Feeds

Top level domain explosion could wreak MAYHEM on NET

Suppose you owned '1'. Now you can set up 127.0.0.1 ...

SANS - Survey on application security programs

A plan to populate the internet with hundreds or thousands of new top-level domains has security researchers pondering some of the unintended consequences that could be exploited by online criminals. Some of the scenarios aren't pretty.

Consider the mayhem that might result from addresses that end in “exchange,” “mailserver,” “domain,” or other strings that are frequently used to designate highly sensitive resources on corporate and government networks.

If a glitch ever caused an email program or other application to reach one of these external addresses, instead of the internal server carrying the identical host name, the outcome could prove disastrous for the stability of the internet.

“There's going to be a lot of cause for confusion, and it's going to make things a lot more ambiguous than they are today,” said H D Moore, CSO of Rapid7 and chief architect of the Metasploit penetration testing project. “TLDs could break widely used software products.”

An even more dire scenario would arise if online criminals intentionally acquired a strategically named TLD and used the incoming connections to harvest passwords or mount attacks on the connecting clients.

A corporate laptop, for example, that connected to an airport hotspot rather than the normal enterprise network might connect to the domain name “mailserver” controlled by hackers, rather than the trusted internal server by the same name. Similar attacks could be waged with other strings, including “wpad,” “lan,” and “local.”

ICANN expand

The handwringing comes two weeks after the Internet Corporation for Assigned Names and Numbers approved a measure allowing anyone to submit applications for virtually any TLD. The change could add hundreds or thousands of new suffixes over the next few years that contain brand names such as “Nike” or “Ford,” as well as generic words such as “bank.”

Right now, there are fewer than 300 TLDs, and most of them contain nondescript two- and three-letter suffixes such as .com or .uk.

Despite criticisms from some that the security concerns are overblown (more about that later), there's ample reason to take them seriously. According to data (PDF) presented in 2009 by the DNS Operations, Analysis, and Research Center, 10 invalid TLDs represented 10 per cent of the total query load on the internet's DNS. Those non-conforming TLDs included “wpad,” “domain,” “localdomain,” and “localhost,” strongly suggesting that huge numbers of applications have for years unwittingly leaked local host names onto the internet.

Graph showing top 10 invalid top level domains

Traffic for top 10 invalid TLDs. Source: DNS Operations, Analysis, and Research Center, 2009

As DNS expert Paul Vixie recently explained, software applications that interact with host names on internal networks should never query the internet's domain name system for their location. But in practices, things don't always work that way. There's no guarantee that a so-called single-label internet address will be reachable on the internet, but likewise, there's no guarantee it won't.

“They won't work reliably,” Vixie told The Register. “The point you're getting at is they will also not fail reliably, so if somebody types a name without a dot, it might actually work.”

'There's simply *no* fixing this problem at ICANN'

Indeed, depending on the browser and operating system used, a handful of sites are already accessible by typing nothing more than the TLD into the address bar. Using Mozilla Firefox on Mac or Ubuntu computers, it's possible to reach ac merely by pointing the browser to “ac” (minus the quotes). The same is true for io and tm. Google Chrome on OS X and Ubuntu will also access these sites with a little coaxing.

Using a Windows XP SP3 computer, The Register was unable to reach any of the three sites above. But according to researcher and software developer Marsh Ray, a home PC of his that ran Windows Vista connected just fine, and to make matters more dire, the lack of a dot in the address fooled the operating system into placing the site in the “Local Intranet Zone,” which Windows reserves for trusted internal addresses that don't require the same security defenses as external ones.

The potential for abuse, he said, is definitely there.

“It doesn't help you if you run Windows and it accepts *any* name without dots in it as the more-trusted 'local intranet zone,'” Ray, who works for two-factor authentication service PhoneFactor, wrote in an email. “There's simply *no* fixing this problem at ICANN. I know guys inside Microsoft who are feeling a little annoyed about the idea of .apple serving web pages into their intranet zone.”

Not everyone agrees the TLD expansion carries such risks. Among the skeptics is Dan Kaminsky, a DNS expert and the chief scientist for security firm DKH.

Combat fraud and increase customer satisfaction

More from The Register

next story
Virgin Media so, so SORRY for turning spam fire-hose on its punters
Hundreds of emails flood inboxes thanks to gaffe
A black box for your SUITCASE: Now your lost luggage can phone home – quite literally
Breakfast in London, lunch in NYC, and your clothes in Peru
AT&T threatens to pull out of FCC wireless auctions over purchase limits
Company wants ability to buy more spectrum space in auction
Turnbull leaves Australia's broadband blackspots in the dark
New Statement of Expectations to NBN Co offers get-out clauses for blackspot builds
Facebook claims 100 MEEELLION active users in India
Who needs China when you've got the next billion in your sights?
Facebook splats in-app chat, whacks brats into crack yakety-yak app
Jibber-jabbering addicts turfed out just as Zuck warned
Google looks to LTE and Wi-Fi to help it lube YouTube tubes
Bandwidth hogger needs tube embiggenment if it's to succeed
prev story

Whitepapers

SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.