[dns-operations] Fwd: root-servers.net and gtld-servers.net bit-flipped variants

Kim Davies kim.davies at icann.org
Wed Oct 16 15:24:13 UTC 2013


(Just sending to dnsops as it seems all the right people are on this list.)

I don't know if this is still something that would interest us. He would like us to continue to provide him packet captures if we take over the domains to enable ongoing research.

I am less worried about the actual resources to do this, it is probably largely set and forget, but I imagine there are some liability questions. Have we dealt with similar things with DITL captures?

Any thoughts?

kim

Begin forwarded message:

From: Nick Freeman <nick.freeman at security-assessment.com>
Subject: Re: root-servers.net and gtld-servers.net bit-flipped variants
Date: October 15, 2013 5:03:14 PM PDT
To: Kim Davies <kim.davies at icann.org>
Cc: Sebastian Castro <sebastian at nzrs.net.nz>, Gregory Patrick <gpatrick at verisign.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Kim,

I am happy to put together a research proposal. Is there a template or
any format you would prefer to receive it in? The resources required
from ICANN would be:

a) a VM to be authoritative for the 'bit-flipped' servers, running tcpdump
b) a (preferably automated) method to deliver me the PCAP file once
a week for processing.

Hopefully this wouldn't require too much work to be accepted.
Alternatively, I am happy to hold on to the domains until they are due
to expire.

I will give you access to the reporting interface once I have tidied
it up a bit. I believe that, while the 'bit-flip' incidents happen
quite rarely, the potential impact when one does occur can be serious
- and would be worth conducting further research on.


Best regards
Nick

On 16/10/13 11:58, Kim Davies wrote:
> Hi Nick,
>
>> Thanks for your email, and also for agreeing to take over the
>> domains. I would like to keep the domains until I have completed
>> my upcoming presentation at Kiwicon (November 9th) - the week
>> after that would be ideal for making the transfer.
>
> Of course, they are your domains so it is up to you how you wish to
> do this.
>
>> Something I am hoping for is that, while handing over the
>> domains, to continue carrying out the research. If possible, I
>> would like to receive a data feed (pcaps, ideally) of the
>> requests for the bit-flipped domains, so I can continue trying to
>> correlate events (heat waves, increased cosmic ray activity,
>> radiation issues etc) with servers being victims of bit flip
>> attacks. I would of course be happy to share my findings from
>> this with you. Would this be possible please?
>
> Based on what we have been told so far, our only intention
> was basically to hold the domain registrations but not do anything
> with them. i.e. probably hold them undelegated. Anything that would
> involve standing up servers or other facilities has not been
> discussed within our organisation.
>
> Whether it makes sense for ICANN to do so will depend on what such
> research is expected to result in, and whether that is in line with
> our mission. If you have a specific research proposal in mind on
> what you'd like us to do I can propose it internally. Likely such
> activity would be sponsored by our Security department, rather than
> IANA where I am based.
>
>> Secondly, do you have any plans on contacting the registrants of
>> the remaining 6 root-server bitflips?
>
> I had no plans, but as with above, that is merely due to a lack of
> data on what the risks are and whether they are substantial enough
> to warrant significant actions by ICANN in this area. Even though
> we regulate aspects of the domain name system, we have no power to
> take these domains away from valid registrants under current
> policy, so anything along these lines would involve appealing to
> the existing registrant to come to some arrangement.
>
>> And finally - I ask only due to the number of domains - is there
>> any possibility of part of the cost of the domain registration
>> being returned to me? I used GoDaddy as a registrar as they had
>> what I found as the best bulk deal - but 101 domains still comes
>> to over NZD1000 per annum. I completely understand if this is not
>> possible but if it is, it would be appreciated.
>
> Given your thoughts above about this not being a simple handover
> but an ongoing commitment by ICANN, I think it makes the most sense
> to put together a proposal, and if you wish to have reimbursement
> as part of it, I would suggest including it.
>
> My discussions internally have basically been on the level this is
> cost neutral to us in the short term, and I received agreement it
> made sense on that basis. If I need to obtain budget for this
> activity, and dedicate ongoing resources to manage services such as
> packet collection, I will need to have a further conversation to
> determine if we are able to make more of a commitment on this
> project.
>
>> I am still in the process of writing slides but would be happy
>> to share them with you prior to the presentation, and if you
>> like, am also happy to provide access to the reporting
>> interface for the data I have collected so far (once I've tidied
>> it up a bit - it's very much cobbled together at this point!).
>
> Of course, we'd be happy to help out where we can.
>
> thanks!
>
> kim


--
Nick Freeman
Principal Security Consultant

Security-Assessment.com
Mobile: +64 21 424 777
Email : nick.freeman at security-assessment.com
Web   : http://www.security-assessment.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
-----END PGP SIGNATURE-----
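The "bit-flipped variants" the thread is about are the names one corrupted bit away from a seed such as root-servers.net that still parse as valid hostnames, which is what makes them registrable and lets a resolver that suffered a memory error send its queries to a stranger. The following is an added example for this page, not code from Nick Freeman, ICANN or the thread: it enumerates such candidates for a seed name, holding the TLD fixed and treating uppercase results as the same name. It does not check which candidates are registered or available, so its output is illustrative and is not the list of 101 domains the mail refers to.

```python
"""Enumerate single-bit-flip variants of a DNS name that are still valid hostnames.

Added example for this thread, not code from Nick Freeman or ICANN. It shows how
a 'bit-flipped' candidate list is derived from a seed name such as
root-servers.net; it does not reproduce the registered set discussed in the mail.
"""
import string

# Letters, digits and hyphen: the only bytes a valid hostname label may contain.
LDH = set(string.ascii_lowercase + string.digits + "-")


def valid_labels(name: str) -> bool:
    """True if every dot-separated label of `name` is a non-empty LDH label
    (at most 63 bytes) that neither starts nor ends with a hyphen."""
    return all(
        0 < len(lab) <= 63 and set(lab) <= LDH and lab[0] != "-" and lab[-1] != "-"
        for lab in name.split(".")
    )


def single_bit_flips(text: str):
    """Yield every string reachable from `text` by flipping exactly one bit of one byte."""
    for i, ch in enumerate(text):
        for bit in range(8):
            yield text[:i] + chr(ord(ch) ^ (1 << bit)) + text[i + 1:]


def bitsquat_domains(domain: str) -> list[str]:
    """Return the sorted set of distinct, valid hostnames one bit away from `domain`.

    The rightmost label (the TLD) is held fixed: a flip there lands outside the
    zone the seed name lives in, so it is not a name anyone could register to
    catch the traffic. Every other byte is tried, including the dots:
    '.' XOR 0x40 is 'n', which merges two labels into one new second-level
    name, and 'n' XOR 0x40 is '.', which splits a label and is rejected when
    that produces an empty label. Uppercase results (bit 5 of a letter) are
    rejected because DNS is case-insensitive, so they are not a different name.
    """
    prefix, tld = domain.lower().rsplit(".", 1)
    hits = set()
    for cand in single_bit_flips(prefix):
        if valid_labels(cand):
            hits.add(f"{cand}.{tld}")
    return sorted(hits)


def hamming_bits(a: str, b: str) -> int:
    """Number of differing bits between two equal-length ASCII strings,
    a sanity check that each candidate really is exactly one flip away."""
    return sum(bin(ord(x) ^ ord(y)).count("1") for x, y in zip(a, b))


if __name__ == "__main__":
    for seed in ("root-servers.net", "a.gtld-servers.net"):
        names = bitsquat_domains(seed)
        print(f"{seed}: {len(names)} single-bit-flip candidates")
        for n in names:
            print("  ", n)
```

Holding the TLD fixed is what makes the candidates registrable under the same registry as the seed; the dot-to-'n' case matters for the multi-label gtld-servers.net names, where a flipped separator yields a brand-new second-level name rather than a hostname under the real one. Which candidates are actually taken, and by whom, still has to be checked against WHOIS or RDAP before any conclusion is drawn.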
