Slashdot Mirror

← Back to Stories (view on slashdot.org)

Identity Theft Hits the Root Name Servers

Posted by CmdrTaco on from the i-don't-think-i-am-who-you-think-i-am dept.

aos101 writes "The Renesys blog has an interesting story about networks advertising the old address space of the L root name server after ICANN changed the IP address last November. These networks were also running root name servers on the old IP address of the L root name server up until last week, so any DNS servers still using the old IP address might have been getting their answers from these bogus name servers. A very cursory examination by Renesys of one of these bogus servers found that it appeared to be providing correct responses, which might be why no one noticed the problem. As Renesys points out, the volume of traffic to a root server is staggering, so the people running these bogus root servers must have had a reason. What did they get out of it?"

23 of 131 comments (clear)

  1. Good Samaritans? by FurtiveGlancer · · Score: 2, Insightful

    Somehow, I doubt that is the explanation, but wouldn't it be nice if it were true?

    --
    Invenio via vel creo
    1. Re:Good Samaritans? by stoborrobots · · Score: 3, Insightful

      Or possibly some attempt at stopping arbitrarily many of their customers setups from breaking... If you've got enough poorly configured machines, it might be easier to ensure that the servers they are looking for remain available, rather than trying to fix _all_ of them immediately... Especially if they're mission-critical systems...

      --
      "Go to CNN [for a] spell-checked, fact-checked summary" -- CmdrTaco
    2. Re:Good Samaritans? by perlchild · · Score: 2, Insightful

      Then wouldn't need to advertise routes/ip space for their own customers... The very word advertise, in the context, means to third parties, as in BGP advertisement.

    3. Re:Good Samaritans? by zappepcs · · Score: 5, Insightful

      Mod parent up. Those IP addresses should NEVER have been let out in the cold where they could be misused. That's just not right

      --
      Support NYCountryLawyer RIAA vs People
    4. Re:Good Samaritans? by stoborrobots · · Score: 2, Insightful

      Umm, the "customers" in question might not have been on the same AS?

      And, for that matter, if Bill Manning authorized the use of the address space, then it's not even an attack!

      --
      "Go to CNN [for a] spell-checked, fact-checked summary" -- CmdrTaco
    5. Re:Good Samaritans? by SpinyNorman · · Score: 3, Insightful

      It does seem like the simplest explanation.

      For the owner of the original IP address now being vacated by ICANN, there is also maybe a self-interest motive of identifying the servers who hadn't updated so as to notify them and kill the unwanted traffic.

      Given how visible this is, it's hard to imagine anyone doing it for criminal purposes and thinking they could get away with it.

    6. Re:Good Samaritans? by stoborrobots · · Score: 5, Insightful

      There is DNS Security... But really, it's like any fix for SMTP - nobody bothers using it because nobody is using it...

      --
      "Go to CNN [for a] spell-checked, fact-checked summary" -- CmdrTaco
    7. Re:Good Samaritans? by aleph42 · · Score: 5, Insightful
      You guys are awefully optimistic; those who pulled that off had an enormous power for a short time. Quoting TFA:

      In general, they could engage in all sorts of mischief, ranging from very targeted ("let's get this one individual or organization") to very wide-ranging ("let's blow away .com today"). all the while completly undetected. I don't understand all the details, but from what I got the whole name resolving is a trust based system; so advertising a false youtube domain would temporarly work, but then you'd be busted and left with no karma. Except that these "root servers" are free of those constraint.

      The fact that those who did this had huge resources do not make it less scary, neither does the fact that nobody detected anything. Remeber how that guy operated a tor exit node to get a whole lot of interesting datas; the idea here is the same.

      (A concrete example would be to send your wikipedia request to a bogus wikipedia website. It would forward all your queries to the real wikipedia, so you couldn't tell the difference (man in the middle), but on some pages it would serve you an altered page; it could also make you feel like you wrote an article, but the article would actually only show up on your copy of the bogus website, not the real one. Encryption twarts this, otherwise it's really the worst case scenario.)

      And apparently, there is nothing to prevent it from happening again. Since people seem so little concerend, I must have missed some detail which makes everything fine; or at least I really hope so.
      --
      Don't take my posts literally; it's just code to control my botnet.
    8. Re:Good Samaritans? by Anonymous Coward · · Score: 2, Insightful

      Probably not. I'm sure there are still a lot of people using hints files from years, if not decades ago. Most people don't think to update them unless they're installing a new server. Even then they're unlikely to update them since they just copy the zone files from the old server to the new one and usually the hints file is included and overwrites whatever came with the new server's distribution. ;-/

    9. Re:Good Samaritans? by SatanicPuppy · · Score: 5, Insightful

      Not if it still works. You need to take the old address offline for a while.

      Most people don't pay much attention to their DNS infrastructure. The stuff doesn't need much maintenance. If it breaks, they'll notice that something is wrong, but if it continues working seamlessly, they'll ignore it.

      --
      ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
    10. Re:Good Samaritans? by Jartan · · Score: 2, Insightful

      From my reading of the article they didn 't "relinquish" the ip at all. Basically some new groups claimed that they owned the ip address (when they didn't) and the sections of the internet just accepted that claim and started routing data to that IP to those groups.

      If you follow the article the actual change of IP address doesn't even matter. The server change merely provided a situation where they weren't paying as much attention to the old DNS.

      It sounds like the attack could be pulled off at any time vs a root server though. It would simply be caught quicker.

