Slashdot Mirror


Routing and DNS Security Ignored By ISPs

Bismillah (993337) writes "The re-routing of Google's public DNS servers last weekend was yet another example of how easy it is to 'steal the Internet' by abusing today's trust-based networks. Problem is, ISPs don't seem to care about that, or securing DNS which is another attack vector that doesn't require compromising end users' systems. Why isn't more done to secure routing and DNS then?" The route announcement was likely unintentional. The chief scientist at APNIC noted that implementing RPKI would solve the problem, but far too few ISPs bother with it.

7 of 101 comments

  1. obvious reason by slashmydots · · Score: 2, Insightful

    This article is slightly incorrect. It's not that they won't "want" to implement it, it's that it would cost money and competition is completely insane right now for ISPs. If you can't put it on a billboard as a feature, they're not interested because it costs money without generating more users.

  2. Re:Time = Money by Anonymous Coward · · Score: 2

    I have reported compromised sites, massive spamming IP addresses, malware hosting, exploit kits, all kinds of stuff to ISPs, obvious phishing-only domains, hosting providers, and registrars for a while now. Probably close to 1000 reports.

    Many companies give a shit.

    Many do not. They are here to make money and could care less if the guy renting the storage unit is cooking meth, so long as they make rent. Doesn't matter if the reputation of the storage unit goes down, or poison spills into the streets. As long as the rent is paid, they don't give a shit.

    GoDaddy (secureserver) is funny. They sometimes care. Sometimes they ignore it, sometimes they claim they aren't the IP owner, sometimes they wait a month to do anything, and sometimes they jump all over it.

    Voxility (Eastern Europe).... forget about it. Basically a botnet VPS.

    OVH, increasingly large IP blocks becoming malware, spammer, and pharmascammer IPs. Decreasingly giving a shit.

    Rackspace jumps all over it.

  3. Why the hell would they want Google DNS to work? by tlambert · · Score: 3, Interesting

    Why the hell would they want Google DNS to work?

    They intermediate DNS all the time, in order to do proxy caching, and to prevent you going to high bandwidth sites without a lot of difficulty, or to land you on a page when you hit a non-existent domain because of a typo, and they try to sell it to you.

    One wireless carrier, on their WiFi hotspot-only options, used to move you off their 4G network and onto their 3G by having intentional "DNS outages" that pointing to Google's DNS worked around. 3G had a data cap for which they got paid, 4G was no data cap, so the benefit to them for you using the DHCP assigned DNS was enormous: large amounts of data charges.

    Even if they aren't screwing with the results for their own reasons, you hitting Google for all your DNS lookups means that they can't cache DNS responses, which means that they have to support more DNS traffic out and responses in on their network than they otherwise would need to.

    None of these are beneficial to their bottom line.

  4. Re:Good by sosume · · Score: 2

    Sure, until the DNS steering committee becomes headed by the representatives of Iran, North Korea, Pakistan and Yemen.

  5. Re:RPKI by 8-Track · · Score: 2

    Global RPKI deployment stats can be found here; Europe is doing pretty well, growing at a healthy pace: http://certification-stats.rip... As far as router support goes, Cisco and Juniper are doing a good job with support across the platforms: https://www.ripe.net/lir-servi... But with other vendors, RPKI support is pretty much non-existent. Though it's not a requirement to use RPKI data natively on the router, you can also just use validated ROAs from an API, for example: http://localcert.ripe.net:8088...

  6. Re:Time = Money by gmack · · Score: 2

    Groupe Telecom used to be like that since they considered themselves too big to fail (or rather too big to be taken down). I had a decent job until the final months of the job where my boss (Leo Kuvayev before his infamous spammer days) decided to team up with Alan Ralsky and Spam the crap out of some porn sites. Before they started they were assured by their account manager that all complaints would be ignored. After trying to talk them out of it I quit and moved on to another job.

    A few months later I ran into my replacement in an elevator while he was searching for new hosting. It seems Group "We're a billion dollar company" Telecom were forced to change their policy thanks to multiple blacklists that did a lot of damage to their business.

  7. If it's not broke, don't fix it by RR · · Score: 3, Interesting

    I see this attitude all the time with managers. It's like a mantra:

    If it's not broke, don't fix it.

    It's blocking IPv6, it's blocking DNSSEC, it's blocking RPKI, it's blocking Windows XP retirements. There are a lot of improvements that are stymied because change is considered more scary than just living with the problem.

    But it is broke. Computers are hugely complex and buggy. We need the upgrade treadmill just to stay ahead of threats to our computing. Computers are incredibly malleable, and collectively we need major changes. I would be seriously depressed if our current state became the pinnacle of computing.

    --
    Have a nice time.