2005 OARC Workshop (Redwood City)

Meeting notes and (most) slide copies from the 2005 DNS OARC workshop.

Brett Watson/Michael Graff - OARC - Web site changes

We've added Forums to enable members to more easily post security incidents, outage notifications, and even research topics, book/article reviews, etc. Michael and Brett ran a demo of the new site. Members generally felt that this was a step in the right direction to get more member participation on the site.

There was discussion of enabling a post-only mechanism so that member NOCs could open tickets for various incidents in their own systems and have a post made to the OARC site in a particular forum. Members felt that having a separate site to log incidents would prevent them from doing it.

There was also discussion of feeding incidents into Jabber, but to individual members rather than a conference room. Michael said that feeding to a conference room would be difficult to deal with with respect to ACLs. Feeding incidents to individual Jabber users is the only way to ensure the trust mechanisms (who can see certain incidents/announcements/etc.) hold. Brett and Paul encouraged members with Jabber accounts to join the member conference room, or to ask for an account if they don't have one.

Michael Graff - OARC - Syslog data syndication

Michael briefly described a method for feeding "incident data" from members' systems into a central OARC repository. This might include SSH failed login attempts, or any type of event that is "logged" on a system. The idea is to generate "trending" of events that might affect the DNS. OARC has developed a strawman client/server protocol to enable this type of data feed. Members didn't have any feedback on the idea.

John Kristoff says: If it helps any, I have a simple script that can be run against your message logs that spits out detected SSH brute force attacks. I have some additional log message types (e.g. from ssh.com) to add to the script, but haven't gotten around to it yet.
sshdict written in Perl is here.

Suzanne Woolf - OARC - Internet Governance

Suzanne's slides

Question: how many of you have worked closely with your governments on these issues? (About 5 people raised hands.) Answer: we all need to be involved; governments don't get it, and need our help. And they're generally willing to listen to someone who can help them. People of the world are watching us to see if we're doing our job, and we need to be able to talk about what we do and how we do it.

Paul Vixie: I'm not as optimistic about all of this, as you know. But we do need to show up. Governments are ignorant, but they're not stupid. They are more open-minded than most think.

kc claffy: would you make a prediction about how you think this space will look in 5 years? You're obviously more optimistic than Paul.

Suzanne Woolf: I think chaos is a real risk, but I think people are averse enough to that, and maybe we have enough critical mass to do something about it.

kc: will the ITU be in charge of the namespace in 5 years?

Suzanne: no, I don't think there's a mechanism for that. I don't even see them getting the charter; the USG has said "no".

Gadi Evron: I'm not as involved in these areas, but whenever I tried to get involved in the past, I got pissed, because I saw that everyone had their own agenda, their own angle.

Suzanne: they talk a different language, but they can be understood. We have to learn their language.

Brian Reid: if OARC were to somehow define a measurement base of what it means for the Internet to "work", I think that would be very valuable.

Suzanne: defining terminology and definitions, I agree, would be very valuable.

Paul: I think the terminology doesn't actually matter; I think these people know what's at stake. I think in 4-5 years we're going to have balkanization... I think this will be in our rear-view mirror "soon".

Gadi: is the Internet "critical infrastructure"? Before everyone hits me... I mean, if the "Internet goes down"... will the world really stop?
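Going back to the syslog syndication item: the kind of check John Kristoff's sshdict performs, as an added Python example that is neither his Perl script nor OARC's feed client. It scans constructed OpenSSH syslog lines and reports sources whose failed logins exceed a threshold inside a sliding time window; the regex, threshold and window length are this example's assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# OpenSSH auth-failure lines as they appear in a syslog "messages" file.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)

def parse_failures(lines, year=2005):
    """Yield (timestamp, source_ip, user) for each failed-login line."""
    for line in lines:
        m = FAILED_RE.match(line)
        if m:  # accepted logins and other daemons are ignored
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"]

def detect_bruteforce(lines, threshold=5, window_s=60, year=2005):
    """Return {source_ip: (total_failures, distinct_users)} for every source
    with at least `threshold` failures inside one `window_s`-second window."""
    by_ip = defaultdict(list)
    for ts, ip, user in parse_failures(lines, year):
        by_ip[ip].append((ts, user))
    hits = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end, (t_end, _) in enumerate(events):
            while (t_end - events[start][0]).total_seconds() > window_s:
                start += 1  # slide the window forward past old events
            if end - start + 1 >= threshold:
                hits[ip] = (len(events), len({u for _, u in events}))
                break
    return hits

# Constructed sample log (RFC 5737 documentation addresses), not a real capture.
SAMPLE_LOG = """\
Mar 12 04:10:01 ns1 sshd[2231]: Failed password for invalid user admin from 192.0.2.10 port 40122 ssh2
Mar 12 04:10:04 ns1 sshd[2233]: Failed password for invalid user oracle from 192.0.2.10 port 40130 ssh2
Mar 12 04:10:07 ns1 sshd[2235]: Failed password for root from 192.0.2.10 port 40141 ssh2
Mar 12 04:10:09 ns1 sshd[2237]: Failed password for invalid user guest from 192.0.2.10 port 40150 ssh2
Mar 12 04:10:12 ns1 sshd[2239]: Failed password for root from 192.0.2.10 port 40163 ssh2
Mar 12 04:31:40 ns1 sshd[2290]: Failed password for duane from 198.51.100.7 port 51002 ssh2
Mar 12 04:31:52 ns1 sshd[2290]: Accepted password for duane from 198.51.100.7 port 51002 ssh2
""".splitlines()

if __name__ == "__main__":
    for ip, (n, users) in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {n} failed logins against {users} distinct user names")
```

The single failure from 198.51.100.7 followed by an accepted login is the mistyped-password case the window threshold is meant to leave alone.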
Duane Wessels - CAIDA - DSC and DNS Poisoning

Duane's DSC slides
Duane's Poisoning slides

(There was no discussion re: DSC.)

DNS Poisoning: There was some general discussion regarding stupidity vs. malicious intent with respect to poisoning. Duane felt that most was probably due to laziness/stupidity. Rodney Joffe commented that there is money to be made by malicious registrars and marketers who make money on redirects for invalid domain names, hijacking domains, etc. Rodney felt poisoning was probably more due to malicious intent.

Andreas Terzis - Johns Hopkins University - On the Use of Anycast in DNS

Andreas' slides

Lorenzo Colitti - RIPE - Effects of Anycast on K-root

Lorenzo's slides

Some speculation as to what the graphs in the slides are telling us. (Had to move on to the next presentation.)

Suzanne Woolf - OARC - Anycast Experiment Plan

Suzanne's slides

George Michaelson - APNIC - RIR delegation reports and address-by-economy measures

George's slides

Andre Broido has done some similar research, and essentially agreed with all of George's assumptions/positions.

David Malone - The Root of the Matter: Hints or Slaves

David's slides

David Dagon - Georgia Institute of Technology - BOTnet detection

(Promised slides never received)

Jon Crowcroft - University of Cambridge - Communications Research Challenges

Jon's slides

kc and Jon bantered about the issue of government owning or not owning the network infrastructure. Jon does not want the government to own/control it, but does think that some light regulation/control is necessary for the early period (not sure what time period is optimal). The entity that builds the infrastructure has to get an ROI, so light regulation may be necessary so they are not "forced" to allow open access by other 'carriers'. But as time goes on, more regulation may be necessary to foster competition and drive costs down. This is a similar problem to that faced by water, power, telephone, cable/DSL ISPs, and other public service utilities.
David Dagon - Georgia Institute of Technology - Karstnet

(Promised slides never received)

Micah Hoffman - US CERT - BOTS - a Botnet Tracking Web Application

Micah's presentation

US-CERT is a clearing house of information, primarily for government agencies, but is getting more involved with clearing information for the public (registrars, DNS ops, ISPs, etc.). US-CERT is building a web-based database for tracking botnets, infections, etc., keeping a history of past events and information related to the IP addresses used, networks used, etc.

Q: how do you protect the database against hacks?
Micah: standard system and network hardening, access controls, etc.

Micah: we want to build a small, trusted community of people with this project, like the "old days" with root-ops, InterNIC, etc., where you can pick up the phone and get in touch with the good guys.

Q: you're talking about a human entering this information... what about the information that's posted to the DA list?
A: we'd like DA to become a discussion list, and use this system to enter the data on botnets, trends, stats, etc.... rather than someone transcribing data from the mailing list. We could also dump data to the list in a machine-parsable format like XML, etc., to enable people to run scripts on mail and parse data, adding to a database, etc.

Paul: what assurance can you give folks in this room that this isn't part of the dreaded DHS empire?
Micah: we don't own the data; we're guests/members of Gadi's list.
Paul: what if Gadi's list (members) decide they are perfectly happy to deal with North Korea? What will be our government's reaction?
Micah: I don't think I can answer that. I'm one of the grunts... I can say that we really are just interested in the data and trends, and analyzing the data.
Gadi: all parties so far have been very instrumental and balanced in their involvement... US-CERT is a member; the community decides what it wants. But it doesn't belong to US-CERT. The membership runs "DA".
Gadi Evron - Israeli CERT - Drone Army/Malware Phishing Project

(Promised slides never received)

Some discussion ensued about whether or not the "number of existing bots on the Internet" was interesting. Gadi said he doesn't really care: take down the botnets and command/control hosts. Others in the room are interested in the numbers.

Duane Wessels - CAIDA - dnsflow - Netflow for DNS

Duane's slides

Minor discussion on some features/options.

Brian Reid - ISC - Domain Survey

(Promised slides never received)

Several folks asked why not do both the forward and reverse zone walks... Brian said that doing the forward zone is untenable to stay within the quarterly report timeframe. Brian wants to keep the survey in "something approximating real time". A forward walk would take "a long time".

Q: what about IPv6?
A: Paul said data is too sparse to do it now; Brian said "at least for now, but maybe we'll never do IPv6"... many other standard comments about IPv6.

George Riley - Georgia Institute of Technology - DNSSEC - Client Puzzles

George's slides

There are false positives with Bloom filters, but you can arbitrarily decrease the number of false positives. However, there are never false negatives.

This process might itself become an algorithmic complexity attack if the attacker can guess certain values used in the process. This seems quite solid given the use of random number generation; you can't really attack a good random number generator.

A large botnet (hundreds of thousands or one million hosts) might be able to overwhelm the CPU on the server that is computing puzzles.

We don't keep state on the puzzles solved per client. Puzzles are computed at specific intervals and regenerated at specific intervals.

We would obviously have to add the sending of puzzles and reception of answers to the existing protocol.

We still can't answer the bandwidth problem; bandwidth is easier to overwhelm than the server.
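An added illustration of the properties discussed above, not George's design or code: a client puzzle the server recomputes from the client address and the current interval (so no per-client state is kept), a client-side solver, and a Bloom filter that records used solutions so a replayed answer is always rejected while a fresh one is only rarely misreported as seen. The HMAC construction, the interval length, the difficulty and using the filter for replay checks are assumptions of this example.

```python
import hashlib
import hmac
import os
import struct

INTERVAL = 300   # seconds; puzzles are regenerated every interval (assumed value)
SERVER_KEY = os.urandom(32)   # hypothetical server secret for this example

def puzzle_for(client_ip, now, key=SERVER_KEY):
    """Stateless puzzle: an HMAC over the client address and the current interval,
    so the server recomputes it rather than storing anything per client."""
    epoch = int(now) // INTERVAL
    msg = f"{epoch}:{client_ip}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()[:16]

def leading_zero_bits(digest):
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def solve(puzzle, difficulty):
    """Client side: find a nonce so H(puzzle||nonce) has `difficulty` leading zero
    bits; expected cost is about 2**difficulty hashes."""
    nonce = 0
    while leading_zero_bits(hashlib.sha256(puzzle + struct.pack(">Q", nonce)).digest()) < difficulty:
        nonce += 1
    return nonce

class BloomFilter:
    """May report an item as seen when it was not (false positive, tunable via
    m_bits and k) but never misses an item that was actually added."""
    def __init__(self, m_bits=8192, k=4):
        self.bits, self.m, self.k = bytearray(m_bits // 8), m_bits, k
    def _idx(self, item):
        for i in range(self.k):   # k positions from salted SHA-256
            yield int.from_bytes(hashlib.sha256(bytes([i]) + item).digest()[:4], "big") % self.m
    def add(self, item):
        for i in self._idx(item):
            self.bits[i // 8] |= 1 << (i % 8)
    def __contains__(self, item):
        return all(self.bits[i // 8] >> (i % 8) & 1 for i in self._idx(item))

def verify(client_ip, nonce, now, difficulty, seen, key=SERVER_KEY):
    """Server side: recompute the puzzle for this interval, check the work, then
    reject replays of an already-used solution via the Bloom filter."""
    proof = puzzle_for(client_ip, now, key) + struct.pack(">Q", nonce)
    if leading_zero_bits(hashlib.sha256(proof).digest()) < difficulty:
        return False   # wrong interval or insufficient work
    if proof in seen:  # replayed, or (rarely) a Bloom false positive: client retries
        return False
    seen.add(proof)
    return True
```

A solution found in one interval stops verifying once the interval rolls over, which is what bounds how long a precomputed answer stays useful.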
Everyone felt that this was a solid solution, aside from some seemingly outside cases of possible failure modes noted above.

kc claffy - CAIDA - Discussion on RFC 1918 updates to AS112

General discussion, no slides.

Has anyone solved this problem?
kc: given that any solution seems to entail modifying client code...
Paul: pointing RFC 1918 updates at "localhost" would not require a code change; it would require IANA to make changes (and the IAB)... then someone would say "but I want to use 1918 in my enterprise, and run my own name server"...
kc: Is the problem big enough to worry about?
Paul: it burns a lot of bandwidth.
Paul: all DNS vendors should mandate reasonable defaults in configurations. If you're in 1918 space, you should do nothing unless someone checks the specific check box.

kc claffy - CAIDA - Presenting Nevil Brownlee slides on anycast/rtt work

Nevil's slides

Paul Vixie - ISC - DNSSECbis Lookaside Validation

Paul's slides

Rick Wesson from Alice's Registry: "when can I do this? All I need to do is write code, right? How soon can I have this?"
Paul: I don't think there's a role for you in this, Rick.
Rick: why not? You want to get this "out there"; I have relationships with registrars...
Rick: Registrars want to make money, you don't; they'll go for it.
Paul: I didn't say I don't want the money.
kc: I don't understand the idea of just "pulling the plug"...
Paul: once everything is signed, then there's no need for this; we won't have a big marketing push, we'll just say it's time to shut it down.
Michael Graff: when Verisign starts charging $5000, my personal domain (me) can't afford that; at what point do you stop serving the little guys and they have to pay up?
Paul: that would probably cause DLV to last longer, but I know that DLV won't scale to the size of the Internet.
Lorenzo: what happens when the root key gets compromised?
Paul: without automated roll-over, DNSSECbis is doomed to failure...
Paul: I'm not saying the IETF is wrong for not including this; it's a stop-gap, and it's the best I could do from this standpoint...

Tim Deegan - University of Cambridge - Centralized DNS

(Promised slides never received)