|
||
|
||
There have been a number of attacks on the root name servers over the years, and much written on the topic. (A few references are here, here and here.) Even if you don’t know exactly what these servers do, you can’t help but figure they’re important when the US government says it is prepared to launch a military counterattack in response to cyber-attacks on them.
This posting is about an attack on one such root name server. Actually, “attack” isn’t really an appropriate term. It was not really an attack or a hijack or even identity theft. For one thing, these terms imply the existence of both a victim and a villain. In this story, the villains are not obvious and there might not have been any victims. And as we will see, you can’t really steal something you own. All we can say for certain is that many of you, if not most, probably used an unauthorized root name server over the past few months and were blissfully unaware of it. These bogus servers may have acted just like a normal root server, providing the correct answers to your queries without logging your requests. But since these servers are now shut down, we can no longer investigate what they were doing. And we can only guess at the motivations of those who set them up.
The following graph shows, over the past six months, the percentage of Renesys peers selecting each of these four competing choices for old L root name servers.
Sponsored byRadix
Sponsored byCSC
Sponsored byIPv4.Global
Sponsored byWhoisXML API
Sponsored byVerisign
Sponsored byVerisign
Sponsored byDNIB.com
A World-Renowned Source for Internet Developments. Serving Since 2002.
there was agreement between root operators to collect data on some retired addresses for DITL-2008. the reasons for collecting that data was to check for correlation on querying nodes. The problems have been identified in NANOG presentations and at WIDE/CAIDA workshops over the
years… http://www.caida.org/workshops/wide/0611/ has one of my contributions there.
It is likely that an analysis of the 2008 data will be published later this year.
I understand that ISC is running a data collection service (SIE) and has asked for permission to
collect this type of data on an ongoing basis.
So its not as “nasty” as your title suggests. A little unorthodox, yes.
Hyperbole.
Best Regards,
Martin
Title says: “Identity Theft of Root Name Servers, Reason Unknown”. Then inside the article it says “This posting is about an attack on one such root name server. Actually, ‘attack’ isn’t really an appropriate term. It was not really an attack or a hijack or even identity theft.” So, the title was completely wrong? Was there a point being made here or just a grab for attention?
Edward Lewis said:
This was the closest term that seemed to fit. If you went to the old IP during this time, you were implicitly assuming it was a legitimate root name server and the act of running a server on this IP assured that you would continue to do so. If someone assumes your identity, does it really matter if they give the correct answers to questions about you?
http://blog.icann.org/?p=309
Earl Zmijewski said:
I think you are half right. ICANN had no authorization from EP.NET to announce the route,
so they had been assuming EP.NET identity.
That said, there was agreement to announce the route and collect data for DITL between ICANN and EP.NET. You did not do your homework and it appears there are “chinese walls” inside ICANN, where one party is not talking to another.
The references noted for the article were also fairly out of date. There are other issues that seem more important though. Like root server data privacy.
-M<