Discussion:
ICANN opens up Pandora's Box of new TLDs
(too old to reply)
Tomas L. Byrnes
2008-06-28 05:27:12 UTC
Permalink
I just know who should be held for further processing @ the gate.

Which is good enough, in this case.

"What is the object of defense? Preservation. It is easier to hold
ground than take it. . . defense is the stronger form of waging war"

Carl Von Clausewitz
-----Original Message-----
Sent: Friday, June 27, 2008 8:33 PM
To: Tomas L. Byrnes
Subject: RE: ICANN opens up Pandora's Box of new TLDs
These issues are not separate and distinct, but rather related.
1: Recently registered domain.
2: Short TTL
3: Appearance in DShield, Shadowserver, Cyber-TA and other
sensor lists.
4: Invalid/Non-responsive RP info in Whois
Create a pretty good profile of someone you probably don't want to
accept traffic from.
Conflation is bad, recognizing that each metric has value, and some
correlation of membership in more than one set has even
more value, as
indicating a likely criminal node, is good.
YMMV.
I guess, if you have perfect malware signatures, code with
no errors,
accept traffic from everywhere.
Not quite, because you still won't know who to send the Marines to
kill.
The Internet is perfect for plausible deniability.
Gadi.
-----Original Message-----
Sent: Friday, June 27, 2008 7:23 PM
To: Roger Marquis
Subject: Re: ICANN opens up Pandora's Box of new TLDs
apply even cursory tests for domain name validity. Phishers and
spammers will have a field day with the inevitable namespace
collisions. It is, however, unfortunately consistent with ICANN's
inability to address other security issues such as fast
flush DNS,
domain tasting (botnets), and requiring valid domain contacts.
1) Fast flux
2) Botnets
3) Domain tasting
4) valid contact info
These are separate and distinct issues... I'd point out
that FastFlux
is actually sort of how Akamai does it's job (inconsistent dns
responses), Double-Flux (at least the traditional DF) isn't though
certainly Akamai COULD do something similar to Double-Flux (and
arguably does with some bits their services. The particular form
'Double-Flux' is certainly troublesome, but arguably
TOS/AUP info at
Registrars already deals with most of this because #4 in your list
would apply... That or use of the domain for clearly illicit ends.
Also, perhaps just not having Registrar's that solely deal in
criminal activities would make this harder to accomplish...
Botnets clearly are bad... I'm not sure they are related
to ICANN in
any real way though, so that seems like a red herring in the
discussion.
Domain tasting has solutions on the table (thanks drc for
linkages) but was a side effect of some
customer-satisfaction/buyers-remorse
loopholes placed in the regs... the fact that someone figured out
that computers could be used to take advantage of that
loophole on a
massive scale isn't super surprising. In the end though,
it's getting
fixed, perhaps slower than we'd all prefer, but still.
I have to conclude that ICANN has failed, simply failed,
and should be
returned to the US government. Perhaps the DHL would at
least solicit
for RFCs from the security community.
I'm not sure a shipping company really is the best place
to solicit...
or did you mean DHS? and why on gods green earth would you
want them
involved with this?
-chris
Gadi Evron
2008-06-28 05:47:05 UTC
Permalink
This is getting off-topic, so let's continue the discussion for a couple
more emails to see if we can bring it back on-topic to network operations,
and then stop if not?
Post by Tomas L. Byrnes
Which is good enough, in this case.
"What is the object of defense? Preservation. It is easier to hold
ground than take it. . . defense is the stronger form of waging war"
Carl Von Clausewitz
Which, while valid in many cases, some of them on the Internet, is in most
online cases--false. This is a statement by someone much lesser than
Clausewitz--me.

It is however, an educated opinion, and chronologically up to date.

Attack is a much easier form of fighting, online (let's leave war out of
it). For the sake of logic I will base this on two discussion points:

In security, all you need to attack is one hole, one vulnerability. As
a defender you need to defend against everything, anywhere. This is why
risk analysis exists, which brings us to another point from Karl--

Changing the words to fit our needs, Clausewitz also believed wars are
won by numbers, if you have more you win (Think the American Civil War).
Strategy starts when you have less numbers, by where you choose to apply
your forces--where it counts. Tying it with the point above is the basics
of risk analysis in military terms.

