ICANN Issues Initial Report On Fast Flux
The overseer of the Internet's addressing system is soliciting ideas for how to fix a problem that is enabling spammers and fraudulent Web sites to flourish. The Internet Corporation for Assigned Names and Numbers (ICANN) has issued an initial report on fast flux, a technique that allows a Web site's domain name to resolve to multiple IP (Internet protocol) addresses.
Fast flux allows an administrator to quickly point a domain name to a new IP address, for example if the server at the first address fails or comes under a denial-of-service attack. It is legitimately used by content distribution networks such as Akamai to balance loads, improving performance and lowering data transmission costs.
But the technique has also been embraced by hackers and cybercriminals, who use it to make it harder for ISPs (Internet service providers) and law enforcement officials to close down phishing Web sites and other sites illegally hawking goods such as pharmaceuticals.
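As an added illustration (not from the article or any of the comments below), a defender-side heuristic run over constructed passive-DNS answer records: fast-flux hosting tends to spread one name across many addresses in unrelated networks with short TTLs, whereas a CDN's rotation, like the Akamai case mentioned above, stays within its own address blocks. The domain names, addresses (documentation ranges) and thresholds are all constructed for this example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of passive-DNS answer records: (timestamp, name, ttl, ipv4).
# Names and addresses are made up; the address ranges are reserved test blocks.
SAMPLE_ANSWERS = [
    # CDN-style name: rotates quickly, but stays inside one provider's block.
    ("2008-01-01T10:00:00", "cdn.example.net", 20, "203.0.113.10"),
    ("2008-01-01T10:00:20", "cdn.example.net", 20, "203.0.113.11"),
    ("2008-01-01T10:00:40", "cdn.example.net", 20, "203.0.113.12"),
    ("2008-01-01T10:01:00", "cdn.example.net", 20, "203.0.113.13"),
    ("2008-01-01T10:01:20", "cdn.example.net", 20, "203.0.113.14"),
    # Flux-style name: each answer lands in an unrelated network.
    ("2008-01-01T10:00:00", "security-check-acmebank.example", 180, "198.51.100.7"),
    ("2008-01-01T10:03:00", "security-check-acmebank.example", 180, "192.0.2.44"),
    ("2008-01-01T10:06:00", "security-check-acmebank.example", 180, "203.0.113.200"),
    ("2008-01-01T10:09:00", "security-check-acmebank.example", 180, "198.51.100.99"),
    ("2008-01-01T10:12:00", "security-check-acmebank.example", 180, "192.0.2.130"),
    # Ordinary static host: one address, long TTL.
    ("2008-01-01T10:00:00", "static.example.org", 86400, "192.0.2.1"),
]

def summarize(answers):
    """Per name: distinct IPv4 addresses, distinct /16 networks, lowest TTL seen.
    The /16 prefix stands in for ASN lookups, which this offline example lacks."""
    ips, nets, min_ttl = defaultdict(set), defaultdict(set), {}
    for _ts, name, ttl, ip in answers:
        addr = ipaddress.IPv4Address(ip)
        ips[name].add(addr)
        nets[name].add(ipaddress.IPv4Network(f"{addr}/16", strict=False))
        min_ttl[name] = min(ttl, min_ttl.get(name, ttl))
    return {n: {"ips": len(ips[n]), "nets": len(nets[n]), "ttl": min_ttl[n]}
            for n in ips}

def is_fast_flux(stats, min_ips=4, min_nets=3, max_ttl=300):
    """Assumed thresholds: many addresses, spread over unrelated networks, short
    TTL. A CDN rotating within its own block fails the network-diversity test,
    so address count alone is not enough to raise an alert."""
    return (stats["ips"] >= min_ips and stats["nets"] >= min_nets
            and stats["ttl"] <= max_ttl)

def flag_names(answers):
    """Return the names in the records that match the fast-flux heuristic."""
    return sorted(n for n, s in summarize(answers).items() if is_fast_flux(s))

if __name__ == "__main__":
    for name, stats in summarize(SAMPLE_ANSWERS).items():
        print(name, stats, "FLUX" if is_fast_flux(stats) else "ok")
```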
I think this problem should be moved further down the list of issues raised by hackers and spammers. I'd like to see "fake headers" become impossible in emails, for example. Hackers don't even need the server to resolve to another IP when they can just inject whatever domain/site name they wish as the sender.
I still receive spam emails that suggest my long-deceased grandfather is still emailing me and wants me to pick up the latest Hallmark card he sent me. Of course the link is an exe, it's a hacking attempt, but the headers of the email resolve to Hallmark. THAT kind of bs needs to be fixed first.
To me, the key to 'fast flux' hosting is to take things out at the DNS level not the host level. That means that registries have to become a lot more responsive to complaints - at present it is very hard to get them to take action against illegal use of a domain name. I would like to see a system by which registries are obliged to take down a domain with evidence of illegal use within an hour of the evidence being submitted.
> the headers of the email resolve to Hallmark. THAT kind of bs needs to be fixed first.
IMHO forged email headers are a minor issue.
Do you really look at email headers before deciding to run an executable attached to an email? If Hallmark really did send you an .exe you still shouldn't trust it, I hope - so isn't the executable attachment a far bigger deal than the forged header line(s)?
BTW, I could send you a postcard on which I'd written "From: Barack Obama, 1600 Pennsylvania Avenue" but in addition to that there'd likely be a postmark saying "Innsbruck, Austria" [I'm doing a bit of skiing this week].
Would you believe my forged "From:" lines, or the post office's postmark?
Just like "From:" and "Received:" in your email header... it's easy once you know how :-)
Perhaps I'm misunderstanding the problem but...
The issue is how to quickly close down bad websites, is it not? So, rather than worrying about the IP address to which the domain resolves, surely they should simply blacklist/erase the domain name. If the domain name is erased, that's it, job done.
Provided this can be achieved quickly (hours not days) and mistakes can be corrected (days not weeks) then that should more or less solve that part of the problem. However, phishing attacks will simply use multiple IP addresses directly, i.e. without bothering to register silly domain names like "security-check-acmebank.com".
Am I missing something?
> simply blacklist/erase the domain name. If the domain name is erased, that's it, job done.
> Provided this can be achieved quickly (hours not days)
Kaled, you are entirely correct. Unfortunately it seems most registries are fighting hard against actually having any oversight over domain use.
Surely, domain name registrars are just middlemen/brokers - they are not actually in charge. If ICANN decide that a domain name should be suspended, they should have the power to do so immediately. They should merely inform the registrar, not ask permission.
However, as I said before, procedures should be put in place to swiftly correct mistakes.
> The issue is how to quickly close down bad websites, is it not
...but who will get to define "bad"?
ICANN? The US Supreme Court? The RIAA?
Determining if a domain name is dedicated to phishing is pretty trivial. In any case, that issue has to be solved whichever end of the problem ICANN chooses to attack (domain name or IP address).
Frankly, I'd be inclined to tell the banks to sort out the problem themselves. A secure USB credit-card scanning device could be designed quickly, would be small and cheap, and could even be integrated into new computers. This would also improve security for online shopping, although that's another area where banks have been utterly pathetic.
PS. I don't want to hear comments about making card cloning easier, etc. Whilst a new chip might be required for credit cards, the problem as a whole is easy to solve and could be totally secure.
> I'd be inclined to tell the banks to sort out the problem themselves
Funnily enough, that's pretty much what Bruce Schneier suggested back in 2005 [schneier.com].
IMHO he's a guy who actually does know what he's talking about...