[95793] in North American Network Operators' Group
Re: summarising [was: Re: ICANNs role]
daemon@ATHENA.MIT.EDU (Douglas Otis)
Tue Apr 3 21:14:17 2007
In-Reply-To: <4612D547.1090608@spacething.org>
Cc: Gadi Evron <ge@linuxbox.org>, nanog@merit.edu
From: Douglas Otis <dotis@mail-abuse.org>
Date: Tue, 3 Apr 2007 18:13:18 -0700
To: Sam Stickland <sam_mailinglists@spacething.org>
Errors-To: owner-nanog@merit.edu
On Apr 3, 2007, at 3:29 PM, Sam Stickland wrote:
>
> Maybe it would make sense for someone to reiterate what types of
> abuse DNS is facilitating? I believe what Gadi was getting at was
> mainly the ability to use fake details to register a domain, and
> then very rapidly cycling the A records through a wide range of
> hosts, attempting to avoid detection. As opposed to there actually
> being fundamental flaws open to abuse in a system that maps names
> to IP addresses.
Despite the doubts several stated about creating a fairly comprehensive
view of the Internet landscape, dedicated systems working in unison
do keep fairly close tabs on what is what. Threat information is
then pushed to the edge (as some would call it). The abuse of
registries has been able to thwart the effectiveness in dealing with
much of the threat landscape as it undergoes a transformation every
few minutes. The latency in distributing threat information prevents
that protection from being as effective as it should be when facing
undefined threats within a rapidly transforming environment.
No one wants to wait for security checks while browsing. This
information must be preprocessed and "at the ready", or the Internet
starts to feel rather slow and broken. Slowing down registry
updates, and even providing a preview of upcoming changes, will allow
security to become much faster in providing comprehensive answers,
and make browsing seem unimpaired (as it should be).
There is no need for rapid, unannounced updates by the registries.
Getting a commerce site set up in milliseconds all too often benefits
those wishing to abuse this immediacy. Would it really be that hard
to say "Confirm the operation of DNS for this website at this time
tomorrow."? Just because this information can be published within a
few milliseconds does not make doing so a good idea. It would be
better for security reasons to offer this information for review
first, well before it goes "live".
The price for pushing protective information to the edge by just one
company fighting this blitzkrieg is simply astounding. In addition,
there are costs incurred by the reduced protection as well, whether
it is click fraud, botnet C&Cs, phishing sites, etcetera, etcetera.
Slowing registries and offering a preview can dramatically shift the
balance in this faltering struggle. There are many security concerns
that can make extremely good use of this information without
depending upon some centralized policing that never seems to be
sufficient or effective enough to be noticeable.
It is not obvious how the daily 5 million domain name churn driven by
an astoundingly high level of fraud and identity theft can be slowed.
Perhaps we will all soon need a cryptographic fob instead of a wrist
watch to accompany our other pieces of identification. Stabilizing
the landscape can ensure system owners have a better idea when they
are entering dangerous territory. This alone should help them keep
their systems as safe as possible in the face of unknown threats.
Tracking all this information may seem daunting, but is there any
other practical alternative?
-Doug
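The "very rapidly cycling the A records through a wide range of hosts" pattern quoted at the top of this message is what is usually called fast flux. The following is an added example, not code from the original post, the thread, or NANOG: it profiles a series of DNS lookups per name and flags names whose answers have a short TTL, keep changing, and span several networks. The Observation record, the sample names and addresses (taken from the RFC 5737 documentation ranges), and every threshold are assumptions made for illustration; a production detector would use ASN lookups rather than /24 prefixes and would tune the thresholds against its own traffic.

```python
"""Fast-flux heuristic over a sequence of DNS A-record observations.

Added illustration only; the observations below are constructed, and the
thresholds are assumptions chosen to make the example readable.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_network
from statistics import mean


@dataclass(frozen=True)
class Observation:
    t: int            # seconds since start of capture (constructed timeline)
    qname: str        # name that was looked up
    ttl: int          # TTL on the A records returned
    answers: tuple    # A records returned for this lookup, as strings


# Assumed thresholds: short TTL, many distinct addresses, several /24s,
# and most of each answer set never seen before.
MAX_TTL = 600
MIN_DISTINCT_IPS = 8
MIN_DISTINCT_NETS = 3       # /24 prefixes as a crude stand-in for ASNs
MIN_CHURN = 0.5             # fraction of answers not returned earlier

# Constructed sample: a fluxing name, a CDN-style name that rotates within a
# small fixed pool, and a static site with one address and a day-long TTL.
SAMPLE = [
    Observation(0,    "login-secure-update.example", 300, ("203.0.113.7",   "198.51.100.23",  "192.0.2.41")),
    Observation(300,  "login-secure-update.example", 300, ("203.0.113.98",  "198.51.100.201", "192.0.2.140")),
    Observation(600,  "login-secure-update.example", 300, ("203.0.113.150", "198.51.100.77",  "192.0.2.9")),
    Observation(900,  "login-secure-update.example", 300, ("203.0.113.11",  "198.51.100.5",   "192.0.2.250")),
    Observation(1200, "login-secure-update.example", 300, ("203.0.113.66",  "198.51.100.130", "192.0.2.77")),
    Observation(0,    "static.cdn.example", 60, ("192.0.2.10", "192.0.2.11")),
    Observation(60,   "static.cdn.example", 60, ("198.51.100.10", "198.51.100.11")),
    Observation(120,  "static.cdn.example", 60, ("192.0.2.10", "198.51.100.10")),
    Observation(180,  "static.cdn.example", 60, ("192.0.2.11", "198.51.100.11")),
    Observation(0,     "www.static.example", 86400, ("203.0.113.5",)),
    Observation(3600,  "www.static.example", 86400, ("203.0.113.5",)),
    Observation(7200,  "www.static.example", 86400, ("203.0.113.5",)),
]


def profile(observations):
    """Group observations by name and compute per-name flux metrics."""
    by_name = defaultdict(list)
    for o in observations:
        by_name[o.qname].append(o)

    metrics = {}
    for name, obs in by_name.items():
        obs.sort(key=lambda o: o.t)
        seen = set()
        churn = []
        for i, o in enumerate(obs):
            if i > 0:
                # share of this answer set that no earlier lookup returned
                new = [a for a in o.answers if a not in seen]
                churn.append(len(new) / len(o.answers))
            seen.update(o.answers)
        nets = {ip_network(f"{a}/24", strict=False) for a in seen}
        metrics[name] = {
            "distinct_ips": len(seen),
            "distinct_nets": len(nets),
            "mean_ttl": mean(o.ttl for o in obs),
            "churn": mean(churn) if churn else 0.0,
        }
    return metrics


def is_fluxing(m):
    """Apply the assumed thresholds to one name's metrics."""
    return (m["mean_ttl"] <= MAX_TTL
            and m["distinct_ips"] >= MIN_DISTINCT_IPS
            and m["distinct_nets"] >= MIN_DISTINCT_NETS
            and m["churn"] >= MIN_CHURN)


def flag(observations):
    """Return the sorted list of names that look like fast-flux hosting."""
    return sorted(n for n, m in profile(observations).items() if is_fluxing(m))


if __name__ == "__main__":
    for name, m in profile(SAMPLE).items():
        print(f"{name:30s} ips={m['distinct_ips']:2d} nets={m['distinct_nets']} "
              f"ttl={m['mean_ttl']:.0f} churn={m['churn']:.2f} flux={is_fluxing(m)}")
```

The CDN-style name also has a short TTL and multiple addresses, which is why TTL alone is a poor signal; it is the combination of a churn ratio near 1.0 with addresses spread across unrelated networks that separates flux from ordinary load balancing. The churn metric is also the one a registry "preview" of pending changes would feed most directly, since it is computed from the sequence of answer sets rather than from any single response.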