[95780] in North American Network Operators' Group
Re: ICANNs role [was: Re: On-going ...]
daemon@ATHENA.MIT.EDU (Simon Waters)
Tue Apr 3 14:30:51 2007
From: Simon Waters <simonw@zynet.net>
To: nanog@nanog.org
Date: Tue, 3 Apr 2007 19:29:30 +0100
In-Reply-To: <20070403133139.I62659@calis.blacksun.org>
Errors-To: owner-nanog@merit.edu
On Tuesday 03 April 2007 18:35, Donald Stahl wrote:
>
> The problem here is that the community gets screwed not the guy paying
> $8.95. If he was getting what he paid for- well who cares. The problem is
> everyone else.
At the risk of prolonging a thread that should die....
Gadi forwarded a post suggesting DNSSEC is unneeded because we have security
implemented elsewhere (i.e. SSL).
Thus how does it affect me adversely if someone else registers a domain, if I
don't rely on the DNS for security?
Much of the phishing I see is hosted on servers that have been compromised; I
guess that is cheaper than the $8.95 for a domain.
If there is evidence that domain tasting is being used for abusive practices,
I'm sure the pressure to deal with it will increase. Much as I think the
practice is a bad thing, I don't see it as a major security issue.
The reason domain registration works quickly is that it was a real pain when
it didn't (come on, it wasn't that long ago). People registering domains
want it up and running quickly, as humans aren't good at the "I'll check it
all in 8 hours/2 days/whatever". I'm sure prompt
registration/activation/changes of domains is in general a good thing,
resulting in better DNS configurations.
Sure it is possible domains will be registered for abusive activity, and
discarded quickly, with a difficult path in tracing such. But if there is
some sort of delay or grace period it won't make a difference. When domains
took days to register spammers waited days. I don't suppose phishers are any
less patient.
Validation of names, addresses, and such like is impractical, and I believe
inappropriate. There is a method for such validations (purchase of SSL
certificates), and even there the software, methods, and tools are pitiful.
Why should the domain registrars be expected to do the job (or do it
better?), when it could be equally argued that ISPs are in a better position
to police the net.
The credit card companies are good at passing chargeback fees to the vendor,
so be assured if people are using fraudulent credit card transactions, the
domain sellers will have motivation to stop selling them domains.
The essential problem with Internet security is that there is little comeback
on abusers. There has been obvious and extensive advance fee fraud run from
a small set of IP addresses in Europe, using the same national telecom
provider as a mail relay, and it took 4 years to get any meaningful action (I
assume the recent drying up of such things was a result of action; the
fraudster may just have retired with their ill-gotten gains for all I know!).
There are specific technical, and market issues, but without any real world
policing, the abusers will keep trying, till either they succeed or go bust.
If they succeed they may well go on to become part of more organized abuse.
The other problem is that there is no financial incentive for ISPs to do
the "right thing". Whereas domain registrars can cancel a domain, and get
another sale from the same abuser - so they have a financial incentive to
clean up. If ISPs close an account, the person will likely just switch ISP.
A classic example I commented on recently was "Accelerate Biz", unrepentant
spammers (at least their IP address range is from here, either that or so
thoroughly incompetent they might as well be). Their inbound email service is
filtered by "Mail Foundry", but despite being an "antispam" provider, Mail
Foundry have no financial incentive to stop providing services to these
spammers. Till companies (ISPs included) are fined for providing such
services, so it isn't profitable, we'll be spammed.
Port 25 SYN rate limiting isn't that much harder than ICMP ;)
Simon, speaking in a personal capacity, views expressed are not necessarily
those of my employers.