Slashdot Mirror

← Back to Stories (view on slashdot.org)

Study Reveals How ISPs Responded to SiteFinder

Posted by michael on from the routing-around-verisign dept.

penciling_in writes "During the 2+ weeks for which Site Finder was operational, a number of ISPs took steps to disable the service. A study just released reveals the details and analysis, including specific networks disabling Site Finder during its operational period. For example, the study reports China blocked the traffic at its backbone, and Taiwan's Chunghwa Telecom and Korea's DACOM also disabled the service. US ISPs have been slower to act, but US ISP Adelphia disabled the service September 20-22 before re-enabling it on September 23." That link is a summary; or cut straight to the study itself.

9 of 172 comments (clear)

  1. So it comes down to this by The+One+KEA · · Score: 4, Interesting

    Most major ISPs and institutions successfully blocked a "service" which only resulted in widespread disruption in the way the Internet works. It didn't necessarily stay blocked, as in the case of Adelphia, but it was blocked rather quickly. I like the graphs showing SiteFinder traffic; they're very easy to read and they show the drops quite clearly.

    Looking through the study, I found something interesting: most of the blockages of SiteFinder were outside the U.S. Interesting.....

    --
    SCREW THE ADS! http://adblock.mozdev.org/ Proud user of teh Fox of Fire - Registered Linux User #289618
  2. Denmark by pointwood · · Score: 4, Interesting

    I know the biggest Danish ISP (TDC) blocked it pretty quickly. TDC have >80% of all DSL connections in DK.

  3. Wasted some of my time by Anonymous Coward · · Score: 5, Interesting

    Sitefinder did not seem to redirect images. I was trying to debug an image server I set up and keep getting a 404 when trying to load a test image. After spending about an hour looking at httpd.conf, I realized that I had mistyped the url. The 404s were coming from sitefinder. My server was set up correctly from the very start.

  4. Telenor by Anonymous Coward · · Score: 3, Interesting
    I left a note for Norway's biggest ISP and phone company, Telenor, with details of what had happened and a polite request that they undo it at their name servers. I was very pleased to see an email come in from the hostmaster himself, saying they were aware of the problem and that he would get back to me on it. A few days later (actually, this was after VeriSign had agreed to succumb to ICANN's demand) I got a new mail from him again, saying he had given the notice for the patches to be applied.

    This is a company that isn't exactly the most liked in Norway, but I was very pleased with their handling of the problem and the responses.

    And it shows that most admins are not willing to tolerate absurd changes like this.

  5. Re:AAARRRGGG!!! by dissy · · Score: 5, Interesting

    > I don't get the big deal with this.

    Well, when people code DNS clients and librarys, they generally do so by following the RFC.

    The RFC states that when a domain does not exist, the name server returns the code NXDOMAIN.

    So, logically, if you get a NXDOMAIN code back, the domain does not exist.
    Verisign changed this RFC defined rule, and every single DNS using application is now broken, as they assume the information in the RFC spec is correct, and it is not so any longer.

    There are many different things that broke because of this, which as an end-user of the internet you probably wont notice much of.
    People that run service on the internet however do need to know how such servers are suppost to act. Verisign changed the rules without so much as telling anyone.

    RFC stands for request for comments. You submit one, and _request comments_
    Only after that phase is the RFC out of draft and so people start concidering to use it. This is how a standard is born via RFC. Verisign did not submit a new RFC requeting a change to the original one.

    It would be like a web server chaning the numerical error codes.
    404 means page not found. 900 is not defined.
    Sending a 900 code when page isnt found would break every existing client.
    This is what verisign did for DNS

  6. How I responded to it by Anonymous Coward · · Score: 3, Interesting

    I don't work for an ISP but I do have about 1500 staff users, plus another 9-10 thousand K-12 students who use the network too. The day this happened, I added some IP-based blocks to our web proxies to deny all access to sitefinder, then made the deny info throw back something that essentially said "That domain does not exist. Check the spelling and try again". Then I filtered outgoing packets on the mail servers to prevent leakage there.

    When the first BIND patch with delegation-only rolled out, that went on our resolvers and the real problem went away. Now the spammers couldn't make up arbitrary crap in .com and .net, and my old deny page was no longer necessary.

    Anyone in the organization who heard about the fuss and tried to play with sitefinder had a window of about 12 hours before the changes took effect. Since then, it's been walled off.

    Chances are, the bigger the organization is, the slower they move on changes like this. There's just too much bureaucracy to go through before you can do something like replacing your resolvers with new code.

  7. Spam Solution by RuB1X · · Score: 3, Interesting

    Copied from here

    But there is(was) a solution, perhaps mail servers should check to see if the sender domain for a particular piece of email resolves to the Ip above.If it does, forward the email toVerisign, any of the email addresses on this page should do :

    http://www.verisign.com/corporate/about/contact/in dex.html?sl=060104

    If the email sender domain resolves to the bogus Verisign wildcard entry, then its only fair that the email gets forwarded back to them, as it?s obviously spam and it resolves to their address.

    Just in case Verisign turns it back on, be ready.

    --
    I mean, what's the point of living...if you don't have a dick?
  8. Criminal Skills by g051051 · · Score: 5, Interesting

    My company uses SmartFilter. One day, it started blocking access to Site Finder. The reason code it returned indicated that sitefinder.verisign.com had been classified as "Criminal Skills". That sure seems appropriate to me.

    My personal solution was to add it to my junkbuster config, so it would never show, and never register as a hit on their web page.

  9. My solution for my small ISP by jroysdon · · Score: 3, Interesting
    We bound VeriSign's SiteFinder IP to one of our webservers and added it into our routing table:
    eth0:2 Link encap:Ethernet HWaddr 00:10:4B:21:48:CF
    inet addr:64.94.110.11 Bcast:255.255.255.255 Mask:255.255.255.255
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    Interrupt:11 Base address:0xde00
    Then we served up a wildcard page for *.com and *.net:
    <VirtualHost 63.172.195.4>
    DocumentRoot /var/www/html/wildcard
    ServerName wildcard.artoo.net
    ServerAlias *.net
    ServerAlias *.com
    CustomLog logs/access_log.wildcard combined
    </VirtualHost>
    The page directs users to complain to Congress, ICANN, and the FTC if they don't like the way VeriSign is hijacking the internet.

    Like I said, we're a really small ISP, but it appears we caught 281 typo's (excluding anything that was referred from Slashdot).

    It's pretty amazing to look at the common sites that folks typo.