Re: ICANN opens up Pandora's Box of new TLDs

["Christopher Morrow" <morrowc.lists () gmail com>]

On Fri, Jun 27, 2008 at 11:13 PM, Tomas L. Byrnes <tomb () byrneit net> wrote:
> These issues are not separate and distinct, but rather related.
>
> A graduated level of analysis of membership in any of the sets of:
>
> 1: Recently registered domain.

hi, I just registered 'newproduct.com' for my press release, I'm
sending you emails from that domain since you signed up with my
company for new news alerts abotu my great products!

> 2: Short TTL

I'm anticipating high traffic loads, I'm putting my pressrelease
things on akamai/llnw, I want to shift that away quickly when traffic
levels decrease. I made my ttl's short, for that, plus akamai sets my
ttl's on their responses to 5mins.

> 3: Appearance in DShield, Shadowserver, Cyber-TA and other sensor lists.

sure, these are fine folks... they get things wring at times :(

> 4: Invalid/Non-responsive RP info in Whois

oh, whois isn't updated with NS info updates... so for 6-12 hours that
data's not going to reflect 'valid' info while I send out my
notifications.

> Create a pretty good profile of someone you probably don't want to
> accept traffic from.

I agree that correlation across many forms of intell gathering is
good, and probably the way out for folks on the good side of this
battle. My point was that tossing FUD on top of the 'icann made a
mistake, maybe' isn't helping the argument nor discussion.

There should be some work, and maybe there is work happening on this,
done to bring ICANN policies up to speed with respect to dealing with:
1) domain owners who have invalid (chronically bad) info
2) registrars who seem to solely

> Conflation is bad, recognizing that each metric has value, and some
> correlation of membership in more than one set has even more value, as
> indicating a likely criminal node, is good.
>
> YMMV.
>
> I guess, if you have perfect malware signatures, code with no errors,
> and vigilance the Marines on the wire @ gitmo would envy, you can accept
> traffic from everywhere.
>
>
>
> > -----Original Message-----
> > From: Christopher Morrow [mailto:morrowc.lists () gmail com]
> > Sent: Friday, June 27, 2008 7:23 PM
> > To: Roger Marquis
> > Cc: nanog () nanog org
> > Subject: Re: ICANN opens up Pandora's Box of new TLDs
> >
> > On Fri, Jun 27, 2008 at 4:32 PM, Roger Marquis
> > <marquis () roble com> wrote:
> > > Phil Regnauld wrote:
> > > apply even cursory tests for domain name validity. Phishers and
> > > spammers will have a field day with the inevitable namespace
> > > collisions. It is, however, unfortunately consistent with ICANN's
> > > inability to address other security issues such as fast flush DNS,
> > > domain tasting (botnets), and requiring valid domain contacts.
> >
> > Please do not conflate:
> >
> > 1) Fast flux
> > 2) Botnets
> > 3) Domain tasting
> > 4) valid contact info
> >
> > These are separate and distinct issues... I'd point out that
> > FastFlux is actually sort of how Akamai does it's job
> > (inconsistent dns responses), Double-Flux (at least the
> > traditional DF) isn't though certainly Akamai COULD do
> > something similar to Double-Flux (and arguably does with some
> > bits their services. The particular form 'Double-Flux' is
> > certainly troublesome, but arguably TOS/AUP info at
> > Registrars already deals with most of this because #4 in your
> > list would apply... That or use of the domain for clearly
> > illicit ends.
> > Also, perhaps just not having Registrar's that solely deal in
> > criminal activities would make this harder to accomplish...
> >
> > Botnets clearly are bad... I'm not sure they are related to
> > ICANN in any real way though, so that seems like a red
> > herring in the discussion.
> >
> > Domain tasting has solutions on the table (thanks drc for
> > linkages) but was a side effect of some
> > customer-satisfaction/buyers-remorse
> > loopholes placed in the regs... the fact that someone figured
> > out that computers could be used to take advantage of that
> > loophole on a massive scale isn't super surprising. In the
> > end though, it's getting fixed, perhaps slower than we'd all
> > prefer, but still.
> >
> > > I have to conclude that ICANN has failed, simply failed,
> > and should be
> > > returned to the US government.  Perhaps the DHL would at
> > least solicit
> > > for RFCs from the security community.
> >
> > I'm not sure a shipping company really is the best place to solicit...
> > or did you mean DHS? and why on gods green earth would you
> > want them involved with this?
> >
> > -chris