If you read the comments, you'll note
that they didn't even get the 'take-over' right.
In fact, the M$ servers listed as 'authoritative' tried to
implement a selective forwarding/proxy service, since they
didn't have the zone data. This is non-trivial. The DNS is not
architected for meddling, and as many who have tried to implement
load balancers, typo-trappers, ad inserters and other forms of
meddling have found out, 'there be dragons there'.

Now imagine such an attempt in a DNSSEC-secured domain. Or one of
those new TLDs. How about .ru or .cn (hotbeds of crime)? Or the
biggest source of crime - .com?

Botnets certainly are a menace, and deserve attention. However,
attacking the DNS seems to be in vogue as it's the thing best
known to the law enforcement community. As this case shows, many
innocent users of no-ip had their operations disrupted. And the
fixes aren't trivial for them. Consider the one in the comments
who uses X.509 certificates for security (a good thing), and was
told 'just get another domain name'. And re-issue all
certificates to his users. Oh, and by the way, if the technical
person is traveling when this happens, oops, there's no way to
make the server-side changes.

A more reasonable approach would have been to monitor the traffic
to the botnet hubs and black-hole route the infected IP
addresses. That would have required some technical sophistication
and work. But it was easier for LEO/M$ to attack the DNS - there
being no penalty for collateral damage.

"When the only tool one has is a hammer, every problem looks like
a nail"; er, um, 'When the only part of the internet that is well
known is the DNS, attacking is the solution to all ills.' The
LEOs/courts know about the DNS...

All of the DNS community - not just NCSG - should be up in arms
about this. LEOs need to be educated. Better methods for going
after the miscreants/criminals need to be developed. And the DNS
needs to be defended from these sorts of well-intentioned, but
technically incompetent attacks made in the name of fighting
crime. Crime fighters should adopt the Hippocratic oath...

"First, do no harm"

Timothe Litt
ACM Distinguished Engineer
--------------------------
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed.
On 08-Jul-14 11:31, Seun Ojedeji wrote: