DNS Security Threats and Solutions

1 | © 2013 Infoblox Inc. All Rights Reserved.1 | © 2013 Infoblox Inc. All Rights Reserved.
DNS Security: Threats and Solutions
Cricket Liu, Chief DNS Architect
Irving, Texas | April 16, 2015

Outline
• Threat: Distributed Denial of Service and DNS
• Solutions: Monitoring DNS Traffic, Anycast and Response
Rate Limiting,Advanced DNS Protection
• Threat: Cache Poisoning
• Solutions: Query Port Randomization and DNSSEC
• Threat: Malware Propagation, Command and Control,
Tunneling
• Solution: Response Policy Zones

DDoS and DNS
• DDoS attacks are twice the
threat to DNS
̶ DDoS attacks target name
servers
̶ DDoS attacks use name
servers

DDoS Attacks Target Name Servers
• Authoritative name servers are obviously a critical
resource
̶ Without them, your customers can’t get to your web
site, send you email
• Authoritative name servers are easy to find
dig ns company.example.
– ”…big increase in proportion of attacks targeting DNS in Q2”
– Arbor Networks
–Up from 8% to 13.3%
– Recent DNS query flooding attack against a Prolexic customer:
119 Gbps

And DDoS Attacks Use Name Servers
• Why?
̶ Because name servers make surprisingly good amplifiers
This one goes
to eleven…

DDoS Illustrated
Open recursive name servers
Evil resolver Target
Response
to spoofed
address
Spoofed
query

