Home / Blogs

Identity Theft of Root Name Servers, Reason Unknown

Earl Zmijewski

There have been a number of attacks on the root name servers over the years, and much written on the topic. (A few references are here, here and here.) Even if you don't know exactly what these servers do, you can't help but figure they're important when the US government says it is prepared to launch a military counterattack in response to cyber-attacks on them.

This posting is about an attack on one such root name server. Actually, "attack" isn't really an appropriate term. It was not really an attack or a hijack or even identity theft. For one thing, these terms imply the existence of both a victim and a villain. In this story, the villains are not obvious and there might not have been any victims. And as we will see, you can't really steal something you own. All we can say for certain is that many of you, if not most, probably used an unauthorized root name server over the past few months and were blissfully unaware of it. These bogus servers may have acted just like a normal root server, providing the correct answers to your queries without logging your requests. But since these servers are now shut down, we can no longer investigate what they were doing. And we can only guess at the motivations of those who set them up.

The following graph shows, over the past six months, the percentage of Renesys peers selecting each of these four competing choices for old L root name servers.

By Earl Zmijewski, VP and General Manager, Internet Data Services
Follow CircleID on
Related topics: Cybersecurity, DNS
SHARE THIS POST

If you are pressed for time ...

... this is for you. More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Vinton Cerf, Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Share your comments

Re: Identity Theft of Root Name Servers, Reason Unknown Bill Manning  –  May 19, 2008 12:57 PM PDT

there was agreement between root operators to collect data on some retired addresses for DITL-2008.  the reasons for collecting that data was to check for correlation on querying nodes. The problems have been identified in NANOG presentations and at WIDE/CAIDA workshops over the
years… http://www.caida.org/workshops/wide/0611/ has one of my contributions there.
It is likely that an analysis of the 2008 data will be published later this year.

I understand that ISC is running a data collection service (SIE) and has asked for permission to
collect this type of data on an ongoing basis.

So its not as "nasty" as your title suggests. A little unorthodox, yes.

Re: Identity Theft of Root Name Servers, Reason Unknown Martin Hannigan  –  May 19, 2008 9:43 PM PDT

Hyperbole.

Best Regards,

Martin

Re: Identity Theft of Root Name Servers, Reason Unknown Edward Lewis  –  May 20, 2008 7:13 AM PDT

Title says: "Identity Theft of Root Name Servers, Reason Unknown".  Then inside the article it says "This posting is about an attack on one such root name server. Actually, 'attack' isn’t really an appropriate term. It was not really an attack or a hijack or even identity theft." So, the title was completely wrong?  Was there a point being made here or just a grab for attention?

Re: Identity Theft of Root Name Servers, Reason Unknown Earl Zmijewski  –  May 20, 2008 7:36 AM PDT

Edward Lewis said:

Title says: "Identity Theft of Root Name Servers, Reason Unknown".  Then inside the article it says "This posting is about an attack on one such root name server. Actually, 'attack' isn’t really an appropriate term. It was not really an attack or a hijack or even identity theft." So, the title was completely wrong?  Was there a point being made here or just a grab for attention?

This was the closest term that seemed to fit.  If you went to the old IP during this time, you were implicitly assuming it was a legitimate root name server and the act of running a server on this IP assured that you would continue to do so.  If someone assumes your identity, does it really matter if they give the correct answers to questions about you?

Re: Identity Theft of Root Name Servers, Reason Unknown David Conrad  –  May 20, 2008 9:47 AM PDT

http://blog.icann.org/?p=309

Re: Identity Theft of Root Name Servers, Reason Unknown Bill Manning  –  May 20, 2008 10:58 AM PDT

Earl Zmijewski said:

Edward Lewis said:

Title says: "Identity Theft of Root Name Servers, Reason Unknown".  Then inside the article it says "This posting is about an attack on one such root name server. Actually, 'attack' isn’t really an appropriate term. It was not really an attack or a hijack or even identity theft." So, the title was completely wrong?  Was there a point being made here or just a grab for attention?

This was the closest term that seemed to fit.  If you went to the old IP during this time, you were implicitly assuming it was a legitimate root name server and the act of running a server on this IP assured that you would continue to do so.  If someone assumes your identity, does it really matter if they give the correct answers to questions about you?

I think you are half right.  ICANN had no authorization from EP.NET to announce the route,
so they had been assuming EP.NET identity. 

That said, there was agreement to announce the route and collect data for DITL between ICANN and EP.NET.  You did not do your homework and it appears there are "chinese walls" inside ICANN, where one party is not talking to another.

Re: Identity Theft of Root Name Servers, Reason Unknown Martin Hannigan  –  May 20, 2008 3:54 PM PDT

That said, there was agreement to announce the route and collect data for DITL between ICANN and EP.NET.  You did not do your homework and it appears there are “chinese walls” inside ICANN, where one party is not talking to another.

The references noted for the article were also fairly out of date. There are other issues that seem more important though. Like root server data privacy.

-M<

To post comments, please login or create an account.

Related

Topics

IP Addressing

Sponsored byAvenue4 LLC

Whois

Sponsored byWhoisXML API

Cybersecurity

Sponsored byVerisign

New TLDs

Sponsored byAfilias

Domain Names

Sponsored byVerisign

DNS Security

Sponsored byAfilias

Cybercrime

Sponsored byThreat Intelligence Platform