In security and information warfare, whlle numbers are "nice to have" and
make operations larger and more sophisticated--they are not necessary, our
rivals may be just a kid the same as they can be a nation-state. The cost
of entry is low, anonymity is potentially (under the right conditions)
assured.

In my article for the Georgetown Journal of International Affairs on the
war in Estonia, I mentioned how Martin van Creveld said decades ago how we
will be facing "organizations" rather than just countries. He was laughed
at and later obviously vidincated (think terrorism as one example).

Today it's much worse than that, and I state the game can be played by
individuals, ad-hoc groups and populations (not necessarily under any
flag or leadership, think Estonia).

Gadi.
Post by Tomas L. Byrnes
-----Original Message-----
Sent: Friday, June 27, 2008 8:33 PM
To: Tomas L. Byrnes
Subject: RE: ICANN opens up Pandora's Box of new TLDs
These issues are not separate and distinct, but rather related.
1: Recently registered domain.
2: Short TTL
3: Appearance in DShield, Shadowserver, Cyber-TA and other
sensor lists.
4: Invalid/Non-responsive RP info in Whois
Create a pretty good profile of someone you probably don't want to
accept traffic from.
Conflation is bad, recognizing that each metric has value, and some
correlation of membership in more than one set has even
more value, as
indicating a likely criminal node, is good.
YMMV.
I guess, if you have perfect malware signatures, code with
no errors,
accept traffic from everywhere.
Not quite, because you still won't know who to send the Marines to
kill.
The Internet is perfect for plausible deniability.
Gadi.
-----Original Message-----
Sent: Friday, June 27, 2008 7:23 PM
To: Roger Marquis
Subject: Re: ICANN opens up Pandora's Box of new TLDs
apply even cursory tests for domain name validity. Phishers and
spammers will have a field day with the inevitable namespace
collisions. It is, however, unfortunately consistent with ICANN's
inability to address other security issues such as fast
flush DNS,
domain tasting (botnets), and requiring valid domain contacts.
1) Fast flux
2) Botnets
3) Domain tasting
4) valid contact info
These are separate and distinct issues... I'd point out
that FastFlux
is actually sort of how Akamai does it's job (inconsistent dns
responses), Double-Flux (at least the traditional DF) isn't though
certainly Akamai COULD do something similar to Double-Flux (and
arguably does with some bits their services. The particular form
'Double-Flux' is certainly troublesome, but arguably
TOS/AUP info at
Registrars already deals with most of this because #4 in your list
would apply... That or use of the domain for clearly illicit ends.
Also, perhaps just not having Registrar's that solely deal in
criminal activities would make this harder to accomplish...
Botnets clearly are bad... I'm not sure they are related
to ICANN in
any real way though, so that seems like a red herring in the
discussion.
Domain tasting has solutions on the table (thanks drc for
linkages) but was a side effect of some
customer-satisfaction/buyers-remorse
loopholes placed in the regs... the fact that someone figured out
that computers could be used to take advantage of that
loophole on a
massive scale isn't super surprising. In the end though,
it's getting
fixed, perhaps slower than we'd all prefer, but still.
I have to conclude that ICANN has failed, simply failed,
and should be
returned to the US government. Perhaps the DHL would at
least solicit
for RFCs from the security community.
I'm not sure a shipping company really is the best place
to solicit...
or did you mean DHS? and why on gods green earth would you
want them
involved with this?
-chris
Gadi Evron
2008-06-28 05:49:27 UTC
Permalink
I forgot to change the subject line, apologies.
This is getting off-topic, so let's continue the discussion for a couple more
emails to see if we can bring it back on-topic to network operations, and
then stop if not?
Post by Tomas L. Byrnes
Which is good enough, in this case.
"What is the object of defense? Preservation. It is easier to hold
ground than take it. . . defense is the stronger form of waging war"
Carl Von Clausewitz
Which, while valid in many cases, some of them on the Internet, is in most
online cases--false. This is a statement by someone much lesser than
Clausewitz--me.
