Cloudflare, a company with a history of resisting surveillance and censorship orders (albeit imperfectly and sometimes with undesirable consequences) has announced a new DNS service, hosted at the easy-to-remember address of 1.1.1.1, which accepts connections under the still-novel DNS-over-HTTPS protocol, and which has privacy designed in, with all logs written only to RAM (never to disk) and flushed every 24 hours. Read the rest

Kaspersky Labs reports that an unnamed large Brazilian financial institution with $27B in assets was compromised by hackers who took over its DNS -- by hijacking its NIC.br account -- and for 5 hours were able to impersonate the bank to all its online customers (and possibly to control its ATMs) in order to plunder their accounts and steal their credit card details. Read the rest

Much of the web struggled to stay on its feet today, with outages bringing down U.S.-based services and sites such as Amazon, Twitter and Netflix. A massive distributed denial of service (DDOS) attack on Dyn DNS is reportedly the cause: as a popular provider of domain-name lookup services, it falling over means that browsers simply don't know where to find websites.

Monitoring: Services have been restored to normal as of 13:20 UTC. Posted about 1 hour ago. Oct 21, 2016 - 13:36 UTC

Update : This attack is mainly impacting US East and is impacting Managed DNS customers in this region. Our Engineers are continuing to work on mitigating this issue. Posted about 2 hours ago. Oct 21, 2016 - 12:45 UTC

Investigating: Starting at 11:10 UTC on October 21st-Friday 2016 we began monitoring and mitigating a DDoS attack against our Dyn Managed DNS infrastructure. Some customers may experience increased DNS query latency and delayed zone propagation during this time. Updates will be posted as information becomes available.

This is "probably why half the internet is shut down today," reports Gizmodo, which offers the following list of sites that were down for the count.

ActBlue, Basecamp, Big cartel, Box, Business Insider, CNN, Cleveland.com, Esty, Github, Grubhub, Guardian.co.uk, HBO Now, Iheart.com (iHeartRadio), Imgur, Intercom, Intercom.com, Okta, PayPal, People.com, Pinterest, Playstation Network, Recode, Reddit, Spotify, Squarespace Customer Sites, Starbucks rewards/gift cards, Storify.com, The Verge, Twillo, Twitter, Urbandictionary.com (lol), Weebly, Wired.com, Wix Customer Sites, Yammer, Yelp, Zendesk.com, Zoho CRM,

Update: The Amazon AWS status page is a useful bookmark, as the service backends many websites and services. Read the rest

Dan Kaminsky is master of all that is terrible and wonderful about the Internet's Domain Name Service, a vital piece of Internet infrastructure dating back to 1983, whose criticality and age make it a source of ongoing problems in Internet securityland. Read the rest

James Bridle writes, "A couple of months ago I released a browser extension - Citizen Ex - which tracks your browsing (entirely privately) in order to show you your "Algorithmic Citizenship" - where your browsing actually goes, and what this means for your rights." Read the rest

Yesterday, Microsoft convinced a judge to let it take over No-IP's DNS service, shutting down name service for many websites, in order to stop a malware attack. Today, the company fake-pologized. Read the rest

The City of London is a curiosity; it's the financial district within London proper, and it has its own local government, which is elected by the banks and other corporations within the district. This (literally) corporate-run government then operates its own police force, separate from the Metropolitan Police, with sweeping powers.

The City of London Police recently gave themselves the power to seize domains that they believed were implicated in copyright violation, and started sending officious letters to domain registrars demanding that the domains be shut down. This was a purely extrajudicial, ad-hoc procedure -- in other words, the City of London Police were just making it up. The letters they sent had no force in law, cited no evidence from a court, and were unenforceable. Read the rest

The awesomesauce merchants at BeagleNetworks.net have engineered an appropriately epic set of internal routes, such that a traceroute to 216.81.59.173 produces the introductory crawl from Star Wars:

