Forgot your password?
Close
typodupeerror
The Internet

Routing and DNS Security Ignored By ISPs 101

Posted by Unknown Lamer
from the netblock-hijackers dept.
Bismillah (993337) writes "The re-routing of Google's public DNS servers last weekend was yet another example of how easy it is to 'steal the Internet' by abusing today's trust-based networks. Problem is, ISPs don't seem to care about that, or securing DNS which is another attack vector that doesn't require compromising end users' systems. Why isn't more done to secure routing and DNS then?" The route announcement was likely unintentional. The chief scientist at APNIC noted that implementing RPKI would solve the problem, but far too few ISPs bother with it.
This discussion has been archived. No new comments can be posted.

Routing and DNS Security Ignored By ISPs More

Routing and DNS Security Ignored By ISPs

Comments Filter:

  • obvious reason (Score:3, Insightful)

    by slashmydots (2189826) on Wednesday March 19, 2014 @01:32PM (#46525515)
    This article is slightly incorrect. It's not that they won't "want" to implement it, it's that it would cost money and competition is completely insane right now for ISPs. If you can't put it on a billboard as a feature, they're not interested because it costs money without generating more users.
    • Where is this fabled competition you speak of? You must not live in the US.
      • You must live in some dumpy, backwards rural area where there's a monopoly. In my city with a whipping 60,000 people, we can get AT&T, Time Warner, TDS, and probably some weird third party DSL ones like MPC, Earthlink, etc. All the major satellite TV providers have 3rd party agreements to lease DSL lines as well so you can get an internet connection "through them" as well.

        • Re: (Score:1)

          by Anonymous Coward

          You must live in some dumpy, backwards rural area where there's a monopoly.

          I live in downtown Boston. There is only one option for an ISP that is >768kbps and $200/month.

          • Oh, I forgot to mention overpopulated 400 year old cities with no infrastructure and every other building being a historical site as being internet nightmares as well.

            • Re: (Score:2)

              by OneAhead (1495535)
              Oh, so then can you explain why big European cities, which are much more conservative about touching their >400 years old landmarks, feature sprawling competition, with much higher speeds and lower prices than the old American cities you speak of?
        • Or I live in a large city whith the options of Comcast or Centurylink. Centurlyink doesn't provide anything faster than 7mbps (advertised) - which actually works out to about 5mbps by the time it hits your door step and struggles to stream anything in high def without buffering indefinitely. So I have one option of Comcast if I want a connection that's faster than what was offered a DECADE ago. Which is about the exact situation 90% of the US broadband market currently faces.
          • You know, netflix caps at 3 megabits in HD. Anyway, I have a 15x1 connection over cable for $38/mo after all fees.
            • That's patently false. Their 1080p "SuperHD" streams will run up to 12mbps if you have that much available.

        • You must live in some dumpy, backwards rural area where there's a monopoly.

          That's pretty condescending. I live in one of the 10 largest metro areas in the US. My broadband choices at my house consist of Comcast where I can get 100mbit speeds or Frontier which gives 6mbit speeds if I want wired access. That means realistically I have one option if I give a shit about the speed of my internet connection. Not exactly what I'd call real competition. Oh I could cut the cord and go wireless I suppose but that has plenty of problems and I'd lose a lot of connection speed and gain a

        • Re: (Score:2)

          by Urza9814 (883915)

          Where the hell do *you* live?

          I'm in freakin downtown Providence, RI and I have exactly two options: Cox or FiOS. Been here two years, already been screwed over by *both*.

    • If you can't put it on a billboard as a feature, they're not interested because it costs money without generating more users.

      Seems a bit disturbing that "We help prevent your connection to Google from being hijacked by identity thieves" isn't considered a feature.

      • Then they'd have the same problem I do at my computer repair shop. They go download every BHO known to man then call in and claim their ad said they were magically protected from all internet hijacking (browser = internet if user == stupid). People stop into my shop saying obviously I'm wrong because I put on "the best" antivirus and yet they still managed to catch a virus.

      • Re: (Score:2)

        by RR (64484)

        If you can't put it on a billboard as a feature, they're not interested because it costs money without generating more users.

        Seems a bit disturbing that "We help prevent your connection to Google from being hijacked by identity thieves" isn't considered a feature.

        They can't do this unilaterally.

        RPKI and DNSSEC are important, but they won't work if the resource or domain owner doesn't use them. For example, Google's public DNS service performs DNSSEC validation, but Google's own DNS zones are unsigned and do not validate using DNSSEC. Even with automation, DNSSEC increases the administrative burden of running a domain, so I see why they don't, but I don't excuse them.

        • Re: (Score:2)

          by Lennie (16154)

          It isn't just the administrative burden.

          A failure to get DNSSEC right could take down the domain for hours without an easy way to recover.

          • Re: (Score:2)

            by RR (64484)

            A failure to get DNSSEC right could take down the domain for hours without an easy way to recover.

            What are you talking about? DNS does that, anyway.