$ dig @sfba.sns-pb.isc.org. any isc.org. +norec +dnssec
; <<>> DiG 9.9.1-P1 <<>> @sfba.sns-pb.isc.org. any isc.org. +norec +dnssec
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34036
;; flags: qr aa; QUERY: 1, ANSWER: 26, AUTHORITY: 0, ADDITIONAL: 15
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;isc.org. IN ANY
;; ANSWER SECTION:
isc.org. 7200 IN SOA ns-int.isc.org. hostmaster.isc.org. 2013090300 7200 3600 24796800 3600
isc.org. 7200 IN RRSIG SOA 5 2 7200 20131002233248 20130902233248 50012 isc.org. hUfqnG5gKbygAeVRHjP5As31lsheMKNPD7g9MJlWZTrmD2de6Z/eCwUX
kQxRT5TV0lFWjtGFuA0a4svbCZ1qHS9d/rhWc7IMziu2u+L9tbho+c4j szvGAJ9kYvalNbgpmkHdm+wmOHWmiY3cYKcl5Ps8gs5N0Q1JdkaCARPF HQs=
isc.org. 7200 IN NS sfba.sns-pb.isc.org.
isc.org. 7200 IN NS ns.isc.afilias-nst.info.
isc.org. 7200 IN NS ams.sns-pb.isc.org.
isc.org. 7200 IN NS ord.sns-pb.isc.org.
isc.org. 7200 IN RRSIG NS 5 2 7200 20131002233248 20130902233248 50012 isc.org. Fdfb5ND2XUlnk/nPcPOaNBCK6307LdrhC/dqdS+TMtBjKMmXU2NJBl0h
D8fOnOdKbzlwNk1JLPXq25znMNBw+ZdjMekctR2r2jTO2Xm9mT+su4ff 8r1pMcUGhpsq73V6NjIbgA3LT6zfv4gWyFdos60Ma/Bsq26SmpECQFNA RpI=
isc.org. 60 IN A 149.20.64.69
isc.org. 60 IN RRSIG A 5 2 60 20131002233248 20130902233248 50012 isc.org. CkSV2VzLktJGH2PXEJl1QssxeyyUYM5pALjb06NMW0BC5vcFyuQYng2l
NE/Z0J1XIHflWwGo9Gv1YZ0u/K6rGPXwgWmkl/6t0T8uNtk9u3XDhaMx QBg2P2ZAp1NEg6r3ccznGu9y+Q71g/IxcK+5Ok7gI8L18hBTi+vpCAKY q6A=
isc.org. 7200 IN MX 10 mx.pao1.isc.org.
isc.org. 7200 IN RRSIG MX 5 2 7200 20131002233248 20130902233248 50012 isc.org. fiALi/ebGauXvqfL4vHt5YzgIY/X0kh2WNE37wICVU6BYKkqDuWF2h5T
4ry2TmdcKj4pqVOJVSDF/A7zzRPkcpcwibTM8h5yDEMJzELAsSimj2mX BFsqTgFGtDXIGV9IU7qryFkVMrDlj9gcLkTlg1EZpyxwQH2y2XCT5BhA bQA=
isc.org. 7200 IN TXT "v=spf1 a mx ip4:204.152.184.0/21 ip4:149.20.0.0/16 ip6:2001:04F8::0/32 ip6:2001:500:60::65/128 ~all"
isc.org. 7200 IN TXT "$Id: isc.org,v 1.1845 2013-08-16 16:16:50 dmahoney Exp $"
isc.org. 7200 IN RRSIG TXT 5 2 7200 20131002233248 20130902233248 50012 isc.org. J0UV7iIvQn7Pzu/itUN1JH4hLg8bjQo/73kBef/T/yzx/P8t6VX+MYDC
ysyXNigSi1JPoWfYt7qu6eXcALQEwJ/Z156Rebefjls4R18wr+BttzWF ICb+zJ7K7o4meckc7ZQr12gIAXjij09dr9omYoObWo6/IH76S6N3Er4i xdg=
isc.org. 60 IN AAAA 2001:4f8:0:2::69
isc.org. 60 IN RRSIG AAAA 5 2 60 20131002233248 20130902233248 50012 isc.org. OBWafw6hmgueTvaL06Q3zzpKODW3OIWKxHr3Z30mag1vJW5ECwlkK3xI
lPr4A1Rg6SZiJp78yewBWkDB0436cY1uCJ0yzsk9YWlLW/5hScy1ueaH s2tfymZD7UdOh0FuLs05gunsxK2Of3DCG3Zh3cD4FMnu8ju1CuLD2+dU W1U=
isc.org. 7200 IN NAPTR 20 0 "S" "SIP+D2U" "" _sip._udp.isc.org.
isc.org. 7200 IN RRSIG NAPTR 5 2 7200 20131002233248 20130902233248 50012 isc.org. s9cuc6O0e2kgBNffd6dyJyJH1Zm5Wd0pRO1q5aKMc7UsiKFUI7MI7Q8N
VzTqwM/zWh2VzvtV/w1O3IHuSiXBN9k51Loy4WGHJSDcXs865PWjHJwJ jRqfz1bE+LsW/aZD2Ud/iGyhCoQPeZIOcqB6plB+keIf3mGR0bHkdjV+ Zw4=
isc.org. 3600 IN NSEC _adsp._domainkey.isc.org. A NS SOA MX TXT AAAA NAPTR RRSIG NSEC DNSKEY SPF
isc.org. 3600 IN RRSIG NSEC 5 2 3600 20131002233248 20130902233248 50012 isc.org. K3/RL0nn54FkFvcPnaecG26JjQVCZL1g41zB02YssxZnE/3lX9X4O8uk
DrONRdvKEeMq51YUy8NBljWAlPOIRYD0lWUMrXuSNHMyGIFwHFIZqNrN CuQUl+24oPQXi3/wWX0TGH5XW9XF2IB+Dc1zdP/5qRHiKCjAnYDNE384 PAQ=
isc.org. 7200 IN DNSKEY 257 3 5 BEAAAAOhHQDBrhQbtphgq2wQUpEQ5t4DtUHxoMVFu2hWLDMvoOMRXjGr
hhCeFvAZih7yJHf8ZGfW6hd38hXG/xylYCO6Krpbdojwx8YMXLA5/kA+ u50WIL8ZR1R6KTbsYVMf/Qx5RiNbPClw+vT+U8eXEJmO20jIS1ULgqy3 47cBB1zMnnz/4LJpA0da9CbKj3A254T515sNIMcwsB8/2+2E63/zZrQz
Bkj0BrN/9Bexjpiks3jRhZatEsXn3dTy47R09Uix5WcJt+xzqZ7+ysyL KOOedS39Z7SDmsn2eA0FKtQpwA6LXeG2w+jxmw3oA8lVUgEf/rzeC/bB yBNsO70aEFTd
isc.org. 7200 IN DNSKEY 256 3 5 BQEAAAABwuHz9Cem0BJ0JQTO7C/a3McR6hMaufljs1dfG/inaJpYv7vH XTrAOm/MeKp+/x6eT4QLru0KoZkvZJnqTI8JyaFTw2OM/ItBfh/hL2lm
Cft2O7n3MfeqYtvjPnY7dWghYW4sVfH7VVEGm958o9nfi79532Qeklxh x8pXWdeAaRU=
isc.org. 7200 IN RRSIG DNSKEY 5 2 7200 20131002230127 20130902230127 12892 isc.org. ioYDVytf4YoAHCVxdz6U/fuQCaH2f2XVUExEexo48e55vLVSre5GkBG1
Wyn/4FeWLOUVWm5HElbL/hK2QEResp0csAwTnllU7W8fM65aS7pIO9JZ QWMvkPxQjsTYzEP1P2GA8NVGRUhz17RMLLSFgAJS9aEI7xK0fMwsd9U4 Az+B9J8xVz5GGMb8FStEXMYauE9r8Z5G4ZzRZUv619lXYH+Uhha5QUfq
IcVYvtOt+QLlwdWV4Kt3fp3m6KveBAnIiorPSjOd40PfWZD3CQ4GqVIc EyYai55bKN1hVgtFRhL8MqGexvbPvU49RKekeJihf7pzfM6nlo5+Xqvj WBe+EQ==
isc.org. 7200 IN RRSIG DNSKEY 5 2 7200 20131002230127 20130902230127 50012 isc.org. HFc6EpppK8DieQnYccCLEMuP3uhCFENhY9pwbqcwYh9fVOMMeEim/XSy
Amplification: They Go Past Eleven…
Query for isc.org/ANY
53 bytes sent, 4077 bytes
received
~77x amplification!