  2. Cashing In by kennyj449 · · Score: 2, Insightful

    They were probably running something similar to Verisign's SiteFinder that attempts to cash in on typos and non-registered domains.

  3. statistics? profiling? by apodyopsis · · Score: 2, Insightful

    statistics? profiling?

    that data would be worth something to ad men surely...

  4. What? by explosivejared · · Score: 5, Insightful

    Actually, "attack" isn't really an appropriate term. It was not really an attack or a hijack or even identity theft. For one thing, these terms imply the existence of both a victim and a villain. In this story, the villains are not obvious and there might not have been any victims.

    How do we go from this to a headline reading Identity Theft Hits the Root Servers?

    There is no reason to believe that it was malicious at all. We all are familiar with that black hat turned grey or white that wants to help out by demonstrating vulnerabilities in the system. That is just as plausible as anything else. Maybe it's the free-masons!! The Illumanati, maybe!!! The only certain thing about this is the need to secure name service. We should be glad even though it was compromised, there is no apparent damage done.

    --
    I got a catholic block.
    1. Re:What? by billcopc · · Score: 2, Insightful

      If by liberal, you meant "American", then you're absolutely correct!

      Media is biased, because humans are biased. No single political party is any more or less inclined to distort facts in-line with their own beliefs.

      Would you have preferred a headline reading "Rogue DNS server running for 6 months with no adverse effects. Spread the lulz!" ?!

      --
      -Billco, Fnarg.com
  5. This is the perfect Man In The Middle attack by colinmcnamara · · Score: 5, Insightful

    If only 5% of DNS servers hadn't updated their root servers list, and this server is listed as 1 of the 13 root servers, then these people will have .38% of the entire internet's DNS requests coming through them.

    With "control" of a root server (or at least what a DNS client believed was a root server. They would be free to insert whatever records for anything they want. Think banking, finance, email, etc.

    So really, the title of this article should have been if you were in organized crime, what would you do if you could transparent MITM (man in the middle) attack .38% of all web traffic on the internet.

    My guess is all your accounts belong to us.....

    --
    Colin McNamara - CCIE #18233 "The difficult we do immediately, the impossible just takes a little longer"
  6. Re:What they got by leuk_he · · Score: 4, Insightful

    If they did not answer the name requests then the client would go on retriying and retrying, being a more effective DOS on thier network. So the only correct action was to put a DNS server on the announced DNS adresses.

  7. Re:Make sure you are up to date! by stoborrobots · · Score: 2, Insightful

    The problem is, if you do grab the hints file from there, you have to make sure you keep refreshing it to stay up to date... Otherwise you're just setting yourself up for the same attack the next time this happens...

    That said, I don't know if trusting your upstream provider is any better...

    --
    "Go to CNN [for a] spell-checked, fact-checked summary" -- CmdrTaco
  8. It only takes one redirected query... by grizdog · · Score: 2, Insightful

    My uncle used to say that he preferred corrupt judges to incompetent judges, since the corrupt judges would be careful to get things right 95% of the time, so that they would be well placed when the time came to undermine the system. The incompetent judges, on the other hand, would screw things up far more frequently than that, and ruin far more lives than the corrupt judges. A very few redirected queries could get lost in the huge number of correct responses, but still provide big benefits to a criminal. And if they compromised a secretive bank, or the Defense Department, it's unlikely that we would ever hear about it.

  9. So, if a root-server changes its IP address... by imyy4u3 · · Score: 1, Insightful

    How will anyone else know, since it's the root system responsible for giving out IP addresses?

    Example: I request www.google.com. Parent doesn't know, its parent doesn't know, blah blah blah until I go to the "root hints" which are hard-coded IP addresses. There I look up www.google.com, and get my IP address. Now if that root server has a different IP, how the hell do I find it?

    Is this a catch-22 or what?

  10. Why indeed... by blumesa · · Score: 4, Insightful

    why traffic goes to "retired" address space is a difficult question to answer. http://www.caida.org/workshops/wide/0611/ has a pointer to some early work done on the "B" renumbering. There was agreement by the operators of "B","L","J", and "M" to collect data during the DITL-2008 collection to see if any correlation btwn querying nodes. That said, ICANN should have renumbered the node when they took it over. They did not. They have not had permission to use the prefix since 2004 - but for stability sake, I did not make a big fuss.

    bill manning

  11. Domain-Name Knocking by giminy · · Score: 2, Insightful

    Maybe the reason that the nameserver is providing correct responses is due to something like port-knocking for domain names?

    If a phisher wanted to use this, they would only supply a bogus dns pointer to a query if the query was preceded by some 'primer' query. E.g. first someone tries to resolve alpha.com, then beta.com within a few seconds, only then will the root server give the incorrect response for beta.com. This would be pretty easy to do with some cross-site scripting magic.

    You can never disprove a conspiracy, after all...

    --
    The Right Reverend K. Reid Wightman,
  12. This needs to be fixed. by Jane+Q.+Public · · Score: 2, Insightful

    The Internet was originally designed to be a "self-healing" system, able to route around damage like (no joke) a nuclear war.

    However, the system as it currently exists has one SERIOUS flaw: the reliance on root servers.

    We need to switch to a system that does not rely on root servers. There are at least several such systems that are workable. Yes, the U.S. government would lose control over the whole thing. Does ANYBODY in their right mind think that is a bad thing? As long as nobody else can gain root control either, and there are various schemes that can ensure that.