Why PROTECT IP Breaks The Internet

from the collateral-damage dept

Last year, after the entertainment foisted COICA on an unsuspecting public, Paul Vixie -- a guy you should listen to when he's concerned about the technical impact of something on the internet -- explained why COICA's reliance on DNS block was incredibly stupid. Not only would it not work, but it would fundamentally fracture the way the internet works, creating massive collateral damage. Last week, when the Senate Judiciary Committee pushed forward with PROTECT IP, we mentioned in passing a new report from Vixie and other internet technology gurus explaining why PROTECT IP's focus on the DNS system would cause tremendous damage. While we had mentioned it, lots of folks keep submitting it, and judging from the ridiculous claims of those in favor of PROTECT IP, the folks in DC pushing for this bill are apparently still ignorant of what the report says -- so we're posting about it again. The report, titled Security and Other Technical Concerns Raised by the DNS Filtering Requirements in the PROTECT IP Bill (pdf) is worth a read. The five authors are incredibly well respected, and the entertainment industry folks who are trying to claim this paper can be ignored are going to come out of this looking quite silly.

These are concerns that shouldn't be taken lightly. The paper's authors also make it clear that they're not in favor of infringement, and in fact support enforcement of IP laws. They just recognize that this particular solution is dumb and counterproductive:
Two likely situations ways can be identified in which DNS filtering could lead to non-targeted and perfectly innocent domains being filtered. The likelihood of such collateral damage means that mandatory DNS filtering could have far more than the desired effects, affecting the stability of large portions of the DNS.

First, it is common for different services offered by a domain to themselves have names in some other domain, so that example.com’s DNS service might be provided by isp.net and its e-mail service might be provided by asp.info. This means that variation in the meaning or accessibility of asp.info or isp.net could indirectly but quite powerfully affect the usefulness of example.com. If a legitimate site points to a filtered domain for its authoritative DNS server, lookups from filtering nameservers for the legitimate domain will also fail. These dependencies are unpredictable and fluid, and extremely difficult to enumerate. When evaluating a targeted domain, it will not be apparent what other domains might point to it in their DNS records.

In addition, one IP address may support multiple domain names and websites; this practice is called “virtual hosting” and is very common. Under PROTECT IP, implementation choices are (properly) left up to DNS server operators, but unintended consequences will inevitably result. If an operator or filters the DNS traffic to and from one IP address or host, it will bring down all of the websites supported by that IP number or host. The bottom line is that the filtering of one domain name or hostname can pull down unrelated sites down across the globe.

Second, some domain names use “subdomains” to identify specific customers. For example, blogspot.com uses subdomains to support its thousands of users; blogspot.com may have customers named Larry and Sergey whose blog services are at larry.blogspot.com and sergey.blogspot.com. If Larry is an e-criminal and the subject of an action under PROTECT IP, it is possible that blogspot.com could be filtered, in which case Sergey would also be affected, although he may well have had no knowledge of Larry’s misdealings. This type of collateral damage was demonstrated vividly by the ICE seizure of mooo.com, in which over 84,000 subdomains were mistakenly filtered.
The defenders of propping up the business models of dying industries will brush these unintended consequences as no big deal or a "small issue" at the expense of "saving" the entertainment industry. This is because they don't understand the technology at play, the First Amendment or the nature of collateral damage. It's pretty ridiculous in this day and age that we still have to deal with technically illiterate "policy people" and politicians trying to regulate technology they clearly have little knowledge about. Only those who don't understand the technology think the collateral damage described above is minimal.

Filed Under: dns, internet, paul vixie, protect ip

Reader Comments

Subscribe: RSS

View by: Time | Thread

  1. identicon
    Anonymous Coward, 1 Jun 2011 @ 9:15am

    This breaks nothing.

    These complaints are incredibly minor and not remotely difficult to take into account.

    Subdomains? No shit. What's the surprise there? If the parent domain doesn't want to kill the illegal subdomain off, that is their choice to live with.

    Other sites that point and rely on pirate sites? They'll fix their scripts the next day to stop relying on pirate sites.

    Virtual hosting? Again, no big deal. Especially since PROTECT IP doesn't even filter by IP, it filters by domain. And sites like The Pirate Bay aren't exactly on shared hosting plans.

    Yawn. Wake me up when you whiners have something substantial.

Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here

Subscribe to the Techdirt Daily newsletter

Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Techdirt Gear
Shop Now: Techdirt Logo Gear
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Report this ad  |  Hide Techdirt ads
Recent Stories
Report this ad  |  Hide Techdirt ads


Email This

This feature is only available to registered users. Register or sign in to use it.