Quick summary: One of the "traffic directors" of the Internet moved, and a bag of its subordinate traffic directors didn't notice, largely because THREE someone elses set up systems at the same address that filled all the same traffic direction requests accurately.
After the announced change, some interesting things started happening. The old address space (198.32.64.0/24) continued to be announced by ICANN (AS 20144), which, as planned, did not shut down its old server until May 2nd of this year. But then Community DNS (AS 42909) of England began announcing the old space as well, on December 15th. Bill Manning's ep.net (AS 4555) did the same on March 18th, and, for good measure, so did Diyixian.com (AS 9584) of Hong Kong on April 1st. So if you inadvertently went looking for the old L root name server during this time, you might have ended up at any one of four very different places, and most of the planet, still running with stale root hints, would have done just that. That wouldn't matter much if these sites weren't themselves running a root name server at the old address, but until last week they were.
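The situation described above, one prefix originated by four different autonomous systems at the same time, is exactly what a multiple-origin-AS (MOAS) check over BGP routing data is meant to catch. The following is an added example, not code from the Renesys post or from any of the parties it names: it takes a list of (prefix, AS path) records, collapses each to its origin AS, and reports prefixes with more than one origin or with an origin that disagrees with an expected-origin table, including the more-specific-prefix case that the post does not describe. The route records, the transit ASNs (private-use range), the 192.0.2.0/24 control prefix and the EXPECTED_ORIGIN table are all constructed for this example; the four origin ASNs for 198.32.64.0/24 are the ones named in the text.

```python
import ipaddress
from collections import defaultdict

# Constructed sample routes, not real RIB data: (prefix, AS path).
# The origin AS is the rightmost ASN in the path. The four origins for
# 198.32.64.0/24 are the ones the post names; transit ASNs are private-use
# placeholders, and the 192.0.2.0/24 entries (documentation address space,
# private-use ASNs) are a control case that includes a more-specific hijack.
SAMPLE_ROUTES = [
    ("198.32.64.0/24", (64512, 20144)),          # ICANN, the legitimate origin
    ("198.32.64.0/24", (64512, 42909)),          # Community DNS
    ("198.32.64.0/24", (64513, 4555, 4555)),     # ep.net, with AS-path prepending
    ("198.32.64.0/24", (64514, 9584)),           # Diyixian.com
    ("192.0.2.0/24", (64512, 64496)),            # control: single expected origin
    ("192.0.2.128/25", (64513, 64497)),          # control: more-specific from another AS
]

# Assumed authoritative mapping of prefix -> expected origin AS. In practice
# this would come from IRR route objects or RPKI ROAs, not a hand-written dict.
EXPECTED_ORIGIN = {
    ipaddress.ip_network("198.32.64.0/24"): 20144,
    ipaddress.ip_network("192.0.2.0/24"): 64496,
}


def origin_as(as_path):
    """The origin AS is the rightmost ASN; prepending repeats it, so this
    naturally collapses (64513, 4555, 4555) to 4555."""
    return as_path[-1]


def covering_expected(prefix, expected):
    """Return (covering_prefix, expected_origin) for the most specific expected
    prefix that contains `prefix`, or (None, None) if nothing covers it."""
    best = None
    for net, asn in expected.items():
        if prefix.version == net.version and prefix.subnet_of(net):
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, asn)
    return best if best else (None, None)


def find_origin_conflicts(routes, expected):
    """Flag (1) MOAS: the same prefix seen from more than one origin AS, and
    (2) any origin, including one announcing a more-specific sub-prefix, that
    differs from the expected origin of the covering prefix."""
    seen = defaultdict(set)
    for prefix_str, path in routes:
        seen[ipaddress.ip_network(prefix_str)].add(origin_as(path))

    findings = []
    for prefix, origins in seen.items():
        cover, exp_origin = covering_expected(prefix, expected)
        if exp_origin is None:
            unexpected = []
        else:
            unexpected = sorted(a for a in origins if a != exp_origin)
        if len(origins) > 1 or unexpected:
            findings.append({
                "prefix": str(prefix),
                "origins": sorted(origins),
                "expected_origin": exp_origin,
                "unexpected_origins": unexpected,
                # Set when the announced prefix is a sub-prefix of an expected one
                "more_specific_of": str(cover) if cover is not None and cover != prefix else None,
            })
    return sorted(findings, key=lambda f: f["prefix"])


if __name__ == "__main__":
    for finding in find_origin_conflicts(SAMPLE_ROUTES, EXPECTED_ORIGIN):
        print(finding)
```

Run against the constructed data, this flags 198.32.64.0/24 with three unexpected origins (4555, 9584 and 42909 beside the expected 20144) and 192.0.2.128/25 as a more-specific of 192.0.2.0/24 from an origin that is not the expected one, while the cleanly originated 192.0.2.0/24 itself is not reported. Feeding it a real RIB dump from a looking glass or route collector is a matter of replacing SAMPLE_ROUTES and EXPECTED_ORIGIN.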
You should read the story. If you're not up on the tech, scroll down to the conclusion.
Identity Theft Hits the Root Name Servers
"Put all your eggs in the one basket -- and watch that basket." — Mark Twain
There have been a number of attacks on the root name servers over the years, and much has been written on the topic. Even if you don't know exactly what these servers do, you can't help but figure they're important when the US government says it is prepared to launch a military counterattack in response to cyber-attacks on them.
This posting is about an attack on one such root name server. Actually, "attack" isn't really an appropriate term. It was not really an attack or a hijack or even identity theft. For one thing, these terms imply the existence of both a victim and a villain. In this story, the villains are not obvious and there might not have been any victims. And as we will see, you can't really steal something you own. All we can say for certain is that many of you, if not most, probably used an unauthorized root name server over the past few months and were blissfully unaware of it. These bogus servers may have acted just like a normal root server, providing the correct answers to your queries without logging your requests. But since these servers are now shut down, we can no longer investigate what they were doing. And we can only guess at the motivations of those who set them up.
Holy crap. (n/t)