is some
> kind of public shaming mechanism, a registrar wall of sheep if you will, to
> put some business pressure on the companies who enable this kind of evil.

I've posted here a few times about this, but... in almost all cases of
domain names used in a bad way (in malware or to further malware's
intents) the domain is purchased on a stolen CC. The registrar knows this
most often within days of the purchase; they don't seem to turn off the
domain though. Why is that? Why do they not terminate the domain or
at least terminate control of it by the 'bad actors'?

It seems that if the registrars would terminate control in a timely
fashion that would do what 'we' want, yes? remove the ease of use of this
tool for the bad actors...

> fundamentally, this isn't a dns technical problem, and using dns technology
> to solve it will either not work or set a dangerous precedent. and since

if the local side of the problem (an enterprise let's say) wants to use
the dns-tool in their toolbox, 'ok'. I'm not sure that at the provider
level it's as simple as that since there is an aggregation of security
policies there and often the policies conflict (you can look at xxx vs you
can't look at xxx).

Summary:

The US Department of Homeland Security (DHS) ...
wants to have the key to sign the DNS root zone
solidly in the hands of the US government.
This ultimate master key would then allow
authorities to track DNS Security Extensions
(DNSSec) all the way back to the servers that
represent the name system's root zone on the
Internet. The "key-signing key" signs the zone
key, which is held by VeriSign.

http://www.heise.de/english/newsticker/news/87655

Paul Vixie wrote:

> on any given day, there's always something broken somewhere.
>
> in dns, there's always something broken everywhere.

The catch-phrases you come up with are delightful. Catchy and deeply useful.

Would that more folk would take them to heart, for their implications.

> since malware isn't breaking dns, and since dns not a vector per se, the
> idea of changing dns in any way to try to control malware strikes me as
> a way to get dns to be broken in more places more often.

Although there are times to consider pursuing an ugly-but-expeditious path, you've made the point that the effects are long-term, while the symptoms might only be short-term.

Given the complexity of the abuse space, it's worth thinking in terms of basic benefit in the change, while using the immediate situation merely as a motivator: Is the change something that makes sense on its own, independent of the current abuse manifestation? If so, then go ahead and do it. If not, the odds are high that it will only be part of a process of adding warts to warts.

> fundamentally, this isn't a dns technical problem, and using dns technology
> to solve it will either not work or set a dangerous precedent. and since
> the data is authentic, some day, dnssec will make this kind of poison
> impossible.

I was sitting at a bar, one Saturday, many years ago. Behind the bartender was a sign that said "Free beer tomorrow". We were in an alcohol-paranoid state, so I asked the bartender about the sign, since I knew they'd be closed on Sunday. His comment was that tomorrow never comes.

Someday, indeed.

d/

Hi,

Summary:

Confusion resulting from hearsay and extrapolations.

> The "key-signing key" signs the zone key, which is held by VeriSign.

Except that the root zone hasn't been signed and there are no plans I am aware of to do so (and I think I'd probably know). In one possible scenario, VeriSign would hold the zone signing key which would be signed by the key signing key. Who holds the KSK hasn't been established.

However, in reality, nothing would change. Even if the root were to be signed, who signs it doesn't really matter -- the USG already must approve any changes made to the root zone.

Rgds,
-drc
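As an added illustration (not code from any poster in this thread) of the chain drc describes above, where the KSK signs the DNSKEY set that carries the ZSK and the ZSK signs the zone data, and of Vixie's earlier point that a validating resolver would see "whiteout" data as inauthentic. The zone name, addresses and the use of ed25519 as the signing algorithm are assumptions made for this example; real DNSSEC records carry more fields than modelled here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// Toy model of the DNSSEC trust chain: a root key-signing key (KSK) signs the
// DNSKEY set carrying the zone-signing key (ZSK); the ZSK signs record sets.
// Formats are simplified and ed25519 is an assumed stand-in for a real algorithm.

// RRset is a named record set plus the signature made over it.
type RRset struct {
	Name    string
	Type    string
	Records []string
	Sig     []byte
}

// canonical gives signer and validator the same bytes to sign and check.
func canonical(name, typ string, records []string) []byte {
	return []byte(name + "|" + typ + "|" + strings.Join(records, ","))
}

// Zone holds the KSK-signed DNSKEY set (KSK then ZSK) and ZSK-signed data.
type Zone struct {
	KSKPub ed25519.PublicKey
	ZSKPub ed25519.PublicKey
	DNSKEY RRset
	Data   map[string]RRset
}

// SignZone generates fresh keys: the KSK signs the DNSKEY RRset, the ZSK signs
// every A RRset (the records passed in are constructed sample data).
func SignZone(name string, records map[string][]string) Zone {
	kskPub, kskPriv, _ := ed25519.GenerateKey(rand.Reader)
	zskPub, zskPriv, _ := ed25519.GenerateKey(rand.Reader)
	keys := []string{string(kskPub), string(zskPub)}
	z := Zone{KSKPub: kskPub, ZSKPub: zskPub, Data: map[string]RRset{}}
	z.DNSKEY = RRset{name, "DNSKEY", keys, ed25519.Sign(kskPriv, canonical(name, "DNSKEY", keys))}
	for owner, rrs := range records {
		z.Data[owner] = RRset{owner, "A", rrs, ed25519.Sign(zskPriv, canonical(owner, "A", rrs))}
	}
	return z
}

// Validate does what a validating resolver does: the configured trust anchor
// must vouch for the DNSKEY set, and the ZSK from that set must vouch for the
// answer. An answer rewritten in transit (a "whiteout") fails the last check.
func Validate(anchor ed25519.PublicKey, z Zone, answer RRset) error {
	if !ed25519.Verify(anchor, canonical(z.DNSKEY.Name, "DNSKEY", z.DNSKEY.Records), z.DNSKEY.Sig) {
		return errors.New("DNSKEY RRset not signed by trust anchor")
	}
	if len(z.DNSKEY.Records) != 2 || string(z.ZSKPub) != z.DNSKEY.Records[1] {
		return errors.New("ZSK not present in the signed DNSKEY RRset")
	}
	if !ed25519.Verify(z.ZSKPub, canonical(answer.Name, answer.Type, answer.Records), answer.Sig) {
		return errors.New("answer not signed by the zone's ZSK")
	}
	return nil
}

func main() {
	z := SignZone("example.", map[string][]string{"www.example.": {"192.0.2.10"}})
	fmt.Println("authentic:", Validate(z.KSKPub, z, z.Data["www.example."]))
	forged := z.Data["www.example."] // a resolver rewrites the answer to a sinkhole address
	forged.Records = []string{"192.0.2.99"}
	fmt.Println("whiteout:", Validate(z.KSKPub, z, forged))
}
```

The first call returns nil; the second returns the "not signed by the zone's ZSK" error, which is the "transparently obviously inauthentic" outcome Vixie describes.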

I'm not clear what "this realm" actually is.

Rgds,
-drc

From: Dave Crocker <dcrocker@bbiw.net>
To: Paul Vixie <paul@vix.com>, nanog@merit.edu, Gadi Evron <ge@linuxbox.org>
Subject: Re: On-going Internet Emergency and Domain Names

offlist.

actually, not, according to the headers shown above.

Paul Vixie wrote:
> a push-pull. first, advance the current effort to get registrars and
> dynamic-dns providers to share information about bad CC#'s, bad customers,
> bad domains, whatever. arrange things so that a self-vetting society of
> both in-industry and ombudsmen have the communications fabric they need to
> behave responsibly. push hard on this, make sure everybody hears about it
> and that the newspapers are full of success stories about it.

IP Address blacklists are a sufficiently solid staple of email anti-abuse
effort, that I suspect similar approaches, for other information tidbits,
would be quite useful.

as the inventor of the internet's first ip address blackhole list (not
"blacklist"), i agree that it's a solid staple, but i'm not sure it was
the most effective 10-year plan we could have made at the time, had we
been making 10-year plans.

This is less about "shaming" and more about filtering. In this case,
filtering at DNS registration time, ISP account setup, or the like.

agreed. i'd be happy to see the DNS registration "front end" (one of its
"edges") gain some kind of reputation filtering. i just don't want to see
"core"-level filtering like we did in e-mail, unless it's at the customer-
facing ("edge") level, like Trend ICSS offers.

The difficulties, here, are to a) establish a credible organization for
creating and maintaining the list(s), b) getting folks to submit data to
it, and c) getting folks to use it.

those are Gadi's three areas of strength and i'd help him if he did this.

Since there is quite a lot of track-record on doing this -- both well and
poorly -- the challenge here is all about implementation, rather than
design, of the service.

having designed a reputation system inadequately once upon a time, i think
it's important to get both the design and implementation right.

> > Stop trying to fix things in the core - it won't work, honest - and
> > start trying to fix things closer to the edge where the actual problem
> > is.
>
> Thing is, the problem IS in the core. DNS is no longer just being abused,
> it is pretty much an abuse infrastructure. That needs to be fixed if
> security operations on the Internet at their current effectiveness
> (which is low as it is) are to be maintained past Q4 2007-Q2 2008.

And as I said tongue in cheek before - so is IP. Where do you draw the
line?

Agreed. Really, with this block this, block that, block the other attitude so
many people have nowadays, soon enough, unless we make the effort to stop the
problems

> > I view this kind of thing as an operational issue insomuch as it might
> > affect my network - but malware writers and botnet operators are
> > smarter than they once were and aren't nearly as "spray your mark
> > everywhere as quickly as possible" as exploits used to be.
>
> As to malware:
> Protect against malware on your network, this isn't what this is
> about. It's about your network's security being reliant on someone half
> way across the world taking care of it.

> For the few I'm currently responsible for, you can be absolutely certain
> my network security is reliant on me, not someone else.

I applaud you for your efforts, as well as to anyone else's on this list who
makes efforts.

> I'm trying to push the "You've got to be responsible for what you send
> just as much as what you receive" out to clients who only seem to take
> notice after their first spam blacklisting, or sneaky malware infection.

Indeed, end users see their computer infected with something and they act
innocent whenever something goes wrong with it, Users often times REFUSE to
take responsibility if their computer becomes a problem. Users simply don't
see the importance of keeping their computer secured.

> Have you tried pursuing the root cause of all of this horribleness -
> badly written software?

Good point, Software companies that create badly written code then put it out
on the market should be more-so held accountable, Until these companies are
held FULLY responsible for exploits and such, you're going to keep seeing
things like "Months of bugs", it's because software companies keep rushing
software out to the market to sell it,

they're not concerned about security if you can make a month of bugs from one
of their products, they're more concerned about the income and don't do
enough security testing and QA before the software leaves their shop, and
end-users will more than likely not ask about security of the software,
because all they want to do is chat with their aunt bella somewhere.

It's badly written software that is one of the main vectors of botnets and
such, we shouldn't be going after DNS

> ICANN has not shown any interest or ability to affect change in
> this realm.

I'm not clear what "this realm" actually is.

Abuse and Security (non infrastructure). ICANN, as far as I understand,
manages the business side of things. If I am wrong, I'd be happy to learn
more.

Can you share with us what your thoughts are?

  Gadi.

Hi,

> Summary:

Confusion resulting from hearsay and extrapolations.

> The "key-signing key" signs the zone key, which is held by VeriSign.

> Except that the root zone hasn't been signed and there are no plans I
> am aware of to do so (and I think I'd probably know). In one possible
> scenario, VeriSign would hold the zone signing key which would be
> signed by the key signing key. Who holds the KSK hasn't been
> established.
>
> However, in reality, nothing would change. Even if the root were to
> be signed, who signs it doesn't really matter -- the USG already must
> approve any changes made to the root zone.

And of course, it can only approve "Willing changes".

I would also like to point out, to echo one of my other posts: If we get
block happy, they (The people abusing the exploits) WILL simply move to
another port, another protocol, so unless we're willing to block every port,
every protocol, to ensure that it cannot become a vector, I suggest we STOP
and think tactically: Will blocking these protocols stop these people? Or
will they just move to exploit another port and/or protocol?

Sadly, if blocking ports and protocols becomes the only method to control
things like this from occurring, I sadly will have to agree with Pete's post,
as soon we're going to have all 65535 ports on all protocols (TCP, UDP, etc)
blocked.

Kradorex Xeron wrote:

Sadly, if blocking ports and protocols becomes the only method to control things like this from occurring, I sadly will have to agree with Pete's post, as soon we're going to have all 65535 ports on all protocols (TCP, UDP, etc) blocked.
  

65536 ports for UDP...

Pete

ge@linuxbox.org (Gadi Evron) writes:

> Stop trying to fix things in the core - it won't work, honest - and start
> trying to fix things closer to the edge where the actual problem is.

> Thing is, the problem IS in the core.

nope. read what he wrote-- "it won't work, honest". the problem is on the
front-end, an "edge", specifically in the way domain tasting works. does
anyone really believe that there will ever again be a million domains added
to the DNS in a 24-hour period? (of course not.) then why do verisign and
the other TLD registries have to cope with many millions of updates per day?
if we solve THAT problem, which is difficult and barely tractible, then the
"dns core" will go on as before, working just fine all the while.

> DNS is no longer just being abused, it is pretty much an abuse
> infrastructure.

do you mean DNS or do you mean every Internet technology including IP, UDP,
TCP, ICMP, BGP, etc; plus most non-Internet-specific technologies including
ASCII, Unicode, 32-bit, 64-bit, and binary?

"the internet, and technology in general, is no longer just being abused,
it is pretty much an abuse infrastructure." <--- i'd agree with *that*.
(but this is not the first time I've been irritated that I can't choose which
other humans to share the galaxy with and which ones I'd like to kick out.)

I stand corrected, the Internet is obviously the problem and botnets are
the very serious symptom, but consider:

This is not a DNS server being abused, it is the infrastructure. The
"network", centralized and de-centralized.

So yes, DNS has become an infrastructure for abuse even if the Internet
itself is not very safe.

  Gadi.

> The US Department of Homeland Security (DHS) ...
> wants to have the key to sign the DNS root zone
> solidly in the hands of the US government.
> This ultimate master key would then allow
> authorities to track DNS Security Extensions
> (DNSSec) all the way back to the servers that
> represent the name system's root zone on the
> Internet. The "key-signing key" signs the zone
> key, which is held by VeriSign.

Very interesting because it is the second story on the list this weekend
which highlights that DNS domain registries (and ultimately the root
zone) are a single point of failure on the Internet. Wouldn't the holder
of these keys be the only ones able to spoof DNSSEC? And if the criminal
community ever cracks DHS (through espionage or bribery) to acquire
these keys, what would be the result.

I just don't see how adding another single point of failure to the DNS
system, in the form of a master key, helps to strengthen the DNS
overall. It is probably time to start looking at alternative naming
systems. For instance, we have a much better understanding of P2P
technology these days and a P2P mesh could serve as the top level finder
in a naming system rather than having a fixed set of roots. We have a
better understanding of webs of trust that we could apply to such a
mesh.

Given that the existing DNS is built around two distinct classes of IP
address, i.e. stable ones that always lead to a root nameserver, and
unstable ones which lead to other Internet hosts, could we not design a
more flexible naming system around that concept? Could we not have more
than 13 stable IP addresses in the net? Could we not leverage something
like route servers in order to find the root of a local naming
hierarchy?

Now that well-educated and technically sophisticated criminal groups are
attacking the DNS on multiple fronts, we need to be looking at
alternatives to DNS for naming hosts. We need to get such alternative
systems out into the wild where they can be tested. To date, we have
seen some small amount of innovative thinking around DNS that has been
tested. For instance, alternative roots which have failed in the wild
and anycasting which has been a great success. But these things do not
address the core technical problems of the whole DNS system.

--Michael Dillon

a message of 46 lines which said:

> It is probably time to start looking at alternative naming
> systems. For instance, we have a much better understanding of P2P
> technology these days and a P2P mesh could serve as the top level
> finder in a naming system rather than having a fixed set of roots.

The only serious (?) proposal I've seen until now, CoDoNS
(Beehive: CoDoNS), uses
DNSSEC, so it has the same dependency on the US government.

> better understanding of webs of trust that we could apply to such a
> mesh.

You mix up *resolution* of names (which could be done by a P2P mesh
like CoDoNS, replacing the root name servers) and *registration* of
names, which have to be hierarchical if you want to preserve unicity
of names. And this is the important point of control (the root name
servers are not controlled by the US government, unlike the
registration root).

So, you've not solved the problem.

The Racines Libres have failed?

There are so many out there that we cannot count them any longer.

I think the only failure is the "single point of failure root".

They have failed to be trustworthy.

It is so easy, get a copy of a trustworthy root-zone and run
your own root. From time to time compare your root to the
others and fix any diffs.

Better take the authoritative servers and fix your root-zone.

I have never seen a personal root-server attacked.
The single point of failure root gets attacked once per hour,
because every hour it is 8 o'clock in the morning on some place
and all those windows boxes get switched on.

Cheers
Peter and Karin Dambier