Routing and DNS Security Ignored By ISPs
Bismillah (993337) writes "The re-routing of Google's public DNS servers last weekend was yet another example of how easy it is to 'steal the Internet' by abusing today's trust-based networks. Problem is, ISPs don't seem to care about that, or securing DNS which is another attack vector that doesn't require compromising end users' systems. Why isn't more done to secure routing and DNS then?"
The route announcement was likely unintentional. The chief scientist at APNIC noted that implementing RPKI would solve the problem, but far too few ISPs bother with it.
This article is slightly incorrect. It's not that they won't "want" to implement it, it's that it would cost money and competition is completely insane right now for ISPs. If you can't put it on a billboard as a feature, they're not interested because it costs money without generating more users.
I have reported compromised sites, massive spamming IP addresses, malware hosting, exploit kits, all kinds of stuff to ISPs, obvious phishing-only domains, hosting providers, and registrars for a while now. Probably close to 1000 reports.
Many companies give a shit.
Many do not. They are here to make money and could care less if the guy renting the storage unit is cooking meth, so long as they make rent. Doesn't matter if the reputation of the storage unit goes down, or poison spills into the streets. As long as the rent is paid, they don't give a shit.
GoDaddy (secureserver) is funny. They sometimes care. Sometimes they ignore it, sometimes they claim they aren't the IP owner, sometimes they wait a month to do anything, and sometimes they jump all over it.
Voxility (Eastern Europe).... forget about it. Basically a botnet VPS.
OVH, increasingly large IP blocks becoming malware, spammer, and pharmascammer IPs. Decreasingly giving a shit.
Rackspace jumps all over it.
Probably because ISPs have much more immediate and probable threats to deal with. Let's inject a little bit of reality into the discussion. Correct me if I am wrong, but actual attacks (as opposed to misconfigurations) through routing insecurity on the global Internet number zero. (Unless you count state level attempts at censorship, which is moot in this case where we are asking why ISPs don't do more) This Google hijack was quickly corrected thanks to all the monitoring and response procedures that are in place. Yes, I understand that is a fun 22 minute window for hijinx to ensue. There are also lots of easier ways to enact these hijinx, hence the number of attacks is zero. DNS attacks at the server level are relatively rare compared to all the other ways criminals can get what they are after. Security effort is a scarce resource, just like any other, and it will tend to get spent where the return is highest.
This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
Most don't give a shit as long as the clients are paying the bills.
The hosting company I work for was like this at one point. The company VP (who has been fired since) made the final call and he said, "If they are current on their bill then ignore it." The only way he would shut a site down is if money was owed or the person complaining had some court order.
Oh, and the VP would also send out SPAM himself while I was sitting here trying to stop SPAM in our mail servers. I hated that guy so much.
Why the hell would they want Google DNS to work?
They intermediate DNS all the time, in order to do proxy caching, and to prevent you going to high bandwidth sites without a lot of difficulty, or to land you on a page when you hit a non-existent domain because of a typo, and they try to sell it to you.
One wireless carrier, on their WiFi hotspot-only options, used to move you off their 4G network and onto their 3G by having intentional "DNS outages" that pointing to Google's DNS worked around. 3G had a data cap for which they got paid, 4G was no data cap, so the benefit to them for you using the DHCP assigned DNS was enormous: large amounts of data charges.
Even if they aren't screwing with the results for their own reasons, you hitting Google for all your DNS lookups means that they can't cache DNS responses, which means that they have to support more DNS traffic out and responses in on their network than they otherwise would need to.
None of these are beneficial to their bottom line.
Sure, until the DNS steering committee becomes headed by the representatives of Iran, North Korea, Pakistan and Jemen.
Not a shill, just educating: in case anyone needs better (and free) DNS for their parents/dumb relatives/noobs continuously getting spyware and malware by clicking on everything they see, OpenDNS is a great start. Their commercial product is useful for small/medium business as well. http://www.opendns.com/
The brilliant simplicity is that even if you get a dropper/adware/malware on your machine, if it can't resolve a malware domain to pull its payload from, it's effectively dead on your machine until your virus scanner catches it.
Global RPKI deployment stats can be found here; Europe is doing pretty well, growing at a healthy pace: http://certification-stats.rip... As far as router support goes, Cisco and Juniper are doing a good job with support across the platforms: https://www.ripe.net/lir-servi... But with other vendors, RPKI support is pretty much non-existent. Though it's not a requirement to use RPKI data natively on the router; you can also just use validated ROAs from an API, for example: http://localcert.ripe.net:8088...
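The comment above describes consuming validated ROAs from an API rather than on the router itself. What a consumer does with those ROAs is route origin validation as defined in RFC 6811: an announcement is Valid if some covering ROA names its origin AS and its prefix length does not exceed the ROA's maxLength, Invalid if covering ROAs exist but none matches, and NotFound if nothing covers it. The following is an added example written for this thread, not code from RIPE, APNIC or any vendor; the ROA set uses documentation prefixes and private AS numbers that are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class ROA:
    """A validated Route Origin Authorization: prefix, maxLength, origin AS."""
    prefix: str
    max_length: int
    asn: int


# Constructed ROA set for illustration (documentation prefixes, private ASNs);
# a real deployment would fetch these from an RPKI validator's API.
ROAS = [
    ROA("192.0.2.0/24", 24, 64496),
    ROA("198.51.100.0/22", 24, 64497),
]


def validate_origin(prefix: str, origin_asn: int, roas: Iterable[ROA] = ROAS) -> str:
    """Return the RFC 6811 origin validation state: Valid, Invalid or NotFound."""
    net = ipaddress.ip_network(prefix, strict=False)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        # A ROA covers the announcement when the announced prefix lies inside it.
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "NotFound"
    for roa in covering:
        # Matching origin AS and a length within maxLength makes it Valid;
        # a more-specific beyond maxLength is Invalid even from the right AS.
        if roa.asn == origin_asn and net.prefixlen <= roa.max_length:
            return "Valid"
    return "Invalid"


def filter_announcements(
    announcements: Iterable[Tuple[str, int]],
    roas: Iterable[ROA] = ROAS,
    reject: Tuple[str, ...] = ("Invalid",),
) -> Tuple[List[Tuple[str, int, str]], List[Tuple[str, int, str]]]:
    """Apply a drop-Invalid policy; returns (kept, dropped) as (prefix, asn, state)."""
    roas = list(roas)
    kept, dropped = [], []
    for prefix, asn in announcements:
        state = validate_origin(prefix, asn, roas)
        (dropped if state in reject else kept).append((prefix, asn, state))
    return kept, dropped


if __name__ == "__main__":
    # Constructed announcements: the legitimate route, a more-specific from a
    # different AS (the shape of a hijack), and a prefix with no ROA at all.
    sample = [
        ("192.0.2.0/24", 64496),
        ("192.0.2.0/25", 64512),
        ("203.0.113.0/24", 64496),
    ]
    kept, dropped = filter_announcements(sample)
    for entry in kept:
        print("keep", entry)
    for entry in dropped:
        print("drop", entry)
```

Note that NotFound routes are kept: most of the routing table has no ROA, so a policy that dropped them would blackhole the Internet. Only a covering ROA turns an announcement into an Invalid one, which is why coverage stats like the ones linked above matter.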
Groupe Telecom used to be like that since they considered themselves too big to fail (or rather too big to be taken down). I had a decent job until the final months of the job where my boss (Leo Kuvayev before his infamous spammer days) decided to team up with Alan Ralsky and Spam the crap out of some porn sites. Before they started they were assured by their account manager that all complaints would be ignored. After trying to talk them out of it I quit and moved on to another job.
A few months later I ran into my replacement in an elevator while he was searching for new hosting. It seems Group "We're a billion dollar company" Telecom were forced to change their policy thanks to multiple blacklists that did a lot of damage to their business.
No this has little to do with end users. This is a big networks issue.
If your VPN endpoint also saw the hijacked route then you'd equally be stuffed.
The answer is Namecoin.
I want to use namecoin but it just isn't there yet; it needs some more work on the rough edges first, and more devs. If they want it to take off, what they need to implement is a DNS proxy that intercepts the namecoin queries and passes traditional DNS through to your DNS server of choice.
---Saying gnome 3 is better than windows 8 not so much a compliment as it is damning with light praise.
I see this attitude all the time with managers. It's like a mantra:
It's blocking IPv6, it's blocking DNSSEC, it's blocking RPKI, it's blocking Windows XP retirements. There are a lot of improvements that are stymied because change is considered more scary than just living with the problem.
But it is broke. Computers are hugely complex and buggy. We need the upgrade treadmill just to stay ahead of threats to our computing. Computers are incredibly malleable, and collectively we need major changes. I would be seriously depressed if our current state became the pinnacle of computing.
Have a nice time.
Oh please, the USA was far worse than your perceived paranoia about you being censored by some authority outside the USA. Did you know: The US Government seize international domains on the premise of copyright infringement, so yeah, pick your poison. I know which one I'd rather pick and its not the USA option.
Have you paid attention to the situation in the UK? They are blocking pretty much any site the politicians in power view as unsavory, and they are one of the more freedom-respecting liberal nations. Just wait until China gets a say in what gets the internet-wide BanHammer, or the Saudis get to ban anyone saying something untasteful about Allah or Mohammad.
Or I could just apt-get install bind9 and run my own DNS server with much less hassle than configuring my hosts file on every computer and device on my network.
"too few ISPs bother with it" [RPKI] because "Cisco Systems is committed[4] to offering this functionality in Cisco IOS. Juniper Networks is working on an implementation[5] for Junos as well", i.e. it doesn't exist yet. DNSSEC exists, but is very challenging to implement and is fragile, though recent BIND implementations have improved that situation considerably. DANE will build on top of that, so there *is* hope for the future, but it is still the future.
You must live in some dumpy, backwards rural area where there's a monopoly.
That's pretty condescending. I live in one of the 10 largest metro areas in the US. My broadband choices at my house consist of Comcast where I can get 100mbit speeds or Frontier which gives 6mbit speeds if I want wired access. That means realistically I have one option if I give a shit about the speed of my internet connection. Not exactly what I'd call real competition. Oh I could cut the cord and go wireless I suppose but that has plenty of problems and I'd lose a lot of connection speed and gain a lot of latency plus I'd have to buy a bunch of new hardware or tether my phone every time I want to go online.
Out here in the real world in most places you have at most two sets of data cables (phone and cable tv) coming to your house. You do not have more options than the number of wires available to you even if you have other companies offering you service. Earthlink doesn't have phone lines to your house - the actual last mile is provided by someone else like AT&T. 75% of the US has exactly one landline cable TV option and a similar percent has precisely one phone option. So essentially most of us are under a duopoly. AT&T/Verizon or Comcast/TWC or something similar.
It is hard to clean these up; most Spam Blacklists require each individual IP to be checked and a form filled out. Then SpamRats requires that the IP meet a reverse DNS naming convention for a mail server, even if it is a standard internet customer with no email server at the IP. If you have a block of IPs, it is a large time sink to request that each one individually be de-listed!
The UN council on human rights consists of 18 countries including Cuba, Russia, China, and Saudi Arabia. Do you really think an internet council is going to protect free speech? With Iran, China, or North Korea as the chair?
Sure, until the DNS steering committee becomes headed by the representatives of Iran, North Korea, Pakistan and Jemen.
that would be a good thing.
Iran, Pakistan and North Korea would never even be able to agree on what to have for lunch. Hell, Iran and Pakistan would be at each other's throats (Shiite Persians and Sunni Arabs, so they'd block each other just because of that) and North Korea is completely ineffectual. It would be deadlock, leaving DNS implementers to their own devices.
Also, where the fsck is Jemen?
Calling someone a "hater" only means you can not rationally rebut their argument.
It's nice to know that /etc/hosts will solve the problem of NSA spying, Snowden, Russian intervention in Ukraine, Crimean secession and so on.
There are 4 rings, so if something is too slow in r3, why not move it to r2 or r1, as opposed to r0?
There is a chance this will change in the (near ?) future.
The US government says they are going to let ICANN 'go global':
http://www.ntia.doc.gov/press-...
New things are always on the horizon
Not that I think RPKI is bad, or it's good what RIPE is doing, but these stats say nothing about validation in the field.
DNSSEC doesn't really change anything re DNS based blocking. To date I have seen 2 different actions re blocking, the first is seizure (e.g. where the US government has asked/ordered/forced the US-based VeriSign .com registrar to point dodgysite.com to a computer that displays domain seizure message). In this case the new domain records would be signed with DNSSEC and everything would validate.
The second is blocks at the ISP level (e.g. UK courts ordering blocking of pirate sites). Since these domains aren't under the jurisdiction of the relevant courts/countries (otherwise they would likely have ordered the sites/domains seized or taken down), they can force the ISPs to change their local DNS servers, but then the DNSSEC signatures won't validate anymore (e.g. if piratebay.se is ordered blocked, the NSEC records for .se won't match anymore and a properly written DNSSEC validator will identify that piratebay.se is supposed to exist but is returning nxdomain and return an error).
#2 also applies if an ISP unilaterally decides to fiddle with DNS and redirect things (returning something other than nxdomain for a domain that doesn't exist, redirecting a domain to a new IP or returning nxdomain for a domain that does exist) since it can't re-sign the records it changed.
The use of DNSSEC doesn't make it any easier for, say, Saudi Arabia to block content it doesn't like at the DNS level (regardless of what the US may do in terms of giving up its regulation of DNS)
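The NSEC mechanism the comment above relies on is worth seeing concretely. Each NSEC record names an existing owner and the next existing name in the zone's canonical order (RFC 4034 section 6.1: compare labels right to left, case-insensitively, byte by byte); an NXDOMAIN answer is only authenticated if a signed NSEC record covers the queried name, i.e. the name falls strictly between an owner and its next. A resolver returning NXDOMAIN for a name that exists cannot produce such a record, because the real chain has an NSEC whose owner is that very name. The code below is an added example written for this thread, not from any resolver or DNSSEC library; the zone "example." and its NSEC chain are constructed, RRSIG verification of the NSEC records is assumed to have already succeeded, and the separate wildcard proof a full validator also requires is omitted.

```python
from typing import List, Tuple

# Constructed NSEC chain for a zone "example." containing the apex plus
# a.example., m.example. and z.example. (owner, next_owner); the last record
# wraps around to the apex as RFC 4034 requires.
NSEC_CHAIN = [
    ("example.", "a.example."),
    ("a.example.", "m.example."),
    ("m.example.", "z.example."),
    ("z.example.", "example."),
]


def canonical_key(name: str) -> Tuple[bytes, ...]:
    """RFC 4034 section 6.1 ordering key: labels reversed, lowercased, compared bytewise.

    Tuple comparison gives the rule that a name sorts before its own
    subdomains (a shorter prefix tuple compares as smaller).
    """
    stripped = name.rstrip(".").lower()
    labels = stripped.split(".") if stripped else []
    return tuple(label.encode("ascii") for label in reversed(labels))


def nsec_covers(owner: str, next_name: str, qname: str) -> bool:
    """True if qname lies strictly between owner and next in canonical order."""
    k_owner = canonical_key(owner)
    k_next = canonical_key(next_name)
    k_q = canonical_key(qname)
    if k_owner < k_next:
        return k_owner < k_q < k_next
    # Last NSEC of the zone: next is the apex, so it covers every in-zone
    # name that sorts after the owner.
    return k_q > k_owner


def validate_nxdomain(qname: str, nsec_records: List[Tuple[str, str]]) -> str:
    """Classify an NXDOMAIN answer as 'secure' (proven) or 'bogus' (unproven).

    nsec_records are the (owner, next) pairs carried in the answer's
    authority section, already assumed to carry valid RRSIGs.
    """
    k_q = canonical_key(qname)
    for owner, _ in nsec_records:
        # An NSEC owned by the queried name proves the name EXISTS, so an
        # NXDOMAIN for it is a forgery; this is the piratebay.se case above.
        if canonical_key(owner) == k_q:
            return "bogus"
    for owner, next_name in nsec_records:
        if nsec_covers(owner, next_name, qname):
            return "secure"
    # No covering NSEC (e.g. a resolver that rewrote the answer and stripped
    # the proof it could not forge): treat as bogus.
    return "bogus"


if __name__ == "__main__":
    # Constructed queries: a genuinely missing name, and an existing name
    # that a tampering resolver claims does not exist.
    print("b.example.", validate_nxdomain("b.example.", NSEC_CHAIN))
    print("m.example.", validate_nxdomain("m.example.", NSEC_CHAIN))
    print("b.example. (no NSEC)", validate_nxdomain("b.example.", []))
```

The same ordering logic is what makes the second case in the comment fail: the ISP can strip or substitute NSEC records, but it cannot sign one that says m.example. is absent, and without a covering record the validator reports the answer as bogus rather than silently accepting the block.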