The worst thing about the exploit -- Have you done your part?

Ben Croswell ben.croswell at gmail.com
Sat Jul 26 13:38:22 UTC 2008


I completely understand your point on this.
At work I keep getting asked about patching, firewalls, etc.  The scary
thing for our risk folks is no matter how locked down we make our
infrastructure we can't prevent other DNS servers from getting owned in
regards to our domains.  Which leads right to phishing and other malicious
activities.
I also see a lot of people calling for DNSSEC to fix the underlying issue,
but unless I am mistaken DNSSEC won't fix the issue unless we have close to
100% adoption rate.

-- 
-Ben Croswell

On Sat, Jul 26, 2008 at 9:28 AM, Alan Clegg <Alan_Clegg at isc.org> wrote:

> BIND-USERS,
> One issue about this exploit that I think a lot of people may be
> overlooking is the fact that it does not directly impact the OWNER of
> the DNS records in question, but the CONSUMERS of that data.
>
> As the owner of "my-cheap-rail-tickets-online.com", you can patch
> everything you own, ensure that your firewalls are perfect, and hire
> five extra DNS admins, but it's not going to help you keep your clients
> healthy and happy.
>
> Your clients are the mom-n-pop users -- the folks at the end of the
> ISP's feeding chain.  The people that don't know the difference between the
> US state code for Tennessee and the country code for Tunisia.  The folks
> using "Billy Bob's Bait-and-Tackle (and Internet Stuff)" as a provider.
>
> Your business depends on Billy Bob getting his recursive servers fixed
> so that your customers can still get to your website (or the websites of
> your co-located customers, etc.)
>
> Does that scare anyone?  It scares me.. a lot.
>
> How do we get out and inform Billy Bob that something that has been
> working just fine for years is suddenly not quite so perfect and that
> his customers might be affected?
>
> Additionally, Billy Bob's customers are going to be affected in ways
> that don't directly affect his operations, so it's hard to get him to
> understand why he needs to do anything.  His customers will still be
> sending him the check every month even if their login information for
> "my-cheap-rail-tickets" was siphoned off to someone in a foreign land.
>
> By being on this list, you have proven that you actually are interested
> in the DNS infrastructure.  If you look around, you won't see Billy Bob
> here, and yet, he affects YOUR customers, and by that, your profit
> margin (or reputation).
>
> What can we as the bind-users community do about Billy Bob?
>
> Have you contacted your local ISPs (or tested their servers since they
> well may be open recursors?)  Have you pounded the pavement and talked
> to folks at your local users groups and tech gatherings about the problem?
>
> I'm willing for anyone to use my slides (http://alan.clegg.com/800113)
> as the basis for spreading the word.  Make presentations.  Tell your
> friends.  Tell your colleagues.  TELL YOUR COMPETITION.
>
> I'm planning to have a video of me giving the presentation on-line soon
> so that the nuances of the presentation are more clear, but if you have
> any questions regarding it before then, please send me mail (off-list).
>
> The storm is coming.. have you done your part?
>
> AlanC