A Little Math
• Say each bot has a measly 1 Mbps connection to the Internet
̶ It can send 1Mbps/53B =~ 2415 qps
̶ That generates 2415 pps * 4077B =~ 78 Mbps
• So 13 bots > 1 Gbps

Solution: Monitoring DNS Traffic
• Monitor traffic to your name servers, including
̶ Aggregate query rate
̶ Top queriers

Monitoring Aggregate Query Rate

Setting an Alert on Aggregate Query Rate

MonitoringTop Clients

Solution: Anycast
• Anycast allows multiple, distributed name servers to share a
single virtual IP address
• Each name server advertises a route to that address to its
neighbors
• Queries sent to that address are routed to the closest name
server instance

Anycast in Action
Router 2Router 2
Router 4Router 4Router 3Router 3
Router 1Router 1
Server instance AServer instance A
Server instance BServer instance B
ClientClient
DNS query toDNS query to
10.0.0.110.0.0.1 Routing table from Router 1:Routing table from Router 1:
Destination Mask Next-Hop DistanceDestination Mask Next-Hop Distance
192.168.0.0 /29 127.0.0.1 0192.168.0.0 /29 127.0.0.1 0
10.0.0.1 /32 192.168.0.1 110.0.0.1 /32 192.168.0.1 1
10.0.0.1 /32 192.168.0.2 210.0.0.1 /32 192.168.0.2 2
192.168.0.1
192.168.0.2
10.0.0.1
10.0.0.1

Anycast in Action
Router 2Router 2
Router 4Router 4Router 3Router 3
Router 1Router 1
Server instance AServer instance A
Server instance BServer instance B
ClientClient
Routing table from Router 1:Routing table from Router 1:
Destination Mask Next-Hop DistanceDestination Mask Next-Hop Distance
192.168.0.0 /29 127.0.0.1 0192.168.0.0 /29 127.0.0.1 0
10.0.0.1 /32 192.168.0.1 110.0.0.1 /32 192.168.0.1 1
10.0.0.1 /32 192.168.0.2 210.0.0.1 /32 192.168.0.2 2
192.168.0.1
192.168.0.2
10.0.0.1
10.0.0.1

How Does Anycast Address DDoS?
• From any one location on the Internet, you can only see (and
hence attack) a single member of an anycast group at once
• If you succeed in taking out that replica, routing will shift traffic
to another
̶ The first replica will probably recover
̶ It’s like Whac-A-Mole

