NordVPN Promotion

Home / Blogs

Identity Theft of Root Name Servers, Reason Unknown

There have been a number of attacks on the root name servers over the years, and much written on the topic. (A few references are here, here and here.) Even if you don’t know exactly what these servers do, you can’t help but figure they’re important when the US government says it is prepared to launch a military counterattack in response to cyber-attacks on them.

This posting is about an attack on one such root name server. Actually, “attack” isn’t really an appropriate term. It was not really an attack or a hijack or even identity theft. For one thing, these terms imply the existence of both a victim and a villain. In this story, the villains are not obvious and there might not have been any victims. And as we will see, you can’t really steal something you own. All we can say for certain is that many of you, if not most, probably used an unauthorized root name server over the past few months and were blissfully unaware of it. These bogus servers may have acted just like a normal root server, providing the correct answers to your queries without logging your requests. But since these servers are now shut down, we can no longer investigate what they were doing. And we can only guess at the motivations of those who set them up.

The following graph shows, over the past six months, the percentage of Renesys peers selecting each of these four competing choices for old L root name servers.

By Earl Zmijewski, VP and General Manager, Internet Data Services

Filed Under

Comments

Bill Manning  –  May 19, 2008 7:57 PM

there was agreement between root operators to collect data on some retired addresses for DITL-2008.  the reasons for collecting that data was to check for correlation on querying nodes. The problems have been identified in NANOG presentations and at WIDE/CAIDA workshops over the
years…  http://www.caida.org/workshops/wide/0611/  has one of my contributions there.
It is likely that an analysis of the 2008 data will be published later this year.

I understand that ISC is running a data collection service (SIE) and has asked for permission to
collect this type of data on an ongoing basis.

So its not as “nasty” as your title suggests. A little unorthodox, yes.

Martin Hannigan  –  May 20, 2008 4:43 AM

Hyperbole.

Best Regards,

Martin

Edward Lewis  –  May 20, 2008 2:13 PM

Title says: “Identity Theft of Root Name Servers, Reason Unknown”.  Then inside the article it says “This posting is about an attack on one such root name server. Actually, ‘attack’ isn’t really an appropriate term. It was not really an attack or a hijack or even identity theft.”  So, the title was completely wrong?  Was there a point being made here or just a grab for attention?

Earl Zmijewski  –  May 20, 2008 2:36 PM

Edward Lewis said:

Title says: “Identity Theft of Root Name Servers, Reason Unknown”.  Then inside the article it says “This posting is about an attack on one such root name server. Actually, ‘attack’ isn’t really an appropriate term. It was not really an attack or a hijack or even identity theft.”  So, the title was completely wrong?  Was there a point being made here or just a grab for attention?


This was the closest term that seemed to fit.  If you went to the old IP during this time, you were implicitly assuming it was a legitimate root name server and the act of running a server on this IP assured that you would continue to do so.  If someone assumes your identity, does it really matter if they give the correct answers to questions about you?

David Conrad  –  May 20, 2008 4:47 PM
Bill Manning  –  May 20, 2008 5:58 PM

Earl Zmijewski said:

Edward Lewis said:

Title says: “Identity Theft of Root Name Servers, Reason Unknown”.  Then inside the article it says “This posting is about an attack on one such root name server. Actually, ‘attack’ isn’t really an appropriate term. It was not really an attack or a hijack or even identity theft.”  So, the title was completely wrong?  Was there a point being made here or just a grab for attention?


This was the closest term that seemed to fit.  If you went to the old IP during this time, you were implicitly assuming it was a legitimate root name server and the act of running a server on this IP assured that you would continue to do so.  If someone assumes your identity, does it really matter if they give the correct answers to questions about you?

 

I think you are half right.  ICANN had no authorization from EP.NET to announce the route,
so they had been assuming EP.NET identity. 

That said, there was agreement to announce the route and collect data for DITL between ICANN and EP.NET.  You did not do your homework and it appears there are “chinese walls” inside ICANN, where one party is not talking to another.

Martin Hannigan  –  May 20, 2008 10:54 PM

That said, there was agreement to announce the route and collect data for DITL between ICANN and EP.NET.  You did not do your homework and it appears there are “chinese walls” inside ICANN, where one party is not talking to another.


The references noted for the article were also fairly out of date. There are other issues that seem more important though. Like root server data privacy.

-M<

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

Related

Topics

Cybersecurity

Sponsored byVerisign

IPv4 Markets

Sponsored byIPv4.Global

DNS

Sponsored byDNIB.com

New TLDs

Sponsored byRadix

Domain Names

Sponsored byVerisign

Brand Protection

Sponsored byCSC

Threat Intelligence

Sponsored byWhoisXML API

NordVPN Promotion