Educause Security Discussion mailing list archives

Re: Honeypot in Netherlands mirroring entire DNS structures for some .edu's


From: "John C. A. Bambenek" <bambenek () CONTROL CSL UIUC EDU>
Date: Mon, 20 Nov 2006 12:22:49 -0600

At what point did we start considering (at best) domain squatters to be
legitimate?

At what point do I need to start practicing "most privilege" to ensure
maximum vulnerability to malicious users, simply because "our European
friends" can't clean up their own house?

Have we all simply given up information security and decided our time would
be spent better running around with McAfee CDs and tweaking our spam
filters?

-----Original Message-----
From: Mclaughlin, Kevin L (mclaugkl) [mailto:mclaugkl () UCMAIL UC EDU]
Sent: Monday, November 20, 2006 12:12 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Honeypot in Netherlands mirroring entire DNS
structures for some .edu's

But these are legitimate and probably registered (in their country) European
registered domains and you are causing them a Denial of Service if you
prevent people from reaching them.  I would think that our European friends
would not be happy with that approach.

-Kevin


________________________________

From: Alan Whinery [mailto:whinery () HAWAII EDU]
Sent: Sat 11/18/2006 6:05 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Honeypot in Netherlands mirroring entire DNS
structures for some .edu's



Hi everybody,

I just joined this listserv, after hearing this thread referred to by a
number of people around the University of Hawaii. I think that there are a
couple of points missing.

"Type-alikes", typo domains, probably other names, are causes of increasing
concern for everyone, especially those that deal with sensitive information,
with regard to finance or privacy, or etc.

I have not seen any evidence of honeypots, or "mirroring" or etc, in
examining the .EU TLD problem, although it certainly is a concern. I first
noticed it (October 29th) while doing a survey of all DNS answers passing
our main ingress/egress point*. From what I have seen, someone in our
network mis-types *.hawaii.eu about once per day, which is a very very small
percentage of the total lookups.

It's not a new problem -- many high profile web presences have registered
their likely typo-domains, consider www.gogole.com, www.gogle.com, which all
lead to Google's main search home page.

If you're really clumsy, or playful, or something, you might type
www.ggoole.com, by mistake, and you find a familiar looking thing. It's a
placeholder web page which really doesn't represent an active domain, but
neither does it simply say, "this domain name is taken".

There are many thousands, possibly millions of such pages on the Internet,
and I've always wondered what their real purpose was, until a few months
ago. My girlfriend, who is an avid business woman, told me a story about a
friend, who paid for a family vacation with money obtained by hosting
banner ads on her web site. Initially I was skeptical, and although I had
heard about money-for-clicks, I thought that you probably had to be MSN or
Yahoo to get the volume necessary, but then sometimes there is hit-volume in
the clumsiness of others. Since I am the obvious resource to consult on how
to have banner ads pay for our next family vacation, I was directed to
research it. The phenomenon is called "Affiliate Marketing" (
http://en.wikipedia.org/wiki/Affiliate_marketing ).

If you doubt the value of simply getting your info in front of as many eyes
as possible, consider the increasingly intrusive marketing culture, consider
SPAM, consider the introduction of promos at the bottom of the screen during
TV programming, partly because people with DVR's are fast forwarding through
commercial breaks. Consider the stock tips that show up on your fax machine.
Why is there so much SPAM-mail in the world?
Because it works, that's why.

Now pretend that you're an affiliate marketer, and you're scouring the Earth
for every opportunity to direct clicks to clients. Voila!
www.hawaii.eu. Most of the domain speculation buyers aren't buying domain
names because they're looking to sell them later. They're catching stray
clicks.

Yes, there may be more insidious things afoot, but the statistics of
catching a typo from something that will provide any useful steal-able info
is very very small. Still, I make use of my LiveDeskTop or whatever it's
called in my office to link to my stock trading account, bank, etc, just
because I have paranoia about some phisher crouching on a mis-spelled domain
and getting into my finances. I never click on, copy or paste anything from
an email message, I type it myself, mostly because of the more insidious
character substitution lookalikes, which replace letter O with number 0, or
letter L (lowcase l) with number 1, etc, but that's different from a typo on
my part.

What I have proposed here at UH is to set up false SOAs for hawaii.eu in our
name server and make an empty DNS zone that causes name lookups to Hawaii.eu
to fail. I think that it's a bad idea to simply forward them to the
correctly spelled page, because that would pollute browser histories and
other caches. This strategy will only work for those that query our DNS
servers -- our customers, but they're probably the vast majority of hits on
*.hawaii.edu (and .eu). Whether others want to consider this is up to them.
This is not an official recommendation by the University Of Hawaii, and I'm
not going to give you the URL for my girlfriend's (save on stylish personal
accessories -- direct to you!) web site, either.

Alan Whinery
Chief Internet Engineer
University Of Hawaii System
(Not part of the European Union)

* capture all DNS packets which contain answers:

tcpdump -s 1500 -w allanswers`date +%F`.cap port 53 and udp and 'udp[14:2] != 0'
# udp[14:2] is the two-byte DNS ANCOUNT field (the DNS header starts 8 bytes
# into the UDP datagram, and ANCOUNT sits at DNS offset 6), so the filter keeps
# only port 53 packets that carry at least one answer record.
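The empty-zone approach Alan proposes, as an added example that is not from the original post or the University of Hawaii's configuration; it assumes BIND 9, and the server name, hostmaster address and file path are constructed:

```bind
// named.conf fragment (assumed BIND 9): make our own recursive server
// authoritative for the typo TLD name, so it never forwards lookups under
// hawaii.eu to whoever registered that domain.
zone "hawaii.eu" {
    type master;
    file "/etc/bind/db.empty.hawaii.eu";   // path is an assumption
};

; /etc/bind/db.empty.hawaii.eu -- a "false SOA" zone holding only the SOA
; and NS records. Any name below the apex (www.hawaii.eu, mail.hawaii.eu, ...)
; gets NXDOMAIN; an A query for the bare apex gets NOERROR with no answer.
; Either way no address is returned and nothing is redirected, so browser
; histories and caches are not polluted with the correctly spelled site.
$TTL 3600
@   IN SOA  ns1.hawaii.edu. hostmaster.hawaii.edu. (
            2006111801  ; serial (constructed)
            3600        ; refresh
            900         ; retry
            604800      ; expire
            3600 )      ; negative-caching TTL: how long clients cache the NXDOMAIN
@   IN NS   ns1.hawaii.edu.

; Check from a client of this resolver after reloading named:
;   dig @ns1.hawaii.edu www.hawaii.eu A
; expected: status NXDOMAIN, with this SOA in the AUTHORITY section.
```

As the post notes, only hosts that use these resolvers are affected; clients pointed at an outside resolver still reach the real hawaii.eu.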
