Next up we have Dr. Paul Vixie, and I will remind you before he speaks: as you're coming in on the left side, when the talk's done make sure you exit out your left side, or stage right; go out those back doors or the side doors here and we'll keep the flow going when you're done. So I'd like to present Dr. Paul Vixie.

Thank you very much, thank you for inviting me. We have been doing some science fair project work at my day job and we had some intermediate results that I thought would be interesting to this crowd, and the program committee agreed, so let us begin. Front runners are people who are grabbing things that may be valuable to others, for the purpose of either hoarding them to drive up the price of other things, or just keeping them so that you have to pay them, essentially, ransom to get it. I was a member of the ICANN security and stability committee when we published this report, because there was an awful lot of front running in the form of domain grabbing. People were grabbing domain names for reasons other than using them, and we thought that that was a security and stability problem, and wrote a report. One of the ways that this manifested was in tasting, domain tasting. It used to be possible, within certain limits, for some registrant to grab a domain name, keep it for three days and then return it without owing any money. And as I said, that's within limits. They had some things, you know, they couldn't do too many per day and they had to pay for some other number of them and so forth, but basically it was a loophole by which a small number of people were keeping a whole large number of domain names, because you could grab the same one 73 hours later. Anyway, that was all shut down. ICANN finally did something.
They realized that this was bad for the world, and as a 501(c)(3) public charity they thought that they should help the world in that way, so they got rid of domain tasting. That does not mean that front running has gone away. So we are a passive DNS company at the moment. We have a lot of other data sources, but we're known for passive DNS, and we have a lot of real time data, and we thought we would take a look at whether the real time information flowing through the DNS could be of help to somebody who wanted to acquire a domain name for the purpose of then selling it later, or maybe collecting traffic because of typo squatting or whatever. Now most of what we do focuses on things that exist, but we do have a channel that just talks about observations of non-existence, which is called NXDOMAIN in the DNS field. And so although we don't have a database for that, we do have a very good real time flow, so this turned out to be kind of a good way to use our position of observability in the industry to figure out whether this was a problem that we could then bring to the attention of ICANN and others.

Now we are not concerned about people who are amateurs in the field of this. If you think of a cool domain name when you're taking a shower or driving on your commute and you go register that, you're not going to cause a problem for anybody. I mean, there was a chance to do that thirty years ago; whoever registered scuba.com probably later sold it for millions, and I can tell you that the guy who registered altavista.com did in fact sell it for millions to DEC when they had a search engine by that name. But we're not worried about that, because it's by definition not scaling; but the professionals who are working at scale are really getting in the way.
It's inevitable now, if you're going to start a company, that one of the things you'll test for is: can I get the dot com name? And if you can't get the dot com name, chances are you will not choose that name for your company or your product, which means these names are very powerful. They are as powerful as an international trademark would be if such a thing existed. And you know, wherever there is money to be made you'll find people looking for the loopholes that will allow some of that money to flow their way. And I think we have to pay attention to that. I think that the DNS really should be available for people who want to add value to the internet rather than adding money to their bank account as their first act. I'm happy to do well by doing good. But doing well at the expense of others is a problem. Sorry if I'm going a little fast for you; I have 50 slides. This is a one hour talk. I have 20 minutes to do it in.

So we don't sell the NXDOMAIN feed to spammers or domainers. And that does not just reflect my own ethical concerns about it. It's a very practical concern. We have 200,000 cache miss transactions coming to us every second, and these are from customers who operate a sensor for us in exchange for a discount on commercial services. And they could, if they saw us doing evil with their feed, stop sending us that data. So they're under contract, but that contract can be terminated. They could choose either to stop using our commercial services or to stop getting a discount on them. Which means I have to be extremely careful with what we allow for the internet. So I'm going to talk about some of the things that we have in touch with our customers. We have to issue their data as it flows through our system to then be allowed to do. And a couple of them are ethically very concerned about things like front running, things like domaining.
And that's why we have a fairly long contracting process when people want to buy data from us: they will end up sitting with a fairly senior person at Farsight, describing their intended use and signing a contract indicating that that, and only that, will be the use they make of our data. And if we later find that they made other uses, then they're going to discover that the contract has teeth. So as you listen to this, please understand that we don't do surveillance and we don't help spammers, even though we have a very good observation framework within those constraints.

So again, this is a science fair project, so I'll tell you what our hypothesis was. We thought that there would be somebody out there who could see NXDOMAIN traffic, although probably not from us, because as I said we wouldn't sell to them; but we're not the only game in town, and a lot of other ISPs and so forth are data mining everything they can, because they are engaged in a race to the bottom on the margins on their primary product, and so they all sort of give an eye towards social networking or basically selling your PII as an additional revenue source for them. And so we thought: are there people who are looking for typo squatting? Are they registering domains that are one letter, or in some cases one bit, off of some existing name for the purpose of catching nearby traffic? Or are they looking for permutations? In Vietnam they call this recon by fire: shoot a machine gun into the forest there and see if anybody yells. And we looked at various things like Hamming distance and whatnot to find what nearby meant in the area.
And we have, of course, as I mentioned, a passive DNS database, and it's what we're most known for, but it's built on a real time foundation called the Security Information Exchange, and we're seeing maybe 700 megabits a second of real time data, of which about half is DNS; the other half is random other stuff like spam. And that is the foundation of our passive DNS database. So although the database pays the bills, the real time exchange is a very complex database and we can't look at the data that we use. So for example the data that's used for this problem, we can't look at the original data of storage. So there is a wide array of different ways that you could use the data to build something, but to get all the data out of storage is very complex and very complicated. So the key was to be able to use DevOps and to be able to apply the data to all of the different places, and that's why we have a nice new system that we've been working on. So that's the sort of data we've been working on. I think that's the last question we could ask you. It was more a question about... So we looked at NXDOMAIN data, we looked at newly observed data; we have a channel for each one. I've just gotten my 5 minute warning, believe it or not, so I can't go through these in as much detail as I'd like, but they will be available online, and of course you all apparently have my email address; please use it.

This is what it looks like on the NXDOMAIN channel, broken out into ASCII so you can see the delegation point there at the end. That delegation point, nflixvideo.net, is what you would have to register, so that's what concerns us, and the expression of negativity is below that: ip41 lag 0 etc. is what didn't exist. Netflixvideo.net very much did exist, and you can see that in whois it belongs to Netflix. The other channel we have is newly observed; they look like this, and you're just seeing the domain startjobs.xyz in this case.
So these are in vastly different volume scales. It's in 5,000 increments on the top and 2 million on the bottom, so you're seeing a lot more NXDOMAIN traffic than you are seeing newly observed domains. The stuff that you see as the parent of the things that don't exist is what you'd expect. A lot of people look for non-existent ip6.int or non-existent spamhaus.org subdomains. We filtered, we did all kinds of stuff; it's a lot of junk, a huge amount of junk, bad characters that make it into DNS that shouldn't, or they're just buggy libraries and buggy applications.

And what did we find? This is what I really wanted to get to, so I'm going to use my last minute for that. So there wasn't a huge amount of evidence that NXDOMAIN correlates to newly observed domains. And we think that we can hone this down by doing different science using slightly different data. So we're going to look at some of the other data and filtering it out in different ways. So we did learn some things; I'm skipping the slides that tell you what we learned. But ultimately there were only 181 crossovers where something was negative before it was positive. And out of the size of the data set we had, lasting a week, that could easily be completely reasonable people that are just registering stuff that they do plan to use. So in other words, at the moment we have no evidence that the bad guys are using NXDOMAIN. So we're going to look at some of the other things that we're going to be doing to drive their operations. As to whether they should, I'll leave that for them to decide. If they do, we'll be watching. There was a huge amount of other crud, and I wanted to let you know that it turns out NXDOMAIN is a great source of DGA intelligence: domain generation algorithm.
Botnets that are using the DNS in order to find their command and control use these gibberish domain names that are computed by their domain. This is very much based on the current time of day, in order to decide where their command and control is going to be. So you, as the owner of the botnet, need only register one of the ones that your botnet is going to be using tomorrow, and then tomorrow you'll be able to send it commands. But all of them have to do lookups for all of the names that might be used for tomorrow. And so NXDOMAIN as a data source: this is something Damballa and David Dagon's team at Georgia Tech told us 10 years ago, and I thought that perhaps that would mean we would have dealt with it by now, but no. According to our data this is very much real. And so my conclusion is... well, my conclusion way down at the... oh wait, excuse me, one more thing; I'm going to go over time, they're going to kill me now. PayPal has a problem. These are all things that had PAYP somewhere in their names, and you know PayPal is one of my partners, and so I've already informed them of this. But every domain holder, every trademark holder, has a problem like this one. And you're going to find these often in the NXDOMAIN first, because they will be doing reconnaissance to see if this exists before they try and register it. And again, this is just one trademark. So yeah, here we go, way too many slides there.

Anyway, my hope is that NXDOMAIN traffic is going to be the next big data mining opportunity. And my hope is that we will somehow keep that data mining from happening on the dark side of the economy. And if you are interested in doing science for which you do not charge a fee, you can get an NXDOMAIN feed in real time from us. But whatever you do, I hope that you will at least give some consideration to things that don't exist and the implications of that non-existence on your security and the security of the internet. Thank you.
Do I have a minute for questions? Yeah. Okay. Just scream it out. Wait, here we go. What was the most interesting data point that you've learned from turning these data points? I think the most interesting data point that I've learned, to me, was the fact that non-existent names that are a short Hamming distance away from PayPal are being reconned. I assumed that people would just try to register these things and use a, you know, "I'm sorry, that name already exists" as their signal that they couldn't get it, but they're not; they're doing reconnaissance first. We did not look at... you would have to decode the IDN strings into UTF or, you know, something, and our level of processing was command line awk scripts for this, so no, we did not look at any of the international names for this study. I'll be back probably next year with an update on this that has a lot more detail. Oh. Are you saying that I bought an NX and it's for like new utility? I'm not sure. I'm not sure. No. The new gTLDs were conspicuously absent from this study. And you know I want to say, as I usually do, that the way that most of us in this room first become aware of the existence of a new gTLD is when we get spammed by it. And so I was expecting to see a fair amount of the bad behavior happening there, but it's not. And I think it's either that the bad guys have got other lower hanging fruit and it's more profitable to forget about that stuff, or they realize that these new gTLDs are very sparsely populated, unlike something like .de or .com. And so there won't be very many opportunities to sort of play battleship in those spaces until and unless one of them ever succeeds. Louder? That is true. If someone does arrive at a gTLD, that's a registration event, and then if they don't use the domain we will not see it in the newly observed domain feed.
So we're really looking for things that were first observed negatively and then observed positively. So you could bypass a study like ours by simply avoiding DNS queries and doing everything at the registry level. And we'll probably do a study there. We have three bulk whois providers, partners, that we can use for that study. And we'll probably have an update on that in the next version of this talk. The question is: how much whois information is private? And my answer is, I estimate that very little of it is private. Probably on the order of 10 to 15 percent, because bad guys would rather use the address that corresponds to the stolen credit card they used to buy the domain, because that will help them get in the door in case the whois information is used to validate their credit card number. So really the whois privacy tends mostly to be used by people who just don't want to be spammed rather than by people who want to do crime. That doesn't mean I love whois privacy. I'd like to see it go away, but I don't think it's the problem that people are worried about. Is that it? How do you get the slides? My email address is vixie at fsi.io, so you can send me mail, or you could wait for it to appear on the DEF CON website, which it will inevitably do. Alright, thank you.
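As an added illustration of the method the talk describes, and not code or data from the talk, from Farsight, or from its SIE channels: the script below correlates a constructed NXDOMAIN stream with a constructed newly-observed-domain stream to find the "crossovers" the speaker counted (delegation points observed as non-existent before they were observed to exist), and separately flags NXDOMAIN delegation points that sit one character or one bit away from a watched trademark, the PayPal case described near the end, which is what a brand owner would monitor. The "epoch name" record format, the tiny public-suffix table, the `run_report` helper and every sample name are assumptions made for this example.

```python
"""Added example (not Farsight's code or data): correlate a constructed
NXDOMAIN stream with a constructed newly-observed-domain (NOD) stream to
find 'crossovers' (names seen as non-existent before they were seen to
exist) and to flag NXDOMAIN names a short Hamming or bit distance from a
watched brand. The record format and the tiny suffix list are assumptions."""

# Simplified public-suffix list (assumption; real work needs the full PSL).
PUBLIC_SUFFIXES = {"com", "net", "org", "xyz", "co.uk"}

# Constructed sample streams: "<epoch> <name>" per line.
NX_LINES = """
# NXDOMAIN observations: the full query name that did not exist
1000 ip41.lag0.nflixvideo.net
1005 mail.paypa1.com
1010 www.payqal.com
1015 secure.paypal-secure.net
1020 login.startjobs.xyz
1030 stats.example.com
1040 nonexistent.paypal.com
"""
NOD_LINES = """
# Newly observed domains: the registered name itself
900 example.com
1100 startjobs.xyz
1200 paypa1.com
1500 brand-new.org
"""


def parse_stream(text):
    """Parse '<epoch> <name>' lines into (epoch, name) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            ts, name = line.split(None, 1)
            records.append((int(ts), name))
    return records


def delegation_point(qname):
    """Registrable domain directly under a public suffix, e.g.
    'ip41.lag0.nflixvideo.net' -> 'nflixvideo.net'; None if none."""
    labels = qname.lower().rstrip(".").split(".")
    for n in (2, 1):  # longest suffix first so 'co.uk' beats 'uk'
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return None


def first_seen(records):
    """Earliest timestamp per delegation point."""
    seen = {}
    for ts, name in records:
        dom = delegation_point(name)
        if dom is not None and ts < seen.get(dom, float("inf")):
            seen[dom] = ts
    return seen


def find_crossovers(nx_records, nod_records):
    """Delegation points seen in NXDOMAIN traffic strictly before they
    appeared as newly observed: (domain, first_nx, first_nod), sorted."""
    nx_first, nod_first = first_seen(nx_records), first_seen(nod_records)
    return sorted((dom, nx_first[dom], nod_ts)
                  for dom, nod_ts in nod_first.items()
                  if dom in nx_first and nx_first[dom] < nod_ts)


def hamming(a, b):
    """Hamming distance of equal-length strings, None if lengths differ."""
    return None if len(a) != len(b) else sum(x != y for x, y in zip(a, b))


def bit_distance(a, b):
    """Differing bits between equal-length ASCII strings ('one bit off')."""
    if len(a) != len(b):
        return None
    return sum(bin(ord(x) ^ ord(y)).count("1") for x, y in zip(a, b))


def lookalikes(nx_records, brand):
    """Classify NXDOMAIN delegation points near the brand label:
    'bitsquat' (one bit off), 'typo' (one character off) or 'contains'."""
    found = {}
    for _, name in nx_records:
        dom = delegation_point(name)
        if dom is None:
            continue
        sld = dom.split(".")[0]
        if sld == brand:
            continue  # the brand's own domain is not a lookalike
        if bit_distance(sld, brand) == 1:
            found[dom] = "bitsquat"
        elif hamming(sld, brand) == 1:
            found[dom] = "typo"
        elif brand in sld:
            found[dom] = "contains"
    return sorted(found.items())


def run_report(brand="paypal"):
    """Run both checks over the constructed streams (hypothetical helper)."""
    nx, nod = parse_stream(NX_LINES), parse_stream(NOD_LINES)
    return {"crossovers": find_crossovers(nx, nod),
            "lookalikes": lookalikes(nx, brand)}


if __name__ == "__main__":
    for kind, rows in run_report().items():
        print(kind)
        for row in rows:
            print("  ", *row)
```

On the constructed data the crossover check reports `paypa1.com` and `startjobs.xyz` (both queried as non-existent before they turned up as newly observed) and ignores `example.com`, which was positive before any negative observation, exactly the ordering the speaker says a registry-level registrant could avoid triggering. The lookalike check separates a one-bit difference (`payqal`, a bitsquat) from a one-character typo (`paypa1`) because the two reflect different traffic sources; a real deployment would replace the toy suffix table with the full public suffix list and, as noted in the Q&A, decode IDN labels before comparing.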