Slashdot Mirror


Identity Theft Hits the Root Name Servers

aos101 writes "The Renesys blog has an interesting story about networks advertising the old address space of the L root name server after ICANN changed the IP address last November. These networks were also running root name servers on the old IP address of the L root name server up until last week, so any DNS servers still using the old IP address might have been getting their answers from these bogus name servers. A very cursory examination by Renesys of one of these bogus servers found that it appeared to be providing correct responses, which might be why no one noticed the problem. As Renesys points out, the volume of traffic to a root server is staggering, so the people running these bogus root servers must have had a reason. What did they get out of it?"

10 of 131 comments

  1. What? by explosivejared · Score: 5, Insightful

    Actually, "attack" isn't really an appropriate term. It was not really an attack or a hijack or even identity theft. For one thing, these terms imply the existence of both a victim and a villain. In this story, the villains are not obvious and there might not have been any victims.

    How do we go from this to a headline reading Identity Theft Hits the Root Servers?

    There is no reason to believe that it was malicious at all. We all are familiar with that black hat turned grey or white that wants to help out by demonstrating vulnerabilities in the system. That is just as plausible as anything else. Maybe it's the Freemasons!! The Illuminati, maybe!!! The only certain thing about this is the need to secure name service. We should be glad that, even though it was compromised, there is no apparent damage done.

    --
    I got a catholic block.
  2. This is the perfect Man In The Middle attack by colinmcnamara · Score: 5, Insightful

    If only 5% of DNS servers hadn't updated their root servers list, and this server is listed as 1 of the 13 root servers, then these people will have .38% of the entire internet's DNS requests coming through them.

    With "control" of a root server (or at least what a DNS client believed was a root server), they would be free to insert whatever records for anything they want. Think banking, finance, email, etc.

    So really, the title of this article should have been: if you were in organized crime, what would you do if you could transparently MITM (man in the middle) attack .38% of all web traffic on the internet?

    My guess is all your accounts belong to us.....

    --
    Colin McNamara - CCIE #18233 "The difficult we do immediately, the impossible just takes a little longer"
  3. Re:Good Samaritans? by stoborrobots · Score: 3, Insightful

    Or possibly some attempt at stopping arbitrarily many of their customers' setups from breaking... If you've got enough poorly configured machines, it might be easier to ensure that the servers they are looking for remain available, rather than trying to fix _all_ of them immediately... Especially if they're mission-critical systems...

  4. Re:What they got by leuk_he · Score: 4, Insightful

    If they did not answer the name requests then the client would go on retrying and retrying, being a more effective DOS on their network. So the only correct action was to put a DNS server on the announced DNS addresses.

  5. Re:Good Samaritans? by zappepcs · Score: 5, Insightful

    Mod parent up. Those IP addresses should NEVER have been let out in the cold where they could be misused. That's just not right.

  6. Re:Good Samaritans? by SpinyNorman · Score: 3, Insightful

    It does seem like the simplest explanation.

    For the owner of the original IP address now being vacated by ICANN, there is also maybe a self-interest motive of identifying the servers who hadn't updated so as to notify them and kill the unwanted traffic.

    Given how visible this is, it's hard to imagine anyone doing it for criminal purposes and thinking they could get away with it.

  7. Re:Good Samaritans? by stoborrobots · Score: 5, Insightful

    There is DNS Security... But really, it's like any fix for SMTP - nobody bothers using it because nobody is using it...

  8. Re:Good Samaritans? by aleph42 · Score: 5, Insightful

    You guys are awfully optimistic; those who pulled that off had an enormous power for a short time. Quoting TFA:

    In general, they could engage in all sorts of mischief, ranging from very targeted ("let's get this one individual or organization") to very wide-ranging ("let's blow away .com today"), all the while completely undetected. I don't understand all the details, but from what I got the whole name resolving is a trust based system; so advertising a false youtube domain would temporarily work, but then you'd be busted and left with no karma. Except that these "root servers" are free of those constraints.

    The fact that those who did this had huge resources does not make it less scary, neither does the fact that nobody detected anything. Remember how that guy operated a tor exit node to get a whole lot of interesting data; the idea here is the same.

    (A concrete example would be to send your wikipedia request to a bogus wikipedia website. It would forward all your queries to the real wikipedia, so you couldn't tell the difference (man in the middle), but on some pages it would serve you an altered page; it could also make you feel like you wrote an article, but the article would actually only show up on your copy of the bogus website, not the real one. Encryption thwarts this, otherwise it's really the worst case scenario.)

    And apparently, there is nothing to prevent it from happening again. Since people seem so little concerned, I must have missed some detail which makes everything fine; or at least I really hope so.
    --
    Don't take my posts literally; it's just code to control my botnet.
  9. Re:Good Samaritans? by SatanicPuppy · Score: 5, Insightful

    Not if it still works. You need to take the old address offline for a while.

    Most people don't pay much attention to their DNS infrastructure. The stuff doesn't need much maintenance. If it breaks, they'll notice that something is wrong, but if it continues working seamlessly, they'll ignore it.

    --
    ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
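    The comment above describes the root cause of the whole incident: resolvers whose root hints nobody reviewed after the renumbering. As an added example (not code from the thread or from Renesys), the following script parses a named.root-style hints file and reports every root server whose A record differs from a reference table; both the hints file and the reference addresses are constructed placeholders (TEST-NET ranges), not the real root server addresses.

```python
"""Flag stale root-hints entries, an added defender's check for resolvers that
still point at a renumbered root server. Sample data is constructed and uses
TEST-NET addresses; it does not reflect real root server addresses."""
import re

# Constructed reference table: root server name -> currently assigned IPv4.
# In practice this comes from the current IANA named.root; these are placeholders.
CURRENT_ROOT_A = {
    "A.ROOT-SERVERS.NET.": "192.0.2.4",
    "L.ROOT-SERVERS.NET.": "198.51.100.42",  # the renumbered server in this example
}

# Constructed named.root-style hints file that still carries L's old address.
SAMPLE_HINTS = """\
; constructed sample root hints (not the real file)
.                        3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     192.0.2.4
.                        3600000      NS    L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET.      3600000      A     203.0.113.12
"""

# owner  TTL  [IN]  A  address
_A_LINE = re.compile(r"^(\S+)\s+\d+\s+(?:IN\s+)?A\s+(\S+)\s*$", re.IGNORECASE)

def parse_hints_a_records(text):
    """Return {owner_name: ipv4} for the A records in a hints zone file.
    ';' comments, NS lines and AAAA lines are ignored."""
    records = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        m = _A_LINE.match(line)
        if m:
            records[m.group(1).upper()] = m.group(2)
    return records

def find_stale_hints(hints_text, reference=CURRENT_ROOT_A):
    """Return [(name, configured_ip, expected_ip)] for every hinted root server
    whose A record does not match the reference. Names missing from the
    reference are reported with expected_ip=None so an operator reviews them
    instead of silently trusting an unknown server."""
    stale = []
    for name, ip in parse_hints_a_records(hints_text).items():
        expected = reference.get(name)
        if expected != ip:
            stale.append((name, ip, expected))
    return stale

if __name__ == "__main__":
    for name, got, want in find_stale_hints(SAMPLE_HINTS):
        print(f"STALE {name}: configured {got}, current {want}")
```

    Run against a resolver's real hints file with the real IANA table, a non-empty result means that resolver may still be sending root queries to whoever holds the old prefix.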
  10. Why indeed... by blumesa · Score: 4, Insightful

    Why traffic goes to "retired" address space is a difficult question to answer. http://www.caida.org/workshops/wide/0611/ has a pointer to some early work done on the "B" renumbering. There was agreement by the operators of "B", "L", "J", and "M" to collect data during the DITL-2008 collection to see if there is any correlation between querying nodes. That said, ICANN should have renumbered the node when they took it over. They did not. They have not had permission to use the prefix since 2004 - but for stability's sake, I did not make a big fuss.

    bill manning