Inside ICANNWatch  
Submit Story
Lost Password
Site Messages
Top 10 Lists
Latest Comments
Search by topic

Our Mission
ICANN for Beginners
About Us
How To Use This Site
Slash Tech Info
Link to Us
Write to Us

  Useful ICANN sites  
  • ICANN itself
  • Bret Fausett's ICANN Blog
  • Internet Governance Project
  • UN Working Group on Internet Governance
  • Karl Auerbach web site
  • Müller-Maguhn home
  • UDRPinfo.com;
  • UDRPlaw.net;
  • CircleID;
  • LatinoamerICANN Project
  • ICB Tollfree News

  •   At Large Membership and Civil Society Participation in ICANN  
  • icannatlarge.com;
  • Noncommercial Users Constituency of ICANN
  • NAIS Project
  • ICANN At Large Study Committee Final Report
  • ICANN (non)Members page
  • ICANN Membership Election site

  • ICANN-Related Reading
    Browse ICANNWatch by Subject

    Ted Byfied
    - ICANN: Defending Our Precious Bodily Fluids
    - Ushering in Banality
    - ICANN! No U CANN't!
    - roving_reporter
    - DNS: A Short History and a Short Future

    David Farber
    - Overcoming ICANN (PFIR statement)

    A. Michael Froomkin
    - When We Say US™, We Mean It!
    - ICANN 2.0: Meet The New Boss
    - Habermas@ discourse.net: Toward a Critical Theory of Cyberspace
    - ICANN and Anti-Trust (with Mark Lemley)
    - Wrong Turn in Cyberspace: Using ICANN to Route Around the APA & the Constitution (html)
    - Form and Substance in Cyberspace
    - ICANN's "Uniform Dispute Resolution Policy"-- Causes and (Partial) Cures

    Milton Mueller
    - Ruling the Root
    - Success by Default: A New Profile of Domain Name Trademark Disputes under ICANN's UDRP
    - Dancing the Quango: ICANN as International Regulatory Regime
    - Goverments and Country Names: ICANN's Transformation into an Intergovernmental Regime
    - Competing DNS Roots: Creative Destruction or Just Plain Destruction?
    - Rough Justice: A Statistical Assessment of the UDRP
    - ICANN and Internet Governance

    David Post
    - Governing Cyberspace, or Where is James Madison When We Need Him?
    - The 'Unsettled Paradox': The Internet, the State, and the Consent of the Governed

    Jonathan Weinberg
    - Sitefinder and Internet Governance
    - ICANN, Internet Stability, and New Top Level Domains
    - Geeks and Greeks
    - ICANN and the Problem of Legitimacy

    Highlights of the ICANNWatch Archive
    (June 1999 - March 2001)

    Security The Rise of a malicious resolution authority
    posted by tbyfield on Tuesday May 13 2008, @08:34PM

    Jart writes "With an interest in Internet Security the recent research paper recently by David Dagon, Niels Provos, et al., suggests we take an acute interest in ICANN[:]

    “291,528 hosts on the Internet performing either incorrect or malicious DNS service. With DNS resolution behavior so trivially changed, numerous malware instances in the wild, we urge the security community to consider the corruption of the resolution path as an important problem.” [See (]http://www.citi.umich.edu/u/provos/papers/ndss08_d ns.pdf[).]

    If you connect this to what now is the "auto" generation and registration of new malware and rogues domains via certain registrars. [See (]http://hostexploit.com[).]

    As an emerging problem must [this] be a top priority for ICANN? However, I have not seen any particular reference, perhaps I am missing this? Or rather all of us should be paying much more attention to the who, what, and actions of ICANN?"

