| This 37 message thread spans 2 pages: 37 (  2 ) > > || |
|Free Dynamic DNS Services Pose Massive Security Threats|
Should broadband customers be blocked from free DNS?
| 6:19 pm on May 5, 2008 (gmt 0)|
The recent rash of botnet [webmasterworld.com] issues has uncovered that the source of power for the latest and most widespread strain of malware is the free DNS servers being used to locate their command centers.
Why this is a problem is because these dynamic DNS services allow anyone to freely create a dynamic domain name such as "any-subdomain.example.com" which can be quickly and easily redirected to any new server when the previous botnet command and control center (C&C) is identified and blocked.
Botnets tend to have lots of infected machines that are idle, just waiting to be put into service, therefore closing one command center only shuts down the bot for a few minutes, perhaps even seconds, until the IP address is changed for "any-subdomain.example.com" to point to the next infected server now being used as the botnet C&C.
Best yet, the latest botnet strains have algorithms that allow them to detect new random subdomain names created so when "botnetsubdomain1.example.com" is removed from the free DNS service a new "botnetsubdomain2.example.com" is created, which the botnet can detect, and continues to run.
The names being used are completely randomized so it's not as simple as looking for something like "botnetsubdomain*.example.com" and blocking all variations as it's fairly undetectable.
Therefore, it seems a simple solution to eliminating this threat posed by free dynamic DNS services is to filter out the free variations of the dynamic domain names so that "any-subdomain.example.com" isn't accessible by anyone from a broadband service which would render the entire current variation of the Kraken botnet completely harmless.
So the question then is should broadband services, or all internet services for that matter, block these free dynamic DNS services in order to protect the safety of the internet as a whole and stop hundreds of thousands of machines from communication with their command center in one simple step?
I'd say YES, just like like ISPs currently use RBS to block spammers and known hosts of malware, that it's a reasonable step to providing internet-wide security against this latest and the most difficult to stop (to date) brand of botnet before more copycats emerge and the situation is completely out of control.
| 7:09 pm on May 5, 2008 (gmt 0)|
I have to say that I only know these dynamic DNS services because they seem to spam google by scraping my pages, get indexed for the page and then I find out because google alerts ping me when there's a mention of those domains. When I go there, there is a come-on to register for a free subdomain in the form mydomain.example.com that will redirect to mydomain.com. Wow! Thanks! What a useful service.
Anyway, how did you figure it out and how come nobody else has?
| 7:21 pm on May 5, 2008 (gmt 0)|
I didn't figure it out, the botnet researchers figured it out.
However, they just never followed their findings to this logical conclusion.
I simply posed this possible solution to shut down the entire bot network which seems quite simple compared to sitting around waiting for people to clean up hundreds of thousands of machines while we're all getting spammed and worse.
| 7:46 pm on May 5, 2008 (gmt 0)|
Are you proposing a whitelist of DNS servers or a blacklist?
A whitelist would cause an extreme amount of pain to a lot of webmasters, especially if each ISP had a different whitelist. Anyone who has delt with services like SpamCop will know how hard it is to be added to a whitelist or removed from a black one. After a certain point these list keepers do not care about the little guy and people will be forced to pay a lot for the whitelisted DNS services.
A blacklist would be ineffective because the bots can act as DNS servers and we would have the same fast-flux problem that we have now except it will be one level up. Thousands of domains can be pre-registered and swapped-in the same way as subdomains are now.
This is a genuinely hard problem, much like the spam problem. Personally I think that the solution is in hardening the operating systems and browsers, Vista comes a long way in this respect so we will wait for XP to die out before doing anything that will impact the openness of the internet. Look at the state of SSL certificates now, that is what we have to look forward to if ISP's implement a whitelist for DNS servers.
There is some interesting information on locking down applications on the Google Developers Podcast (the one about Andriod). It is Linux specific and for a mobile but the same principle could be used to make a secure desktop without losing functionality.
| 11:14 pm on May 5, 2008 (gmt 0)|
|Are you proposing a whitelist of DNS servers or a blacklist? |
I'm proposing to blacklist just the small list of "FREE" subdomain dynamic DNS accounts, a very small subset of DNS servers, should be blacklisted.
They add no value and support the latest rampage of 3 separate botnets.
This would have no impact on %99.999999999999999 of the websites out there using dynamic DNS unless it was the free accounts.
|because the bots can act as DNS servers |
That doesn't work because shutting down a bot DNS server knocks the network offline.
You have to read the white papers on how these particular bots work to understand how my suggestion takes over 500K machines out of a botnet right away.
