Feeds

Top level domain explosion could wreak MAYHEM on NET

Suppose you owned '1'. Now you can set up 127.0.0.1 ...

The Essential Guide to IT Transformation

Not your GoDaddy's domain

“It's a bunch of FUD,” he said, referring to the scenarios painted by Ray and other critics. “Yes, if domains like wpad or localhost or localdomain were assigned, bad things might happen. Those domains aren't going to get assigned. It's not like there aren't layers of approval that have to go in place to get a top level domain.”

The ICANN approval process Kaminsky was referring to calls for a $185,000 fee to be tacked onto each TLD application. The hefty charge is intended to winnow down the number of requests, so each one can be closely examined by human beings to make sure the proposed names comply with trademark and security criteria.

“This is not like going to GoDaddy and spending $40 for a domain,” Kaminsky added. “You have a $185,000 fee, and ICANN has a board that looks at this stuff.”

ICANN rules at the moment don't prohibit the registration of any specific TLDs, but the organization's Security, Stability and Advisory Committee in November issued a report (PDF) that obliquely hinted at the security threats end users might face if DNS servers stopped responding to certain invalid TLD requests with the standard "NXDOMAIN" error messages.

“Whereas the NXDOMAIN forces the querying application or user into an error resolution condition, the referral response from a root name server could cause recursion to continue (consider again the .lan scenario describe[d] above), with unpredictable results for the user,” the authors wrote.

The brief reference, buried near the end of the 10-page paper, doesn't warn of the huge opportunity a properly chosen TLD represents to a skilled attacker. What's more, it fails to acknowledge the large number of names that could wreak havoc.

TLDs such as “calicense” (PDF here), for example, or “isatap” could be exploited by attackers to breach corporate or government networks, since those strings are widely used to denote local resources by those deploying software from Computer Associates and Microsoft respectively.

“Basically, if you can control the ISATAP root TLD, you can talk to everyone's Windows machine on the planet with [IPv6 setting] 6in4 configured, since the ISATAP 'router' will be used,” Moore, of Rapid7, wrote in an email. If such names resolve at the DNS root level it “will destroy security on the internet as we know it.”

Innocuous domains aren't

Even TLDs containing innocuous-sounding words such as “accounting,” “mail,” and “search” could potentially be exploited, given the huge number of networks that use them to route local traffic.

“They're going to ignore all the small guys,” Ray, the PhoneFactor researcher, said, referring to the ICANN people responsible for vetting TLD applications for security problems. “Every little admin who hardcoded a short host name in some script somewhere is going to risk collision with a global top level domain unless that capability is somehow disabled entirely, which would imply that you can't actually serve anything from these global top level domains.”

F-Secure Chief Research Officer Mikko Hypponen recently speculated on the damage that could be done with a TLD consisting of the number 1, since it would allow the owner to create a routable host called 127.0.0.1, the IP address for “localhost.”

“While I'm at it, I'll also register 'intra', 'smtp', 'local' and 'mail'...maybe also 'con,'” he said in a follow-up tweet.

The longer term solution to problems such as these, Kaminsky and Vixie said, is to revamp DNS servers so that so-called A records never map an IP address to a single-label address.

Their proposal would close the security hole, but as Ray suggests, it would come at considerable cost. One of the presumed reasons a group or corporation would be willing to spend $185,000 for a TLD such as “nike” or “bank” is to have a website or email address that uses that string alone as the domain name (think http://nike/ or marketing@nike, as opposed to http://www.nike.com or marketing@nike.com). If dotless addresses are eliminated from A records, that won't be possible.

There's no indication ICANN or the Internet Engineering Task Force will be able to enact such a sweeping change by January, when ICANN will start accepting applications for the new TLDs.

The means that members vetting the proposed names better act as if the Sword of Damocles is dangling over their heads. The network they destroy could very well be their own. ®

Build a business case: developing custom apps

More from The Register

next story
Scotland's BIG question: Will independence cost me my broadband?
They can take our lives, but they'll never take our SPECTRUM
Bring back error correction, say Danish 'net boffins
We don't need no steenkin' TCP/IP retransmission and the congestion it causes
Auntie remains MYSTIFIED by that weekend BBC iPlayer and website outage
Still doing 'forensics' on the caching layer – Beeb digi wonk
NBN Co adds apartments to FTTP rollout
Commercial trial locations to go live in September
Samsung Z Tizen OS mobe is post-phoned – this time for good?
Russian launch for Sammy's non-droid knocked back
Telstra to KILL 2G network by end of 2016
GSM now stands for Grave-Seeking-Mobile network
Seeking LTE expert to insert small cells into BT customers' places
Is this the first step to a FON-a-like 4G network?
What FTC lawsuit? T-Mobile US touts 10GB, $100 family-of-4 plan
Folks 'could use that money for more important things' says CEO Legere
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.