Educause Security Discussion mailing list archives

Re: Honeypot in Netherlands mirroring entire DNS structures for some .edu's


From: "Mclaughlin, Kevin L (mclaugkl)" <mclaugkl () UCMAIL UC EDU>
Date: Mon, 20 Nov 2006 13:12:20 -0500

But these are legitimate and probably registered (in their country) European domains, and you are causing 
them a Denial of Service if you prevent people from reaching them.  I would think that our European friends would not 
be happy with that approach.
 
-Kevin
 

________________________________

From: Alan Whinery [mailto:whinery () HAWAII EDU]
Sent: Sat 11/18/2006 6:05 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Honeypot in Netherlands mirroring entire DNS structures for some .edu's



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi everybody,

I just joined this listserv, after hearing this thread referred to by a
number of people around the University of Hawaii. I think that there are
a couple of points missing.

"Type-alikes", typo domains, and probably other names, are causes of
increasing concern for everyone, especially those that deal with
sensitive information, with regard to finance or privacy, etc.

I have not seen any evidence of honeypots, or "mirroring", etc., in
examining the .EU TLD problem, although it certainly is a concern. I
first noticed it (October 29th) while doing a survey of all DNS answers
passing our main ingress/egress point*. From what I have seen, someone
in our network mis-types *.hawaii.eu about once per day, which is a very
very small percentage of the total lookups.

It's not a new problem -- many high profile web presences have
registered their likely typo-domains, consider www.gogole.com,
www.gogle.com, which all lead to Google's main search home page.

If you're really clumsy, or playful, or something, you might type
www.ggoole.com, by mistake, and you find a familiar looking thing. It's
a placeholder web page which really doesn't represent an active domain,
but neither does it simply say, "this domain name is taken".

There are many thousands, possibly millions of such pages on the
Internet, and I've always wondered what their real purpose was, until a
few months ago. My girlfriend, who is an avid businesswoman, told me a
story about a friend, who paid for a family vacation with money obtained
by hosting banner ads on her web site. Initially I was skeptical, and
although I had heard about money-for-clicks, I thought that you probably
had to be MSN or Yahoo to get the volume necessary, but then sometimes
there is hit-volume in the clumsiness of others. Since I am the obvious
resource to consult on how to have banner ads pay for our next family
vacation, I was directed to research it. The phenomenon is called
"Affiliate Marketing" ( http://en.wikipedia.org/wiki/Affiliate_marketing ).

If you doubt the value of simply getting your info in front of as many
eyes as possible, consider the increasingly intrusive marketing culture,
consider SPAM, consider the introduction of promos at the bottom of the
screen during TV programming, partly because people with DVR's are fast
forwarding through commercial breaks. Consider the stock tips that show
up on your fax machine. Why is there so much SPAM-mail in the world?
Because it works, that's why.

Now pretend that you're an affiliate marketer, and you're scouring the
Earth for every opportunity to direct clicks to clients. Voila!
www.hawaii.eu. Most of the domain speculation buyers aren't buying
domain names because they're looking to sell them later. They're
catching stray clicks.

Yes, there may be more insidious things afoot, but the statistics of
catching a typo from something that will provide any useful steal-able
info is very very small. Still, I make use of my LiveDeskTop or whatever
it's called in my office to link to my stock trading account, bank, etc,
just because I have paranoia about some phisher crouching on a
mis-spelled domain and getting into my finances. I never click on, copy
or paste anything from an email message, I type it myself, mostly
because of the more insidious character substitution lookalikes, which
replace letter O with number 0, or letter L (lowercase l) with number 1,
etc., but that's different from a typo on my part.

What I have proposed here at UH is to set up false SOAs for hawaii.eu in
our name server and make an empty DNS zone that causes name lookups to
Hawaii.eu to fail. I think that it's a bad idea to simply forward them
to the correctly spelled page, because that would pollute browser
histories and other caches. This strategy will only work for those that
query our DNS servers -- our customers, but they're probably the vast
majority of hits on *.hawaii.edu (and .eu). Whether others want to
consider this is up to them. This is not an official recommendation by
the University Of Hawaii, and I'm not going to give you the URL for my
girlfriend's (save on stylish personal accessories -- direct to you!) web
site, either.

Alan Whinery
Chief Internet Engineer
University Of Hawaii System
(Not part of the European Union)

* capture all DNS packets which contain answers:

tcpdump -s 1500 -w "allanswers$(date +%F).cap" port 53 and udp and 'udp[14:2] != 0'
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD4DBQFFX5HMo0Fj2RHXjC4RAoz4AJ4tUr3wPEKgjMfwe/CzHs+ITu1MYQCY7dVM
8eWjCABt0qFrl1ns8WbD1A==
=Ni14
-----END PGP SIGNATURE-----

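The footnoted tcpdump filter relies on a detail worth spelling out: tcpdump's udp[] offsets count from the start of the UDP header, which is 8 bytes long, so udp[14:2] is bytes 6 and 7 of the DNS message, the ANCOUNT field; any datagram with a non-zero answer count is a response that actually carried records. The following added example (not the author's tooling) reproduces that test in Python, parses the question name out of such a response, and tallies answered queries under a watched typo zone, which is the survey described in the message. It also builds an NXDOMAIN response with no answers, the shape a resolver would hand back for names under the empty hawaii.eu zone the author proposes. The datagrams are constructed in the code and the IP addresses, ports and transaction IDs are assumptions chosen for illustration.

```python
"""DNS answer survey helpers (added example, not code from the thread)."""
import struct

UDP_HEADER_LEN = 8       # tcpdump's udp[] offsets start at the UDP header
DNS_ANCOUNT_OFFSET = 6   # DNS header: ID(2) FLAGS(2) QDCOUNT(2) ANCOUNT(2) NSCOUNT(2) ARCOUNT(2)


def ancount_from_udp(udp_datagram):
    """Equivalent of the BPF test udp[14:2]: the ANCOUNT field of the DNS message."""
    off = UDP_HEADER_LEN + DNS_ANCOUNT_OFFSET
    return struct.unpack("!H", udp_datagram[off:off + 2])[0]


def has_answers(udp_datagram):
    """True for datagrams the filter 'udp[14:2] != 0' would capture."""
    return ancount_from_udp(udp_datagram) != 0


def encode_name(name):
    """Wire-format a hostname as length-prefixed labels ending in a zero byte."""
    out = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(msg, off):
    """Decode a name at msg[off], following compression pointers; returns (name, next_offset)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def build_udp_dns_response(txid, qname, answer_ip=None, rcode=0):
    """Construct UDP header + DNS response. With answer_ip: one A record.
    With rcode=3 and no answer_ip: an NXDOMAIN with ANCOUNT 0 (as an empty zone yields)."""
    flags = 0x8180 | rcode                            # QR=1, RD=1, RA=1
    ancount = 1 if answer_ip else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN
    answer = b""
    if answer_ip:
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)   # ptr to QNAME, A, IN, TTL, RDLEN
        answer += bytes(int(x) for x in answer_ip.split("."))
    dns = header + question + answer
    udp = struct.pack("!HHHH", 53, 40123, UDP_HEADER_LEN + len(dns), 0)   # sport, dport, len, cksum
    return udp + dns


def parse_answer(udp_datagram):
    """Pull id, rcode, question name/type and answer count out of a response."""
    dns = udp_datagram[UDP_HEADER_LEN:]
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", dns[:12])
    qname, off = decode_name(dns, 12)
    qtype, _qclass = struct.unpack("!HH", dns[off:off + 4])
    return {"id": txid, "rcode": flags & 0xF, "qname": qname, "qtype": qtype, "ancount": an}


def survey(datagrams, watched_suffixes):
    """Count answered responses whose question name falls under each watched zone."""
    counts = {}
    for d in datagrams:
        if not has_answers(d):
            continue
        qname = parse_answer(d)["qname"]
        for suf in watched_suffixes:
            if qname == suf or qname.endswith("." + suf):
                counts[suf] = counts.get(suf, 0) + 1
    return counts


# Constructed sample traffic (assumption): one typo hit, one blackholed lookup, one normal lookup.
SAMPLE = [
    build_udp_dns_response(0x1234, "www.hawaii.eu", "192.0.2.10"),
    build_udp_dns_response(0x1235, "www.hawaii.eu", rcode=3),
    build_udp_dns_response(0x1236, "www.hawaii.edu", "192.0.2.11"),
]

if __name__ == "__main__":
    print(survey(SAMPLE, ["hawaii.eu"]))
```

Reading a real capture means stripping the Ethernet and IP headers first (for example with a pcap library) before handing the UDP datagram to these functions; the offsets above are only valid from the UDP header onward, exactly as in the tcpdump expression.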