Full cause of massive Internet redirection still unclear

By Jaikumar Vijayan, Computerworld

SOME SECURITY ANALYSTS said it's still unclear what really happened last weekend when a technology glitch redirected Internet traffic meant for Web sites run by Yahoo, Microsoft, and other companies to one owned by a Bermuda-based Web hosting and domain registration firm.

On Saturday, an estimated 100,000 Internet users trying to access various Web sites were instead routed to a page operated by MyDomain.com, which is part of a Hamilton, Bermuda, company called Global Internet Investments under an acquisition that was announced last spring. The traffic eventually caused MyDomain.com's Web site to crash.

MyDomain.com claims to host more than 350,000 Internet domains. Richard Lau, the company's president, this week said the redirecting problem started with faulty entries in MyDomain.com's DNS table but was then compounded by misconfigured systems being run by different ISPs.

"Our situation reveals a massive flaw in some DNS resolution server software being used by some ISPs," Lau said, asserting that the prospect of an incorrect setting at MyDomain.com affecting other ISPs on its own "goes against all fundamentals."

While ISPs may indeed bear some fault, the incident also appears to have been the result of MyDomain.com taking advantage of a well-known DNS vulnerability, said Ryan Russell, an incident analyst at the SecurityFocus.com online bulletin board and security information portal in San Mateo, Calif. By putting the bulk of the blame on unnamed ISPs, Russell said, MyDomain.com is "trying to . . . save face a little bit."

When a user enters a Web site address into a browser, a request for the corresponding numeric IP address is sent to a so-called "authoritative" name server, many of which are distributed around the world. To speed up the process, Lau said, some ISPs construct DNS tables containing the IP addresses of commonly requested Web addresses or use DNS lists belonging to hosting companies such as MyDomain.com.

Because of "human error," Lau said, MyDomain.com's DNS list became corrupted last Saturday and incorrectly redirected users to its own servers instead of the Web addresses they had requested. But the problem wouldn't have been so bad if ISPs used the appropriate name servers instead of relying on data provided by MyDomain.com's DNS table, Lau claimed.

But Russell said MyDomain.com itself may have had a hand in encouraging ISPs to do that, based on information that SecurityFocus.com received from an employee at the company. By taking advantage of the DNS vulnerability, he said, MyDomain.com appears to have actively presented itself as a sort of name server authority to users who visited the domains it hosts.

That may have contributed to last Saturday's incident, Russell said, although he noted that ISPs also are responsible for making sure holes such as the DNS vulnerability are closed in the first place.

In addition, Russ Cooper, an analyst at security consulting firm TruSecure in Reston, Va., said it appears that some of the mapping information in MyDomain.com's DNS tables shouldn't have been there because it doesn't belong to the company.

There is also no evidence that external ISPs were knowingly using MyDomain.com's DNS lists, Cooper said. "If they were, then customers have a right to know who they were and why they were relying on [MyDomain.com's] information," he added.

http://www.infoworld.com/articles/hn/xml/01/01/24/010124hnmisroute.xml

-- Martin Thompson (mthom1927@aol.com), January 25, 2001
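The "well-known DNS vulnerability" the article leaves unnamed is described only by its effect: a hosting company's DNS data carried mappings for domains it does not own, and some ISPs' resolver software accepted and served them. The check resolvers use against exactly that failure mode is commonly called a bailiwick check: a record is only cached if it falls inside the zone the responding server is authoritative for. The following Python model is an added example, not code from the thread, either article, or any resolver product; that the incident involved this class of check is an assumption drawn from the article's description, and all names and addresses are constructed (RFC 2606 names, RFC 5737 addresses).

```python
# Added example (not from the article): a minimal bailiwick check of the kind
# a caching resolver applies so that a name server can only populate the cache
# for names it is authoritative for. Everything below is constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class RR:
    """One resource record as it would appear in a DNS response."""
    name: str
    rtype: str
    rdata: str
    ttl: int = 300


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` is `zone` itself or a subdomain of it (case-insensitive,
    trailing dot ignored). 'evilhosting-co.example' is NOT under
    'hosting-co.example', hence the explicit '.' in the suffix test."""
    n = name.lower().rstrip(".")
    z = zone.lower().rstrip(".")
    return n == z or n.endswith("." + z)


def filter_response(records: List[RR], zone: str) -> Tuple[List[RR], List[RR]]:
    """Split a response into records the server may assert (inside its zone)
    and records it may not (outside). The latter are what a careless resolver
    would cache and later hand to clients asking about unrelated domains."""
    accepted = [r for r in records if in_bailiwick(r.name, zone)]
    rejected = [r for r in records if not in_bailiwick(r.name, zone)]
    return accepted, rejected


class ResolverCache:
    """Tiny positive cache keyed by (owner name, record type)."""

    def __init__(self, check_bailiwick: bool) -> None:
        self.check_bailiwick = check_bailiwick
        self.store: Dict[Tuple[str, str], RR] = {}

    def ingest(self, zone: str, records: List[RR]) -> List[RR]:
        """Cache a response from a server authoritative for `zone`.
        Returns the records that were discarded (empty for the naive cache)."""
        if self.check_bailiwick:
            keep, dropped = filter_response(records, zone)
        else:
            keep, dropped = list(records), []
        for r in keep:
            self.store[(r.name.lower().rstrip("."), r.rtype)] = r
        return dropped

    def lookup(self, name: str, rtype: str = "A") -> Optional[str]:
        """Return cached rdata, or None meaning 'ask the real authority'."""
        r = self.store.get((name.lower().rstrip("."), rtype))
        return r.rdata if r else None


# Constructed response from a hosting company's name server, authoritative
# only for hosting-co.example. Besides the answer it was asked for, it carries
# extra A records for domains it does not own, all pointing at the hosting
# company's own (documentation) address.
HOSTING_ZONE = "hosting-co.example"
CONSTRUCTED_RESPONSE = [
    RR("www.hosting-co.example", "A", "192.0.2.10"),  # legitimate answer
    RR("www.example.net", "A", "192.0.2.10"),         # not this server's to assert
    RR("mail.example.org", "A", "192.0.2.10"),        # not this server's to assert
]


def demo(check_bailiwick: bool) -> Dict[str, Optional[str]]:
    """Ingest the constructed response with or without the check and report
    what a later client would be told for each name in it."""
    cache = ResolverCache(check_bailiwick)
    cache.ingest(HOSTING_ZONE, CONSTRUCTED_RESPONSE)
    return {r.name: cache.lookup(r.name) for r in CONSTRUCTED_RESPONSE}


if __name__ == "__main__":
    print("naive cache   :", demo(check_bailiwick=False))
    print("checked cache :", demo(check_bailiwick=True))
```

Running it prints two dictionaries: the naive cache answers every name with 192.0.2.10, which is the redirection the article describes, while the checked cache answers only the in-zone name and returns None for the others, forcing the resolver to consult those domains' own authoritative servers. The same filter, logged rather than silently applied, doubles as a detection point: a flood of rejected out-of-zone records from one server is a signal worth alerting on.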

Answers

Date: 30 January 2001
Source: Daily News

Four flaws threaten 80% of the world's Web sites

Matthew Burgess

Up to 80% of the world's Web sites rely on domain name server software that is vulnerable to Microsoft-style denial of service attacks.

A security centre at Carnegie Mellon University in the US has identified four flaws in the Berkeley Internet Name Domain server software, which translates text-based domain names into the numeric IP addresses used by computers to identify Web sites.

Hackers could make use of these flaws to control traffic to and from Web sites including file downloads and email.

JJ Gray, a security architect at digital security consultancy @stake said that if BIND software were compromised, intruders could cause a lot more problems than denying access to a site.

"It would be possible to redirect people to other sites without their knowledge. If someone were to replicate the site of a financial institution, the customers they diverted to this replica would be unwittingly giving away all their personal information" said Gray.

The Internet Software Consortium two weeks ago released patches that upgrade BIND to version 9, which is not open to such attacks. These can be found at www.isc.org/products/BIND/bind-security.html

http://www.computerweekly.co.uk/cwarchive/daily/20010130/cwcontainer.asp?name=C8.HTML&SubSection=6&ct=home

-- Martin Thompson (mthom1927@aol.com), January 30, 2001.


Hmmm, could there be a connection here with these 2 articles.

"It would be possible to redirect people to other sites without their knowledge. If someone were to replicate the site of a financial institution, the customers they diverted to this replica would be unwittingly giving away all their personal information" said Gray.

-- Martin Thompson (mthom1927@aol.com), January 30, 2001.
