Verisign insanity - Distributed non-attack

Mailman List Mirror (Read Only)
1

After reading the posts on this list about Verisign's insane behaviour
regarding the .com and .net TLD wildcards, I'd like to make a suggestion:

Anyone remember the old RC5, distributed.net or Seti@Home projects?

If Verisign continues with this irrational behaviour I propose developing
a distributed client that will inundate their wildcard hosts with invalid
requests, thus making harvesting useful information from any HTTP, or
SMTP traffic that they hijack nigh impossible.

I nice distributed effort, a simple win32, and Unix client, and a stats
based reporting system will make this a project where everyone can vote
with their IP address.

I've also taken a look at the BIND code myself, to see how to rid myself
of these falsely reported A records, but the fact is that unless EVERYONE
joins in on running such a version of bind, Verisign will still get away
with it.
It's ridiculous that I as an administrator have to take steps to correct
the greedy self-righteousness that is the halmark of their "experiment" in
an
effort to get some of the FUNDAMENTALS of DNS behaviour to operate
as expected.

Inundating them with requests (such as the small Lynx shell script posted
earlier), will force bigger ISP's to take a stance against this behaviour as
well,
since they'll be the ones footing the bill in terms of transparent cache
servers
being filled with invalid requests, sitting on expensive disc, and expiring
other
more cache-worthy documents, and filling up processing queues.

Effectively this would amount to "denial of service" attack, but since
there is
nothing illegal about making an http request to an invalid hostname,
Verisign
will be bringing the denial of service attack upon themselves, and
unfortunately
dragging ISP's with them. Why ISP's haven't publically taken a stance
against
this yet is fascinating.

I'm a mild mannered programmer/administrator by day, but blatantly
monopolistic practices such as this requires decisive mass action, and makes
my blood boil. There are enough issues to deal with on a day to day basis
just to combat the loopholes there currently are for spammers.

Having Verisign give spammers free FROM: domains to spam from has just
made the task all the more unpleasant...

If Verisign doesn't retract their mal-implemented "White Paper" and it's
insiduous
behaviour from the internet within the next week, I WILL start developing a
client
that allows netizens to vote with their IP's and HTTP, or SMTP traffic.

I will personally put up a 100$ prize for the client that according to
statistics have
made the most requests to invalid .com/.net domains within the period
required
to get them to stop.

Cheers,
Roelf Diedericks
Systems Programmer

"I might be on the other end of a 56k modem, but I have a lot of friends
with
56k modems..."

2

While I completely share your concern about Verisign's behaviour, I have
a higher level concern about anything seeking to disrupt services on the
'net. For some weeks now, several of the abuse-prevention organisations
have been subjected to Distributed Denial-of-Service attacks; the attack
on SORBS is still continuing, and very few of the networks carrying this
DDoS traffic have lifted a finger to either limit or trace the attacking
traffic. Which, I have to say, is *most* disappointing.

3

This is just another example of a virtual monopoly doing whatever them
damn well please because .... THEY CAN.

Sorry to sound like a broken record, but we in the Inclusive Namespace
have been saying this all along.

How about a world with 1000's of TLDs all operated by different people
with NO restrictions imposed by a monopoly-supporting politburo (ICANN).

How about a root network operated under rules designed ONLY to
support the technical stability of the network and not under rules that
masquerade as such but are really designed to prop up a monopoly of
four organizations so that they can corner the market and shut out
all others.

Imagine such a world. Some people are doing just that. Some people
with a LOT of money to spend on such a project. Stay tuned.

In a free market namespace (which the ICANN/USG IS *NOT*),
with no un-neccessary barriers to entry, competition would weed
out the players that did anti-social, predatory things like VRSGN
is doing.

Either a business changes its practices to be in tune with its customer
base or it vanishes.

FYI: ADNS had wildcard records in the DNS for the .USA, .EARTH, .Z,
.LION and .AMERICA TLDs. They simply pointed to a page that said "This
domain has not been registered yet". Those records were removed
today because of the controversy surrounding wildcard records at the
TLD level. I see a valid use for such records but there is also potential
for abuse and perception is sometimes as important as reality. In the
Inclusive Namespace, competition is a reality because there are no
artificial barriers to entry in the marketplace and players had better listen
to the consumer's opinions or else they will not survive. Thats as it should
be. So, why isn't the #1 (in terms of traffic) root server network operated
that way?

4

Obviously the idea of nanog discussing anything which contributes to a denial of service is ridiculous.

What I find even more ridiculous is that ICANN, which (for now) is supposed to be managing this farce simply stands idly by hands in it's pockets fiddling with its board. It's not as if this is a surprise hijack by Verisign, they've been telling the world they were going to do this for a while.

In the meantime, everyone is left scrambling around at a technical level putting in /32 routes and DNS hacks to try and defeat it.

Up to today I've always thought that all the various alt roots were the way to insanity. For the very first time I think what passes for reality in the ICANN world may have become surreal enough that it really can't be any worse than this.

5

You can do this in the current framework as well. Simply don't use .com
or .net. Granted, it would be a lot easier if ICANN were more helpful,
but since that apparently isn't true...

There are many other TLDs out there that operate under the current
system that can be used instead. They may or may not be better, but
personally, I don't think anyone can be worse than Verisign.

The current system protects the monopoly longer - but does not grant total
immunity. They are still (eventually) at the mercy of the market, they
just have more room before that happens and enough people get pissed off.
Hopefully, this stunt did it. Assuming the larger organizations start to
issue press releases and other public announcements (ISPs, large corps),
then things will change. If the ISPs and larger companies go along with
it, then too bad for the rest of us.

6

Do not listen to this man. He is trying to do more damage than Verisign.
Actually.

7

M�ns Nilsson wrote: