Slashdot Mirror


Identity Theft Hits the Root Name Servers

aos101 writes "The Renesys blog has an interesting story about networks advertising the old address space of the L root name server after ICANN changed the IP address last November. These networks were also running root name servers on the old IP address of the L root name server up until last week, so any DNS servers still using the old IP address might have been getting their answers from these bogus name servers. A very cursory examination by Renesys of one of these bogus servers found that it appeared to be providing correct responses, which might be why no one noticed the problem. As Renesys points out, the volume of traffic to a root server is staggering, so the people running these bogus root servers must have had a reason. What did they get out of it?"

15 of 131 comments

  1. Extremely vague article by Thornburg · · Score: 2, Informative

    Summary of this article should read:

    "Hey, something happened. No, we don't know who, what, when, or why. We do know where, but that's it. You got any ideas?"

    Should have been submitted as "Ask Slashdot"... Then maybe we might find out what happened, if anything. As is, it is a non-news item.

    1. Re:Extremely vague article by Anonymous Coward · · Score: 5, Informative

      nonsense. the article is very clear: here's what happened:

      icann hosted L-root on ip addresses they didn't have an exclusive right to use.

      they decided to stop doing that and moved L-root to somewhere else.

      shortly thereafter someone else decided to operate a name server on the very same IP addresses.

      that's *what* happened. perhaps you meant to say that the article doesn't say *why* it happened. that would be a fair criticism.

  2. Re:Cashing In by Anonymous Coward · · Score: 3, Informative

    nope. as the article points out, the fake L-root that is still running right now appears to be returning correct data for existing domains and NX records for non existing domains.

    they may be gathering data from NX hits, though. who could say. well, community dns could say. perhaps they will.

  3. Re:Good Samaritans? by locofungus · · Score: 5, Informative

    From the link in the FA:

    http://blog.icann.org/?p=227

    It is expected that the old address will continue to work for at least six months after the transition, but will ultimately be retired from service.

    1st November 2007 -> 1st May 2008 is 6 months. So they left it a few days over 6 months ...

    Tim.

    --
God said, "div D = rho, div B = 0, curl E = -@B/@t, curl H = J + @D/@t," and there was light.

  4. Make sure you are up to date! by SaDan · · Score: 4, Informative

    You can get your root server hints file from:

    ftp://ftp.internic.net/domain/named.cache

    Slashdot's junk filter won't allow a cut and paste of the file's contents into a post.

    1. Re:Make sure you are up to date! by SaDan · · Score: 2, Informative

      The file doesn't change all that often, so checking it once a month should keep you up to date. If you needed a more immediate update schedule, I'd subscribe to the ICANN newsletter at:

      http://www.icann.org/newsletter/

  5. Re:Good Samaritans? by stoborrobots · · Score: 2, Informative

    Except that apparently ICANN switched their machine off on May 2nd. However, anticipating such a switch off, three other organisations around the world stepped in over the past 6 months to fill the void, and mostly went undetected for the last 6 months...

  6. Re:Read the ICANN notice by stoborrobots · · Score: 2, Informative

    October + 6 months = April. Also, the effective date of that notice was 1 November, which means that the 6 months expired on May 1.

    ICANN's server was switched off on May 2.

  7. Re:Good Samaritans? by Jellybob · · Score: 2, Informative

    Most modern DNS servers will automatically update their hints file each time they're restarted, by making a request to whichever root they connected to for the current list.

  8. Re:Cashing In by Anonymous Coward · · Score: 3, Informative

    Right. Still returning correct data but collecting logs of names that don't exist so they can sell them to all those wacky people who register everything under the sun and park adverts on it (I hate that). A story about this was /.'ed back in October but it was Verisign selling the data to third parties. http://www.domainnamenews.com/editorial/verisign-to-profit-from-rootserver-data/889

  9. Anonymous Coward by Anonymous Coward · · Score: 1, Informative

    This story is kind of silly actually. On the post available on the ICANN blog, it is clearly stated that the IP address will change on November, 1st and that "It is expected that the old address will continue to work for at least six months after the transition".

    Even a 6 year old child would be able to determine when the IP address would be eventually unused (end of May).

    From the article quoted as the source of the reference, it is clear that no one tried to verify the information. It would have been very simple to determine it was the same server on both addresses if only someone tried to check it...

  10. Not horribly major by Todd+Knarr · · Score: 2, Informative

    Bear in mind that BIND for one doesn't use the root nameserver hints file directly under normal conditions. One of the first things it does is contact one of the servers listed in the hints file and download the real root nameserver list. After that it uses the downloaded list and ignores the hints file. So unless you contacted the L server for that initial download, you'll get the correct root server list and won't ever contact the bogus ones. I'd have to check whether BIND picks a hints entry at random or cycles through starting from the first. If it picks at random the window of vulnerability is small, but if it starts at the first it's virtually nonexistent (most hints files list A, B, C and so on in sequence, and the chance of getting no answer at all from the A-K servers is close to zero).
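The priming step described in comment 10 (and the hints file from comment 4) can be checked mechanically. The following is an added example, not code from the thread, from BIND or from ICANN: it parses a hints file in the named.cache layout, compares it with a priming answer, and simulates which hints address a resolver would prime from. The hints text and the priming answers are constructed stand-ins (a real resolver gets the answer by sending `. NS` to one of the hints addresses); the only values taken from outside the page are the well-known addresses of A and K and the pre/post-November-2007 addresses of L, 198.32.64.12 and 199.7.83.42.

```python
"""Check a root hints file against a priming answer (added example)."""
from dataclasses import dataclass, field

# Constructed sample in the master-file layout of named.cache.  L is
# deliberately left at its retired address to mirror the situation in
# the story; the priming answer below carries the current one.
SAMPLE_HINTS = """\
; constructed sample, not a real named.cache
.                        3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
.                        3600000      NS    K.ROOT-SERVERS.NET.
K.ROOT-SERVERS.NET.      3600000      A     193.0.14.129
.                        3600000      NS    L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET.      3600000      A     198.32.64.12
"""

# Constructed stand-in for the answer + additional sections of a
# priming query: server name -> addresses the root zone lists for it.
GOOD_PRIMING = {
    "A.ROOT-SERVERS.NET.": {"198.41.0.4"},
    "K.ROOT-SERVERS.NET.": {"193.0.14.129"},
    "L.ROOT-SERVERS.NET.": {"199.7.83.42"},
}
# Hypothetical answer from a server squatting on the old L address:
# everything correct except that it still advertises itself as L.
BOGUS_PRIMING = dict(GOOD_PRIMING, **{"L.ROOT-SERVERS.NET.": {"198.32.64.12"}})

@dataclass
class RootHints:
    servers: set = field(default_factory=set)      # NS targets of "."
    addresses: dict = field(default_factory=dict)  # name -> {A/AAAA rdata}

def parse_root_hints(text):
    hints = RootHints()
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # strip comments
        if not line:
            continue
        fields = line.split()
        if len(fields) >= 5 and fields[2].upper() == "IN":
            del fields[2]                            # class is optional
        if len(fields) != 4:
            continue
        owner, _ttl, rtype, rdata = fields
        if owner == "." and rtype.upper() == "NS":
            hints.servers.add(rdata.upper())
        elif rtype.upper() in ("A", "AAAA"):
            hints.addresses.setdefault(owner.upper(), set()).add(rdata)
    return hints

def check_hints(hints, priming):
    """Return sorted (server, problem, address) findings."""
    findings = []
    for name in sorted(hints.servers):
        have = hints.addresses.get(name, set())
        want = priming.get(name, set())
        for addr in sorted(have - want):
            findings.append((name, "stale address in hints", addr))
        for addr in sorted(want - have):
            findings.append((name, "address missing from hints", addr))
    for name in sorted(set(priming) - hints.servers):
        findings.append((name, "server missing from hints", ""))
    return findings

def prime(hints, responders, order=None):
    """Simulate priming: try servers in `order` (default: the hints file's
    sorted order, A, B, C, ...) and return (server, answer) from the first
    address that replies.  `responders` maps address -> priming answer;
    an address absent from it never answers."""
    for name in order or sorted(hints.servers):
        for addr in sorted(hints.addresses.get(name, ())):
            if addr in responders:
                return name, responders[addr]
    return None

if __name__ == "__main__":
    hints = parse_root_hints(SAMPLE_HINTS)
    for server, problem, addr in check_hints(hints, GOOD_PRIMING):
        print(f"{server:24} {problem}: {addr}")
    responders = {"198.41.0.4": GOOD_PRIMING, "198.32.64.12": BOGUS_PRIMING}
    print("primed from", prime(hints, responders)[0])
```

With A listed first, priming lands on A and the stale L entry never matters, which is the point comment 10 makes; only a resolver that happens to pick L first (pass `order=["L.ROOT-SERVERS.NET."]`) takes its root list from the squatter. Running `check_hints` after a real priming query is the check a practitioner would cron alongside the monthly hints download.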

  11. Re:Harvesting NXDOMAIN hits by mpeg4codec · · Score: 4, Informative

    I honestly doubt that typo-squatters care about the millions of requests for com, net, org, and all the other TLDs and ccTLDs, which is all you'll get if you have control of a root server. If someone makes a typo on some com domain, it won't make it any further than com's servers, so having control of the root is rather moot unless someone also makes a typo in the TLD.

    On the other hand, the person in control of the root could give bogus records for the name servers for something like com. This is unlikely to be a major problem since the TTL on all the records served by the root is 120 days. Most people are going to be querying a caching name server of some sort, so it's statistically unlikely to affect much of the population before it is detected and dealt with.

    Not to plug my own work too much, but as a part of my research, I work with a team that monitors DNSSEC deployment. This is something we would in theory be able to see from our distributed polling framework, and our datasets going back to 2005 don't show anything like a rogue TLD server being published. Kind of unfortunate in a way, being that DNS isn't exactly the most interesting research topic at face value.

  12. Re:This is the perfect Man In The Middle attack by cortana · · Score: 2, Informative

    Surely the users wouldn't just ignore the certificate warnings that their browsers presented them with... right?

  13. Re:So, if a root-server changes its IP address... by stoborrobots · · Score: 2, Informative

    Umm, also, you seem to have the whole operation of DNS upside down; you start at the root servers, which delegate you to the .com servers, which delegate you to the google.com servers, which can then tell you the address of www.google.com.

    Hopefully you also cache the results along the way, so that when you want to find news.google.com later you don't have to go to the root or .com servers, and when you want to find yahoo.com you don't have to go all the way back to the root and can start at .com.

    However, when you want to get slashdot.org, you have to go back to the root, which will direct you to the .org servers, etc...

    HTH. HAND. Cheers.
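The walk that comment 13 describes (root, then .com, then google.com, with cached delegations short-cutting later lookups) is easy to see in a simulation. This is an added example, not code from the thread or from any real resolver: the namespace is a constructed miniature with made-up documentation-range addresses, and `authoritative_query` stands in for sending a packet to a zone's server. The resolver records which zones it had to ask for each name and how often it went back to the root.

```python
"""Iterative resolution with a delegation cache (added example)."""

# Constructed zone data: each zone delegates child zones (child -> its
# server's name) and answers some names itself.  Addresses are RFC 5737
# documentation space, not real ones.
ZONES = {
    ".":             {"delegates": {"com.": "ns.com-tld", "org.": "ns.org-tld"},
                      "answers": {}},
    "com.":          {"delegates": {"google.com.": "ns.google", "yahoo.com.": "ns.yahoo"},
                      "answers": {}},
    "org.":          {"delegates": {"slashdot.org.": "ns.slashdot"},
                      "answers": {}},
    "google.com.":   {"delegates": {},
                      "answers": {"www.google.com.": "192.0.2.10",
                                  "news.google.com.": "192.0.2.11"}},
    "yahoo.com.":    {"delegates": {}, "answers": {"yahoo.com.": "192.0.2.20"}},
    "slashdot.org.": {"delegates": {}, "answers": {"slashdot.org.": "192.0.2.30"}},
}

def enclosing_zones(name):
    """Ancestor zones of a name, most specific first, ending with the root."""
    labels = name.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels))] + ["."]

def authoritative_query(zone, qname):
    """Stand-in for asking `zone`'s server about qname."""
    z = ZONES[zone]
    if qname in z["answers"]:
        return ("answer", z["answers"][qname])
    for child in enclosing_zones(qname):          # closest delegation wins
        if child in z["delegates"]:
            return ("referral", child)
    return ("nxdomain", None)

class Resolver:
    def __init__(self):
        # zone -> server we know for it; only the root comes from hints.
        self.cache = {".": "hints"}
        self.root_queries = 0

    def resolve(self, qname):
        """Return (address or None, list of zones asked, in order)."""
        # Start at the most specific zone we already hold a delegation for,
        # which is what keeps news.google.com away from the root and .com.
        zone = next(z for z in enclosing_zones(qname) if z in self.cache)
        asked = []
        while True:
            asked.append(zone)
            if zone == ".":
                self.root_queries += 1
            kind, data = authoritative_query(zone, qname)
            if kind == "answer":
                return data, asked
            if kind == "nxdomain":
                return None, asked
            self.cache[data] = ZONES[zone]["delegates"][data]   # remember referral
            zone = data

if __name__ == "__main__":
    r = Resolver()
    for name in ("www.google.com.", "news.google.com.", "yahoo.com.", "slashdot.org."):
        addr, asked = r.resolve(name)
        print(f"{name:18} -> {addr:12} via {' > '.join(asked)}")
    print("root queries:", r.root_queries)
```

Cache entries here never expire; in a real resolver each delegation carries a TTL, and a bogus referral for a TLD from a rogue root would be served from that cache until it expired, which is the exposure comment 11 weighs up.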