Slashdot Mirror


Identity Theft Hits the Root Name Servers

aos101 writes "The Renesys blog has an interesting story about networks advertising the old address space of the L root name server after ICANN changed the IP address last November. These networks were also running root name servers on the old IP address of the L root name server up until last week, so any DNS servers still using the old IP address might have been getting their answers from these bogus name servers. A very cursory examination by Renesys of one of these bogus servers found that it appeared to be providing correct responses, which might be why no one noticed the problem. As Renesys points out, the volume of traffic to a root server is staggering, so the people running these bogus root servers must have had a reason. What did they get out of it?"

131 comments

  1. Good Samaritans? by FurtiveGlancer · · Score: 2, Insightful

    Somehow, I doubt that is the explanation, but wouldn't it be nice if it were true?

    --
    Invenio via vel creo
    1. Re:Good Samaritans? by stoborrobots · · Score: 3, Insightful

      Or possibly some attempt at stopping arbitrarily many of their customers' setups from breaking... If you've got enough poorly configured machines, it might be easier to ensure that the servers they are looking for remain available, rather than trying to fix _all_ of them immediately... Especially if they're mission-critical systems...

    2. Re:Good Samaritans? by perlchild · · Score: 2, Insightful

      Then they wouldn't need to advertise routes/IP space for their own customers... The very word advertise, in the context, means to third parties, as in BGP advertisement.

    3. Re:Good Samaritans? by SatanicPuppy · · Score: 5, Interesting

      I upgraded a corporate DNS once and left the old system in place, just changed the CNAME to point to the new server. The new server (windows) ate itself later, and since the guy whose baby it was had been canned, I just switched the name back to the old servers.

      Later, my new boss wanted to switch to a Linux based system, instead of the windows system which I'd already repurposed. I quoted him a modest server, set it up as a secure proxy for some of our internal web applications, and let the original linux system keep chugging along.

      I figure I can get at least two more servers out of this, before I actually have to upgrade the system.

      Maybe the guys at root-servers just left some hardware running at the old address? ;)

      They should never have relinquished the address so damn quickly. Turn off the equipment for a few weeks first and let people see that that address no longer works... Don't just let someone move in seamlessly and hijack your junk.

      --
      ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
    4. Re:Good Samaritans? by locofungus · · Score: 5, Informative

      From the link in the FA:

      http://blog.icann.org/?p=227

      It is expected that the old address will continue to work for at least six months after the transition, but will ultimately be retired from service.

      1st November 2007 -> 1st May 2008 is 6 months. So they left it a few days over 6 months ...

      Tim.

      --
      God said, "div D = rho, div B = 0, curl E = -@B/@t, curl H = J + @D/@t," and there was light.
    5. Re:Good Samaritans? by zappepcs · · Score: 5, Insightful

      Mod parent up. Those IP addresses should NEVER have been let out in the cold where they could be misused. That's just not right.

    6. Re:Good Samaritans? by stoborrobots · · Score: 2, Insightful

      Umm, the "customers" in question might not have been on the same AS?

      And, for that matter, if Bill Manning authorized the use of the address space, then it's not even an attack!

    7. Re:Good Samaritans? by SpinyNorman · · Score: 3, Insightful

      It does seem like the simplest explanation.

      For the owner of the original IP address now being vacated by ICANN, there is also maybe a self-interest motive of identifying the servers who hadn't updated so as to notify them and kill the unwanted traffic.

      Given how visible this is, it's hard to imagine anyone doing it for criminal purposes and thinking they could get away with it.

    8. Re:Good Samaritans? by stoborrobots · · Score: 2, Informative

      Except that apparently ICANN switched their machine off on May 2nd. However, anticipating such a switch off, three other organisations around the world stepped in over the past 6 months to fill the void, and mostly went undetected for the last 6 months...

    9. Re:Good Samaritans? by CrazedWalrus · · Score: 2, Interesting

      Here's my question:

      Isn't there some sort of authentication for DNS a la SSL certificates? If not, would this take a major overhaul of the DNS system to support it?

      As I understand it, there's also a man-in-the-middle type of attack with DNS where a local router (possibly a Hacked By Chinese(tm) "Cisco" router) will substitute its own DNS replies instead of passing the query to the real DNS server.

      Couldn't both of these issues be resolved by having a field on the DNS record where the reply is signed by the DNS server? Leave the original field as-is, but add a field where the same reply is cryptographically signed. Then systems who support it can verify it. I can't imagine it'd take very long for Linux and BSD to support it, and Mac and Windows probably would follow along eventually.

      What's wrong with this idea? Does it already exist in some form and just isn't widely used?
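
The signed-reply idea CrazedWalrus asks about is what DNSSEC does: each zone signs its own records, and the parent zone signs a digest of the child's key, so a resolver only needs to trust the root's key. The Go program below is an added example written for this mirror, not code from the thread, from any poster or from any DNSSEC implementation; it models that chain of trust with Ed25519 keys and a simplified record and delegation format of its own (the zone names, the `keyDigest` binding and the record strings are this example's assumptions, not the real wire format). It shows why a server answering from a hijacked address cannot produce a reply that validates: it can sign whatever it likes, but no parent zone vouches for its key.

```go
package main

// Added example, not code from the Slashdot thread or any poster: a toy model of
// the DNSSEC chain of trust. Zone names, the record text and the key-digest
// scheme are this example's simplifications, not the real wire format.

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Zone holds the signing key of one level of the hierarchy (root, TLD, domain).
type Zone struct {
	Name string
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewZone(name string) *Zone {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Zone{Name: name, pub: pub, priv: priv}
}

// Signed is a record plus the signature the signing zone put on it.
type Signed struct{ Data, Sig []byte }

func (z *Zone) Sign(data []byte) Signed {
	return Signed{Data: data, Sig: ed25519.Sign(z.priv, data)}
}

// keyDigest binds a child's name to its public key; a parent signs this digest
// to vouch for the child (the role a DS record plays in DNSSEC).
func keyDigest(name string, key ed25519.PublicKey) []byte {
	d := sha256.Sum256(append([]byte(name+"|"), key...))
	return d[:]
}

// Delegate is the parent's signed statement about the child's key.
func (z *Zone) Delegate(child *Zone) Signed {
	return z.Sign(keyDigest(child.Name, child.pub))
}

// Link is one step of the chain returned to the resolver: the child's claimed
// key and the delegation record that should carry its parent's signature.
type Link struct {
	Name string
	Key  ed25519.PublicKey
	DS   Signed
}

// Resolver trusts exactly one key, the root's (the "trust anchor").
type Resolver struct{ anchor ed25519.PublicKey }

// Validate walks root -> ... -> answering zone. Each delegation must name the
// key claimed at that step and be signed by the key trusted at the previous
// step; finally the answer must verify under the last trusted key.
func (r Resolver) Validate(chain []Link, answer Signed) ([]byte, error) {
	trusted := r.anchor
	for _, l := range chain {
		if !bytes.Equal(l.DS.Data, keyDigest(l.Name, l.Key)) || !ed25519.Verify(trusted, l.DS.Data, l.DS.Sig) {
			return nil, fmt.Errorf("delegation of %s is not vouched for by its parent", l.Name)
		}
		trusted = l.Key
	}
	if !ed25519.Verify(trusted, answer.Data, answer.Sig) {
		return nil, fmt.Errorf("answer is not signed by the zone the chain vouches for")
	}
	return answer.Data, nil
}

// Demo builds a root -> com -> example.com chain and checks that the genuine
// answer validates while an impostor's answer is rejected, even though the
// impostor presents its own key with a self-signed "delegation".
func Demo() (genuineOK, rogueRejected bool) {
	root, com, example := NewZone("."), NewZone("com."), NewZone("example.com.")
	resolver := Resolver{anchor: root.pub}
	chain := []Link{
		{Name: com.Name, Key: com.pub, DS: root.Delegate(com)},
		{Name: example.Name, Key: example.pub, DS: com.Delegate(example)},
	}
	_, err := resolver.Validate(chain, example.Sign([]byte("example.com. A 192.0.2.10"))) // constructed record
	genuineOK = err == nil

	// A server answering from a hijacked address has a key, but no parent vouches for it.
	rogue := NewZone("example.com.")
	rogueChain := []Link{chain[0], {Name: rogue.Name, Key: rogue.pub, DS: rogue.Delegate(rogue)}}
	_, err = resolver.Validate(rogueChain, rogue.Sign([]byte("example.com. A 198.51.100.7")))
	rogueRejected = err != nil
	return genuineOK, rogueRejected
}

func main() {
	ok, rejected := Demo()
	fmt.Println("genuine answer validates:", ok, "| impostor rejected:", rejected)
}
```

`Demo` returns two booleans, genuine-answer-validates and impostor-rejected, and `go run` prints both. The real protocol adds what this model leaves out (the DNSKEY, DS and RRSIG record formats, signature validity windows, key rollover, and a signed root zone), but the validation walk a resolver performs has the same shape: no step of the chain is accepted on the say-so of the server that returned it.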

    10. Re:Good Samaritans? by LordSnooty · · Score: 1

      Given this is the Internet, it's hard to imagine anyone getting caught for it.

    11. Re:Good Samaritans? by Firehed · · Score: 4, Interesting

      According to l.root-servers.org linked above, the IP change happened on the first of November last year, and only a couple weeks ago was taken offline at the old address. Is six months not enough?

      --
      How are sites slashdotted when nobody reads TFAs?
    12. Re:Good Samaritans? by stoborrobots · · Score: 5, Insightful

      There is DNS Security... But really, it's like any fix for SMTP - nobody bothers using it because nobody is using it...

    13. Re:Good Samaritans? by aleph42 · · Score: 5, Insightful

      You guys are awfully optimistic; those who pulled that off had an enormous power for a short time. Quoting TFA:

      > In general, they could engage in all sorts of mischief, ranging from very targeted ("let's get this one individual or organization") to very wide-ranging ("let's blow away .com today"), all the while completely undetected.

      I don't understand all the details, but from what I got the whole name resolving is a trust based system; so advertising a false youtube domain would temporarily work, but then you'd be busted and left with no karma. Except that these "root servers" are free of those constraints.

      The fact that those who did this had huge resources does not make it less scary, neither does the fact that nobody detected anything. Remember how that guy operated a tor exit node to get a whole lot of interesting data; the idea here is the same.

      (A concrete example would be to send your wikipedia request to a bogus wikipedia website. It would forward all your queries to the real wikipedia, so you couldn't tell the difference (man in the middle), but on some pages it would serve you an altered page; it could also make you feel like you wrote an article, but the article would actually only show up on your copy of the bogus website, not the real one. Encryption thwarts this, otherwise it's really the worst case scenario.)

      And apparently, there is nothing to prevent it from happening again. Since people seem so little concerned, I must have missed some detail which makes everything fine; or at least I really hope so.

      --
      Don't take my posts literally; it's just code to control my botnet.
    14. Re:Good Samaritans? by Anonymous Coward · · Score: 0

      that's right folks, there's nothing to see here but a garden variety slashvertisement. move along.

    15. Re:Good Samaritans? by Anonymous Coward · · Score: 2, Insightful

      Probably not. I'm sure there are still a lot of people using hints files from years, if not decades ago. Most people don't think to update them unless they're installing a new server. Even then they're unlikely to update them since they just copy the zone files from the old server to the new one and usually the hints file is included and overwrites whatever came with the new server's distribution. ;-/

    16. Re:Good Samaritans? by Jellybob · · Score: 2, Informative

      Most modern DNS servers will automatically update their hints file each time they're restarted, by making a request to whichever root they connected to for the current list.

    17. Re:Good Samaritans? by leuk_he · · Score: 1

      It is very visible, but also not illegal. They serve data from a server they own, from an IP address they bought (got assigned?).

      If they want to point to spammy sites, or collect dns typing mistakes then they are legal.

    18. Re:Good Samaritans? by stoborrobots · · Score: 1

      And if they connected to the old l. address?

    19. Re:Good Samaritans? by SatanicPuppy · · Score: 5, Insightful

      Not if it still works. You need to take the old address offline for a while.

      Most people don't pay much attention to their DNS infrastructure. The stuff doesn't need much maintenance. If it breaks, they'll notice that something is wrong, but if it continues working seamlessly, they'll ignore it.

      --
      ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
    20. Re:Good Samaritans? by aleph42 · · Score: 1

      Just a precision: the great firewall of China, or your ISP, has the same power (man in the middle possibility). But as in the p2p throttling case, once people detect it, they know that the culprit is the ISP.

      Also, an ISP from another country will not be able to affect you; but that root server effect is world-wide.

      Of course (IIRC), the US always had their hand on a server with that kind of privilege. But again, meddling with it would have directly incriminated the US.

      --
      Don't take my posts literally; it's just code to control my botnet.
    21. Re:Good Samaritans? by Anonymous Coward · · Score: 0

      > I upgraded a corporate DNS once and left the old system in place, just changed the CNAME to point to the new server.

      This makes no sense. You have to use an IP address to get to a DNS server. If you could resolve CNAMEs before you talked to the DNS server, you wouldn't need the DNS server.

      Oddly, the word in the captcha was "retard" :)

    22. Re:Good Samaritans? by OeLeWaPpErKe · · Score: 1

      Exactly. This is going to cost stupid people who don't bother keeping a working dns system a lot of money - or they might get shamed.

      Exactly what you'd want if you want people to be more aware of internet and dns problems.

      Update those root zonefiles, people !

    23. Re:Good Samaritans? by Anonymous Coward · · Score: 0

      What if said corporation wanted the DNS to log/cache every DNS request made from within ?

      For sake of completeness, my CAPTCHA is 'astute'

    24. Re:Good Samaritans? by SpinyNorman · · Score: 1

      Yes, but...

      1) This is the (D)ARPANet... I'm sure the US government would not take kindly to spoofing a root level name server even if the mechanism by which it was done was legal

      2) Never mind the military/government basis of the internet, knowingly messing with .com domains could presumably be taken as messing with interstate commerce and fall under the scrutiny of the FBI. I sure wouldn't do it!

    25. Re:Good Samaritans? by Jartan · · Score: 2, Insightful

      From my reading of the article they didn't "relinquish" the ip at all. Basically some new groups claimed that they owned the ip address (when they didn't) and the sections of the internet just accepted that claim and started routing data to that IP to those groups.

      If you follow the article the actual change of IP address doesn't even matter. The server change merely provided a situation where they weren't paying as much attention to the old DNS.

      It sounds like the attack could be pulled off at any time vs a root server though. It would simply be caught quicker.

    26. Re:Good Samaritans? by el_nino · · Score: 1

      There are people pushing for DNSSEC, but there's obviously a great deal of inertia involved.

      Around the same time as L was moved, the Swedish ccTLD .SE together with other Swedish net organisations sent an open letter
      to ICANN urging them to deploy DNSSEC and sign the root zone.

      Hopefully this incident will speed things up.

    27. Re:Good Samaritans? by petermgreen · · Score: 1

      Someone may have just forgotten to block an internal routing advertisement from being propagated to the outside or something.

      --
      note: i'm known as plugwash most places but i screwed up registering that here somehow in the past and now can't register
    28. Re:Good Samaritans? by AnyoneEB · · Score: 1

      I think it is a bit early to say DNSSEC is being ignored. The most recent related RFC is dated February 2008 (although Wikipedia says it was released in March). The Wikipedia article mentions work on setting up implementations. It sounds like it is getting slowly phased in, but as the parent implied, like many other internet standards, it may end up dying before anyone actually starts using it.

      --
      Centralization breaks the internet.
    29. Re:Good Samaritans? by bluelip · · Score: 1

      Please explain. You changed a CNAME to point the users to a new DNS server?

      What mechanism allows you to do that?

      --

      Yep, I never spell check.
      More incorrect spellings can be found he
    30. Re:Good Samaritans? by bluelip · · Score: 1

      Disregard, I saw the "brain fart" explanation below.

      --

      Yep, I never spell check.
      More incorrect spellings can be found he
    31. Re:Good Samaritans? by rekoil · · Score: 1

      This doesn't appear to have been updated in the Debian 4.0 bind9 package - I just checked my installation, then updated the file manually.
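
A check like the one rekoil describes doing by hand, as an added example written for this mirror (Go; not the thread's or any poster's code, and not part of BIND or its Debian package): it parses a root hints file in the `named.root` layout and reports any server entry whose address is on a list of retired addresses. The sample file and its server names are constructed, with documentation-range addresses except for 198.32.64.12, the old L address quoted elsewhere in the thread; the retired list is an assumption the operator fills in from root-server change announcements.

```go
package main

// Added example, not code from the thread or any poster: a check of the kind
// rekoil describes doing by hand, parsing a BIND-style root hints file and
// reporting entries that still point at a retired address. The sample file is
// constructed; apart from 198.32.64.12 (the old L address named in the
// thread) its addresses are documentation-range placeholders.

import (
	"bufio"
	"fmt"
	"strings"
)

// Hint is one address record (A or AAAA) for a root server name.
type Hint struct {
	Name, Type, Addr string
}

// ParseHints reads the hints format: ';' starts a comment, fields are owner,
// TTL, optional class, record type, rdata. NS records only list the server
// names, so only A and AAAA records are kept.
func ParseHints(text string) []Hint {
	var hints []Hint
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := sc.Text()
		if i := strings.IndexByte(line, ';'); i >= 0 {
			line = line[:i]
		}
		f := strings.Fields(line)
		if len(f) >= 5 && strings.EqualFold(f[2], "IN") {
			f = append(f[:2], f[3:]...) // drop the class so the type is always f[2]
		}
		if len(f) < 4 {
			continue
		}
		if t := strings.ToUpper(f[2]); t == "A" || t == "AAAA" {
			hints = append(hints, Hint{Name: strings.ToUpper(f[0]), Type: t, Addr: f[3]})
		}
	}
	return hints
}

// StaleHints returns the entries whose address is in the retired set.
func StaleHints(hints []Hint, retired map[string]bool) []Hint {
	var stale []Hint
	for _, h := range hints {
		if retired[h.Addr] {
			stale = append(stale, h)
		}
	}
	return stale
}

// sampleHints is a constructed file, not a real named.root.
const sampleHints = `; constructed sample root hints
.                     3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.   3600000      A     192.0.2.1
A.ROOT-SERVERS.NET.   3600000      AAAA  2001:db8::1
.                     3600000      NS    L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET.   3600000  IN  A     198.32.64.12   ; old L address, retired
`

// retiredAddrs lists addresses known to be retired; only the one the thread names.
var retiredAddrs = map[string]bool{"198.32.64.12": true}

func main() {
	for _, h := range StaleHints(ParseHints(sampleHints), retiredAddrs) {
		fmt.Printf("stale hint: %s %s %s\n", h.Name, h.Type, h.Addr)
	}
}
```

Point `ParseHints` at the hints file your resolver actually loads (for BIND, the file named by the `hint` zone in named.conf) and keep `retiredAddrs` current whenever a root server moves. A hit means the resolver is still priming from an address that may now answer from someone else's machine, which is exactly the situation the thread is about.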

    32. Re:Good Samaritans? by CrazedWalrus · · Score: 1

      Thanks for the pointer. Like everything else, it seems my original ideas have been thought of years ago. :-)

      Judging by the other replies to your post, it seems like there's some hope. Even if it was just .com and .org at first, that'd be a huge step forward.

    33. Re:Good Samaritans? by stoborrobots · · Score: 1

      *shrug* There are 12 other fail-over points. I certainly wouldn't notice if one of the root-servers fell off the internet.

      Granted, someone much bigger than me might notice that 8% of their queries are failing and being re-tried... But I don't know how long it would take before it happened...

    34. Re:Good Samaritans? by mysidia · · Score: 1

      But who's to say they had any intent to change anything?

      Passive monitoring and collecting info about all DNS queries that happen for the purposes of data mining (marketing use) is another possibility.

      I.E. Things like which SLDs are being queried that give the most NXDOMAINs responses... these might be useful domains for a company to register, if say its a typo of the name of something they sell...

      That sort of information may be valuable to certain people

      Just like the list of sites you've visited with your browser is valuable, esp. when that list can be associated with a single cookie and used to select what advertising you see in the future.

    35. Re:Good Samaritans? by cheeseboy001 · · Score: 1

      > The fact that those who did this had huge resources does not make it less scary, neither does the fact that nobody detected anything. Remember how that guy operated a tor exit node to get a whole lot of interesting data; the idea here is the same.

      Except that they don't actually see any of that data.

      > A concrete example would be to send your wikipedia request to a bogus wikipedia website. It would forward all your queries to the real wikipedia, so you couldn't tell the difference (man in the middle), but on some pages it would serve you an altered page; it could also make you feel like you wrote an article, but the article would actually only show up on your copy of the bogus website, not the real one. Encryption thwarts this, otherwise it's really the worst case scenario.

      I could be wrong, but all DNS does is resolve a domain (e.g. en.wikipedia.org) to an IP address (e.g. 208.80.152.2). So they could redirect you to a completely different website, but not just a different page. Also, because of the way DNS data is usually cached all over the place, they would only see one request per domain during all of your browsing, if that.

    36. Re:Good Samaritans? by aleph42 · · Score: 1

      > I could be wrong, but all DNS does is resolve a domain (e.g. en.wikipedia.org) to an IP address (e.g. 208.80.152.2). So they could redirect you to a completely different website, but not just a different page. Also, because of the way DNS data is usually cached all over the place, they would only see one request per domain during all of your browsing, if that.

      But if they send you to a bogus wikipedia IP, this one can in turn convert all your queries to wikipedia, except some that it meddles with (man in the middle attack). And you only need to hijack the name once (caching will cache the bogus IP).

      --
      Don't take my posts literally; it's just code to control my botnet.
  2. Extremely vague article by Thornburg · · Score: 2, Informative

    Summary of this article should read:

    "Hey, something happened. No, we don't know who, what, when, or why. We do know where, but that's it. You got any ideas?"

    Should have been submitted as "Ask Slashdot"... Then maybe we might find out what happened, if anything. As is, it is a non-news item.

    1. Re:Extremely vague article by Anonymous Coward · · Score: 5, Informative

      nonsense. the article is very clear: here's what happened:

      icann hosted L-root on ip addresses they didn't have an exclusive right to use.

      they decided to stop doing that and moved L-root to somewhere else.

      shortly thereafter someone else decided to operate a name server on the very same IP addresses.

      that's *what* happened. perhaps you meant to say that the article doesn't say *why* it happened. that would be a fair criticism.

    2. Re:Extremely vague article by Anonymous Coward · · Score: 0

      They just posted it so that in a few hours (ok, /. time means a few days or weeks) they can post the solution story with the line, "..., which we covered previously ahref=here, ..." and feel more legitimate.

    3. Re:Extremely vague article by menace3society · · Score: 1

      So, (and I admit my internetworking ignorance here) is there any mechanism to allow a root nameserver to inform the next tier of servers that it's moving, or at least tell everyone to that cached domain names may not point to the right place?

    4. Re:Extremely vague article by element-o.p. · · Score: 1

      > As is, it is a non-news item.

      Not entirely. It reminded me to update my root zone file on my DNS servers ;)

      --
      MCSE? No, sir...I don't do Windows. Yes, I am an idealist. What's your point?
    5. Re:Extremely vague article by subsoniq · · Score: 4, Interesting

      > nonsense. the article is very clear: here's what happened: icann hosted L-root on ip addresses they didn't have an exclusive right to use. they decided to stop doing that and moved L-root to somewhere else. shortly thereafter someone else decided to operate a name server on the very same IP addresses. that's *what* happened. perhaps you meant to say that the article doesn't say *why* it happened. that would be a fair criticism.

      you're missing something here. It wasn't just that "someone" else decided to operate a bogus L root server on that IP address, it's that several someones were doing this. The article states there were FOUR of these running on the OLD ip address. so you had the newly IP'd correct L server, and 4 bogus L servers (one of which was being run by ICANN itself), all using the same old IP address.

      How could this happen you ask? because 3 entities not authorized to announce they host that IP block did so anyway, so there were 4 different routes to that IP block on the Internet, resulting in 4 possible places you could end up at when sending DNS queries to the old address, 198.32.64.12.

      So basically there are 2 concerns here, one is that a couple of Internet entities were advertising routes for an IP block they were not authorized to advertise, and that they were running a bogus L root server from that IP block on its old address. Bill Manning owned the IP block so his ISP was authorized to advertise that route, and it might be obvious why ICANN was also advertising a route for it as well (to try to get that traffic going to the old IP address for root lookups), but why were Community DNS and Diyixian.com advertising that route and running a bogus L root server?
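
What subsoniq describes, four different routes to one block, is a multiple-origin-AS (MOAS) condition, and it is visible in collected routing data long before anyone notices odd DNS answers. As an added example, not code from the thread, from Renesys or from any poster, here is a small Go detector: it groups observed announcements by prefix, takes the origin AS from the end of each AS path, and reports prefixes with more than one origin together with the origins that are not on the operator's authorised list. The prefix (a TEST-NET stand-in for the block that held 198.32.64.12), the AS numbers (from the documentation range) and the announcements are constructed, and the authorised list is an assumption standing in for the operator's own records.

```go
package main

// Added example, not code from the thread or any poster: a multiple-origin-AS
// (MOAS) check of the kind a network operator runs over collected BGP routes to
// catch what subsoniq describes, one prefix being originated by several
// networks when only one holder is entitled to. Prefixes, AS numbers and the
// announcements are constructed (documentation ASNs and TEST-NET prefixes).

import (
	"fmt"
	"sort"
)

// Announcement is one observed route: the prefix and its AS path as seen from
// a route collector; the origin AS is the last element of the path.
type Announcement struct {
	Prefix string
	ASPath []int
}

// Finding reports a prefix that is announced with more than one origin AS.
type Finding struct {
	Prefix       string
	Origins      []int // every origin seen, sorted
	Unauthorised []int // origins not in the authorised list, sorted
}

// DetectMOAS groups announcements by prefix and flags those with two or more
// distinct origins; authorised maps prefix -> ASNs entitled to originate it.
func DetectMOAS(routes []Announcement, authorised map[string][]int) []Finding {
	seen := map[string]map[int]bool{}
	for _, r := range routes {
		if len(r.ASPath) == 0 {
			continue // a route with no path tells us nothing about its origin
		}
		if seen[r.Prefix] == nil {
			seen[r.Prefix] = map[int]bool{}
		}
		seen[r.Prefix][r.ASPath[len(r.ASPath)-1]] = true
	}
	var findings []Finding
	for prefix, origins := range seen {
		if len(origins) < 2 {
			continue
		}
		f := Finding{Prefix: prefix}
		for asn := range origins {
			f.Origins = append(f.Origins, asn)
			if !containsInt(authorised[prefix], asn) {
				f.Unauthorised = append(f.Unauthorised, asn)
			}
		}
		sort.Ints(f.Origins)
		sort.Ints(f.Unauthorised)
		findings = append(findings, f)
	}
	sort.Slice(findings, func(i, j int) bool { return findings[i].Prefix < findings[j].Prefix })
	return findings
}

func containsInt(list []int, v int) bool {
	for _, x := range list {
		if x == v {
			return true
		}
	}
	return false
}

// Constructed observations: four paths to a stand-in for the block that held the
// old root address, each from a different origin, plus a prefix with one origin.
var sampleRoutes = []Announcement{
	{Prefix: "192.0.2.0/24", ASPath: []int{64500, 64496}},        // the holder's own announcement
	{Prefix: "192.0.2.0/24", ASPath: []int{64501, 64497}},        // second origin
	{Prefix: "192.0.2.0/24", ASPath: []int{64502, 64503, 64498}}, // third origin
	{Prefix: "192.0.2.0/24", ASPath: []int{64504, 64499}},        // fourth origin
	{Prefix: "198.51.100.0/24", ASPath: []int{64500, 64505}},     // single origin, no finding
}

// Which ASN is entitled to originate each prefix, as an operator would load
// from their own records (IRR route objects or, today, RPKI ROAs).
var authorisedOrigins = map[string][]int{"192.0.2.0/24": {64496}, "198.51.100.0/24": {64505}}

func main() {
	for _, f := range DetectMOAS(sampleRoutes, authorisedOrigins) {
		fmt.Printf("%s: origins %v, unauthorised %v\n", f.Prefix, f.Origins, f.Unauthorised)
	}
}
```

In practice `sampleRoutes` would come from a route collector feed or a looking-glass dump and `authorisedOrigins` from IRR route objects or RPKI ROAs. The check only tells you that a second origin exists, not whether it is a legitimate multi-homing arrangement, so a finding is a prompt to confirm with the prefix holder rather than proof of a hijack.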

    6. Re:Extremely vague article by Kalriath · · Score: 1

      Yes there is for lower levels. All DNS responses specify a TTL (time-to-live), after which the response issued during the last contact should be discarded. This doesn't address the root level though, for which you cannot actually use a DNS entry to get to in the first place (after all, who'd resolve it?)

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
  3. Cashing In by kennyj449 · · Score: 2, Insightful

    They were probably running something similar to Verisign's SiteFinder that attempts to cash in on typos and non-registered domains.

    1. Re:Cashing In by Anonymous Coward · · Score: 3, Informative

      nope. as the article points out, the fake L-root that is still running right now appears to be returning correct data for existing domains and NX records for non existing domains.

      they may be gathering data from NX hits, though. who could say. well, community dns could say. perhaps they will.

    2. Re:Cashing In by Anonymous Coward · · Score: 3, Informative

      Right. Still returning correct data but collecting logs of names that don't exist so they can sell them to all those wacky people who register everything under the sun and park adverts on it (I hate that). A story about this was /.'ed back in October but it was Verisign selling the data to third parties. http://www.domainnamenews.com/editorial/verisign-to-profit-from-rootserver-data/889

    3. Re:Cashing In by lucifuge31337 · · Score: 1

      NX was going to be my guess. There have been people spamming in NANOG on occasion trying to buy NX data from providers.....so there is obviously a market for it. Good call.

      --
      Do not fold, spindle or mutilate.
    4. Re:Cashing In by Punto · · Score: 1

      Incidentally, about 90% of the hits on the root nameservers are NX, since all of the correct request get cached downstream, but nobody can cache an NX response, so they keep coming back.

      --
      Stay tuned for some shock and awe coming right up after this message!

    5. Re:Cashing In by VGPowerlord · · Score: 1

      Maybe I misunderstand what a root DNS server does, but I was under the impression that the only thing root servers did was answer "who is in charge of top level domain .tld?"

      What possible use could a list of mistaken TLDs be if these TLDs need to be approved by ICANN before they can be used?

      --
      GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
  4. statistics? profiling? by apodyopsis · · Score: 2, Insightful

    statistics? profiling?

    that data would be worth something to ad men surely...

    1. Re:statistics? profiling? by GuldKalle · · Score: 1

      Phishing?

      --
      What?
    2. Re:statistics? profiling? by Thanshin · · Score: 4, Funny

      Khunting?

      (flem, 'a', 'n'...)

    3. Re:statistics? profiling? by emjay88 · · Score: 1

      That's what I thought, you could definitely gather some excellent stats from a root DNS, and that info would be good for determining a website's traffic without having to contact the website themselves.

      --
      1178161 is prime...
  5. What? by explosivejared · · Score: 5, Insightful

    Actually, "attack" isn't really an appropriate term. It was not really an attack or a hijack or even identity theft. For one thing, these terms imply the existence of both a victim and a villain. In this story, the villains are not obvious and there might not have been any victims.

    How do we go from this to a headline reading Identity Theft Hits the Root Servers?

    There is no reason to believe that it was malicious at all. We all are familiar with that black hat turned grey or white that wants to help out by demonstrating vulnerabilities in the system. That is just as plausible as anything else. Maybe it's the free-masons!! The Illuminati, maybe!!! The only certain thing about this is the need to secure name service. We should be glad even though it was compromised, there is no apparent damage done.

    --
    I got a catholic block.
    1. Re:What? by Anonymous Coward · · Score: 0, Troll

      > How do we go from this to a headline reading Identity Theft Hits the Root Servers?

      Simple... Sensationalized headlines just like the rest of the liberal media...

    2. Re:What? by morgan_greywolf · · Score: 1

      > Maybe it's the free-masons!! The Illuminati, maybe!!!

      Or the NSA!!! Maybe space aliens!! Or, or, I know...the Bilderberg Group!!!

      Either that, or it was just some spammers trying to gather information. Nah, that's wayyyy too plausible.

    3. Re:What? by Mister+Whirly · · Score: 1

      "liberal media" - yeah everybody knows that the biggest media mogul around, Rupert Murdoch, is the most lefty liberal guy out there. I wish there was a news network that gave a more conservative view than that pinko commie crap on Fox News.

      --
      "But this one goes to 11!"
    4. Re:What? by billcopc · · Score: 2, Insightful

      If by liberal, you meant "American", then you're absolutely correct!

      Media is biased, because humans are biased. No single political party is any more or less inclined to distort facts in-line with their own beliefs.

      Would you have preferred a headline reading "Rogue DNS server running for 6 months with no adverse effects. Spread the lulz!" ?!

      --
      -Billco, Fnarg.com
    5. Re:What? by subsoniq · · Score: 1

      > How do we go from this to a headline reading Identity Theft Hits the Root Servers?

      because 3 separate entities falsely advertised the routes to the IP block that contained the old IP address, 198.32.64.12, and ran bogus L root servers that answered queries from traffic that ended up where it shouldn't have been. Only ep.net was authorized to advertise that netblock.

    6. Re:What? by Anonymous Coward · · Score: 0

      > There is no reason to believe that it was malicious at all. We all are familiar with that black hat turned grey or white that wants to help out by demonstrating vulnerabilities in the system. That is just as plausible as anything else. Maybe it's the free-masons!! The Illuminati, maybe!!! The only certain thing about this is the need to secure name service. We should be glad even though it was compromised, there is no apparent damage done.

      The Freemasons? You really think a bunch of 60+ year old men are savvy enough to do something like this? What a maroon.

  6. Maybe They Forgot... by Anonymous Coward · · Score: 0

    > ...the volume of traffic to a root server is staggering, so the people running these bogus root servers must have had a reason. What did they get out of it?

    Maybe they just forgot they had them.

    1. Re:Maybe They Forgot... by billcopc · · Score: 1

      Maybe their platform had the cojones to handle it.

      Not everyone is running their mission-critical apps on decommissioned P3 desktops :/ The average SOHO server today is a quad-core with 4gb memory. They can take one hell of a pounding compared to the dinosaurs we had four years ago.

      --
      -Billco, Fnarg.com
    2. Re:Maybe They Forgot... by quantumplacet · · Score: 1

      I don't think server power is what they were talking about. Root name servers get queried constantly, and while the request packet itself is obviously quite small, a few hundred thousand requests a second will eat up a lot of bandwidth. It seems unlikely that someone had a few gbs of bandwidth that they had no other use for. As for "maybe they forgot" since someone actively set up a root name server and advertised a route for it after ICANN took theirs down, this also seems rather unlikely.

  7. Harvesting NXDOMAIN hits by drags · · Score: 5, Interesting

    Evil marketing firms are always looking for ways to improve typo-squatting. Popping a root server's address space is the ultimate in NXDOMAIN (failed to match) lookups as every DNS server on the net that cannot resolve a domain (such as unregistered typo-domains) will go further and further back until it hits a root server. Hence having a root server's NXDOMAIN data is the ultimate in typo-squatting.

    1. Re:Harvesting NXDOMAIN hits by mpeg4codec · · Score: 4, Informative

      I honestly doubt that typo-squatters care about the millions of requests for com, net, org, and all the other TLDs and ccTLDs, which is all you'll get if you have control of a root server. If someone makes a typo on some com domain, it won't make it any further than com's servers, so having control of the root is rather moot unless someone also makes a typo in the TLD.

      On the other hand, the person in control of the root could give bogus records for the name servers for something like com. This is unlikely to be a major problem since the TTL on all the records served by the root is 120 days. Most people are going to be querying a caching name server of some sort, so it's statistically unlikely to affect much of the population before it is detected and dealt with.

      Not to plug my own work too much, but as a part of my research, I work with a team that monitors DNSSEC deployment. This is something we would in theory be able to see from our distributed polling framework, and our datasets going back to 2005 don't show anything like a rogue TLD server being published. Kind of unfortunate in a way, being that DNS isn't exactly the most interesting research topic at face value.

    2. Re:Harvesting NXDOMAIN hits by asc99c · · Score: 1

      I thought the root servers were mainly dealing with the kind of typos more like www.google or www.google.con - forgetting or mistyping that top level address. The .com name block and all the others are assigned out to other companies, and it's those others who would see www.goggle.com

      How great it would be to have a top level domain of .con ...

    3. Re:Harvesting NXDOMAIN hits by ais523 · · Score: 1

      Well, you could typo-squat non-existent TLDs. I've been known to typo on TLDs before. Also, someone with those sort of resources could probably direct .com to a mirror that gave much the same results, but typosquatted, as you suggested. Anyway, my personal theory is that someone hijacked the L root server's old IP address, and then posted to Slashdot to figure out what to do with it...

      --
      (1)DOCOMEFROM!2~.2'~#1WHILE:1<-"'?.1$.2'~'"':1/.1$.2'~#0"$#65535'"$"'"'&.1$.2'~'#0$#65535'"$#0'~#32767$#1"
  8. Collecting valid IP addresses, reference data by n9891q · · Score: 2, Interesting

    Since they seem to be providing valid responses (as suggested in the article), it must be some traffic data that they are collecting. They now have a long list of valid IP addresses with data, consider it a list of targets. They also have some first-hand data on the most popular websites which they could sell to advertisers ("Are you sure you're getting the right billing from your advertising agents?"). It could also have been a set-up - benign now but gearing up to start attacking later. I hate to mention it, but they could have been testing a cyberattack technique and had the bad luck to get caught (the Manchurian DNS server).

  9. What they got by $RANDOMLUSER · · Score: 1

    The addresses (and traffic patterns) of the whole world's secondary DNS servers? Can you say DDOS??

    --
    No folly is more costly than the folly of intolerant idealism. - Winston Churchill
    1. Re:What they got by leuk_he · · Score: 4, Insightful

      If they did not answer the name requests then the client would go on retrying and retrying, being a more effective DOS on their network. So the only correct action was to put a DNS server on the announced DNS addresses.

    2. Re:What they got by martinlp · · Score: 1

      They could also block the dns requests upstream. Plus as far as I can remember a client would only try a limited amount of times before trying another root server. Oh and only DNS servers configured to do recursive queries would normally query a root server.

  10. Could be several reasons by analog_line · · Score: 4, Interesting

    As Renesys points out, the volume of traffic to a root server is staggering, so the people running these bogus root servers must have had a reason. What did they get out of it?

    A few reasons spring immediately to mind.

    1. Preliminary move with the intent of actual subversion of results at a later date. This gives you an idea of what the traffic looks like, the volume you're going to have to manage, and the technical requirements of managing the subversion on top of recording important information about the systems you just subverted for later exploitation, plus any statistical information you need/want to improve your subversion process.

    2. Preliminary move by a government, corporate entity, or some grouping with the intent of either wresting control of some portion of the DNS infrastructure from ICANN, or setting up a country-specific DNS infrastructure that is legally mandated. Again, you get valuable information about the kind of stuff you need to be dealing with, depending on exactly what you have in mind.

    3. Same as above, but more of an idealistic style intervention, fearing malicious intent from the US government which still controls the DNS system, and trying to prepare for a time when an ICANN-free DNS system may need to be put in place.

    Depending on where this stuff is actually going (and if it's the actual owner of the IP space that is doing this) of course...

  11. This is the perfect Man In The Middle attack by colinmcnamara · · Score: 5, Insightful

    If only 5% of DNS servers hadn't updated their root servers list, and this server is listed as 1 of the 13 root servers, then these people will have .38% of the entire internet's DNS requests coming through them.

    With "control" of a root server (or at least what a DNS client believed was a root server), they would be free to insert whatever records for anything they want. Think banking, finance, email, etc.

    So really, the title of this article should have been: if you were in organized crime, what would you do if you could transparently MITM (man in the middle) attack .38% of all web traffic on the internet?

    My guess is all your accounts belong to us.....

    --
    Colin McNamara - CCIE #18233 "The difficult we do immediately, the impossible just takes a little longer"
    1. Re:This is the perfect Man In The Middle attack by Anonymous Coward · · Score: 0

      While your estimate of 0.38% of DNS requests looks correct, I'd say that they can have a much larger fraction of the actual traffic redirected to them by setting the cache times for their falsified DNS answers to the maximum possible.

    2. Re:This is the perfect Man In The Middle attack by theelectron · · Score: 1

      That is what I was thinking. If you wanted to do a man in the middle attack transparently you would set up lookalike sites for a few financial institutions and only give false records for those sites while giving correct information for the rest of the internet. They don't know this was harmless by checking just a few sites against the rogue servers.

    3. Re:This is the perfect Man In The Middle attack by Anonymous Coward · · Score: 1, Funny

      Assuming your bank didn't use debian or a derivative to generate their SSL key then banking, etc. should be fine...

    4. Re:This is the perfect Man In The Middle attack by cortana · · Score: 2, Informative

      Surely the users wouldn't just ignore the certificate warnings that their browsers presented them with... right?

    5. Re:This is the perfect Man In The Middle attack by Anonymous Coward · · Score: 0

      Ha ha, good one. And stop calling me Shirley.

  12. What did they get out of it? Easy....root access! by Anonymous Coward · · Score: 2, Funny

    Thank you, thank you!!! I'll get my coat... ;-)

  13. What am I missing? by atheos · · Score: 1

    I guess I don't see what the big deal is. The ICANN article stated that the old root DNS server would run for 6 more months, and that appears to be all that has happened.
    What am I missing?

    "It is expected that the old address will continue to work for at least six months after the transition, but will ultimately be retired from service."

    1. Re:What am I missing? by Anonymous Coward · · Score: 0

      if you RTFA they closed the DNS server on May 1.

      Interestingly the IP address space was reallocated by some much earlier than that

  14. Make sure you are up to date! by SaDan · · Score: 4, Informative

    You can get your root server hints file from:

    ftp://ftp.internic.net/domain/named.cache

    Slashdot's junk filter won't allow a cut and paste of the file's contents into a post.

    1. Re:Make sure you are up to date! by stoborrobots · · Score: 2, Insightful

      The problem is, if you do grab the hints file from there, you have to make sure you keep refreshing it to stay up to date... Otherwise you're just setting yourself up for the same attack the next time this happens...

      That said, I don't know if trusting your upstream provider is any better...

    2. Re:Make sure you are up to date! by SaDan · · Score: 2, Informative

      The file doesn't change all that often, so checking it once a month should keep you up to date. If you needed a more immediate update schedule, I'd subscribe to the ICANN newsletter at:

      http://www.icann.org/newsletter/

    3. Re:Make sure you are up to date! by stoborrobots · · Score: 1

      Oh, yeah, I realise that. In fact, given that the article states that the transition time is around 6 months, you could probably just update every 3 months, even.

      The point is, you have to have some system in place, either manual or automatic, to perform the update... Because it's easy to copy the file the first time, insert it into your configuration master image, and then forget about it as you roll out machines, and leave them in production for years with out-of-date hints files.

      I know - I've probably done it on machines before, too... Thankfully I've long since moved away from the naive default BIND setup which includes a copy of the hints file from some arbitrary date, used long after it's safe to do so...

    4. Re:Make sure you are up to date! by birdpen · · Score: 1

      Assuming in future when you try to resolve ftp.internic.net, you get the result via real root name servers and thus you can trust ftp://ftp.internic.net/domain/named.cache by itself. DNS works at the thin edge of trust, as the article tried to emphasize. Root name servers are the pivots for the Internet infrastructure, which we don't realize in our day to day activities. Any damage there is always catastrophic, as has been proven in the past. The article emphasized what could go wrong, without you and me knowing, for months.

    5. Re:Make sure you are up to date! by SaDan · · Score: 1

      At previous jobs, I had a cronjob that would poll the file from InterNIC, and alert me if it had changed or failed to poll the file correctly. Worked great!

      I do not rely on package maintainers to keep this file up to date.

    6. Re:Make sure you are up to date! by stoborrobots · · Score: 2, Funny

      Cool, then we are in agreement. :) Cron is really the way to go.

    7. Re:Make sure you are up to date! by SaDan · · Score: 1

      It is. :-)

      If you really wanted to be paranoid about the whole thing, you could also do a lookup for ftp.internic.net via every root server listed in your current named.cache file, and look for discrepancies there as well before you download the file and update your system.

    8. Re:Make sure you are up to date! by dacut · · Score: 1

      Great! I'll just resolve ftp.internic.net from the address I have on file for the L-root server...

    9. Re:Make sure you are up to date! by Phroggy · · Score: 1

      Assuming, of course, that your DNS server is returning the correct IP address for ftp.internic.net, rather than some other FTP server that happens to have a /domain/named.cache file...

      --
      $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
      $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
    10. Re:Make sure you are up to date! by Kalriath · · Score: 1

      If you really wanted to be paranoid about the whole thing, you could also do a lookup for ftp.internic.net via every root server listed in your current named.cache file

      The root servers won't resolve that though. The furthest they can go is telling you what server to contact for the domain "net".

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
    11. Re:Make sure you are up to date! by SaDan · · Score: 1

      That is true.

      Set up a DNS server and use each root server individually to verify consistent answers for ftp.internic.net.

  15. Gain trust by esocid · · Score: 1

    Maybe whoever set up the "fake" RNS was trying to hide and appear to be safe until some time when it could collaborate some DDOS. We won't know since they aren't up and running, but having such a highly used server would have been beneficial for whatever the purpose was in the first place, to everyone if it were a positive one or to them if it were negative. But what do I know, I'm purely speculating.

    --
    Absolute power corrupts absolutely. indymedia
    1. Re:Gain trust by Sobrique · · Score: 1

      Well, if I put my evil hat on, I'd be thinking less in terms of DDOS and more in terms of phishing. I mean, it'd be superb for introducing a MITM style attack on internet banking sites, or whatnot.

  16. Obvious answer already given by Captain+Spam · · Score: 1

    As Renesys points out, the volume of traffic to a root server is staggering, so the people running these bogus root servers must have had a reason. What did they get out of it?

    So how long has the submitter had this habit of answering his/her own questions before he/she asked them? Staggering amounts of traffic. That IS your answer. Victim machines whose upstream DNS servers didn't update the root server file could be redirected to ad-wrapped versions of "real" websites. If there was far more malicious intent involved, they can redirect, say, baking sites to whatever site they want. Plain and simple.

    /me quickly darts off to make sure his root file is up-to-date
    --
    Demanding constant attention will only lead to attention.
    1. Re:Obvious answer already given by Dachannien · · Score: 1

      Well, they suggest that the rogue root DNS was serving the same results as the legit one, but given that the Renesys guys only did a "very cursory examination of the results", and given that many malvertisement operators take pains to target their malware campaigns to certain geographical regions and to keep their ads hidden from the people who can ultimately block them, it's quite possible that the rogue DNS was only giving bad results for certain targeted domains (or perhaps was only giving bad results to certain IP ranges).

      Or it could have been sheer altruism. Who knows.

    2. Re:Obvious answer already given by Jellybob · · Score: 1

      If there was far more malicious intent involved, they can redirect, say, baking sites to whatever site they want.

      Providing recipes for spam flavoured muffins.

      Mmmmm... malicious

    3. Re:Obvious answer already given by argent · · Score: 1

      Victim machines whose upstream DNS servers didn't update the root server file could be redirected to ad-wrapped versions of "real" websites.

      But that doesn't *seem* to have been happening... that is, they didn't see any indication of it happening in a cursory examination of the sites so if they were they'd have to be pretty carefully targeting it.

      One thing that occurred to me is that this would give them a way to scan for common domain typos over a lot of the internet: signals intelligence for later spam serving.

  17. Read the ICANN notice by Anonymous Coward · · Score: 0

    "It is expected that the old address will continue to work for at least six months after the transition, but will ultimately be retired from service."

    The notice is dated Oct 24th '07, which means the six months isn't up yet.

    Nothing to see here, they are being nice and keeping the old one up for a while to make sure people have read the notice and acted on it.

    1. Re:Read the ICANN notice by stoborrobots · · Score: 2, Informative

      October + 6 months = April. Also, the effective date of that notice was 1 November, which means that the 6 months expired on May 1.

      ICANN's server was switched off on May 2.

  18. Missing Something by Gay+for+Linux · · Score: 1

    If the real server went offline May 2, does that mean the "spooky" fake servers would only have been getting traffic after May 2, so in the last two weeks, or were they getting traffic over the last six months? If so, how did that happen?

    1. Re:Missing Something by stoborrobots · · Score: 1

      Firstly, there's nothing spooky about the fake servers, the article lists who was running them... Not listing them in the summary was just simple Slashdot sensationalisation...

      And as far as how they got traffic (which they did, as per the graph in the FA), the hosting companies in question (in the UK, US, and Hong Kong) started advertising the routes through BGP (the protocol which tells the backbone routers on the Internet which routers host which IP addresses). So routers which were closer to Community DNS would send their packets to it, while those closer to ICANN would route theirs there instead, and likewise for those closer to ep.net (US) and Diyixian.com (HK).

      The IP addresses in question belong to ep.net, so one might argue that they were within their rights to use the address space. Whether Community DNS and/or Diyixian.com were operating with permission or not is unclear at this stage...

  19. Mmmmm.... by Anonymous Coward · · Score: 0

    I think they just got a warm and fuzzy feeling out of it.

    The problem with modern life is everyone's so damned paranoid all the time. Sometimes people do things that are nice believe it or not ;)

    1. Re:Mmmmm.... by Tastecicles · · Score: 1

      Rubbish. If everyone were so damn paranoid nobody'd be using Microsoft malware.~

      --
      Operation Guillotine is in effect.
  20. Anonymous Coward by Anonymous Coward · · Score: 1, Informative

    This story is kind of silly actually. On the post available on the ICANN blog, it is clearly stated that the IP address will change on November 1st and that "It is expected that the old address will continue to work for at least six months after the transition".

    Even a 6 year old child would be able to determine when the IP address would be eventually unused (end of May).

    From the article quoted as the source of the reference, it is clear that no one tried to verify the information. It would have been very simple to determine it was the same server on both addresses if only someone had tried to check it...

  21. historic UK dns name servers by speculatrix · · Score: 1

    long long ago in the mists of time I worked for PSINet Inc's UK division, which had previously been EUNet GB before it was bought by PSI. One of the old EUNet machines called "nelson", an old Sun Sparc 5 (or maybe it was a 10, I forget), was both a name server and resolver, and had existed since some of the earliest days of the internet in the UK.

    when the old eunet service was finally shut down, there were still a considerable number of people using it as a resolver, and there were still live domains hosted on it where we'd been unable to find anyone able to move them!

    the /24 IP block was quite useful, so it was re-routed to a different site, and no sooner than machines were deployed on that address, DNS queries began to arrive despite the whole IP block having been unused and unroutable for about a year!

    my point is that you can get 99% of the internet to accept updates, but there's a huge number of neglected legacy systems which never get reconfigured because people often don't even know they're there!

  22. It only takes one redirected query... by grizdog · · Score: 2, Insightful

    My uncle used to say that he preferred corrupt judges to incompetent judges, since the corrupt judges would be careful to get things right 95% of the time, so that they would be well placed when the time came to undermine the system. The incompetent judges, on the other hand, would screw things up far more frequently than that, and ruin far more lives than the corrupt judges. A very few redirected queries could get lost in the huge number of correct responses, but still provide big benefits to a criminal. And if they compromised a secretive bank, or the Defense Department, it's unlikely that we would ever hear about it.

  23. Maybe it was still running? by qazwart · · Score: 1

    They changed the IP address of the "L" root server, but might have kept the old one active just because not everyone was going to change their configuration in lock step.

    They could have kept the address, but then provided a note that the configuration was incorrect, but that really doesn't help a lot. I, as an end user, can't do much to change the configuration of my nameserver. Besides, my nameserver might have been using another nameserver which used another before it got to the root server. All that would have done would be to frustrate a lot of people, but not allow them to get around the problem.

    So, unless it is known that the old L root server IP was actually hijacked and that ICANN didn't just leave it running in a deprecated state for about six months to allow other name servers the time they needed to update their records, I can't really say this is an issue.

    Maybe someone should contact ICANN to see if they have any statement on this issue.

  24. Not horribly major by Todd+Knarr · · Score: 2, Informative

    Bear in mind that BIND for one doesn't use the root nameserver hints file directly under normal conditions. One of the first things it does is contact one of the servers listed in the hints file and download the real root nameserver list. After that it uses the downloaded list and ignores the hints file. So unless you contacted the L server for that initial download, you'll get the correct root server list and won't ever contact the bogus ones. I'd have to check whether BIND picks a hints entry at random or cycles through starting from the first. If it picks at random the window of vulnerability is small, but if it starts at the first it's virtually nonexistent (most hints files list A, B, C and so on in sequence, and the chance of getting no answer at all from the A-K servers is close to zero).

  25. Yup. by SatanicPuppy · · Score: 1

    Pre-coffee posting. I NAT'ed it in the firewall rules so the traffic that had been routed to 127.0.0.1 got redirected to 127.0.0.2.

    I was redoing some DNS stuff earlier (switching out a server) and I had CNAME on the brain.

    Sad that you're the only person who noticed =P

    --
    ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
  26. So, if a root-server changes its IP address... by imyy4u3 · · Score: 1, Insightful

    How will anyone else know, since it's the root system responsible for giving out IP addresses?

    Example: I request www.google.com. Parent doesn't know, its parent doesn't know, blah blah blah until I go to the "root hints" which are hard-coded IP addresses. There I look up www.google.com, and get my IP address. Now if that root server has a different IP, how the hell do I find it?

    Is this a catch-22 or what?

    1. Re:So, if a root-server changes its IP address... by stoborrobots · · Score: 1

      Umm, ICANN puts out a public notice, and then implements a 6-month transition period?

    2. Re:So, if a root-server changes its IP address... by stoborrobots · · Score: 2, Informative

      Umm, also, you seem to have the whole operation of DNS upside down; you start at the root servers, which delegate you to the .com servers, which delegate you to the google.com servers, which can then tell you the address of www.google.com.

      Hopefully you also cache the results along the way, so that when you want to find news.google.com later you don't have to go to the root or .com servers, and when you want to find yahoo.com you don't have to go all the way back to the root and can start at .com.

      However, when you want to get slashdot.org, you have to go back to the root, which will direct you to the .org servers, etc...

      HTH. HAND. Cheers.
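      The walk stoborrobots describes above (root, then the .com servers, then google.com's servers, with the cache letting later lookups skip the root), Todd Knarr's point in comment 24 that BIND primes its real root list from a hints server rather than trusting the hints file, and the remark in the MITM thread about inflated cache times, as one runnable model. This is an added example written for this page, not code from the thread, from BIND, or from Renesys: the delegation tree, the `.example` server names and the addresses (RFC 5737 documentation ranges) are all constructed, the retired L address is modelled as one with nothing listening, and `MAX_CACHE_TTL` stands in for a resolver's TTL cap.

```python
"""Toy iterative resolver over a constructed delegation tree: primes its root list from
the hints file, walks referrals from the root, caches them, and caps TTLs. Offline only."""
import random

MAX_CACHE_TTL = 86400  # resolver-side cap on any TTL it caches (BIND calls this max-cache-ttl)


class Server:
    """Constructed authoritative server. answers: name -> (ip, ttl); delegations: child zone
    -> {ns_name: ns_ip}; root_ns: root NS set (root servers only); up=False: nobody listening."""

    def __init__(self, answers=None, delegations=None, root_ns=None, up=True):
        self.answers, self.delegations = answers or {}, delegations or {}
        self.root_ns, self.up = root_ns, up

    def query(self, qname):
        if not self.up:
            return None                                    # timeout
        if qname == ".":                                   # priming query for the root NS set
            return ("answer_ns", self.root_ns, 518400) if self.root_ns else None
        if qname in self.answers:
            return ("answer",) + self.answers[qname]
        zones = [z for z in self.delegations if qname == z or qname.endswith("." + z)]
        if not zones:
            return None
        zone = max(zones, key=len)                         # most specific delegation wins
        return ("referral", zone, self.delegations[zone], 172800)


# Constructed tree; names and addresses are placeholders (RFC 5737 documentation ranges).
ROOT_NS = {"a.root.example": "192.0.2.1", "b.root.example": "192.0.2.2", "l.root.example": "192.0.2.13"}
STALE_HINTS = dict(ROOT_NS, **{"l.root.example": "192.0.2.12"})   # hints file still has old L
COM_NS, ORG_NS = {"a.gtld.example": "198.51.100.1"}, {"a0.org.example": "198.51.100.2"}


def root_server():
    return Server(delegations={"com": COM_NS, "org": ORG_NS}, root_ns=ROOT_NS)


NETWORK = {
    "192.0.2.1": root_server(), "192.0.2.2": root_server(), "192.0.2.13": root_server(),
    "192.0.2.12": Server(up=False),                        # retired L address: nobody home
    "198.51.100.1": Server(delegations={"google.com": {"ns1.google.example": "203.0.113.1"},
                                        "yahoo.com": {"ns1.yahoo.example": "203.0.113.2"}}),
    "198.51.100.2": Server(delegations={"slashdot.org": {"ns1.slashdot.example": "203.0.113.3"}}),
    "203.0.113.1": Server(answers={"www.google.com": ("203.0.113.10", 300),
                                   "news.google.com": ("203.0.113.11", 300)}),
    "203.0.113.2": Server(answers={"www.yahoo.com": ("203.0.113.20", 300)}),
    "203.0.113.3": Server(answers={"slashdot.org": ("203.0.113.30", 10**9)}),  # absurd TTL
}


class Resolver:
    def __init__(self, network, hints, rng=None):
        self.net, self.hints, self.rng = network, hints, rng or random.Random(0)
        self.root_ns = None            # learned by priming, never taken from the hints file
        self.delegation_cache = {}     # zone -> {ns_name: ns_ip}
        self.answer_cache = {}         # qname -> (ip, capped ttl)
        self.log = []                  # (server_ip, qname) for every query sent

    def send(self, addr, qname):
        self.log.append((addr, qname))
        srv = self.net.get(addr)
        return srv.query(qname) if srv else None

    def prime(self):
        """Ask hint servers in random order for the real root NS set; a dead hint is skipped."""
        for addr in self.rng.sample(list(self.hints.values()), len(self.hints)):
            resp = self.send(addr, ".")
            if resp and resp[0] == "answer_ns":
                self.root_ns = resp[1]
                return addr
        raise RuntimeError("no hint server answered the priming query")

    def resolve(self, qname):
        if qname in self.answer_cache:
            return self.answer_cache[qname][0]
        if self.root_ns is None:
            self.prime()
        # start at the most specific cached delegation covering qname, else at the root
        known = [z for z in self.delegation_cache if qname == z or qname.endswith("." + z)]
        servers = self.delegation_cache[max(known, key=len)] if known else self.root_ns
        while True:
            resp = next((r for r in (self.send(a, qname) for a in servers.values()) if r), None)
            if resp is None:
                raise RuntimeError("no server answered for " + qname)
            if resp[0] == "answer":
                self.answer_cache[qname] = (resp[1], min(resp[2], MAX_CACHE_TTL))
                return resp[1]
            _, zone, ns, _ = resp
            self.delegation_cache[zone] = ns               # later names under zone skip the root
            servers = ns

    def root_queries(self):                                # non-priming queries that hit a root
        roots = set(self.root_ns.values()) if self.root_ns else set()
        return sum(1 for addr, q in self.log if addr in roots and q != ".")


def walkthrough():
    """Resolve the discussion's names in order: name -> (ip, queries sent, root queries so far)."""
    r = Resolver(NETWORK, STALE_HINTS)
    steps = {}
    for name in ("www.google.com", "news.google.com", "www.yahoo.com", "slashdot.org"):
        before = len(r.log)
        steps[name] = (r.resolve(name), len(r.log) - before, r.root_queries())
    return r, steps
```

      Calling `walkthrough()` gives, per name, the address found, how many queries that lookup cost and the cumulative number of root queries: www.google.com costs the priming round plus three queries and one root contact, news.google.com costs a single query to google.com's cached servers, www.yahoo.com starts at the cached .com servers, and slashdot.org goes back to the root. The resolver only ever sends the priming query to the retired L address and learns the real root set from whichever hint answers, which is why a stale hints file alone does not send later traffic to that address; `MAX_CACHE_TTL` is the defender-side knob that bounds how long an answer with an inflated TTL, such as the one slashdot.org's constructed server returns here, can live in a cache.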

  27. trust by slashkitty · · Score: 1

    The problem is that the underlying BGP is a trust based system. That's really the trust that was taken advantage of. When you learn how that works and how BGP hijacking can happen, you realize how important HTTPS is and how vulnerable to man-in-the-middle attacks everything else is.

    --
    -- these are only opinions and they might not be mine.
  28. Why indeed... by blumesa · · Score: 4, Insightful

    Why traffic goes to "retired" address space is a difficult question to answer. http://www.caida.org/workshops/wide/0611/ has a pointer to some early work done on the "B" renumbering. There was agreement by the operators of "B", "L", "J", and "M" to collect data during the DITL-2008 collection to see if there is any correlation between querying nodes. That said, ICANN should have renumbered the node when they took it over. They did not. They have not had permission to use the prefix since 2004 - but for stability's sake, I did not make a big fuss.

    bill manning

    1. Re:Why indeed... by stoborrobots · · Score: 1

      Oh, you're here...

      Can you answer a relevant question which is buzzing around in the background - did CommunityDNS and/or Diyixian have permission to advertise the address space?

      Also, as someone else above asked, why did you choose to set up a server at that address, given the bandwidth load and technical effort involved?

    2. Re:Why indeed... by stoborrobots · · Score: 1

      Oh, and I should probably also say: thanks for all the work you've done so far to contribute to getting DNS to be as useful as it is...

      Someday I hope you succeed in getting all the IPv6 stuff going - we'd all like to see that...

    3. Re:Why indeed... by orange · · Score: 1

      Oh, you're here...

      You're assuming billmanning hasn't pulled a bill manning on billmanning ;-)

  29. Domain-Name Knocking by giminy · · Score: 2, Insightful

    Maybe the reason that the nameserver is providing correct responses is due to something like port-knocking for domain names?

    If a phisher wanted to use this, they would only supply a bogus dns pointer to a query if the query was preceded by some 'primer' query. E.g. first someone tries to resolve alpha.com, then beta.com within a few seconds, only then will the root server give the incorrect response for beta.com. This would be pretty easy to do with some cross-site scripting magic.

    You can never disprove a conspiracy, after all...

    --
    The Right Reverend K. Reid Wightman,
  30. This needs to be fixed. by Jane+Q.+Public · · Score: 2, Insightful

    The Internet was originally designed to be a "self-healing" system, able to route around damage like (no joke) a nuclear war.

    However, the system as it currently exists has one SERIOUS flaw: the reliance on root servers.

    We need to switch to a system that does not rely on root servers. There are at least several such systems that are workable. Yes, the U.S. government would lose control over the whole thing. Does ANYBODY in their right mind think that is a bad thing? As long as nobody else can gain root control either, and there are various schemes that can ensure that.

  31. Good Grief! by mdm42 · · Score: 1

    Updating hints is a one-line cronjob that you can run weekly or monthly. How hard is that to set up while you're setting up your DNS in the first place?

    --
    New mod option wanted: -1 DrunkenRambling
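    A concrete version of the "one-line cronjob" above and of the job SaDan describes in thread 14 (poll the InterNIC file, alert if it changed or the poll failed), with the checks a practitioner would want around it: the download is parsed and sanity-checked before anything compares it with the installed file, so a truncated or empty fetch raises an alert instead of being installed. This is added example code, not SaDan's script and not anything shipped by BIND or InterNIC; the named.cache record layout is the real one, but the two sample files are constructed with RFC 5737 placeholder addresses, and the installed-file path is an assumption taken from the Leopard comment below.

```python
"""Root hints checker: parse two versions of a named.cache-style file, validate the
download, and report what changed. Sample file contents below are constructed."""
import sys
import urllib.request

HINTS_URL = "ftp://ftp.internic.net/domain/named.cache"   # URL quoted in the thread
EXPECTED_ROOTS = 13                                        # A through M
LETTERS = "ABCDEFGHIJKLM"


def parse_hints(text):
    """Return {root_name: set(addresses)}; ';' starts a comment, other records are ignored."""
    names, addrs = set(), {}
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()
        if len(fields) != 4:
            continue
        owner, _ttl, rtype, rdata = fields
        if owner == "." and rtype == "NS":
            names.add(rdata.upper())
        elif rtype in ("A", "AAAA"):
            addrs.setdefault(owner.upper(), set()).add(rdata.lower())
    return {n: addrs.get(n, set()) for n in names}


def sanity(hints):
    """Problems that should stop a download from being installed (truncated, missing glue)."""
    problems = []
    if len(hints) != EXPECTED_ROOTS:
        problems.append(f"expected {EXPECTED_ROOTS} root names, got {len(hints)}")
    problems += [f"{name} has no address record" for name, a in hints.items() if not a]
    return problems


def diff_hints(old, new):
    """{name: (old_addrs, new_addrs)} for every root whose address set differs."""
    return {name: (sorted(old.get(name, ())), sorted(new.get(name, ())))
            for name in sorted(set(old) | set(new))
            if old.get(name, set()) != new.get(name, set())}


def check(installed_text, fetch):
    """Core of the cron job: fetch via the supplied callable, validate, diff against what is
    installed. Returns ("OK", {}), ("CHANGED", changes) or ("ALERT", reason)."""
    try:
        new_text = fetch()
    except Exception as exc:                       # network error, timeout, FTP/HTTP failure
        return ("ALERT", f"fetch failed: {exc}")
    new = parse_hints(new_text)
    problems = sanity(new)
    if problems:
        return ("ALERT", "downloaded file failed sanity checks: " + "; ".join(problems))
    changes = diff_hints(parse_hints(installed_text), new)
    return ("CHANGED", changes) if changes else ("OK", {})


def fetch_internic():
    """Real fetch for cron use (not exercised offline)."""
    return urllib.request.urlopen(HINTS_URL, timeout=30).read().decode()


def sample_hints(l_addr):
    """Constructed hints file in named.cache layout; addresses are documentation placeholders."""
    lines = [";  constructed sample, not the real root server addresses"]
    lines += [f".  3600000  NS  {c}.ROOT-SERVERS.NET." for c in LETTERS]
    for i, c in enumerate(LETTERS, 1):
        addr = l_addr if c == "L" else f"192.0.2.{i}"
        lines.append(f"{c}.ROOT-SERVERS.NET.  3600000  A  {addr}")
    return "\n".join(lines) + "\n"


INSTALLED = sample_hints("192.0.2.112")     # what the master image still carries (constructed)
PUBLISHED = sample_hints("198.51.100.42")   # what the registry now publishes (constructed)

if __name__ == "__main__":
    # e.g. weekly from cron: hints_check.py /var/named/named.ca ; cron mails any non-zero run
    path = sys.argv[1] if len(sys.argv) > 1 else None
    installed = open(path).read() if path else INSTALLED
    status, detail = check(installed, fetch_internic if path else lambda: PUBLISHED)
    print(status, detail)
    sys.exit(0 if status == "OK" else 1)
```

    Run with no argument it compares the two constructed samples and reports the changed L address; with a path it polls InterNIC and exits non-zero on any change or failure, which is all cron needs to send mail. The job deliberately reports rather than installs: as birdpen and dacut point out above, the fetch itself goes through DNS, so a changed file is something to confirm against a second source (or, as the last comment suggests, a signature) before it replaces the installed copy.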
  32. Re:Apple Leopard Server still shipping w/old L by Douglas+Goodall · · Score: 1

    I checked my Leopard Server and /var/named/named.ca still had the old number in there, so I guess all the Apple servers out there except for those run by very hip people have been subject to some trouble. Someone should look at the common dists and see how common this is...

  33. Re: NO NO It is much worse than that!!! by Giant+Electronic+Bra · · Score: 1

    Suppose I follow that link to get that named.cache file. Who's serving me the DNS when I get that link? Once the squatters GET control, it is going to require non-DNS reliant methods for update. Certainly people will have to validate the sig on the file against the legitimate author's key.

    --
    "Malo periculosam, libertatem quam quietam servitutem." -- Jefferson