Identity Theft Hits the Root Name Servers
aos101 writes "The Renesys blog has an interesting story about networks advertising the old address space of the L root name server after ICANN changed the IP address last November. These networks were also running root name servers on the old IP address of the L root name server up until last week, so any DNS servers still using the old IP address might have been getting their answers from these bogus name servers. A very cursory examination by Renesys of one of these bogus servers found that it appeared to be providing correct responses, which might be why no one noticed the problem. As Renesys points out, the volume of traffic to a root server is staggering, so the people running these bogus root servers must have had a reason. What did they get out of it?"
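The submission's worry is that resolvers "still using the old IP address" kept sending root queries to whoever answered there. The check below is an added example, not code from Renesys, ICANN or anyone in the thread: it parses a BIND-style root hints file and flags any entry that still points a root server at an address it is known to have left. The only stale address it knows is the old L-root address quoted later in the thread (198.32.64.12); the hints text is constructed for the demo and the A-root address in it is a documentation placeholder, not the real one.

```python
"""Scan a BIND-style root hints (named.root) file for root-server entries
that still carry an address the server no longer uses.

Added example, not Renesys', ICANN's or the commenters' code. The sample
hints text is constructed; the stale-address table lists only the old
L-root address given in the thread.
"""
from typing import Dict, List, Set, Tuple

# Root-server name -> addresses known to be stale for it. Only the old
# L-root address from the thread is listed; extend as further changes happen.
STALE_ADDRESSES: Dict[str, Set[str]] = {
    "L.ROOT-SERVERS.NET.": {"198.32.64.12"},
}

# Constructed sample in the named.root layout. 192.0.2.1 is a documentation
# address standing in for A-root, not its real address.
SAMPLE_HINTS = """\
; constructed root hints sample (not the real named.root)
.                        3600000      NS    L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET.      3600000      A     198.32.64.12
.                        3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     192.0.2.1
"""


def parse_root_hints(text: str) -> List[Tuple[str, str, str]]:
    """Return (owner, rrtype, rdata) for every A/AAAA record in a hints file.

    Handles the usual named.root layout: ';' comments, blank lines, an
    optional numeric TTL column and an optional 'IN' class column.
    """
    records: List[Tuple[str, str, str]] = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            continue
        owner = fields[0].upper()
        rest = fields[1:]
        if rest and rest[0].isdigit():          # optional TTL
            rest = rest[1:]
        if rest and rest[0].upper() == "IN":    # optional class
            rest = rest[1:]
        if len(rest) < 2:
            continue
        rrtype, rdata = rest[0].upper(), rest[1]
        if rrtype in ("A", "AAAA"):
            records.append((owner, rrtype, rdata))
    return records


def stale_root_hints(text: str,
                     stale: Dict[str, Set[str]] = STALE_ADDRESSES
                     ) -> List[Tuple[str, str]]:
    """Return (owner, address) pairs whose address is listed as stale."""
    return [(owner, rdata)
            for owner, _rrtype, rdata in parse_root_hints(text)
            if rdata in stale.get(owner, set())]


if __name__ == "__main__":
    for owner, addr in stale_root_hints(SAMPLE_HINTS):
        print(f"stale hint: {owner} -> {addr}")
```

Run it against the resolver's real hints file (or the address list compiled into the resolver binary, which is what most installations actually use) rather than the constructed sample; a hit means root queries for that server letter are going to whichever network currently answers at the old address.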
Evil marketing firms are always looking for ways to improve typo-squatting. Popping a root server's address space is the ultimate in NXDOMAIN (failed to match) lookups as every DNS server on the net that cannot resolve a domain (such as unregistered typo-domains) will go further and further back until it hits a root server. Hence having a root server's NXDOMAIN data is the ultimate in typo-squatting.
Since they seem to be providing valid responses (as suggested in the article), it must be some traffic data that they are collecting. They now have a long list of valid IP addresses with data, consider it a list of targets. They also have some first-hand data on the most popular websites which they could sell to advertisers ("Are you sure you're getting the right billing from your advertising agents?"). It could also have been a set-up - benign now but gearing up to start attacking later. I hate to mention it, but they could have been testing a cyberattack technique and had the bad luck to get caught (the Manchurian DNS server).
A few reasons spring immediately to mind.
1. Preliminary move with the intent of actual subversion of results at a later date. This gives you an idea of what the traffic looks like, the volume you're going to have to manage, and the technical requirements of managing the subversion on top of recording important information about the systems you just subverted for later exploitation, plus any statistical information you need/want to improve your subversion process.
2. Preliminary move by a government, corporate entity, or some grouping with the intent of either wresting control of some portion of the DNS infrastructure from ICANN, or setting up a country-specific DNS infrastructure that is legally mandated. Again, you get valuable information about the kind of stuff you need to be dealing with, depending on exactly what you have in mind.
3. Same as above, but more of an idealistic style intervention, fearing malicious intent from the US government which still controls the DNS system, and trying to prepare for a time when an ICANN-free DNS system may need to be put in place.
Depending on where this stuff is actually going (and if it's the actual owner of the IP space that is doing this) of course...
I upgraded a corporate DNS once and left the old system in place, just changed the CNAME to point to the new server. The new server (Windows) ate itself later, and since the guy whose baby it was had been canned, I just switched the name back to the old servers.
;)
Later, my new boss wanted to switch to a Linux-based system, instead of the Windows system which I'd already repurposed. I quoted him a modest server, set it up as a secure proxy for some of our internal web applications, and let the original Linux system keep chugging along.
I figure I can get at least two more servers out of this, before I actually have to upgrade the system.
Maybe the guys at root-servers just left some hardware running at the old address?
They should never have relinquished the address so damn quickly. Turn off the equipment for a few weeks first and let people see that that address no longer works. Don't just let someone move in seamlessly and hijack your junk.
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
Here's my question:
Isn't there some sort of authentication for DNS a la SSL certificates? If not, would this take a major overhaul of the DNS system to support it?
As I understand it, there's also a man-in-the-middle type of attack with DNS where a local router (possibly a Hacked By Chinese(tm) "Cisco" router) will substitute its own DNS replies instead of passing the query to the real DNS server.
Couldn't both of these issues be resolved by having a field on the DNS record where the reply is signed by the DNS server? Leave the original field as-is, but add a field where the same reply is cryptographically signed. Then systems that support it can verify it. I can't imagine it'd take very long for Linux and BSD to support it, and Mac and Windows would probably follow along eventually.
What's wrong with this idea? Does it already exist in some form and just isn't widely used?
According to l.root-servers.org linked above, the IP change happened on the first of November last year, and only a couple weeks ago was taken offline at the old address. Is six months not enough?
How are sites slashdotted when nobody reads TFAs?
Nonsense. The article is very clear. Here's what happened: ICANN hosted L-root on IP addresses they didn't have an exclusive right to use. They decided to stop doing that and moved L-root somewhere else. Shortly thereafter someone else decided to operate a name server on the very same IP addresses. That's *what* happened. Perhaps you meant to say that the article doesn't say *why* it happened. That would be a fair criticism.
You're missing something here. It wasn't just that "someone" else decided to operate a bogus L root server on that IP address; it's that several someones were doing this. The article states there were FOUR of these running on the OLD IP address. So you had the newly IP'd correct L server, and 4 bogus L servers (one of which was being run by ICANN itself), all using the same old IP address.
How could this happen, you ask? Because 3 entities not authorized to announce that they host that IP block did so anyway, so there were 4 different routes to that IP block on the Internet, resulting in 4 possible places you could end up when sending DNS queries to the old address, 198.32.64.12.
So basically there are 2 concerns here: one is that a couple of Internet entities were advertising routes for an IP block they were not authorized to advertise, and the other is that they were running a bogus L root server from that IP block on its old address. Bill Manning owned the IP block, so his ISP was authorized to advertise that route, and it might be obvious why ICANN was also advertising a route for it (to try to get that traffic going to the old IP address for root lookups), but why were Community DNS and Diyixian.com advertising that route and running a bogus L root server?
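The situation the last comment describes, several networks each originating the same prefix so that "4 different routes" exist, is what routing-security people call a multiple-origin-AS (MOAS) conflict, and it is exactly the condition a route-collector feed lets you detect. The block below is an added example, not Renesys' tooling or anything from the thread: it reads a constructed "prefix AS_PATH" routing view, reports prefixes with more than one origin AS, and compares observed origins against an authorized set of the kind an IRR route object or an RPKI ROA would give you. The ASNs are placeholders from the private range, and the /24 is assumed, since the thread only gives the host address 198.32.64.12.

```python
"""Detect prefixes originated by more than one AS (MOAS conflicts) and
origins not on an authorized list, from a 'prefix AS_PATH' routing view.

Added example, not Renesys' code. Everything in SAMPLE_ROUTES is
constructed: placeholder private-range ASNs, an assumed /24 for the old
L-root block, and a documentation prefix as a benign control case.
"""
from collections import defaultdict
from typing import Dict, Iterable, Set

# Constructed routing view. Four distinct origins for the old L-root block
# mirror the "4 different routes" in the thread; the ASNs are placeholders,
# not the real operators' numbers.
SAMPLE_ROUTES = """\
# prefix          AS_PATH (origin is the last AS)
198.32.64.0/24    64496 64500
198.32.64.0/24    64497 64501
198.32.64.0/24    64498 64502
198.32.64.0/24    64499 64503
192.0.2.0/24      64496 64510
192.0.2.0/24      64497 64496 64510
"""

# Constructed stand-in for an IRR route object / RPKI ROA lookup:
# prefix -> origin ASes allowed to announce it.
AUTHORIZED_ORIGINS: Dict[str, Set[int]] = {
    "198.32.64.0/24": {64500},
    "192.0.2.0/24": {64510},
}


def origins_by_prefix(lines: Iterable[str]) -> Dict[str, Set[int]]:
    """Map each prefix to the set of origin ASes seen announcing it.

    The origin is the last AS in the path; AS_SET braces such as {64500}
    are stripped so an aggregate does not break parsing.
    """
    origins: Dict[str, Set[int]] = defaultdict(set)
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        prefix, *path = line.split()
        if not path:
            continue
        origins[prefix].add(int(path[-1].strip("{}")))
    return dict(origins)


def multiple_origin_prefixes(lines: Iterable[str]) -> Dict[str, Set[int]]:
    """Prefixes announced from more than one origin AS (MOAS conflicts)."""
    return {p: o for p, o in origins_by_prefix(lines).items() if len(o) > 1}


def unauthorized_origins(lines: Iterable[str],
                         authorized: Dict[str, Set[int]]
                         ) -> Dict[str, Set[int]]:
    """Prefix -> origins observed that are not in the authorized set.

    A prefix with no authorization entry at all is reported with every
    observed origin, since nothing vouches for any of them.
    """
    bad: Dict[str, Set[int]] = {}
    for prefix, seen in origins_by_prefix(lines).items():
        extra = seen - authorized.get(prefix, set())
        if extra:
            bad[prefix] = extra
    return bad


if __name__ == "__main__":
    view = SAMPLE_ROUTES.splitlines()
    for prefix, origins in multiple_origin_prefixes(view).items():
        print(f"MOAS: {prefix} originated by {sorted(origins)}")
    for prefix, origins in unauthorized_origins(view, AUTHORIZED_ORIGINS).items():
        print(f"unauthorized: {prefix} from {sorted(origins)}")
```

A MOAS conflict on its own is not proof of hijacking (anycast and multi-homed customers produce legitimate ones), which is why the second check against an authorization source matters: in the thread's terms, the owner's ISP and ICANN would be on the authorized list, and the other two origins would be the ones to ask questions about.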