I'm not discussing all possible scenarios, don't care about those, we have a current threat that when combined controls a minimum of 500K machines and knocking all those spamming machines offline, offline as far as the botnet is concerned, is quite simple for this round of botnet blocking.
FYI, this isn't rocket science as I can block the small list of dynamic DNS servers from my home router to make sure none of my machines are on the botnet, so I'm sure it can be done at a higher level.
[edited by: incrediBILL at 11:25 pm (utc) on May 5, 2008]
| 11:49 pm on May 5, 2008 (gmt 0)|
The solution to this problem is getting people who create this malware and put them to prison for 20-30 years, or better give them the chair - I am generally against capital punishment but in this case I think it is fully deserved.
Restricting freedom of vast majority of law abiding citizens just because a minority does this stuff is very wrong IMO - it's not practical either as you will never get 100% correct whitelisting and bad guys only need one hole to get through. So as I said the solution is to get to the bad guys so that any of them that want to try this sort of stuff should know what they will get and how quickly it will happen.
| 12:09 am on May 6, 2008 (gmt 0)|
|Restricting freedom of vast majority of law abiding citizens just because a minority does this stuff is very wrong IMO |
Normally I would agree with you but in this case the vast majority of normal law abiding citizens, including webmasters, don't know what a free dynamic DNS subdomain is in the first place, will never use one and with %99.99999999 likelihood never need to use one.
I'm not even saying that dynamic DNS is bad, just the free dynamic subdomains used by the botnets.
Most people either have a domain, or a subdomain on some service, but not a dynamic DNS subdomain that can be easily pointed from server to server, nor do they need one, which is the exploit the botnets are using on these services that are typically employed only for black hat or hacker purposes in the first place. Please don't argue what we need DYNAMIC DNS because that's not what this is about, it's about randomly created subdomains on dynamic DNS which we simple don't need.
Most people can afford a $9 domain for a year and don't need random IP location because most people aren't trying to hide from the people trying to stop them from infecting machines, spamming or worse. However, if you want to relocate your domain from ISP to ISP quickly you'll still have dynamic DNS available, just not those FREE dynamic subdomains so no harm, not foul, except the current massive botnets are shut down.
Heck, what next, should we go back to running open relay on all our SMTP servers so spammers can send spam freely using our servers?
I don't think so, and free dynamic DNS subdomains is the DNS equivalent of open relays on SMTP servers which is bad for everyone and are currently being exploited by spammers, the same spammers that would exploit open relay on SMTP servers.
I hope I'm not hearing that people are in favor of spam because that's the only thing that free dynamic DNS subdomains are good for is spam!
[edited by: incrediBILL at 12:16 am (utc) on May 6, 2008]
| 12:16 am on May 6, 2008 (gmt 0)|
I'm confused, what about the genuine users of the free dynamic DNS service? I don't believe that ISPs can make any decisions in terms of "value" (whatever that means) without setting a dangerous precedent. Or am I missing something?
When I had a dynamic IP address from a previous ISP, I used a free dynamic DNS service so I could easily connect to my home machine, there are many others who do the same.
| 12:33 am on May 6, 2008 (gmt 0)|
|what about the genuine users of the free dynamic DNS service? |
You can still use it on YOUR domain, I'm talking about whacking the free subdomains that fall under the domain name of the dynamic DNS service themselves.
How hard would it be for you to register your own domain name for $9 or less per year?
OK, if you need to have a dynamic domain name for your home computer it would be my-home-computer.example.com instead of my-home-computer on the free DNS domain.
Still works, just eliminates the free domains the botnets are using and doesn't really stop anyone from doing dynamic IPs to your home computer, even on a subdomain, as long as you have your own domain name.
See, the problem is that the bot herders don't want to expose themselves and registering domain names requires a level of exposure they would prefer to avoid.
[edited by: incrediBILL at 12:33 am (utc) on May 6, 2008]
| 1:02 am on May 6, 2008 (gmt 0)|
Why should a unique domain name be required simply so I can ssh without knowing my home machine's IP? :)
I just did a Google inurl search for just one of the more poplar free domains offered by one free dynamic DNS provider, and there are 482,000 results found - many hundreds of websites, mostly by geeks running a server from their home connection.
So free dynamic DNS is a genuine service used by many thousands of people, I don't see how the ISPs could unilaterally shut down access to those genuine sites because the service is being abused by others.
