Educause Security Discussion mailing list archives
Re: Honeypot in Netherlands mirroring entire DNS structures for some .edu's
From: "Mclaughlin, Kevin L (mclaugkl)" <mclaugkl () UCMAIL UC EDU>
Date: Mon, 20 Nov 2006 13:12:20 -0500
But these are legitimate and probably registered (in their country) European registered domains, and you are causing them a Denial of Service if you prevent people from reaching them. I would think that our European friends would not be happy with that approach.

-Kevin

________________________________
From: Alan Whinery [mailto:whinery () HAWAII EDU]
Sent: Sat 11/18/2006 6:05 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Honeypot in Netherlands mirroring entire DNS structures for some .edu's

Hi everybody,

I just joined this listserv, after hearing this thread referred to by a number of people around the University of Hawaii. I think that there are a couple of points missing.

"Type-alikes", typo domains, and probably other names are causes of increasing concern for everyone, especially those that deal with sensitive information, with regard to finance or privacy, or etc. I have not seen any evidence of honeypots, or "mirroring" or etc, in examining the .EU TLD problem, although it certainly is a concern. I first noticed it (October 29th) while doing a survey of all DNS answers passing our main ingress/egress point*. From what I have seen, someone in our network mis-types *.hawaii.eu about once per day, which is a very very small percentage of the total lookups.

It's not a new problem -- many high profile web presences have registered their likely typo-domains; consider www.gogole.com and www.gogle.com, which all lead to Google's main search home page. If you're really clumsy, or playful, or something, you might type www.ggoole.com by mistake, and you find a familiar looking thing. It's a placeholder web page which really doesn't represent an active domain, but neither does it simply say, "this domain name is taken". There are many thousands, possibly millions of such pages on the Internet, and I've always wondered what their real purpose was, until a few months ago.

My girlfriend, who is an avid business woman, told me a story about a friend who paid for a family vacation with money obtained by hosting banner ads on her web site. Initially I was skeptical, and although I had heard about money-for-clicks, I thought that you probably had to be MSN or Yahoo to get the volume necessary, but then sometimes there is hit-volume in the clumsiness of others. Since I am the obvious resource to consult on how to have banner ads pay for our next family vacation, I was directed to research it. The phenomenon is called "Affiliate Marketing" ( http://en.wikipedia.org/wiki/Affiliate_marketing ).

If you doubt the value of simply getting your info in front of as many eyes as possible, consider the increasingly intrusive marketing culture, consider SPAM, consider the introduction of promos at the bottom of the screen during TV programming, partly because people with DVRs are fast forwarding through commercial breaks. Consider the stock tips that show up on your fax machine. Why is there so much SPAM-mail in the world? Because it works, that's why.

Now pretend that you're an affiliate marketer, and you're scouring the Earth for every opportunity to direct clicks to clients. Voila! www.hawaii.eu. Most of the domain speculation buyers aren't buying domain names because they're looking to sell them later. They're catching stray clicks. Yes, there may be more insidious things afoot, but the statistics of catching a typo from something that will provide any useful steal-able info is very very small. Still, I make use of my LiveDeskTop or whatever it's called in my office to link to my stock trading account, bank, etc, just because I have paranoia about some phisher crouching on a mis-spelled domain and getting into my finances.

I never click on, copy or paste anything from an email message; I type it myself, mostly because of the more insidious character substitution lookalikes, which replace letter O with number 0, or letter L (lowercase l) with number 1, etc, but that's different from a typo on my part.

What I have proposed here at UH is to set up false SOAs for hawaii.eu in our name server and make an empty DNS zone that causes name lookups to Hawaii.eu to fail. I think that it's a bad idea to simply forward them to the correctly spelled page, because that would pollute browser histories and other caches. This strategy will only work for those that query our DNS servers -- our customers, but they're probably the vast majority of hits on *.hawaii.edu (and .eu). Whether others want to consider this is up to them.

This is not an official recommendation by the University Of Hawaii, and I'm not going to give you the URL for my girlfriend's (save on stylish personal accessories -- direct to you!) web site, either.

Alan Whinery
Chief Internet Engineer
University Of Hawaii System
(Not part of the European Union)

* capture all DNS packets which contain answers:
tcpdump -s 1500 -w allanswers`date +%F `.cap port 53 and udp and 'udp[14:2] !=0'
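The survey Alan describes (keep only DNS messages with a non-zero answer count, then look for names under the typo domain) can be reproduced on the decoded UDP payloads. The following is an added example, not code from the thread or from the University of Hawaii; the watched suffix list and the sample messages are constructed for illustration.

```python
import struct
from collections import Counter

WATCH_SUFFIXES = (".hawaii.eu",)  # assumed typo-domain suffixes under surveillance

def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def build_message(name, answer_ip=None):
    """Constructed DNS message: a plain query, or a response carrying one A record."""
    ancount = 1 if answer_ip else 0
    header = struct.pack("!HHHHHH", 0x1234, 0x8180 if answer_ip else 0x0100, 1, ancount, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    answer = b""
    if answer_ip:
        rdata = bytes(int(o) for o in answer_ip.split("."))
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata  # name ptr to qname
    return header + question + answer

def decode_name(msg, off):
    """Read an uncompressed question name starting at off; return (name, next offset)."""
    labels = []
    while True:
        n = msg[off]; off += 1
        if n == 0:
            break
        labels.append(msg[off:off + n].decode()); off += n
    return ".".join(labels), off

def is_answer(msg):
    """Same test as tcpdump's 'udp[14:2] != 0': ANCOUNT at DNS header offset 6 is non-zero."""
    return len(msg) >= 12 and struct.unpack("!H", msg[6:8])[0] != 0

def tally_typo_hits(messages):
    """Count answered lookups whose question name falls under a watched suffix."""
    hits = Counter()
    for msg in messages:
        if not is_answer(msg):
            continue  # queries and empty responses are dropped, as the BPF filter does
        qname, _ = decode_name(msg, 12)
        if any(("." + qname).lower().endswith(s) for s in WATCH_SUFFIXES):
            hits[qname.lower()] += 1
    return hits

# Constructed sample: two answered typo lookups, one correct-domain answer, one unanswered query.
SAMPLE = [build_message("www.hawaii.eu", "192.0.2.10"), build_message("www.hawaii.edu", "192.0.2.20"),
          build_message("www.hawaii.eu"), build_message("mail.hawaii.eu", "192.0.2.30")]

if __name__ == "__main__":
    print(tally_typo_hits(SAMPLE))
```

Run against real traffic, the same functions apply to the UDP payload of each packet in the capture, and the tally shows how often resolver clients actually wander into the typo domain before deciding whether an empty sinkhole zone is worth the trouble.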