Anycast Made Easy

Solution: Response Rate Limiting
• Originally a patch to BIND 9 by PaulVixie andVernon Schryver
̶ Now included in BIND 9, other name servers
• Applies to authoritative name servers used in DDoS attacks
against others
• Prevents these name servers from sending the same response
to the same client too frequently

How RRL Works
isc.org/ANY
[4077 byte response]
token
bucket
Evil resolver Target
isc.org name servers

HowWell Does RRL Work?
• Pretty darn well

Threat: Cache Poisoning
• Inducing a name server to cache bogus resource
records
• Can redirect…
̶ web browsers to bogus replicas of web sites,
where logins, passwords and credit card numbers
are captured
̶ email to hostile mail servers, where mail can be
recorded or modified

The Kashpureff Attack
• Exploited a flaw in the BIND name server
Cache
Recursive
name server
Evil™
resolver
alternic.net
name server
Q: xxx.alternic.net/A
Q: xxx.alternic.net/A
R: xxx.alternic.net A +
www.internic.net A

Message IDs
• Name servers use 16-bit message IDs to match responses
with queries
Message IDMessage ID
3878938789
ns1 ns2
Message IDMessage ID
3878938789

The KleinVulnerability
• The pseudo-random number generator (PRNG)
responsible for generating message IDs wasn’t
random enough
̶ If it generated an even message ID, the next
message ID was one of 10 possibilities
̶ If you could capture 13 to 15 consecutive message
ID, you could reproduce the state of the PRNG

• Brute-force guessing of 65536 possible message IDs seems
hard
• Actually, it’s not that hard - if you get a lot of guesses
• In 2008, brute-force guessing was a Birthday Attack

The Birthday Paradox
• 365 (or 366) possible birthdays in the year
• Chances of two people chosen at random having different
birthdays:
• Chances of n people chosen at random having different
birthdays:

So?
Number of replies Chances of correct guess
200 ~20%
300 ~40%
500 ~80%
600 ~90%
Number of people
Chances two or more
have same birthday
10 12%
20 41%
23 50.7%
30 70%
50 97%
100 99.99996%

The KaminskyVulnerability
paypal.com
name servers
Recursive
name server
Hacker
Q: q00001.paypal.com/A
Many, many spoofed responses
Q: q00001.paypal.com/A
R: NXDOMAIN

Yeah, But...
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61718
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;;; QUESTION SECTION:
;q00001.paypal.com. IN A
;;; AUTHORITY SECTION
q00001.paypal.com. 86400 IN NS www.paypal.com.
;;; ADDITIONAL SECTION
www.paypal.com. 86400 IN A 10.0.0.1

Query Port Randomization
• To make spoofing responses more difficult, we
use random query ports
̶ In addition to a random message ID
̶ Now you have to guess both the message ID and the query
port
• But this isn’t a complete solution
̶ It takes longer to guess, but it’s not impossible

Solution: DNSSEC
• The DNS Security Extensions, or DNSSEC, use asymmetric
cryptography to allow
̶ Administrators to “sign” zone data
̶ Recursive name servers to validate signed zone data
• This provides
̶ Authentication of DNS zone data
̶ Integrity checking of DNS zone data

DNSSEC: The Cost
• To do this, DNSSEC...
̶ Introduces new resource record types
̶ Adds these records to signed zones
̶ Introduces new fields to the DNS message header
̶ Adds new administrative processes
- Key generation, signing, re-signing, DSset submission,
key rollover...

An Unsigned Zone
$TTL 1h
foo.example. IN SOA bigmo.nxdomain.com. root.bigmo.nxdomain.com. (
20 21600 3600 2592000 900 )
IN NS bigmo.nxdomain.com.
IN MX 0 bigmo.nxdomain.com.
IN A 10.0.0.1
www IN CNAME @

