[95738] in North American Network Operators' Group


Re: On-going Internet Emergency and Domain Names

daemon@ATHENA.MIT.EDU (Fergie)
Mon Apr 2 23:44:25 2007

From: "Fergie" <fergdawg@netzero.net>
Date: Tue, 3 Apr 2007 03:37:05 GMT
To: patrick@zill.net
Cc: nanog@merit.edu
Errors-To: owner-nanog@merit.edu



-- Patrick Giagnocavo <patrick@zill.net> wrote:

>On Apr 2, 2007, at 10:27 PM, Douglas Otis wrote:
>
>> The suggestion was to preview the addition of domains 24 hours in
>> advance of being published.  This can identify look-alike and cousin
>> domain exploits, and establish a watch list when necessary.  A preview
>> provides valuable information for tracking bad actors and for setting
>> up more effective defenses as well.
>>
>
>And just how many humans would this require?
>
>Or are you going to write a 12-kilobyte regex in Perl to do the work
>for you?
>
>Do you know how many trademarks and words that represent companies
>there are in existence?
>
>What about local lingo that might be misleading--like if you weren't
>familiar with college sports and thus "officialNittanyLions.com"
>(contrived example) didn't raise any red flags with you?
>
>I could see perhaps a flag or a standard value to go into TXT (maybe
>part of the existing SPF conventions) that indicates the age of the
>domain.
>
>Then leave it up to the user as to what to do with that information (a
>mail server not allowing emails from domains less than 15 days old for
>example).
>

Good questions, all -- but having said that, there are certainly
ways to approach each of these. And of course, there will obviously
be things that fall through the cracks.

And having said that, something is better than nothing. The value
in matching newly registered domains, the registrants themselves,
the nameservers, MX records, and historical IP addresses as a matrix
operation is incrementally positive as the effort itself becomes also
incremental in the positive.

What I'm saying is this: Historical reputation systems, coupled with
intelligence on known malware domains, observed fast-flux'ers, etc.,
gives some measure of control.

You still have to do an enormous amount of weeding, but again,
this is an endeavor that can be undertaken by private and
commercial organizations, as long as the domain registration
process is changed only slightly, to allow for a minor delay
between the time that the registration(s) are made, and the time
that they become "live".

As it stands now, everyone gets pretty much blind-sided by domains
that crop up solely for the sake of malfeasance.

I'm not sure I articulated that very well, but there it is. :-)

- ferg




--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg(at)netzero.net
 ferg's tech blog: http://fergdawg.blogspot.com/
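The two checks discussed in this exchange (Douglas Otis's look-alike/cousin-domain preview of pending registrations, and Patrick's mail policy for domains less than 15 days old), as an added Python example that is not part of the original thread. The registration feed, the protected-name watch list and the edit-distance threshold are constructed assumptions for the example.

```python
from datetime import date, timedelta

# Constructed sample "preview" feed of pending registrations (domain, date
# registered), standing in for the delayed zone data the thread proposes.
NEW_REGISTRATIONS = [
    ("officialnittanylions.com", "2007-04-01"),
    ("examp1e-bank.com", "2007-03-30"),
    ("quietgarden.org", "2007-02-01"),
]
# Hypothetical watch list of names a defender wants to protect.
PROTECTED_NAMES = ["example-bank", "nittanylions"]
MIN_AGE_DAYS = 15  # the "less than 15 days old" mail policy from the thread

def levenshtein(a, b):
    """Edit distance between two strings (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def cousin_of(label, protected=PROTECTED_NAMES, max_edits=1):
    """Return the protected name `label` resembles, or None.
    Checks a near-typo (edit distance <= max_edits, e.g. 'examp1e-bank') and a
    protected name embedded in a longer label (e.g. 'officialnittanylions').
    Both are heuristics; hits still need the human weeding the thread mentions."""
    for name in protected:
        if (name in label and label != name) or levenshtein(label, name) <= max_edits:
            return name
    return None

def classify(domain, registered, today):
    """Reasons (possibly none) to hold or flag mail from `domain`."""
    label = domain.rsplit(".", 1)[0]  # assumes a single-label TLD
    age = date.fromisoformat(today) - date.fromisoformat(registered)
    reasons = []
    if age < timedelta(days=MIN_AGE_DAYS):
        reasons.append("younger than %d days" % MIN_AGE_DAYS)
    match = cousin_of(label)
    if match:
        reasons.append("resembles protected name %r" % match)
    return reasons

def review_feed(today, feed=NEW_REGISTRATIONS):
    """Run both checks over the preview feed; returns {domain: reasons}."""
    return {d: classify(d, reg, today) for d, reg in feed}
```

A domain that trips neither check (quietgarden.org in the sample feed) is returned with an empty reason list, so the output doubles as the "watch list" Otis describes.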

