Educause Security Discussion mailing list archives
Re: Honeypot in Netherlands mirroring entire DNS structures for some .edu's
From: "Mclaughlin, Kevin L (mclaugkl)" <mclaugkl () UCMAIL UC EDU>
Date: Mon, 20 Nov 2006 13:49:25 -0500
My point is, and will continue to be, that the EU domain is a legitimate European domain that is run and managed in Europe. EU is an actual extension just like .com, .org, .edu, etc. with over 2 million users, and since we don't have international domain law (to my knowledge) how is it our right to say whether other countries can use an extension or not? If I am living and working in Europe and want to use hawaii.eu, why would hawaii.com or hawaii.org, or hawaii.edu have the right to deny me the right to do so? If hawaii.edu can deny my right to use hawaii.eu, doesn't that mean I can also deny their right to use hawaii.edu, or is it simply because they are North American based that gives them the right to say what names I can use for my .EU domains?

To reiterate my previous email: when doing some research on this it sure seems to me that the European Union has given legitimacy to the usage of .eu as a domain name. Excerpt from the Web:

"With ".eu" companies and citizens from the European Union have an additional choice for their web or email address. Registration for the new Top Level web Domain .eu began on 7 December 2005 with a 4-month "sunrise" period. During this time only the holders of existing trademarks or other prior rights could register. Registrations for .eu is fully open to the public as from 7 April 2006.

From 7 April 2006, any resident within the European Union can register a domain name without the need to search for any prior rights.

If you are interested in a .eu domain name, you are advised to get in touch with an accredited registrar. Eurid maintains a growing list <http://list.eurid.eu/registrars/ListRegistrars.htm?lang=en> of companies that are entitled to offer ".eu" domain names."

Personally, I would think long and hard before I caused a denial of service to any site with a legitimate and recognized .EU extension.

-Kevin

________________________________

From: John C. A. Bambenek [mailto:bambenek () CONTROL CSL UIUC EDU]
Sent: Mon 11/20/2006 1:22 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Honeypot in Netherlands mirroring entire DNS structures for some .edu's

At what point did we start considering (at best) domain squatters to be legitimate? At what point do I need to start practicing "most privilege" to ensure maximum vulnerability to malicious users, simply because "our European friends" can't clean up their own house? Have we all simply given up information security and decided our time would be spent better running around with McAfee CDs and tweaking our spam filters?

-----Original Message-----
From: Mclaughlin, Kevin L (mclaugkl) [mailto:mclaugkl () UCMAIL UC EDU]
Sent: Monday, November 20, 2006 12:12 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Honeypot in Netherlands mirroring entire DNS structures for some .edu's

But these are legitimate and probably registered (in their country) European registered domains, and you are causing them a Denial of Service if you prevent people from reaching them. I would think that our European friends would not be happy with that approach.

-Kevin

________________________________

From: Alan Whinery [mailto:whinery () HAWAII EDU]
Sent: Sat 11/18/2006 6:05 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Honeypot in Netherlands mirroring entire DNS structures for some .edu's

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi everybody,

I just joined this listserv, after hearing this thread referred to by a number of people around the University of Hawaii. I think that there are a couple of points missing.

"Type-alikes", typo domains, probably other names, are causes of increasing concern for everyone, especially those that deal with sensitive information, with regard to finance or privacy, etc. I have not seen any evidence of honeypots, or "mirroring", etc., in examining the .EU TLD problem, although it certainly is a concern. I first noticed it (October 29th) while doing a survey of all DNS answers passing our main ingress/egress point*. From what I have seen, someone in our network mis-types *.hawaii.eu about once per day, which is a very very small percentage of the total lookups.

It's not a new problem -- many high profile web presences have registered their likely typo-domains; consider www.gogole.com, www.gogle.com, which all lead to Google's main search home page. If you're really clumsy, or playful, or something, you might type www.ggoole.com by mistake, and you find a familiar looking thing. It's a placeholder web page which really doesn't represent an active domain, but neither does it simply say, "this domain name is taken". There are many thousands, possibly millions of such pages on the Internet, and I've always wondered what their real purpose was, until a few months ago. My girlfriend, who is an avid business woman, told me a story about a friend, who paid for a family vacation with money obtained by hosting banner ads on her web site.

Initially I was skeptical, and although I had heard about money-for-clicks, I thought that you probably had to be MSN or Yahoo to get the volume necessary, but then sometimes there is hit-volume in the clumsiness of others. Since I am the obvious resource to consult on how to have banner ads pay for our next family vacation, I was directed to research it. The phenomenon is called "Affiliate Marketing" ( http://en.wikipedia.org/wiki/Affiliate_marketing ). If you doubt the value of simply getting your info in front of as many eyes as possible, consider the increasingly intrusive marketing culture, consider SPAM, consider the introduction of promos at the bottom of the screen during TV programming, partly because people with DVRs are fast forwarding through commercial breaks. Consider the stock tips that show up on your fax machine. Why is there so much SPAM-mail in the world? Because it works, that's why.

Now pretend that you're an affiliate marketer, and you're scouring the Earth for every opportunity to direct clicks to clients. Voila! www.hawaii.eu. Most of the domain speculation buyers aren't buying domain names because they're looking to sell them later. They're catching stray clicks. Yes, there may be more insidious things afoot, but the statistics of catching a typo from something that will provide any useful steal-able info is very very small. Still, I make use of my LiveDeskTop or whatever it's called in my office to link to my stock trading account, bank, etc., just because I have paranoia about some phisher crouching on a mis-spelled domain and getting into my finances. I never click on, copy or paste anything from an email message, I type it myself, mostly because of the more insidious character substitution lookalikes, which replace letter O with number 0, or letter L (lowercase l) with number 1, etc., but that's different from a typo on my part.

What I have proposed here at UH is to set up false SOAs for hawaii.eu in our name server and make an empty DNS zone that causes name lookups to Hawaii.eu to fail. I think that it's a bad idea to simply forward them to the correctly spelled page, because that would pollute browser histories and other caches. This strategy will only work for those that query our DNS servers -- our customers, but they're probably the vast majority of hits on *.hawaii.edu (and .eu). Whether others want to consider this is up to them. This is not an official recommendation by the University Of Hawaii, and I'm not going to give you the URL for my girlfriend's (save on stylish personal accessories -- direct to you!) web site, either.

Alan Whinery
Chief Internet Engineer
University Of Hawaii System
(Not part of the European Union)

* capture all DNS packets which contain answers:

tcpdump -s 1500 -w allanswers`date +%F `.cap port 53 and udp and 'udp[14:2] !=0'

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD4DBQFFX5HMo0Fj2RHXjC4RAoz4AJ4tUr3wPEKgjMfwe/CzHs+ITu1MYQCY7dVM
8eWjCABt0qFrl1ns8WbD1A==
=Ni14
-----END PGP SIGNATURE-----
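The two technical pieces in Alan's message, worked through as an added example (my code, not anything posted in the thread): the tcpdump filter `udp[14:2] != 0` selects DNS messages whose answer count is non-zero, so the script below parses such responses from the wire format, flags queried names whose last two labels are one edit away from a domain we run (the hawaii.eu vs hawaii.edu case), and emits the text of the empty SOA-only zone he proposes loading into a resolver. Assumptions: the protected-domain list, "registrable name = last two labels" (no public-suffix list), BIND zone syntax with a localhost NS, and the sample packets, which are constructed by hand so the script runs offline.

```python
"""Added example, not code from the thread. Parses the DNS responses that the
tcpdump filter selects (UDP/53, answer count != 0), flags queried names one
edit away from a domain we run, and emits the empty zone Alan proposes.
All sample packets are constructed by hand so this runs offline."""
import struct

PROTECTED = ("hawaii.edu",)   # assumption: the domains whose lookalikes we watch

def encode_name(name):
    """Dotted name -> DNS wire format (only used to build sample packets)."""
    return b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in name.split(".")) + b"\x00"

def parse_name(data, offset):
    """Decode a wire-format name at offset, following 0xC0 compression pointers.
    Returns (dotted name, offset just past the name field)."""
    labels, end, hops = [], None, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer
            hops += 1
            if hops > 16:                              # refuse looping pointers
                raise ValueError("compression pointer loop")
            if end is None:
                end = offset + 2                       # resume here after the jump
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii").lower())
        offset += length
    return ".".join(labels), (end if end is not None else offset)

def parse_response(data):
    """Return (first qname, ANCOUNT) for a message with the QR bit set, else None."""
    if len(data) < 12:
        return None
    _id, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if not flags & 0x8000:                             # a query, not a response
        return None
    qname, offset = None, 12
    for _ in range(qdcount):
        qname, offset = parse_name(data, offset)
        offset += 4                                    # skip QTYPE and QCLASS
    return qname, ancount

def edit_distance(a, b):
    """Levenshtein distance: insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike(qname):
    """Protected domain within one edit of qname's last two labels, else None.
    Assumption: no public-suffix list, so two-level ccTLDs would need more care."""
    registrable = ".".join(qname.split(".")[-2:])
    for protected in PROTECTED:
        if registrable != protected and edit_distance(registrable, protected) <= 1:
            return protected
    return None

def scan(packets):
    """Keep responses with ANCOUNT != 0 (the tcpdump condition) and return
    (qname, protected domain) pairs for lookalike names that got answers."""
    hits = []
    for pkt in packets:
        parsed = parse_response(pkt)
        if parsed and parsed[1] and (protected := lookalike(parsed[0])):
            hits.append((parsed[0], protected))
    return hits

def empty_zone(domain, ns="localhost."):
    """BIND-syntax empty zone (SOA and NS only): a resolver that loads it
    answers NXDOMAIN for every name under `domain`. Assumption: BIND syntax."""
    return (f"$TTL 3600\n@ IN SOA {ns} hostmaster.{domain}. 1 3600 900 604800 3600\n"
            f"@ IN NS {ns}\n")

def build_response(qname, ip):
    """Constructed sample response with one A record (0xC00C points at the qname)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(octet) for octet in ip.split("."))
    return header + question + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata

# Constructed traffic: a typo answered by the lookalike domain, a correct lookup,
# and a bare query (QR=0) that the filter condition must skip.
SAMPLE_PACKETS = [
    build_response("www.hawaii.eu", "192.0.2.10"),
    build_response("www.hawaii.edu", "198.51.100.5"),
    struct.pack("!HHHHHH", 7, 0x0100, 1, 0, 0, 0)
    + encode_name("www.hawai.edu") + b"\x00\x01\x00\x01",
]

if __name__ == "__main__":
    for qname, protected in scan(SAMPLE_PACKETS):
        print(f"answer seen for lookalike {qname} (near {protected})")
    print(empty_zone("hawaii.eu"), end="")
```

Feeding real captures means stripping the Ethernet/IP/UDP headers from each packet in the pcap before calling `parse_response`; the empty zone only changes answers for clients that use the resolver loading it, which is the same limitation Alan notes.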