In-Reply-To: <32993.1480633310@segfault.tristatelogic.com>

As you probably know, Rich, that's not exactly a novel observation. Vixie
was already saying it a full six years ago, and things have only gotten
worse since then.

Yep. I remember reading that. The only change I would make is that
Paul wrote:

  Most new domain names are malicious.

and I think a more accurate/updated/refined statement in 2016 would be:

  Almost all new domain names are malicious.

We are busy trying to support a domain name system that is two to
three orders of magnitude larger (as measured by domains) than it
should be or needs to be. And nearly all of what we're supporting
is malicious.

---rsk

that statement seems ... hard to prove.
also, what does it matter the size of the domain system?
also, perhaps this is an incentives problem from the top down? (if it's
really a problem, I mean).

Paging Geoff Huston to the white courtesy phone . . .

;>

FWIW one of the people involved in the takedown has reported that most
of the 800K domain names were DGA.

Here was my nutshell overview summary synopsis posted elsewhere:

DGA = Domain Generation Algorithm (term in Wikipedia).

So an infected bot and a C&C (command and control computer) have an
algorithm -- on the bot it's in the virus -- to generate seemingly
random domains using seeds such as the current date. Usually more
sophisticated but that's the idea, the goal is that both ends generate
the same seemingly random domain.

So they'll each generate for example xerv1dvm and attach it to a TLD,
it doesn't matter what, xerv1dvm.foo, or it could be .com or whatever.

They resolve it because they also infect the host's DNS resolver
software (or just inject their own, same thing) so it queries a
non-standard root server controlled by the attacker, could just be the
C&C computer, which will return an IP address for the infected bot to
use.

This setup allows these systems to change these parameters as often
as they like, every minute or less if needed tho that's probably not
necessary, every hour might do or even just once a day. Whatever it
takes to stay one step ahead of anyone seeking to interfere with them
such as law enforcement.

TL;DR: There needn't be any (accredited) registrars/registries involved.
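An added illustration of the mechanism described in the post above (not code from the thread or from any real malware family): a toy date-seeded generator showing why both ends arrive at the same label without exchanging it, paired with the cheap defender-side heuristic a resolver log reviewer would use to triage such names. The seed construction, label length and the entropy/vowel thresholds are all assumptions chosen for the demo.

```python
import hashlib
import math
from datetime import date

# Constructed toy DGA: both parties run the same deterministic function over a
# shared seed (here the calendar date plus a counter), so each derives the same
# label independently. Real DGAs differ in detail, but the principle is the same.
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"


def dga_label(seed_date: date, index: int, length: int = 8) -> str:
    """Derive the index-th candidate label for a given day (assumed toy scheme)."""
    material = f"{seed_date.isoformat()}:{index}".encode()
    digest = hashlib.sha256(material).digest()
    return "".join(ALPHABET[b % len(ALPHABET)] for b in digest[:length])


def daily_candidates(seed_date: date, count: int = 5, tld: str = "example") -> list[str]:
    """The list of names both ends would try on that day, under any TLD."""
    return [f"{dga_label(seed_date, i)}.{tld}" for i in range(count)]


def shannon_entropy(label: str) -> float:
    """Bits per character of the label; generated labels tend to score high."""
    n = len(label)
    return -sum(label.count(c) / n * math.log2(label.count(c) / n) for c in set(label))


def looks_generated(fqdn: str, entropy_min: float = 2.5, vowel_ratio_max: float = 0.25) -> bool:
    """Coarse triage heuristic over the leftmost label of a queried name.

    Flags long, high-entropy labels that are vowel-poor or mix letters and
    digits. Thresholds are assumptions; expect false positives on names like
    hostnames with numeric suffixes, so use this for review, not blocking.
    """
    label = fqdn.split(".")[0]
    if len(label) < 7:
        return False
    vowel_ratio = sum(label.count(v) for v in "aeiou") / len(label)
    digit_mix = any(c.isdigit() for c in label) and any(c.isalpha() for c in label)
    return shannon_entropy(label) >= entropy_min and (vowel_ratio <= vowel_ratio_max or digit_mix)


if __name__ == "__main__":
    today = date(2016, 12, 1)  # constructed sample date
    for name in daily_candidates(today):
        print(name, "<- flagged" if looks_generated(name) else "")
```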