The providers themselves, however, have a great deal of responsibility in terms of their signup process, which clearly needs to be tightened up considerably.
| 1:11 am on May 6, 2008 (gmt 0)|
By dynamic DNS service do you mean domains with a short TTL?
Also what is to stop people setting up free DNS services every day if you keep banning them? Who would keep the ban list in order?
| 1:17 am on May 6, 2008 (gmt 0)|
|Why should a unique domain name be required simply so I can ssh without knowing my home machine's IP? |
Actually, forget getting your own unique domain name because just requiring a small payment for annual forwarding will slow the bot herders down.
Here's a middle ground solution, legit customers with a domain name use my-home-computer.paid.example.com and everything from .paid.example.com is allowed.
Just whack anything unpaid.
Then the bot herder panics, starts using stolen credit cards to pay for these services which result in a massive amount of chargebacks from defrauded card holders.
The massive chargebacks will cause Visa or MC to cancel the DNS service's payment processing account due to all the fraud and it's out of business, problem solved.
Let nature take it's course and all will work out in the end!
|The providers themselves, however, have a great deal of responsibility in terms of their signup process, which clearly needs to be tightened up considerably. |
Understatement of the decade. ;)
Trust me, if the ISPs suddenly block millions of people from their servers they'll wake up and tighten security.
However, I do think it will require a big sledgehammer approach just like it required to stop open relay SMTPs because the status quo will continue unchanged until someone radically changes the playing field.
[edited by: incrediBILL at 1:20 am (utc) on May 6, 2008]
| 1:41 am on May 6, 2008 (gmt 0)|
|Trust me, if the ISPs suddenly block millions of people from their servers they'll wake up and tighten security. |
The genuine users of free dynamic DNS are not responsible for the failure by the providers to enforce their own terms of service. Why should the genuine users be penalized? Like I said, the service is perfectly legitimate.
It is absolutely not the ISPs role to interfere in any way with access to any site under any circumstances short of a court order.
| 2:20 am on May 6, 2008 (gmt 0)|
|It is absolutely not the ISPs role to interfere in any way with access to any site under any circumstances short of a court order. |
ISPs already block lots of things that arguably have legitimate uses such as blocking direct access to SMTP ports (Bell South, MSN, etc.) to stop spam from being sent from home machines, block access to open relay servers to also stop spam and even implement RBL to block spammers IPs.
This is just another case of the needs of the many, to block spammers and stop hundreds of thousands of infected machines from being able to dial home to their botnet C&C, out weigh the needs of a few that are too cheap to plunk down a few $'s a year for a service now given away free.
Many times in the past the AUP violations were enforced by others creating blockades around the 'net until those AUP violations are stopped and this is a clear case where it's needed.
Heck, let the free DNS stay, just require all users to sign up again using rigid registration methods and if you don't re-register all those bogus accounts get whacked in 30 days.
However, like I said before, fixing registration probably won't happen until someone sets up a big blockage in the first place because having only a few clean up their act but not all still leaves a big gaping security hole to be exploited.
Face facts, we can't have it both ways.
We can either quickly and easily shut down a massive problem with a few initial casualties caught in the crossfire or we can allow the massive problem to continue to exist unchecked. Those few casualties will have simple options such as a possible quick and easy re-registration process with stronger validation or a paid process, either way it's workable with minimal harm.
Why would re-registering or being forced to pay a couple of $'s be a problem?
[edited by: incrediBILL at 2:31 am (utc) on May 6, 2008]
| 7:34 am on May 6, 2008 (gmt 0)|
Blocking dynamic dns is not really going to solve this or any other problem.
The herd only needs access to dynamic data. Data that points to, or is the control channel.
So, without dynamic dns, the bot designer resorts to other means of dissemination.
One easy example.
POP3 access against a series of gmail/hotmail/etc accounts. Accounts with a predictable name series that evolves against a known seed. Much like rsa access dongles.
A new gmail account every few days ought to do the trick.
Presto, dynamic access to dynamic data. Again. Without dynamic dns, paid or free.
How about dynamic http/dns?
Again, seed a one time pad of "keywords". Tag web pages with those "keywords". Have the bots search for those "keywords" on a search engine of your choice. Have the bots retrieve the http page, even from google cache. Dynamic access to dynamic data.
How about using the same techniques via bittorrent? Just seed a new file whenever you need to change the data.
So, ask the isp's to blackhole gmail and google. That ought to be ok. No possibility of client complaints there! Small price to pay to keep the net usable. No POP3, no HTTP. There's always FTP, GOPHER, ARCHIE and NNTP. What else could a netizen ask for? Why we could even have Facebook on NNTP 2.0!
