Identity Theft Hits the Root Name Servers
aos101 writes "The Renesys blog has an interesting story about networks advertising the old address space of the L root name server after ICANN changed the IP address last November. These networks were also running root name servers on the old IP address of the L root name server up until last week, so any DNS servers still using the old IP address might have been getting their answers from these bogus name servers. A very cursory examination by Renesys of one of these bogus servers found that it appeared to be providing correct responses, which might be why no one noticed the problem. As Renesys points out, the volume of traffic to a root server is staggering, so the people running these bogus root servers must have had a reason. What did they get out of it?"
Actually, "attack" isn't really an appropriate term. It was not really an attack or a hijack or even identity theft. For one thing, these terms imply the existence of both a victim and a villain. In this story, the villains are not obvious and there might not have been any victims.
How do we go from this to a headline reading Identity Theft Hits the Root Servers?
There is no reason to believe that it was malicious at all. We all are familiar with that black hat turned grey or white that wants to help out by demonstrating vulnerabilities in the system. That is just as plausible as anything else. Maybe it's the free-masons!! The Illuminati, maybe!!! The only certain thing about this is the need to secure name service. We should be glad that, even though it was compromised, there is no apparent damage done.
I got a catholic block.
Evil marketing firms are always looking for ways to improve typo-squatting. Popping a root server's address space is the ultimate in NXDOMAIN (failed to match) lookups as every DNS server on the net that cannot resolve a domain (such as unregistered typo-domains) will go further and further back until it hits a root server. Hence having a root server's NXDOMAIN data is the ultimate in typo-squatting.
If only 5% of DNS servers hadn't updated their root servers list, and this server is listed as 1 of the 13 root servers, then these people will have .38% of the entire internet's DNS requests coming through them.
With "control" of a root server (or at least what a DNS client believed was a root server), they would be free to insert whatever records for anything they want. Think banking, finance, email, etc.
So really, the title of this article should have been: if you were in organized crime, what would you do if you could transparently MITM (man in the middle) attack 0.38% of all web traffic on the internet?
My guess is all your accounts belong to us.....
Colin McNamara - CCIE #18233 "The difficult we do immediately, the impossible just takes a little longer"
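The comment above turns on resolvers that never updated their root hints after the L-root move. Added example, not code from the thread or from any root operator: a small checker that parses a BIND-style root hints file (named.root / db.cache format) and lists root-server addresses that are not in a table of current addresses. The hints text and the "current" table are constructed placeholders using RFC 5737 documentation ranges, not the real root-server addresses; point the table at the published hints before relying on it.

```python
"""Flag root-server addresses in a BIND-style hints file that are no longer
current.  Added example; not from the original thread.  The hints text and the
CURRENT_ROOT_ADDRESSES table are constructed placeholders (RFC 5737
documentation ranges), not the real root-server addresses."""
import re
from typing import Dict, List, Set, Tuple

# Constructed: what this check treats as the current address of each root server.
CURRENT_ROOT_ADDRESSES: Dict[str, Set[str]] = {
    "L.ROOT-SERVERS.NET.": {"198.51.100.42"},
    "M.ROOT-SERVERS.NET.": {"203.0.113.33"},
}

# Constructed sample in named.root format: a comment line, a stale L-root
# glue record beside the current one, and an M-root entry that is fine.
SAMPLE_HINTS = """\
; constructed root hints, not a real file
.                        3600000      NS    L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET.      3600000      A     192.0.2.12
L.ROOT-SERVERS.NET.      3600000      A     198.51.100.42
.                        3600000      NS    M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET.      3600000      A     203.0.113.33
"""

# owner  ttl  [IN]  type  rdata   (the class field is optional in hints files)
HINT_LINE = re.compile(r"^(\S+)\s+\d+\s+(?:IN\s+)?(NS|A|AAAA)\s+(\S+)\s*$", re.I)


def parse_hints(text: str) -> Tuple[Set[str], Dict[str, Set[str]]]:
    """Return (names listed as NS for the root, {server name: {address, ...}})."""
    root_ns: Set[str] = set()
    addrs: Dict[str, Set[str]] = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop ';' comments and blank lines
        if not line:
            continue
        m = HINT_LINE.match(line)
        if not m:
            continue
        owner, rtype, rdata = m.group(1).upper(), m.group(2).upper(), m.group(3)
        if rtype == "NS" and owner == ".":
            root_ns.add(rdata.upper())
        elif rtype in ("A", "AAAA"):
            addrs.setdefault(owner, set()).add(rdata)
    return root_ns, addrs


def stale_entries(text: str,
                  current: Dict[str, Set[str]] = CURRENT_ROOT_ADDRESSES
                  ) -> List[Tuple[str, str]]:
    """List (server, address) pairs from the hints that are absent from `current`.

    Only servers that appear in `current` are judged, so a server the table
    says nothing about is never reported as stale."""
    root_ns, addrs = parse_hints(text)
    stale: List[Tuple[str, str]] = []
    for name in sorted(root_ns):
        if name not in current:
            continue
        for ip in sorted(addrs.get(name, ())):
            if ip not in current[name]:
                stale.append((name, ip))
    return stale


if __name__ == "__main__":
    for name, ip in stale_entries(SAMPLE_HINTS):
        print(f"stale hint: {name} {ip}")
```

A stale glue address is only a problem if the resolver still sends traffic to it, so the companion check is to watch outbound port 53 traffic from your resolvers for destinations that are not in the current table.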
nonsense. the article is very clear: here's what happened:
icann hosted L-root on ip addresses they didn't have an exclusive right to use.
they decided to stop doing that and moved L-root to somewhere else.
shortly thereafter someone else decided to operate a name server on the very same IP addresses.
that's *what* happened. perhaps you meant to say that the article doesn't say *why* it happened. that would be a fair criticism.
I upgraded a corporate DNS once and left the old system in place, just changed the CNAME to point to the new server. The new server (windows) ate itself later, and since the guy whose baby it was had been canned, I just switched the name back to the old servers.
;)
Later, my new boss wanted to switch to a Linux based system, instead of the windows system which I'd already repurposed. I quoted him a modest server, set it up as a secure proxy for some of our internal web applications, and let the original linux system keep chugging along.
I figure I can get at least two more servers out of this, before I actually have to upgrade the system.
Maybe the guys at root-servers just left some hardware running at the old address?
They should never have relinquished the address so damn quickly. Turn off the equipment for a few weeks first and let people see that that address no longer works...Don't just let someone move in seamlessly and hijack your junk.
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
From the link in the FA:
...
http://blog.icann.org/?p=227
It is expected that the old address will continue to work for at least six months after the transition, but will ultimately be retired from service.
1st November 2007 -> 1st May 2008 is 6 months. So they left it a few days over 6 months.
Tim.
God said, "div D = rho, div B = 0, curl E = -@B/@t, curl H = J + @D/@t," and there was light.
Mod parent up. Those IP addresses should NEVER have been let out in the cold where they could be misused. That's just not right
Support NYCountryLawyer RIAA vs People
There is DNS Security... But really, it's like any fix for SMTP - nobody bothers using it because nobody is using it...
"Go to CNN [for a] spell-checked, fact-checked summary" -- CmdrTaco
The fact that those who did this had huge resources does not make it less scary, neither does the fact that nobody detected anything. Remember how that guy operated a Tor exit node to get a whole lot of interesting data; the idea here is the same.
(A concrete example would be to send your Wikipedia request to a bogus Wikipedia website. It would forward all your queries to the real Wikipedia, so you couldn't tell the difference (man in the middle), but on some pages it would serve you an altered page; it could also make you feel like you wrote an article, but the article would actually only show up on your copy of the bogus website, not the real one. Encryption thwarts this; otherwise it's really the worst case scenario.)
And apparently, there is nothing to prevent it from happening again. Since people seem so little concerned, I must have missed some detail which makes everything fine; or at least I really hope so.
Don't take my posts literally; it's just code to control my botnet.
Not if it still works. You need to take the old address offline for a while.
Most people don't pay much attention to their DNS infrastructure. The stuff doesn't need much maintenance. If it breaks, they'll notice that something is wrong, but if it continues working seamlessly, they'll ignore it.
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.