Educause Security Discussion mailing list archives

Re: Honeypot in Netherlands mirroring entire DNS structures for some .edu's


From: "John C. A. Bambenek" <bambenek () CONTROL CSL UIUC EDU>
Date: Mon, 20 Nov 2006 12:57:19 -0600

Do you know what a Denial of Service attack is? What you're describing isn't
one.  I'm charged to keep my users protected from hackers, spam, malicious
users, or other web nuisances.  Describing that activity as a denial of
service attack is odd, at best.

No one is saying we take .eu offline.  We're saying we're isolating .eu faux
domains and preventing the accidental typo from becoming a security breach.

There can be legit uses of .eu.  There can even be legit uses of .eu that
maps to a different .edu.  However, domain squatters who can easily do MITM
all day long are not in the category of legit.  At best, they're domain
squatters, but they can change their tactics with about 5 seconds of work.
And that assumes they're being "honest" to begin with.

It's my network, it's my right to control what comes in and out. If you want
to let in Dutch hackers, that's your business.  If you want to consider a
firewall a Denial of Service device, well, that pretty much neuters the
entire body of information security research, tools, and policies.  Now, if
I start trying to knock these domains offline with illegitimate means, then
we can talk about Denial of Service.  Until that moment, please learn what a
DoS is.

And as a side note, if the EU is trying to give legitimacy to the .eu TLD,
they're doing a lousy job.

-----Original Message-----
From: Mclaughlin, Kevin L (mclaugkl) [mailto:mclaugkl () UCMAIL UC EDU]
Sent: Monday, November 20, 2006 12:49 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Honeypot in Netherlands mirroring entire DNS
structures for some .edu's

My point is, and will continue to be, that the EU domain is a legitimate
European domain that is run and managed in Europe.  EU is an actual
extension just like .com, .org, .edu, etc. with over 2 million users, and
since we don't have international domain law (to my knowledge)  how is it
our right to say whether other countries can use an extension or not? If I
am living and working in Europe and want to use hawaii.eu, why would
hawaii.com or hawaii.org, or hawaii.edu have the right to deny me the right
to do so? If hawaii.edu can deny my right to use hawaii.eu doesn't that
mean I can also deny their right to use hawaii.edu or is it simply because
they are North American based that gives them the right to say what names I
can use for my .EU domains?

To re-iterate my previous email. When doing some research on this it sure
seems to me that the European Union has given legitimacy to the usage of
.eu as a domain name:


Excerpt from the Web:

"With ".eu" companies and citizens from the European Union have an
additional choice for their web or email address.

Registration for the new Top Level web Domain .eu began on 7 December 2005
with a 4-month "sunrise" period. During this time only the holders of
existing trademarks or other prior rights could register. Registrations for
.eu are fully open to the public as from 7 April 2006.

From 7 April 2006, any resident within the European Union can register a
domain name without the need to search for any prior rights.

If you are interested in a .eu domain name, you are advised to get in touch
with an accredited registrar. Eurid maintains a growing list
<http://list.eurid.eu/registrars/ListRegistrars.htm?lang=en>  of companies
that are entitled to offer ".eu" domain names. "

Personally, I would think long and hard before I caused a denial of service
to any site with a legitimate and recognized .EU extension.

-Kevin


________________________________

From: John C. A. Bambenek [mailto:bambenek () CONTROL CSL UIUC EDU]
Sent: Mon 11/20/2006 1:22 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Honeypot in Netherlands mirroring entire DNS
structures for some .edu's



At what point did we start considering (at best) domain squatters to be
legitimate?

At what point do I need to start practicing "most privilege" to ensure
maximum vulnerability to malicious users, simply because "our European
friends" can't clean up their own house?

Have we all simply given up information security and decided our time would
be spent better running around with McAfee CDs and tweaking our spam
filters?

-----Original Message-----
From: Mclaughlin, Kevin L (mclaugkl) [mailto:mclaugkl () UCMAIL UC EDU]
Sent: Monday, November 20, 2006 12:12 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Honeypot in Netherlands mirroring entire DNS
structures for some .edu's

But these are legitimate and probably registered (in their country) European
registered domains and you are causing them a Denial of Service if you
prevent people from reaching them.  I would think that our European friends
would not be happy with that approach.

-Kevin


________________________________

From: Alan Whinery [mailto:whinery () HAWAII EDU]
Sent: Sat 11/18/2006 6:05 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Honeypot in Netherlands mirroring entire DNS
structures for some .edu's



Hi everybody,

I just joined this listserv, after hearing this thread referred to by a
number of people around the University of Hawaii. I think that there are a
couple of points missing.

"Type-alikes", typo domains, probably other names, are causes of increasing
concern for everyone, especially those that deal with sensitive information,
with regard to finance or privacy, or etc.

I have not seen any evidence of honeypots, or "mirroring" or etc, in
examining the .EU TLD problem, although it certainly is a concern. I first
noticed it (October 29th) while doing a survey of all DNS answers passing
our main ingress/egress point*. From what I have seen, someone in our
network mis-types *.hawaii.eu about once per day, which is a very very small
percentage of the total lookups.

It's not a new problem -- many high profile web presences have registered
their likely typo-domains, consider www.gogole.com, www.gogle.com, which all
lead to Google's main search home page.

If you're really clumsy, or playful, or something, you might type
www.ggoole.com, by mistake, and you find a familiar looking thing. It's a
placeholder web page which really doesn't represent an active domain, but
neither does it simply say, "this domain name is taken".

There are many thousands, possibly millions of such pages on the Internet,
and I've always wondered what their real purpose was, until a few months
ago. My girlfriend, who is an avid business woman, told me a story about a
friend, who paid for a family vacation with money obtained  by hosting
banner ads on her web site. Initially I was skeptical, and although I had
heard about money-for-clicks, I thought that you probably had to be MSN or
Yahoo to get the volume necessary, but then sometimes there is hit-volume in
the clumsiness of others. Since I am the obvious resource to consult on how
to have banner ads pay for our next family vacation, I was directed to
research it. The phenomenon is called "Affiliate Marketing" (
http://en.wikipedia.org/wiki/Affiliate_marketing ).

If you doubt the value of simply getting your info in front of as many eyes
as possible, consider the increasingly intrusive marketing culture, consider
SPAM, consider the introduction of promos at the bottom of the screen during
TV programming, partly because people with DVR's are fast forwarding through
commercial breaks. Consider the stock tips that show up on your fax machine.
Why is there so much SPAM-mail in the world?
Because it works, that's why.

Now pretend that you're an affiliate marketer, and you're scouring the Earth
for every opportunity to direct clicks to clients. Voila!
www.hawaii.eu. Most of the domain speculation buyers aren't buying domain
names because they're looking to sell them later. They're catching stray
clicks.

Yes, there may be more insidious things afoot, but the statistics of
catching a typo from something that will provide any useful steal-able info
is very very small. Still, I make use of my LiveDeskTop or whatever it's
called in my office to link to my stock trading account, bank, etc, just
because I have paranoia about some phisher crouching on a mis-spelled domain
and getting into my finances. I never click on, copy or paste anything from
an email message, I type it myself, mostly because of the more insidious
character substitution lookalikes, which replace letter O with number 0, or
letter L (lowercase l) with number 1, etc, but that's different from a typo on
my part.

What I have proposed here at UH is to set up false SOAs for hawaii.eu in our
name server and make an empty DNS zone that causes name lookups to Hawaii.eu
to fail. I think that it's a bad idea to simply forward them to the
correctly spelled page, because that would pollute browser histories and
other caches. This strategy will only work for those that query our DNS
servers -- our customers, but they're probably the vast majority of hits on
*.hawaii.edu (and .eu). Whether others want to consider this is up to them.
This is not an official recommendation by the University Of Hawaii, and I'm
not going to give you the URL for my girlfriend's (save on stylish personal
accessories -- direct to you!) web site, either.

Alan Whinery
Chief Internet Engineer
University Of Hawaii System
(Not part of the European Union)

* capture all DNS packets which contain answers:

tcpdump -s 1500 -w allanswers`date +%F`.cap port 53 and udp and 'udp[14:2] != 0'
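An added example in Python (not code from the thread or from UH) covering the two technical pieces of Alan's message: the `udp[14:2] != 0` test in his tcpdump filter, which is the ANCOUNT field of the DNS header, and the per-domain count of typo lookups that his capture survey produced. The monitored-domain typo list and the sample response packet are constructed here for illustration.

```python
import struct

MONITORED = {"hawaii.edu": ("hawaii.eu", "hawaii.ed", "hawai.edu")}  # hypothetical typo list

def decode_name(msg, off):
    """Decode a name at `off`, following RFC 1035 compression pointers."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # 2-byte pointer into the message
            end = end if end is not None else off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels).lower(), (end if end is not None else off)

def has_answers(udp_payload):
    """Same test as tcpdump's 'udp[14:2] != 0': ANCOUNT is bytes 6-7 of the DNS header."""
    return struct.unpack("!H", udp_payload[6:8])[0] != 0

def parse_dns(msg):
    """Return question names and answer owner names of a raw DNS message."""
    _, flags, qd, an, _, _ = struct.unpack("!6H", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        off += 4                             # skip QTYPE + QCLASS
        questions.append(name)
    for _ in range(an):
        name, off = decode_name(msg, off)
        off += 10 + struct.unpack("!HHIH", msg[off:off + 10])[3]   # fixed RR fields + RDATA
        answers.append(name)
    return {"response": bool(flags & 0x8000), "questions": questions, "answers": answers}

def typo_target(name):
    """Return the real domain a queried name is a typo variant of, else None."""
    for real, typos in MONITORED.items():
        if any(name == t or name.endswith("." + t) for t in typos):
            return real
    return None

def build_response(qname, rdata=b"\xc0\x00\x02\x01"):
    """Constructed sample (not a real capture): one question, one A answer pointing at it."""
    header = struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0)
    qn = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    return header + qn + struct.pack("!HH", 1, 1) + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
```

Feeding the UDP payloads of a capture through `has_answers`, `parse_dns` and `typo_target` gives the per-day count of mistyped `*.hawaii.eu` lookups the message describes.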