            DNSSEC records are distributed and expire just like any other record. Make a mistake deploying DNSSEC, then just fix it, and eventually the bad records will expire and the new ones will take over. The major issue I see is that the TLD registrar needs to hold DS records for your key, so now your registrar needs to do NS, DS, and glue records.

            Worst case scenario, you lose the secure entry point keys. So, you use some out-of-band management interface to change

            • Re: (Score:2)

              by Lennie (16154)

              The complexity of DNSSEC makes it easier to make such a mistake.

              • Re: (Score:2)

                by Lennie (16154)

                Let me add something: it is extra risk in comparison to non-DNSSEC DNS deployment.

              • Re: (Score:2)

                by RR (64484)

                So you create a working configuration, and you script it.

                This is not your neighborhood club's web site. This is Google. I'm sure they have the resources at hand to do configuration management on their DNS servers. So, once it's set up, you just need to renew the registrar's DS records appropriately. You need to communicate with your registrar regularly, anyway, to keep your zone from expiring. Unless you want your cloud to fall down like a Microsoft cloud.

                Greater complexity is usually greater risk, but we a

    • " It's not that they won't "want" to implement it, it's that it would cost money and competition is completely insane right now for ISPs."

      Are you in the United States? If so, you're nuts. Your local situation does not translate to the rest of the country.

      80% of the people here live where there is a cable monopoly. Mostly Comcast or Time-Warner. In most places DSL is not as fast for the money, and satellite has too much latency for business use.

      "Competition", my ass. They don't do it because it costs money, but their customers are locked-in, so they don't have to.

      Why do you think broadband is so much more expensive in the U.S. than it

  • Probably because ISPs have much more immediate and probable threats to deal with. Let's inject a little bit of reality into the discussion. Correct me if I am wrong, but actual attacks (as opposed to misconfigurations) through routing insecurity on the global Internet number zero. (Unless you count state level attempts at censorship, which is moot in this case where we are asking why ISPs don't do more) This Google hijack was quickly corrected thanks to all the monitoring and response procedures that are in

  • Why the hell would they want Google DNS to work? (Score:4, Interesting)

    by tlambert (566799) on Wednesday March 19, 2014 @02:42PM (#46526259)

    Why the hell would they want Google DNS to work?

    They intermediate DNS all the time,in order to do proxy caching, and to prevent you going to high bandwidth sites without a lot of difficultly, or to land you on a page when you hit a non-existant domain because of a typo, and they try to sell it to you.

    One wireless carrier, on their WiFi hotspot-only options, used to move you off their 4G network and onto their 3G by having intentional "DNS outages" that pointing to Google's DNS worked around. 3G had a data cap for which they got paid, 4G was no data cap, so the benefit to them for you using the DHCP assigned DNS was enormous: large amounts of data charges.

    Even if they aren't screwing with the results for their own reasons, you hitting Google for all your DNS lookups means that they can't cache DNS responses, which means that they have to support more DNS traffic out and responses in on their network than they otherwise would need to.

    None of these are beneficial to their bottom line.

  • OpenDNS for the win (Score:1)

    by Anonymous Coward

    Not a shill, just educating: in case anyone needs better (and free) DNS for their parents/dumb relatives/noobs continuously getting spyware and malware by clicking on everything they see, OpenDNS is a great start. Their commercial product is useful for small/medium business as well. http://www.opendns.com/

    The brilliant simplicity is that even if you get a dropper/adware/malware on your machine, if it can't resolve a malware domain to pull its payload from, it's effectively dead on your machine until your vi

  • If it's not broke, don't fix it (Score:4, Interesting)

    by RR (64484) on Wednesday March 19, 2014 @03:45PM (#46526933)

    I see this attitude all the time with managers. It's like a mantra:

    If it's not broke, don't fix it.

    It's blocking IPv6, it's blocking DNSSEC, it's blocking RPKI, it's blocking Windows XP retirements. There are a lot of improvements that are stymied because change is considered more scary than just living with the problem.

    But it is broke. Computers are hugely complex and buggy. We need the upgrade treadmill just to stay ahead of threats to our computing. Computers are incredibly malleable, and collectively we need major changes. I would be seriously depressed if our current state became the pinnacle of computing.

    • Re: (Score:2)

      by zyzko (6739)

      Managers?

      I see this all the time with tech-oriented people as well. They say that we don't need IPv6 because IPv4 and NAT works just fine, and XP is the best thing ever and it is just greed by Microsoft to not support it. What separates tech people and managers is that managers count money. IPv6 and DNSSEC implementation cost money.

      Techies who oppose these often cloud their inability or non-desire to learn something new and "complex" in "if it works, don't fix it". Which of course also comes down to investm

  • Not yet (Score:2)

    by vanyel (28049)

    "too few ISPs bother with it" [RPKI] because "Cisco Systems is committed[4] to offering this functionality in Cisco IOS. Juniper Networks is working on an implementation[5] for Junos as well", i.e. it doesn't exist yet. DNSSEC exists, but is very challenging to implement and is fragile, though recent BIND implementations have improved that situation considerably. DANE will build on top of that, so there *is* hope for the future, but it is still the future.

Wherever you go...There you are. - Buckaroo Banzai

Close