The Same Zone, Signed
; File written on Mon Jan 4 14:26:13 2010
; dnssec_signzone version 9.7.0rc1
foo.example. 900 IN SOA bigmo.nxdomain.com. root.bigmo.nxdomain.
com. (
20 ; serial
21600 ; refresh (6 hours)
3600 ; retry (1 hour)
2592000 ; expire (4 weeks 2 days)
900 ; minimum (15 minutes)
)
900 RRSIG SOA 5 2 900 20100203212613 (
20100104212613 24480 foo.example.
vIWxKd/x4nd+B/7fwWBNVEJL2s4eQEQPrW31
QdgqhBYFF92glVRKjB5te0n07AI9zPQ7JOJq
8DxlfuOGWWdATA== )
900 NS bigmo.nxdomain.com.
900 RRSIG NS 5 2 900 20100203212613 (
20100104212613 24480 foo.example.
jj+8qj9oO5zOJVx/itXHiYwoDar+SMubMxqi
CuEj1lQVOOLrpulHpertQlKO2lG7n+bEgT6W
fzS5FTMCZrLS7Q== )
900 A 10.0.0.1
900 RRSIG A 5 2 900 20100203212613 (
20100104212613 24480 foo.example.
x9HhmPc9ORCNvTaXTUVIrcQ2jG/wIPjSYE6D
+0plW2JVC3jVRRRRX9xL050mZuCfX6/28Jtg
DkCiv5Vq1CZEbg== )
900 MX 0 bigmo.nxdomain.com.
900 RRSIG MX 5 2 900 20100203212613 (
20100104212613 24480 foo.example.
pmSNnHDWagatKcW2YFSu6ha1qp9IDq+Ta9th
SIaXrZdZhV0+FFGU3bgg/Y2R8O4laX5AM3dw
1PgTinwF8w5IVw== )
900 NSEC www.foo.example. A NS SOA MX RRSIG NSEC DNSKEY

The Same Zone, Signed (continued)
900 RRSIG NSEC 5 2 900 20100203212613 (
20100104212613 24480 foo.example.
UWJ12tRC53aagZ2xbyI7Q01ph8sjTqNhhRRv
qCLe3cqq+nMkDTTHd4Thc/ofjsItVZQ9tphN
HLjCGHytn6UZLg== )
900 DNSKEY 256 3 5 (
AwEAAcfYFU1yZfzMVZI1mmr3IhvFQGN5qqqP
GB/35m0Kq+KVad8nY2Gr+14KexBBEJIuFwAm
KT7IpFVhSt2YMUjr4sc=
) ; key id = 24480
900 DNSKEY 257 3 5 (
AwEAAa1Z3PzmmTQ8wBty0RHb3/FVpw+fRXNh
/pxA6EQ8rcnNHbQDGkd50iTRXBphgZTrcAgd
HvSn8IIYylQe9Euu750=
) ; key id = 29062
900 RRSIG DNSKEY 5 2 900 20100203212613 (
20100104212613 24480 foo.example.
MK70q4hHghxQElcVuPx9dQwV7Y/MXd82z8A8
B5ZWq5bMax0DLEDk4vYaWL0XjuiPuSTI9mNb
UNj5EtB272azBA== )
900 RRSIG DNSKEY 5 2 900 20100203212613 (
20100104212613 29062 foo.example.
GDH51truQbh3HIR/FvuoIlZ6N+WxtbhpR/zY
OIM3LkRlCd6yVLaYVSVS8p6RMJFGSjh40xE/
S0jvtCfH+4XYqw== )
www.foo.example. 900 IN CNAME foo.example.
900 RRSIG CNAME 5 3 900 20100203212613 (
20100104212613 24480 foo.example.
PbHHMlRdxSwFnhn3Dgg32DTsWBLLcbMW84Mn
ZFUHtordYu3Im6+NliLi9HWb6gQHRo/q2JyU
btEF65jJDZBuqQ== )
900 NSEC foo.example. CNAME RRSIG NSEC
900 RRSIG NSEC 5 3 900 20100203212613 (
20100104212613 24480 foo.example.
PhWf9HC5MfAcSFtwJ8Qmb2JuxDzf5ECQ7hw1
0V4jfdUmp3TOgh2a7lyJhh06aYg29ZPSZR7F
0I/6Ptva2oKrug== )

How to Conduct a Key Rollover

What Does This Mean toYou?

NowWe Pause for This Brief Commercial
Interruption
One-step signing!
Automated...
Re-signing!
(ZSK) Rollover!
Now with NIST 800-81!