Dynamic dns might be handy in this application. But, by no means is it the only means.
| 8:29 am on May 6, 2008 (gmt 0)|
The question is why isn't the signup process for these dynamic-dns + free subdomain services protected by capacha etc ?
Or maybe just suspend the services until the Kraken botnet is disabled.
| 8:29 am on May 6, 2008 (gmt 0)|
Block these and another method will spring up. Real domains are virtually free compared to the profits of running a bot net and with so many compromised machines it would be easy to have someone kindly make the purchase for you.
Free hosting providers may find they have new customers who just have pages of IP addresses.
P2P behaviour between infected bot machines could pass IP addresses.
Back-end caching of infected machine IPs could allow pinging outward from a new control center to inform them of its existence.
Forums and messageboards could suddenly have posts on them which reveal new command IP addresses.
The list goes on, and on, and on.
Oh, and by the way... if your business depends upon giving out these free dynamic DNS accounts... are you going to take measures to piss off someone with a huge botnet able to wipe you out so hard you won't know what's hit you?
| 10:04 am on May 6, 2008 (gmt 0)|
Incredibill, i think you over-simplify the beauty of dynamic dns services. I know of at least a few dozen friends who use it so they can easily VPN into their home network and access desktops remotely.
Its a tool that allows great functionality where ISP's fail. If you want to get rid of the DyDNS services then mandate the crapcast, i mean comcast give everyone static IP's.
A lot more people than you are probably aware of ARE technically savvy people who use these DyDNS services for many reasons.
I for one learned how to build my first unix box, apache system and setup a vpn myself doing this :)
| 10:40 am on May 6, 2008 (gmt 0)|
|Why would re-registering or being forced to pay a couple of $'s be a problem? |
It isn't, what about nihaorr1.com?
That was either purchased or stolen, it didn't seem to stop them.
| 12:35 pm on May 6, 2008 (gmt 0)|
|ISPs already block lots of things that arguably have legitimate uses such as blocking direct access to SMTP ports (Bell South, MSN, etc.) to stop spam from being sent from home machines, block access to open relay servers to also stop spam and even implement RBL to block spammers IPs. |
Although they're trying to be helpful I don't think it should be the task of a delivery company to play justice and I wouldn't like ISP's gaining more and more power.
Neither my mailman should bother with the content of my snail mails nor the telephone company should tap my calls.
The solutions should be sought by protection on the OS level, correct standardization and eventually laws, but again, not at the cost of innocent ones.
| 1:37 pm on May 6, 2008 (gmt 0)|
ISPs are not the police. They can decline to offer a particular service (protocol) such as SMTP, but they must never be given the responsibility or authority to make judgment calls on access to particular websites.
|the needs of a few that are too cheap to plunk down a few $'s a year for a service now given away free |
Following on from your suggestion, I know of a blogging platform owned by a very large search engine which is overrun by automated signups and fake spam blogs, offering dubious downloads and such. The blogs are all subdomains of blogsp.. I mean example.com, so I assume it is OK in your book that individual ISPs take matters into their own hands and block access to this service?
Of course, there are a few legitimate users of the service, but they are merely people who are too cheap to plunk down a few $'s a year for a service now given away free, so no great loss. ;)
| 1:43 pm on May 6, 2008 (gmt 0)|
|Neither my mailman should bother with the content of my snail mails |
If you're sent a ticking package, or an envelope dripping white powder, your mail should be inspected, conveniences not rights are lost when evil hits society, you don't hear people complaining about having to lock their houses or cars, that's loss of convenience not freedom.
I believe the reaction and steps to be taken should be proportional to the level of threat paused, and possible abuse of power can be dealt with on many other legitimate levels.
| 1:59 pm on May 6, 2008 (gmt 0)|
Wait - spambots use the internet! Lets just turn it off!
Problem solved :/
| 2:04 pm on May 6, 2008 (gmt 0)|
While it's true that free dynamic DNS is used by the bad guys, the bad guys deploy their own entire solutions (read some more on RBN). There is nothing stoppign th ebad guys from gettign their own somainname and do what we know as "fast flux". They even change the DNS servers fast onto the botnet itself.
This needs to be fought at the registries/registrars: detect it and kill the domains that abuse this, as well as make sure domains cannot be obtained anonymously.
| 3:34 pm on May 6, 2008 (gmt 0)|
|Of course, there are a few legitimate users of the service, but they are merely people who are too cheap to plunk down a few $'s a year for a service now given away free, so no great loss. |
Even blogsp... er example.com has an option where you can use your own domain.
