Delivered-To: dfarber+@xxxxxxxxxxxxxxxxxx
Date: Wed, 17 Sep 2003 17:29:55 -0700 (PDT)
From: Karl Auerbach <karl@xxxxxxxxxxxx>
Subject: Re: [IP] VeriSign update
To: Dave Farber <dave@xxxxxxxxxx>
On Wed, 17 Sep 2003, Dave Farber wrote:
> > At the same time, the VeriSign service triggered a huge increase in
> > the amount of traffic flowing to the Mountain View, Calif., company's
> > Web site, a portion of which may be the result of a hacker attack
> > against the company, VeriSign said.
I did a simple evaluation of the packet flow that a mistyped name
previously engendered and what it does under Verisign's "sitefinder".
I did a simple "GET" command, mimicking what a web browser would do.
In the old days, there would have been two to four packets to do the DNS
query - two if the root delegation to .com or .net had already been cached
in the user's computer, four packets if not. None of these packets would
have gone to Verisign's web site.
Now, there are those same two to four packets followed by a TCP connection
with about 17K of data. Overall this TCP connection seems to consume on
the order of 20 to 30 packets.
All of these TCP packets go to Verisign's "sitefinder" web site. And if
we use Verisign's estimate that there are 20,000,000 mistyped names a day,
that means that they are getting on the order of 400,000,000 to
600,000,000 packets now per day that they didn't get before - all as a
direct result of their own actions.
And, of course, this additional packet burden is propagated onto the backs
of ISPs that built their business models, support staffing, and link
provisioning on the two-to-four packet model, not the 30-packet model.
I have heard estimates floating around on various mailing lists that
Verisign expects to derive about $100,000,000 yearly revenue from this
system. [As I see it, they are deriving this revenue by offloading a
significant portion of the costs onto innocent third parties, particularly
small ISPs that have thin profit margins already.]
--karl--