20110527

DNS filtering: absolutely the wrong way to defend copyrights

By Matthew Lasar
 
Senator Ron Wyden (D-OR) has called the PROTECT IP Act "a threat to our economic future and to our international objectives." He characterized its predecessor as a "bunker-busting cluster bomb when what you really need is a precision-guided missile." The bill would force Domain Name System (DNS) operators to stop correctly resolving the names of so-called "rogue sites."

Is this sort of monkeying with the DNS a problem? Yes, say DNS experts in a new report (PDF) on the practice. In their view, DNS filtering provisions would make the Web less secure—and do little to stop illegal filesharing sites.

These rerouting measures "would weaken this important effort to improve Internet security," the paper contends. They would "enshrine and institutionalize the very network manipulation" that DNS security components fight "to prevent cyberattacks and other malevolent behavior on the global Internet, thereby exposing networks and users to increased security and privacy risks." Their widespread use would "threaten the security and stability of the global DNS" and create "significant risk of collateral damage, with filtering of one domain potentially affecting users' ability to reach non-infringing Internet content."

And in the end, they would do little to stop digital piracy. The authors say filters are easily evaded and would be of minimal help when it comes to cutting down on copyright infringement online.

The report is signed by five DNS experts from Shinkuro, Verisign, Georgia Tech, ICANN's Security Council, and the Internet Systems Consortium, and it appeared just before the PROTECT IP Act was placed on hold in the Senate at Wyden's request.

The authors say that they have no beef with strong enforcement of intellectual property rights, but this kind of IP policing makes them cringe. Here's why.

Such text shall specify

First, a quick primer on DNS. It's the reason why, if you want to visit the United States Senate's website, you can type "senate.gov" rather than its Internet Protocol address: 156.33.195.33. Domain name servers distributed around the world keep track of who has what IP number, aided by millions of recursive servers that make the number-to-name process much faster.

"Security and Other Technical Concerns Raised by the DNS Filtering Requirements in the PROTECT IP Bill"

What PROTECT IP would do is authorize the feds to serve a court order on an ISP, demanding that it take action against a US-based website accused of engaging in intellectual property theft. Specifically, the ISP would be required "to prevent the domain name described in the order from resolving to that domain name's Internet protocol address"—in other words, filtering or rerouting it elsewhere.

Wherever users would wind up, elsewhere-wise, they'd see a government announcement explaining the move. "Such text shall specify that the action is being taken pursuant to a court order obtained by the Attorney General," the bill says.

What these security folks especially don't like about this DNS redirection business is that it will mess with an up-and-coming extension for the system, called DNSSEC, which encrypts DNS records, making them more secure. DNSSEC's main objective is to protect consumers and sites from so-called "Man-in-the-Middle" attacks, in which a miscreant intercepts a digital conversation, and, pretending to be a trusted source, fleeces the user of her security data.

Ironically, PROTECT IP bears strong resemblance to such a hack, except that it is authorized by the government, the experts note.

"DNSSEC is being implemented to allow systems to demand verification of what they get from the DNS," they write. "PROTECT IP would not only require DNS responses that cannot deliver such proof, but it would enshrine and institutionalize the very network manipulation DNSSEC must fight in order to prevent cyberattacks and other miscreant behavior on the global Internet."

Defeat and circumvention

The first practical concern is that PROTECT IP redirection would defeat the primary purpose of DNSSEC:

The only possible DNSSEC-compliant response to a query for a domain that has been ordered to be filtered is for the lookup to fail. It cannot provide a false response pointing to another resource or indicate that the domain does not exist. From an operational standpoint, a resolution failure from a nameserver subject to a court order and from a hacked nameserver would be indistinguishable. Users running secure applications have a need to distinguish between policy-based failures and failures caused, for example, by the presence of an attack or a hostile network, or else downgrade attacks would likely be prolific.
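
The point of the passage above can be shown with a small model of a validating client, which accepts an answer only if its signature verifies against the zone's public key. This is an added example, not code from the report or the article; the key is a constructed toy textbook-RSA key standing in for a zone's DNSSEC signing key, and the names and addresses are placeholders.

```python
import hashlib

# Constructed toy zone key: textbook RSA over two Mersenne primes.
# Far too small for real use; it stands in for the zone's DNSSEC signing key.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, known only to the zone owner

def digest(name, rtype, rdata):
    h = hashlib.sha256(f"{name}|{rtype}|{rdata}".encode()).digest()
    return int.from_bytes(h, "big") % N

def zone_sign(name, rtype, rdata):
    """Zone owner: build a signed answer (record plus a signature stand-in)."""
    return (name, rtype, rdata, pow(digest(name, rtype, rdata), D, N))

def validate(answer, pubkey=(N, E)):
    """Validating client: return the record data, or 'FAIL' if nothing verifies."""
    if answer is None:                      # timeout or server failure
        return "FAIL"
    name, rtype, rdata, sig = answer
    n, e = pubkey
    if sig is not None and pow(sig, e, n) == digest(name, rtype, rdata):
        return rdata
    return "FAIL"                           # unsigned, or signature mismatch

def scenarios():
    genuine = zone_sign("example.com", "A", "192.0.2.10")
    name, rtype, _, sig = genuine
    return {
        "honest resolver": validate(genuine),
        # Filtering resolver rewrites the address to a notice page; it cannot re-sign.
        "court-ordered redirect": validate((name, rtype, "198.51.100.1", sig)),
        # Filtering resolver claims the name does not exist, with no signed proof.
        "court-ordered NXDOMAIN": validate((name, "NXDOMAIN", "", None)),
        # Filtering resolver simply refuses to answer.
        "court-ordered failure": validate(None),
        # Hostile network injects its own unsigned address.
        "attacker spoof": validate((name, rtype, "203.0.113.66", None)),
    }

if __name__ == "__main__":
    for case, outcome in scenarios().items():
        print(f"{case:24} -> {outcome}")
```

Every case except the honest one gives the application the same result, so the client cannot tell a policy-based failure from an attack.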

But while this mandated filtering would subvert DNSSEC's mission, rogue sites could still easily evade the purpose of the law. DNS filtering doesn't actually eliminate Internet content. It just points users away from a specific site. So the allegedly offending service can simply move to a new domain.

The paper notes that when US Customs Enforcement grabbed TVShack.net, the company just jumped to another domain. When authorities seized rojadirecta.com, the outfit relocated to rojadirecta.es, "which quickly reached levels comparable to that of the former domain."

Users can alter their computer to change the location of their DNS server to circumvent a redirect. But, more ominously, they can also have it changed for them by a website: "It is likely, if not inevitable, that infringement sites would use the same strategy, allowing a single site to instantly, silently, and permanently change a user's DNS path and evade DNS filtration and filtering." And these new DNS paths will likely lead to far less safe and secure websites outside of the United States.

Will consumers try to avoid this fate? The authors of this paper don't think so. Users seeking pirated content are often more interested in getting the content than the reputation of the provider. And besides—in many instances, they won't know that they are switching DNS servers.

"Those promoting pirate sites will simply create websites and postings that ask: 'Frustrated by getting filtered when you try to watch movies? Click here to fix the problem'," the article notes. "Long experience shows that high numbers of users will simply do just that; they will 'click here' and thereby quickly circumvent the intended roadblock through automated processes such as DNS changers."

Increased vulnerability

This potentially significant transfer of Web activity to far-less secure sites around the world will make cyberspace more dangerous in a variety of ways. First, the trend could expose many more consumers to malware sites:

In households with shared computers, one user (say, a teenage music sharer) may redirect the DNS settings, but then those settings would carry over to when the parent later did online banking on the same computer. The teenager's redirection also could redirect banking information and put it in jeopardy. The effects of increased security vulnerability will be felt not just by users, but by U.S. networks and businesses, including banks and credit card companies, which will internalize the costs of botnet disruptions, identity theft, and financial fraud.

And this insecurity could spill over not only to business and financial sites, but to government portals as well. 

Second, the rush to compensate for and work around PROTECT IP Act redirection would harm the ability of ISPs to keep their own networks secure. DNS traffic pattern data helps ISPs keep track of threats, especially denial-of-service attacks, botnet hosts, and compromised domains.

"As users increasingly turn to other DNS servers to avoid the DNS filtering, ISPs have less and less ability to manage security threats and maintain effective network operations," the paper warns. "By losing visibility into network security threats, ISPs will be less able to identify customer computers that have been infected by a virus and come under the control of a criminal botnet."

Third, reroutes of delivery to offshore servers could compromise the effectiveness of Content Delivery Networks (an example of a CDN would be Level 3, employed by Netflix to stream its video).

"To such networks, US users who have changed their DNS resolvers for all lookups will appear to the CDNs to be browsing from abroad," the writers contend. "As a result, these users could be routed to offshore servers not just for DNS queries, but also for content, undermining precisely the benefits CDNs provide by optimizing traffic distribution to account for proximity of client and server."

Collateral damage

Finally, there is the prospect of innocent sites getting caught in the crosshairs of a PROTECT IP redirect. For example, if example.com's DNS service is provided by isp.net and the latter is subject to a government-ordered filter, the move could "quite powerfully affect the usefulness" of the former.

And if an operator "filters the DNS traffic to and from one IP address or host, it will bring down all of the websites supported by that IP number or host," the authors contend. "The bottom line is that the filtering of one domain name or hostname can pull down unrelated sites across the globe."

Then there is the problem of subdomains, examples of which abound in the blogspot kingdom:

For example, blogspot.com uses subdomains to support its thousands of users; blogspot.com may have customers named Larry and Sergey whose blog services are at larry.blogspot.com and sergey.blogspot.com. If Larry is an e-criminal and the subject of an action under PROTECT IP, it is possible that blogspot.com could be filtered, in which case Sergey would also be affected, although he may well have had no knowledge of Larry’s misdealings.

A less hypothetical example would be that of the government redirect of mooo.com over child pornography charges. Within moments, 84,000 sites that shared the mooo domain name were displaying a child porn warning. The company repaired the problem, but warned mooo users that the warning banners might not go down for three days.
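
The three collateral-damage paths described in this section (a shared parent domain, a shared DNS provider, and a shared nameserver address) can be checked against a site inventory before a filter is applied. This is an added example, not code from the report or the article; the inventory, nameserver names and addresses are constructed, and the function names are hypothetical.

```python
# Constructed inventory (not real data): site -> authoritative nameserver,
# and nameserver -> address. Addresses come from documentation ranges.
SITE_NS = {
    "larry.blogspot.com":  "ns1.blogspot.com",
    "sergey.blogspot.com": "ns1.blogspot.com",
    "myblogspot.com":      "ns1.isp.net",
    "example.com":         "ns1.isp.net",
    "unrelated.org":       "ns.unrelated.org",
}
NS_ADDR = {
    "ns1.blogspot.com": "192.0.2.53",
    "ns1.isp.net":      "198.51.100.53",
    "ns.unrelated.org": "203.0.113.53",
}

def under(name, domain):
    """True if name is domain itself or a subdomain, matched on label boundaries."""
    name, domain = name.lower().rstrip("."), domain.lower().rstrip(".")
    return name == domain or name.endswith("." + domain)

def affected(filtered_domains=(), filtered_ips=()):
    """Return {site: reason} for every site a filter order would break."""
    hit = {}
    for site, ns in SITE_NS.items():
        for dom in filtered_domains:
            if under(site, dom):
                hit[site] = f"name falls under filtered domain {dom}"
            elif under(ns, dom) and site not in hit:
                hit[site] = f"nameserver {ns} falls under filtered domain {dom}"
        if NS_ADDR[ns] in filtered_ips and site not in hit:
            hit[site] = f"nameserver address {NS_ADDR[ns]} is filtered"
    return hit

def collateral(targets, **order):
    """Sites broken by the order that were not its intended targets."""
    return sorted(set(affected(**order)) - set(targets))

if __name__ == "__main__":
    print(collateral(["larry.blogspot.com"], filtered_domains=["blogspot.com"]))
    print(collateral(["isp.net"], filtered_domains=["isp.net"]))
    print(collateral(["larry.blogspot.com"], filtered_ips=["192.0.2.53"]))
```

The label-boundary match matters: myblogspot.com is not a subdomain of blogspot.com and is untouched by a filter on that name, yet it still breaks when its DNS provider isp.net is filtered.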

"We strongly believe that the goals of PROTECT IP are compelling," the paper concludes. But "we believe that the goals of PROTECT IP can be accomplished without reducing DNS security and stability, through strategies such as better international cooperation on prosecutions and the other remedies contained in PROTECT IP other than DNS-related provisions."

Bottom line: "We urge Congress to reject the DNS filtering portions of the Act."
