DNS Hijacking: The largest single breach of privacy and security thus far online...
From: Tony (ntBugTraq_at_ATTRON.COM)
Date: Tue, 16 Sep 2003 04:39:05 -0500 To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
This is one of the most flagrant abuses of the public trust that I have
seen in a long time and it is important that people understand the impact
that it will have on their use of the Internet.
In a reckless fashion, Verisign has seized control of every non-existent
domain, zone, and DNS record in the .com and .net top-level domains
around 12:00pm EDT on September 15, 2003. Their so-called 'Site Finder
service' causes any DNS lookup for a non-existent zone beneath .com and
.net to resolve to an IP address under Verisign's control. For instance,
if you type ww.company.net (missing the third 'w') you will be directed
to a Verisign web site without your prior knowledge or consent.
This hijacking of namespace was announced by firstname.lastname@example.org on a
public mailing list of network administrators many hours AFTER the change
was implemented. I am not aware of any formal or informal attempt to
involve traditional Internet standards bodies in this decision.
What this Means to Your Network
Every mistyped URL, mistaken DNS query, email to a removed mail server,
and other traffic is redirected to Verisign's network for their
collection and use.
Your customers who mistype your web address (like ww.company.net) will be
redirected to a Verisign web site containing content of their choosing.
All domain-level cookies are sent to Verisign when a mistyped address is
entered for a lower-level-domain (visiting incorrect.store.company.net
sends all .company.com and .store.company.com-level cookies to Verisign's
on every commercial web site in the US...
Any application that expects a NXDOMAIN response to an invalid DNS lookup
in .com and .net will no longer receive such a reply. This could wreak
havoc on spam filters, network analysis tools, intrusion detection, and
other infrastructure-supporting network services that have previously
functioned as expected.
The IP that is currently being used in response to all invalid queries
listens on port 25 (SMTP) and appears to respond with exactly the same
pattern for each SMTP session.
New resource-exhaustion attacks on caching name servers are possible and
likely. Diagnosing DNS problems has become an order of magnitude more
Non-lowest-precedence mail exchangers will not receive mail if the
primary mail exchanger's address record is removed/unavailable.
These are simply a few of the primary effects that will happen as a
matter of course. There are untold new methods of abuse and misuse
available to employees, contractors, and owners of Verisign's network
devices (who issues SSL certificates.) Not to mention the additional
'useless traffic' generated by unintended TCP connections.
This redirection will most likely cause a denial-of-service on the
Verisign network preventing a large portion of the traffic from reaching
If we act quickly and collectively we can minimize the amount of traffic
misdirected from our systems.
What Can You Do?
If you reside in the US, call, email, and fax your representatives. Tell
them that Verisign is no longer capable of administrating the
infrastructure with which they have been entrusted. Urge them to draft a
resolution to remove their authority to operate .com/.net and immediately
delegate that authority to an alternate entity. This is not the first
time that the public trust has been violated by Verisign and it will not
be the last unless their custodial role is minimized.
Redirect traffic for Verisign's 'Site Finder system' IP range to a server
under your control and put up a web site there describing the situation.
Note that there is a 15-minute timeout on the A record for the wildcard
entry. This means that they can change the IP in less than 15 minutes.
It is currently 220.127.116.11 which is part of a /24 (256 addresses) from
an InterNAP /16 (65536 addresses.)
Encourage your upstream ISP(s) to null route traffic for these Verisign
IP addresses or change the behavior of their name servers to revert to
the previous non-wildcard status. Unfortunately, changes to the DNS
system can be catastrophic for network connectivity and should be
undertaken only as a last resort by experienced DNS admins. Modifying
DNS server operation will most likely lead to unforeseen fallout in the
Concise overview of the Domain Name System:
The Definitive Guide to DNS:
Verisign's Description of their 'Search System':
Slashdot discussion of this issue:
---- Are You "Certifiable"? Summer's Hottest Certification Just Got HOTTER! With a growth rate exceeding 110%, the TICSA security practitioner certification is one of the hottest IT credentials available. And now, for a limited time, you can save 33% off of the TICSA certification exam! To learn more about the TICSA certification, and to register as a TICSA candidate online, just go to http://www.trusecure.com/offer/s0100/ ----