How can I block Verisign?

Lincoln Yeoh junkto at tm.net.my
Fri Sep 19 16:18:57 UTC 2003


On Thu, 18 Sep 2003 14:08:26 GMT, Mark <admin at asarian-host.net> wrote:

>Ever since Verisign horribly abused its root server privileges (which should
>be revoked) and usurped all previously invalid "com" and "net" domains, I
>have been looking for a reliable way to block the
>"sitefinder-idn.verisign.com" (64.94.110.11) reply.
>
>This is, of course, not trivial. Patching BIND? I have already read that
>this is not without risk either, and I like to err on the side of caution.
>Are there not Verisign IP addresses I can block? (at the firewall, for
>instance). And is it safe to block Verisign root servers? Or would that be
>pointless?
>
>I want to tread a bit carefully here; but I am nonetheless determined to not
>let Verisign get away with this (at least not on my system).
>
>Any suggestions are welcome; thanks,
>
>- Mark
>

Not really a direct solution, but how about this:

Y'know those "ribbon" logos people used to put on their webpages as a
sign of protest for various things?

Well, here's my suggestion: every protester should use a "broken
ribbon" logo on their webpage that's pointed to a random nonexistent
URL, e.g. random.nonexistent.site.com.

e.g. <img src="http://www.jrytcmtproyncz.com/" height=1 width=1>

You should use a random img URL, but it doesn't have to change much, if
at all.

The height and width should be set to 1 so that if someone tries to
push an offensive image, it doesn't get seen by the person viewing
your webpage. 

Maybe someone could construct a broken ribbon logo with an HTML table
of different 1x1 imgs (all different URLs). Then a 16 by 16 pixel icon
could be a combination of requests to different nonexistent domains
and to a valid single background 1x1 image in order to draw a real
logo. This might perhaps be done using the <TD WIDTH=1 HEIGHT=1> tag,
and a lot of other stuff. This slows down page loading, so if used, it
should be left to the bottom.

Note: This can be subverted if someone serves up different coloured
images for each request for a nonexistent domain in a way that causes
a different image to appear ;) ...

Add enough people and websites and maybe this could work.

Then if Verisign figures out a cheap way to deal with all the traffic
heading their direction and still redirect users to their webpage,
they'll have solved the "defend against DDOS SYN flood" problem. Which
would be interesting to see.

What do you all think? Is this legal? Would it actually work?