I even bought the domain in case I need to use it so feel free to block *.example.com and I'll use the domain already sitting on a server on standby.
I'm currently using that domain for other things, but it can be deployed in minutes.
However, there's a big difference as that service is just full of spam, it's not the same as the botnet actually doing the spamming.
|i think you over-simplify the beauty of dynamic dns services. I know of at least a few dozen friends who use it so they can easily VPN into their home network and access desktops remotely. |
I know those uses, didn't say they weren't legit, but you can use a subdomain off your own domain with those same dynamic services. There's no reason why you must use a subdomain off the dynamic dns services domain itself, unless you're just cheap, that's all we're talking about.
|here is nothing stoppign th ebad guys from gettign their own somainnamep |
Except it's not as easily scalable and exposes them to an actual registrar.
Besides, did I say this was the end-all-be-all solution?
No, this solution just stops the current rash of hundreds of thousands of problem children machines from communicating with each other.
Besides, just because someone can get around certain types of security is no reason not to employ that security method. Security is done in layers and you keep piling layers on top of layers because removing a single layer opens and old vulnerability which will be quickly exploited.
For instance, the dumb botnets probing my site to infect it still use the default Perl user agent "libwww-perl" which is easy to block to stop those attacks. However, a smarter version of the botnet bothers to set the user agent so his Perl script claims it's MSIE "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" which makes it harder to stop as it appears to be a real browser.
Does that mean I stop blocking "libwww-perl" just because it's easily changed?
Nope, it's just another security layer.
|There is nothing stoppign th ebad guys from gettign their own somainname and do what we know as "fast flux". They even change the DNS servers fast onto the botnet itself. |
Fast Flux is exactly what we're discussing here and the list of DNS servers built into the current code infecting machines is less than 10.
I did research this topic before posting ;)
| 3:34 pm on May 6, 2008 (gmt 0)|
|Neither my mailman should bother with the content of my snail mails |
In the U.S., they do [postalinspectors.uspis.gov].
| 3:53 pm on May 6, 2008 (gmt 0)|
|The solutions should be sought by protection on the OS level, correct standardization and eventually laws, but again, not at the cost of innocent ones. |
True, but that will take years and the current threat will still be out there spamming away.
What I suggest will take less than a few hours to stop the current widespread threat.
| 7:50 am on May 7, 2008 (gmt 0)|
|about randomly created subdomains on dynamic DNS |
I have a friend who runs a small business website from a server at home.
The ISP doesn't offer a static ip at a sensible price, so I set up his router to update a (free) <myfriendsbusinessname>.dyndns.org DNS record whenever the dynamic ip changes, and the www.<myfriendsbusinessname>.com DNS record is a CNAME to <myfriendsbusinessname>.dyndns.org.
The upshot? www.<myfriendsbusinessname>.com always resolves to my friend's dynamic IP.
incrediBILL's proposal would appear to stop this from working - correct?
I'm sure my friend isn't the only one doing this.
| 9:05 am on May 7, 2008 (gmt 0)|
Your friend could still run his store like this, even for free, if these services locked down their account creation utilities to stop automated services from registering bogus account used by the botnets.
However, if these services fail or refuse to fix their services to stop abuse, I'm suggesting a block on the free accounts being abused.
The upshot here is at least one free dns service (i assume several) would jump on the bandwagon and secure their free account creation so everyone would have options.
Worse case you can still do what you're doing for free using your domain name with a service like yi.org, it's both free AND it's your own domain name. However, if you wish to stay with that other service it's about $30/yr for using your own domain, fairly minimal.
See, there are alternatives that eliminate the subdomains being abused and allow you to use those services for free with your own domain, so shop around and you'll find a better solution than you already use for the same low $0 price.
| 5:15 pm on May 7, 2008 (gmt 0)|
Just came across this thread and thought I'd chime in. We are a dynamic dns provider and I'll tell you first hand that we (as well as the other large ones) do a way better job at fighting this abuse that any other company. We see this day in and day out, we work with authorities, we notify ISPs, etc. If you blacklist us - watch out - the botnets will just move to more stealthy protocols and then what are you going to do ? At least now we have some control / visibility : )
We require captchas on signup. We have algorithms that stop abusive signups and scavenging of names. I bet you will find that if you report any type of illegal activity relating to a ddns domain you will find that we (and others) take action immediately.
| This 37 message thread spans 2 pages: 37 (  2 ) > > |