It is however, an educated opinion, and chronologically up to date.
Attack is a much easier form of fighting, online (let's leave war out of it).
In security, all you need to attack is one hole, one vulnerability. As a
defender you need to defend against everything, anywhere. This is why risk
analysis exists, which brings us to another point from Karl--
Changing the words to fit our needs, Clausewitz also believed wars are won by
numbers, if you have more you win (Think the American Civil War). Strategy
starts when you have less numbers, by where you choose to apply your
forces--where it counts. Tying it with the point above is the basics of risk
analysis in military terms.
In security and information warfare, whlle numbers are "nice to have" and
make operations larger and more sophisticated--they are not necessary, our
rivals may be just a kid the same as they can be a nation-state. The cost of
entry is low, anonymity is potentially (under the right conditions) assured.
In my article for the Georgetown Journal of International Affairs on the war
in Estonia, I mentioned how Martin van Creveld said decades ago how we will
be facing "organizations" rather than just countries. He was laughed at and
later obviously vidincated (think terrorism as one example).
Today it's much worse than that, and I state the game can be played by
individuals, ad-hoc groups and populations (not necessarily under any flag or
leadership, think Estonia).
Gadi.
Post by Tomas L. Byrnes
-----Original Message-----
Sent: Friday, June 27, 2008 8:33 PM
To: Tomas L. Byrnes
Subject: RE: ICANN opens up Pandora's Box of new TLDs
These issues are not separate and distinct, but rather related.
1: Recently registered domain.
2: Short TTL
3: Appearance in DShield, Shadowserver, Cyber-TA and other
sensor lists.
4: Invalid/Non-responsive RP info in Whois
Create a pretty good profile of someone you probably don't want to
accept traffic from.
Conflation is bad, recognizing that each metric has value, and some
correlation of membership in more than one set has even
more value, as
indicating a likely criminal node, is good.
YMMV.
I guess, if you have perfect malware signatures, code with
no errors,
accept traffic from everywhere.
Not quite, because you still won't know who to send the Marines to
kill.
The Internet is perfect for plausible deniability.
Gadi.
-----Original Message-----
Sent: Friday, June 27, 2008 7:23 PM
To: Roger Marquis
Subject: Re: ICANN opens up Pandora's Box of new TLDs
apply even cursory tests for domain name validity. Phishers and
spammers will have a field day with the inevitable namespace
collisions. It is, however, unfortunately consistent with ICANN's
inability to address other security issues such as fast
flush DNS,
domain tasting (botnets), and requiring valid domain contacts.
1) Fast flux
2) Botnets
3) Domain tasting
4) valid contact info
These are separate and distinct issues... I'd point out
that FastFlux
is actually sort of how Akamai does it's job (inconsistent dns
responses), Double-Flux (at least the traditional DF) isn't though
certainly Akamai COULD do something similar to Double-Flux (and
arguably does with some bits their services. The particular form
'Double-Flux' is certainly troublesome, but arguably
TOS/AUP info at
Registrars already deals with most of this because #4 in your list
would apply... That or use of the domain for clearly illicit ends.
Also, perhaps just not having Registrar's that solely deal in
criminal activities would make this harder to accomplish...
Botnets clearly are bad... I'm not sure they are related
to ICANN in
any real way though, so that seems like a red herring in the
discussion.
Domain tasting has solutions on the table (thanks drc for
linkages) but was a side effect of some
customer-satisfaction/buyers-remorse
loopholes placed in the regs... the fact that someone figured out
that computers could be used to take advantage of that
loophole on a
massive scale isn't super surprising. In the end though,
it's getting
fixed, perhaps slower than we'd all prefer, but still.
I have to conclude that ICANN has failed, simply failed,
and should be
returned to the US government. Perhaps the DHL would at
least solicit
for RFCs from the security community.
I'm not sure a shipping company really is the best place
to solicit...
or did you mean DHS? and why on gods green earth would you
want them
involved with this?
-chris
Loading...