On Thu, Jun 27, 2013 at 01:38:48PM +0000, Michele Neylon :: Blacknight wrote:
> Furio
> If you're going to make statements about 3rd parties you should try to restrict yourself to facts and not make broad sweeping statements.
Not sure about "broad sweeping". I gave my opinions for what they are worth. The facts are out there, several links have been given already and I do not see the need to go through them in a list post.
> On 27 Jun 2013, at 14:13, furio ercolessi <furio+as@spin.it> wrote:
>> Therefore the responsibility for terminating C&C domains lies on the registries, not on the DNS providers (that may not even exist).
> Not necessarily.
> If registries are going round the place pulling domains it causes headaches for registrars - and the registries don't have a contract / agreement with the registrant
> While this may be different with ccTLDs you haven't specified that you're only referring to ccTLDs ..
Sorry, yes, I was referring to ccTLDs. More generally one could refer to the domain registration system, including registrars and registries but specifically excluding the DNS provider. [ Still, for very serious issues involving cybercrime it could be reasonable to have a nucleus of competence coordinating remedies within the registries, since there are wide differences between different registrars (in skills, resources, ethics etc), and registrars tend to not listen to abuse reports from users and security organizations. (There are exceptions for sure!) ]
> And I don't see how a domain can resolve without a DNS provider - that makes zero sense.
In fastflux there is a DNS server somewhere but you would not be able to locate it from DNS records. All you can find from the NS delegations of the domain and the corresponding A records are machines running malware without their owner knowing it. That malware is basically a DNS proxy that sends the query to the real server and passes the answer back. All the involved NS domains are cybercrime domains. Killing those machines does not accomplish any result as far as the botnet operation is concerned, while killing the domains may result in a major disruption of the botnet.
>> The .AT and .LV cases have been two rather dramatic cases where the registries were sitting there doing nothing for a very long time, while the word spread among criminals that they were a 'safe haven'.
> That's highly defamatory.
> I don't think the managers of either ccTLD would appreciate anyone referring to them using that tone.
I am sorry if they get offended, but I think I described fairly well the net outcome as observable from outside. 'Doing nothing' reflects an absence of observable actions, not a lack of actions. There could have been a large amount of internal discussions and meetings, possibly board meetings too, which did not produce any observable action with respect to abuse mitigation for rather long times. Again, this is the past, and I do not think anyone working in these organizations should be personally blamed. It is quite common and normal that structured organizations are unable to address effectively an unexpected issue on a short timescale, and I can see that there could be very good reasons for this. But it is also my belief that, when this happens, applying a pressure to have things fixed as quickly as possible is healthy for the system as a whole, particularly when the positive and negative effects are integrated over time. Applying pressure is not a pleasant thing for both parties involved, as any parent reprimanding his/her child would know - but it is a healthy thing for everybody when you look at it on a larger timescale and on a larger perspective.
>> Similar problems have then occurred in .PL and .RU as well.
> Again - broad sweeping statements.
> I'd take you more seriously if you referred to the current state of play and not some past issues that have been addressed
Broad sweeping? It is a one-line summary of a rather huge cybercrime problem on these ccTLDs. This is peripheral to the current discussion - it may deserve a separate thread, but I am not sure if this would be the proper forum for this discussion as no RIPE resource would be involved.

furio ercolessi
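The fast-flux structure described in the reply above (a C&C domain delegated to NS hosts whose A records point at many unrelated, short-lived IPs of infected machines acting as DNS proxies) can be checked from repeated NS and A lookups. The following is an added example, not code from the thread or from any of its participants: it runs a flux heuristic over constructed resolution snapshots and compares the two remediation levers discussed (cleaning the machines versus suspending the NS domains). Every domain name, IP address, TTL and threshold below is a constructed assumption; the "registrable domain" helper is a crude last-two-labels approximation rather than a Public Suffix List lookup.

```python
"""Fast-flux NS heuristic over constructed DNS snapshots (added example,
not part of the original thread). All data and thresholds are assumptions."""
from collections import defaultdict
import ipaddress

# Constructed snapshots: (epoch_seconds, domain, ns_host, ns_ip, ttl), as if
# collected every ~10 minutes from NS lookups followed by A lookups of each NS.
# The flux domain's NS hosts resolve to a different set of IPs each round;
# the comparison domain is stable, long-TTL hosting.
SNAPSHOTS = [
    (0,    "cc-example.test", "ns1.flux-example.test", "203.0.113.7",    120),
    (0,    "cc-example.test", "ns2.flux-example.test", "198.51.100.23",  120),
    (600,  "cc-example.test", "ns1.flux-example.test", "192.0.2.41",     120),
    (600,  "cc-example.test", "ns2.flux-example.test", "203.0.113.190",  120),
    (1200, "cc-example.test", "ns1.flux-example.test", "198.51.100.77",  120),
    (1200, "cc-example.test", "ns2.flux-example.test", "192.0.2.9",      120),
    (1800, "cc-example.test", "ns1.flux-example.test", "203.0.113.7",    120),
    (1800, "cc-example.test", "ns2.flux-example.test", "198.51.100.150", 120),
    (0,    "stable.example",  "a.ns.stable.example",   "192.0.2.200",  86400),
    (0,    "stable.example",  "b.ns.stable.example",   "192.0.2.201",  86400),
    (600,  "stable.example",  "a.ns.stable.example",   "192.0.2.200",  86400),
    (600,  "stable.example",  "b.ns.stable.example",   "192.0.2.201",  86400),
    (1200, "stable.example",  "a.ns.stable.example",   "192.0.2.200",  86400),
    (1200, "stable.example",  "b.ns.stable.example",   "192.0.2.201",  86400),
    (1800, "stable.example",  "a.ns.stable.example",   "192.0.2.200",  86400),
    (1800, "stable.example",  "b.ns.stable.example",   "192.0.2.201",  86400),
]


def registrable(name):
    """Crude registrable-domain guess (last two labels). Assumption: a real
    tool would consult the Public Suffix List instead."""
    return ".".join(name.rstrip(".").split(".")[-2:])


def features(snapshots, domain):
    """Per-domain flux features: NS host/domain counts, distinct NS IPs and
    /24s, the smallest TTL seen, and IP churn between consecutive rounds."""
    rows = [s for s in snapshots if s[1] == domain]
    ips_by_round = defaultdict(set)
    for t, _, _, ip, _ in rows:
        ips_by_round[t].add(ip)
    rounds = sorted(ips_by_round)
    all_ips = set().union(*ips_by_round.values())
    new, total = 0, 0
    for prev, cur in zip(rounds, rounds[1:]):
        total += len(ips_by_round[cur])
        new += len(ips_by_round[cur] - ips_by_round[prev])
    return {
        "ns_hosts": len({s[2] for s in rows}),
        "ns_domains": len({registrable(s[2]) for s in rows}),
        "ips": len(all_ips),
        "prefixes24": len({ipaddress.ip_network(f"{ip}/24", strict=False)
                           for ip in all_ips}),
        "min_ttl": min(s[4] for s in rows),
        "churn": new / total if total else 0.0,
    }


def is_fast_flux(f, min_ips=5, min_prefixes=3, max_ttl=300, min_churn=0.5):
    """Flag a domain whose NS infrastructure is spread over many IPs in
    many prefixes, with short TTLs and high round-to-round churn.
    Thresholds are illustrative assumptions, not published values."""
    return (f["ips"] >= min_ips and f["prefixes24"] >= min_prefixes
            and f["min_ttl"] <= max_ttl and f["churn"] >= min_churn)


def takedown_targets(f):
    """The two levers from the thread: machines to clean (the NS IPs, which
    keep rotating) versus NS domains whose suspension breaks the delegation."""
    return {"machines_to_clean": f["ips"],
            "ns_domains_to_suspend": f["ns_domains"]}


def analyse(snapshots):
    """Run the heuristic over every domain present in the snapshots."""
    report = {}
    for domain in sorted({s[1] for s in snapshots}):
        f = features(snapshots, domain)
        report[domain] = {"fast_flux": is_fast_flux(f), **f,
                          **takedown_targets(f)}
    return report


if __name__ == "__main__":
    for domain, r in analyse(SNAPSHOTS).items():
        print(domain, r)
```

On the constructed data the flux domain is flagged with 7 distinct NS IPs across 3 prefixes and 100% churn between rounds, yet only one NS domain behind those hosts, which is the asymmetry the reply describes: cleaning individual proxies does not shrink the pool, while suspending the NS domain removes the delegation.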