Threat: Malware Uses DNS
• Malware infects clients when they visit malicious web sites,
whose names are resolved using DNS
• Malware rendezvous with command-and-control channels
using hardwired domain names and rapidly changing IP
addresses
• Malware tunnels new malicious code through DNS

Solution: Response Policy Zones
• Many organizations on the Internet track malicious activity
̶ They know which web sites are malicious
̶ They know which domain names malware look up to rendezvous with
command-and-control servers
• Response Policy Zones are funny-looking zones that embed rules instead of
records
̶ The rules say, “If someone looks up a record for this [malicious] domain
name, or that points to this [malicious] IP address, do this.”
̶ This is generally “return an error” or “return the address of this walled
garden” instead

How Response Policy ZonesWork
Infected client
Local recursive
name server
Master name
server (run by
RPZ feed provider)
RPZ data via
zone transferQuery for
malicious domain
name
Error or
redirect
log

Where Do I Get One of These Newfangled RPZs?
• From Infoblox!
• From a provider such as Spamhaus or SURBL
• From a commercial provider such as Internet Identity or
Farsight Security

Managing Response Policy Zones

Managing Response Policy Zones (continued)

Infoblox-FireEye Integration
Detection: FireEye has ability
to detect APTs. Alerts are sent
to Infoblox.
1
2
3
Disruption: DNS Firewall
disrupts malware communication
Pinpointing: Infoblox
Reporting provides list of blocked
attempts as well as the
•IP address
•MAC address
•Device type (DHCP fingerprint)
Malicious
domains
Infoblox DDI
with DNS
Firewall Blocked attempt
sent to Syslog3
Malware
2
Infected device
1 Alerts
FireEye MPS
appliance

Advanced DNS Protection from Infoblox
47
 Rate limiting
 Network flood protection
 Automatic updates to protect
against the newest threats
5353
Secure
access
Limited
port
access
Infoblox
Update
Service

• Protects the DNS infrastructure
against incoming DNS-based attacks
and floods
• Eliminates the need for costly over-
provisioning of bandwidth to DNS
servers
• Intelligently distinguishes legitimate
traffic from attack traffic
• Regular, automated threat updates
provided the latest protection
• Real-time centralized visibility via the
Infoblox GUI and Reporting appliances
Self-Protecting Authoritative DNS
INTERNET
Advanced DNS
Protection
Advanced DNS
Protection
DMZ
INTRANET
DATACENTE
R
CAMPUS/REGIONAL

Which Attacks Does ADP Protect Against?
DOS/DDoS Attacks
Amplification and reflection Using the name server to propagate a
DoS/DDoS attack. We rate-limit large
responses to queries.
Flooding Attacks
Floods UDP, TCP, ICMP
Unexpected header values Land attack
IGMP flood Invalid input Moyari13
OS and BIND Vulnerabilities
Linux- and BIND-based
exploits
Example: 2013-4854: A specially-crafted
query can cause BIND to terminate
abnormally.
Protocol Anomaly-based Attacks
Impersonation attacks Smack
Large packets Ping of Death
Invalid fragments Nestea, TearDrop, Jolt
DNS-specific Attacks
Cache poisoning Birthday attacks (Message ID guessing)
DNS Message type Block specific queries by record type
DNS Tunneling Iodine
Multi-pronged Security
•Dedicated compute capacity from an
additional network processor card so
name server can continue operation under
attack
•Signature-based attack detection for
known vulnerabilities and exploits
•Dynamic throttling to mitigate flood-
based, DDoS reflection and amplification
DNS attacks
•Fine-grained filters to allow/block specific
DNS record types
•Reports provide greater visibility into
DNS traffic
• Assists in early detection of
reconnaissance activities

Here Comes the Cavalry!
• Anycast*
• Response Rate Limiting
• The DNS Security Extensions*
• Response Policy Zones*
• Advanced DNS Protection*

Questions?

Thank you!

DNS Security Threats and Solutions

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (20)

Destaque

Destaque (16)

Semelhante a DNS Security Threats and Solutions

Semelhante a DNS Security Threats and Solutions (20)

Mais de InnoTech

Mais de InnoTech (20)

Último

Último (20)

DNS Security Threats and Solutions

Notas do Editor