Technical notes


Who's Paul Vixie?

My background includes […] acting as the operator of the “F” DNS root name server. I have also been involved in Internet standards work in the Internet Engineering Task Force (IETF) and policy development work in the Internet Corporation for Assigned Names and Numbers (ICANN). In addition, I served for nine years on the board of trustees of ARIN, a company responsible for allocating Internet address resources in the United States, Canada, and parts of the Caribbean. I presently serve on the ICANN Security and Stability Committee (SSAC) and the ICANN Root Server System Advisory Committee (RSSAC). I am the author of several Internet standards related to the Internet Domain Name System (DNS) and was for eleven years the maintainer of BIND, a popular open source DNS software system. It was for my work on DNS and BIND that I was inducted earlier this year into the Internet Hall of Fame.

I had a hands-on-keyboard role in operating the data collection and measurement infrastructure for the takedown team [of the Conficker worm]

I personally prepared, installed, and operated the replacement DNS servers necessary for this takedown [Operation Ghost Click]

My picks

Each of these examples shows an ad hoc public/private partnership in which trust was established and sensitive information including strategic planning was shared without any contractual framework. These takedowns were so-called “handshake deals” where personal credibility, not corporate or government heft, was the glue that held it together and made it work. And in each case the trust relationships we had formed as members of M3AAWG were key enablers for rapid and coherent reaction.

Each of these takedowns is also an example of modern multilateralism in which intent, competence, and merit were the guiding lights. The importance of multilateralism cannot be overemphasized: We have found that when a single company or a single agency or nation “goes it alone” in a takedown action, the result has usually been catastrophe. The Internet is hugely interdependent and many rules governing its operation are unwritten. No amount of investment or planning can guarantee good results from a unilateral takedown action. Rather, takedown actors must work in concert and cooperation with a like-minded team representing many crafts and perspectives, in order to maximize benefit and minimize cost – and I refer specifically to the collateral costs borne by uninvolved bystanders.

For example, Conficker’s second major version generated 50,000 (fifty thousand) domain names per day that had to be laboriously blocked or registered in order to keep the control of this botnet out of the hands of its criminal authors. Complicating the situation, these 50,000 domain names were split up across 110 different “country code” top-level domains that are each the property of a sovereign nation. The registries for these domains are a mix of private and public institutions, some with national government oversight and many without. Almost all of the 110 registries agreed to cooperate, which involved sharing technical plans and data, as well as strategic plans and calendars. Similarly, Operation Ghost Click required cooperation between United States and Estonian national law enforcement agencies, as well as competing national and multi-national ISPs and Internet security companies, and an eclectic collection of Internet researchers and adventurers. This diverse team worked together for a single common cause which was to protect the Internet’s end users and restore the Internet’s infrastructure after an extraordinary breach.

The ad-hoc nature of these public/private partnerships may seem like cause for concern, but I hope you will consider the following: First, this is how the Internet was built and how the Internet works; second, this is how criminals work with other criminals.

While government has a role to play in the takedown of criminal infrastructure such as botnets, it can be most effective by continuing to support the participation in ad-hoc public/private partnerships by agencies such as Justice (for example, see the FBI’s involvement in the National Cyber-Forensics and Training Alliance [NCFTA]) and Homeland Security (for example, see the United States Computer Emergency Readiness Team [US-CERT] and the SEI/CMU CERT).

The invisible cost of this growth and innovative value creation is that much of the software we run on many of our connected devices was given wide exposure and perhaps forgotten by its maker without receiving “red team” testing to check for vulnerabilities.

The economics of this situation also can be challenging, since in the fast-changing, high-growth Internet-enabled economy the winners are characterized by short time to market, low cost, and high volume. Innovators may not always have the time or resources to address potential security issues, so we live in a culture of “patching it later.”

I read news reports of an Internet-enabled light bulb, part of the “Internet of things,” that was found to be vulnerable to a simple attack in which it would expose the local wireless network password to anyone who asked. It is extremely unlikely that any of these flawed light bulbs can be patched or that their owners can or will be informed of the need to return the product for a refund or exchange. So while the world needs the Internet and the Internet’s powers of economic growth and innovation, the cost to the world is that many tens of millions of connected devices can easily and quite often do become tools for criminals.

[…] the pace of innovation and adaptation on the Internet is being matched by the pace of innovation and adaptation by criminal bot masters. After a software flaw leading to vulnerability is found and circulated, it is quickly exploited for criminal purposes.

Regrettably, the major trend in the twelve years since that report was written is growth – more Internet connected devices, more software flaws, more botnets, and more crime.

Some of the Conficker-infected computers we tracked in 2008 and 2009 turned out to be industrial controllers for medical equipment including in some cases human life/safety monitors used in surgical operating theatres.

time-to-market, not resistance to takeover, has often been our overriding engineering principle.

The Internet is also therefore the greatest invention in recorded history in terms of its negative impact on human privacy and freedom, as evidenced by the massive and continuing illicit transfer of wealth from productive people and countries toward unproductive people and countries.

The Internet is borderless and lawless, but carries more of the world’s commerce every year.

contact: @ychaouche yacinechaouche at yahoocom