    [tbyfield adds: Indeed. Dagon, Provos, et al. state in the paper's abstract:
    We study and document an important development in how attackers are using Internet resources: the creation of malicious DNS resolution paths. In this growing form of attack, victims are forced to use rogue DNS servers for all resolution. To document the rise of this "second secret authority" on the Internet, we studied instances of aberrant DNS resolution on a university campus. We found dozens of viruses that corrupt resolution paths, and noted that hundreds of URLs discovered per week performed drive-by alterations of host DNS settings. We used the rogue servers discovered in this analysis to document numerous live incidents on the university network. To measure this problem on the larger Internet, we generated DNS requests to most of IPv4, using a unique label query for each request. We found 17 million hosts responding, and further tracked the resolution path they used to reach our NS. Unable to find plausible harmless explanations for such a large number of open recursive hosts, we queried 600,000 of these open resolvers for "phishable" domains, such as banks and anti-virus companies. We found that 2.4% of this subsample would reply with incorrect answers, which extrapolates to 291,528 hosts on the Internet performing either incorrect or malicious DNS service. With DNS resolution behavior so trivially changed, numerous malware instances in the wild, and so many other hosts providing incorrect and misleading answers, we urge the security community to consider the corruption of the resolution path as an important problem.
    If ICANN had taken a very different path than its post-9/11 "security theater"—which unfortunately involved Bruce Schneier, a strong advocate, if not coiner, of that phrase—they'd be in a better position to encourage responses to this kind of problem. But even if they'd done a stellar job, an unwieldy organization with a problematic relationship to consensus would never be able to keep pace with the systematic 'molecular' probing of network weaknesses. For an overview of how ICANN views its relationship to security—and what "security" entails—try this:
    icann.org > [top menu bar] Site Index > "S" > Security and Stability Advisory Committee (SSAC)
    Compare Dagon, Provos, et al.:
    We study and measure a growing threat against this service whereby individual infected computers are directed to use "rogue" DNS services instead of those provided by their network. This trend differs from traditional DNS attacks, such as poisoning, since it targets individual users instead of servers.
    Not pretty.]

      ICANNWatch Login  


    [ Don't have an account yet? Please create one. It's not required, but as a registered user you can customize the site, post comments with your name, and accumulate reputation points ("karma") that will make your comments more visible. ]

      Related Links  
    · ICANN
    · Jart
    · http://www.citi.umich.edu/u/pr ovos/papers/ndss08_d ns.pdf
    · http://hostexploit.com
    · More Security stories
    · Also by tbyfield
    This discussion has been archived. No new comments can be posted.
    The Rise of a malicious resolution authority | Log in/Create an Account | Top | 3 comments | Search Discussion
    Click this button to post a comment to this story
    The options below will change how the comments display
    Check box to change your default comment view
    The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
    Commentary on Loopholes
    by Fergie on Tuesday May 13 2008, @10:10PM (#16987)
    User #4118 Info | http://fergdawg.blogspot.com/
    In this same vein, it is important to understand that the entire Domain Registry process is being exploited utterly and completely by criminals.

    There is no question on this issue,

    The latest, interesting commentary on this is provided by "RBN Exploit" -- a blog dedicated to ferreting out the Russian & Ukrainian criminals that are (among other things) exploiting the entire Internet ecosystem for illicit financial gain.

    http://rbnexploit.blogspot.com/2008/05/rbn-partner s-official-sponsors-of-icann.html


    - ferg

    [ Reply to This | Parent ]
    The more things change
    by fnord (reversethis-{moc.oohay} {ta} {k2yorg}) on Wednesday May 14 2008, @10:16PM (#16988)
    User #2810 Info
    As it happens, Paul Twomey is the subject of a CircleID news [circleid.com] article today regarding internet security. The main threat recognized by ICANN since before its inception apparently remains Intellectual Property theft. He should get out more. -g
    [ Reply to This | Parent ]

    Search ICANNWatch.org:

    Privacy Policy: We will not knowingly give out your personal data -- other than identifying your postings in the way you direct by setting your configuration options -- without a court order. All logos and trademarks in this site are property of their respective owner. The comments are property of their posters, all the rest © 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008 by ICANNWatch.Org. This web site was made with Slashcode, a web portal system written in perl. Slashcode is Free Software released under the GNU/GPL license.
    You can syndicate our headlines in .rdf, .rss, or .xml. Domain registration services donated by DomainRegistry.com