NCSG-DISCUSS Archives

NCSG-DISCUSS@LISTSERV.SYR.EDU
Subject:
From: Timothe Litt <[log in to unmask]>
Reply To: Timothe Litt <[log in to unmask]>
Date: Tue, 8 Jul 2014 12:02:27 -0400
Content-Type: multipart/signed
Parts/Attachments: text/plain (4 kB), text/html (8 kB), smime.p7s (5 kB)

If you read the comments, you'll note that they didn't even get the
'take-over' right.

In fact, the M$ servers listed as 'authoritative' tried to implement a
selective forwarding/proxy service, since they didn't have the zone
data.  This is non-trivial.  The DNS is not architected for meddling,
and as many who have tried to implement load balancers, typo-trappers,
ad inserters and other forms of meddling have found out, 'there be
dragons there'.

Now imagine such an attempt in a DNSSEC-secured domain.  Or one of those
new TLDs.  How about .ru or .cn (hotbeds of crime)?  Or the biggest
source of crime - .com?

Botnets certainly are a menace, and deserve attention.  However,
attacking the DNS seems to be in vogue, as it's the thing best known to
the law enforcement community.  As this case shows, many innocent users
of no-ip had their operations disrupted.  And the fixes aren't trivial
for them.  Consider the one in the comments who uses X.509 certificates
for security (a good thing), and was told 'just get another domain
name'.  And re-issue all certificates to his users.  Oh, and by the way,
if the technical person is traveling when this happens, oops, there's no
way to make the server-side changes.

A more reasonable approach would have been to monitor the traffic to the
botnet hubs and black-hole route the infected IP addresses.  That would
have required some technical sophistication and work.  But it was easier
for LEO/M$ to attack the DNS, there being no penalty for collateral
damage.

"When the only tool one has is a hammer, every problem looks like a
nail"; er, um, 'When the only part of the internet that is well known is
the DNS, attacking is the solution to all ills.'  The LEOs/courts know
about the DNS...

All of the DNS community, not just NCSG, should be up in arms about
this.  LEOs need to be educated.  Better methods for going after the
miscreants/criminals need to be developed.  And the DNS needs to be
defended from these sorts of well-intentioned, but technically
incompetent attacks made in the name of fighting crime.  Crime fighters
should adopt the Hippocratic oath... "First, do no harm."

Timothe Litt
ACM Distinguished Engineer
--------------------------
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed.

On 08-Jul-14 11:31, Seun Ojedeji wrote:
> Hello Timothe,
>
> Thanks for bringing this up here; when I first read the news of
> Microsoft hijacking the no-ip domain, the first technical question that
> came to mind was: is Microsoft now some form of a hacker, because I
> was just wondering how they took over without any form of
> authorisation from the domain owner. However, I guess the section below
> from your URL clears it up for me:
>
>     Under the terms of the court decision, the DNS lookups for the
>     domains were passed to Microsoft's name servers, with the plan
>     being that Redmond would filter out No-IP subdomains linked to
>     malicious activity and let legitimate subdomains resolve as expected.
>
>
> Having cleared up the technical side of the story, the question now is
> whether no-ip should be bound to respond to such a call from Microsoft,
> especially since it's not an act of no-ip itself but of its users. One
> could liken this to running botnets on systems that exist on a large
> ISP network to attack a particular organisation. Does the victim sue
> the ISP or the users who don't even know they are botnet nodes?
>
> Cheers!
>
>
> On Tue, Jul 8, 2014 at 3:51 PM, Timothe Litt <[log in to unmask]
> <mailto:[log in to unmask]>> wrote:
>
>     I haven't been following things here for a while, so sorry if this has
>     already been noticed.
>
>     If not, here's a case of judicial interference with the DNS, coupled
>     with incompetent 'solutions'.
>
>     This is highly relevant to the ncsg constituency as many
>     non-commercial users live with dynamic IP addresses, using services
>     such as no-ip to have stable names in the DNS.
>
>     Of course, our terms of membership can be read to exclude these
>     users - but note that there's nothing to prevent a similar action
>     being taken against direct holders of domain names...
>
>     Here's the story:
>     http://www.theregister.co.uk/2014/07/01/sorry_chaps_microsoft_unborks_legitimate_noip_users_domains/
>
>     The comments provide more detail, which for technical readers is
>     tragic.
>
>     --
>     Timothe Litt
>     ACM Distinguished Engineer
>     --------------------------
>     This communication may not represent the ACM or my employer's views,
>     if any, on the matters discussed.
>
> --
> ------------------------------------------------------------------------
>
>     Seun Ojedeji,
>     Federal University Oye-Ekiti
>     web:      http://www.fuoye.edu.ng
>     Mobile: +2348035233535
>     alt email: [log in to unmask] <mailto:[log in to unmask]>
>
>         The key to understanding is humility - my view !