TraceRoute from Network-Tools.com to 216.81.59.173 [fin] Hop (ms) (ms) (ms) IP Address Host name 1 0 0 0 206.123.64.42 - 2 0 0 0 64.124.196.225 xe-4-2-0.er2.dfw2.us.above.net 3 3 3 3 77.67.71.165 ae2-109.dal33.ip4.tinet.net 4 36 36 36 89.149.181.117 xe-1-2-0.atl11.ip4.tinet.net 5 37 35 38 77.67.69.158 epik-networks-gw.ip4.tinet.net 6 21 21 21 216.81.59.2 po0-3.dsr2.atl.epikip.net 7 58 58 56 10.26.26.102 - 8 61 57 58 206.214.251.1 episode.iv 9 59 63 62 206.214.251.6 a.new.hope 10 59 58 61 206.214.251.9 it.is.a.period.of.civil.war 11 Timed out 58 60 206.214.251.14 rebel.spaceships 12 58 66 65 206.214.251.17 striking.from.a.hidden.base 13 60 60 60 206.214.251.22 have.won.their.first.victory 14 61 57 57 206.214.251.25 against.the.evil.galactic.empire 15 61 57 56 206.214.251.30 during.the.battle 16 61 58 60 206.214.251.33 rebel.spies.managed 17 57 59 62 206.214.251.38 to.steal.secret.plans 18 60 60 56 206.214.251.41 to.the.empires.ultimate.weapon 19 62 60 58 206.214.251.46 the.death.star 20 60 60 57 206.214.251.49 an.armored.space.station 21 61 64 61 206.214.251.54 with.enough.power.to 22 59 58 60 206.214.251.57 destroy.an.entire.planet 23 63 62 65 206.214.251.62 pursued.by.the.empires 24 62 59 Timed out 206.214.251.65 sinister.agents 25 59 61 60 206.214.251.70 princess.leia.races.home 26 62 60 62 206.214.251.73 aboard.her.starship 27 61 61 68 206.214.251.78 custodian.of.the.stolen.plans 28 64 60 62 206.214.251.81 that.can.save.her

Trace complete

Traceroute, Ping, Domain Name Server (DNS) Lookup, WHOIS express 216.81.59.173:

(via Hacker News) Read the rest

If you manage your domains through GoDaddy or are hosting a website with them, it's probably down right now and has been for about an hour. Take advantage of this time to find out which ones of your friends use GoDaddy in order to ridicule them. You can start with ridiculing me. GoDaddy's management tools are down too, so you can't really do anything yet if you're affected, but there's more information about what you could do to move away from GoDaddy in this thread on Hacker News. Read the rest

My latest Guardian column is "Why did an MPAA executive join the Internet Society?" which digs into the backstory on the appointment of former MPAA CTO Paul Brigner as North American director of the copyright-reforming, pro-net-neutrality Network Society group, which manages the .ORG domain name registry.

I asked Brigner whether his statements about DNS blocking and seizure and net neutrality had been sincere. "There are certainly a number of statements attributed to me that demonstrate my past thoughts on DNS and other issues," he answered. "I would not have stated them if I didn't believe them. But the true nature of my work was focused on trying to build bridges with the technology community and the content community and find solutions to our common problems. As I became more ingrained in the debate, I became more educated on the realities of these issues, and the reality is that a mandated technical solution just isn't a viable option for the future of the internet. When presented with the facts over time, it was clear I had to adjust my thinking.

"My views have evolved over the last year as I engaged with leading technologists on DNSSEC. Through those discussions, I came to believe that legislating technological approaches to fight copyright violations threatens the architecture of the internet. However, I do think that voluntary measures could be developed and implemented to help address the issue.

"I will most definitely advocate on Internet Society's behalf in favor of all issues listed, and I share the organization's views on all of those topics.

Read the rest

Carl Malamud sez, "Paul Vixie tells a real-life action adventure about the DNS Changer and Conficker plagues that are still active on the Internet and how he ended up running a center for disease control in addition to his day job. His day job, in case you're not familiar with isc.org, consists of helping keep the DNS going and as a sideline hosting a lot of important software and services like Mozilla, the Internet Archive, and many others (and a few lightweight low-volume clients like public.resource.org)."

Since the original court order that authorized ISC to install and operate these replacement DNS servers was due to expire on March 9 2012, a new DNS Changer Working Group (DCWG) was formed to handle victim notification and remediation. We had roughly four months to identify and notify half million or so DNS Changer victims, and to help these victims clean up their infected computers. Many victims would have to reinstall Windows on their computers — which at first was the only sure cure for this particular infection. On top of that, many of the victims have had their DSL or Cable modems ("home routers") reconfigured by the DNS Changer malware, so that they were using ISC's replacement DNS servers even if none of their computers are still infected and even if none of their computers were running Windows. Most Internet users do not have the skills necessary to check and repair the configuration of their home routers, and most Windows users are also unwilling to reinstall Windows.

Read the rest

In case you were trying to figure out how broken the Internet will be if SOPA passes, have a look at this article and this article from DynDNS, one of the world's leading DNS providers. (Thanks, Adam!) Read the rest