Feeds

Top level domain explosion could wreak MAYHEM on NET

Suppose you owned '1'. Now you can set up 127.0.0.1 ...

5 things you didn’t know about cloud backup

Not your GoDaddy's domain

“It's a bunch of FUD,” he said, referring to the scenarios painted by Ray and other critics. “Yes, if domains like wpad or localhost or localdomain were assigned, bad things might happen. Those domains aren't going to get assigned. It's not like there aren't layers of approval that have to go in place to get a top level domain.”

The ICANN approval process Kaminsky was referring to calls for a $185,000 fee to be tacked onto each TLD application. The hefty charge is intended to winnow down the number of requests, so each one can be closely examined by human beings to make sure the proposed names comply with trademark and security criteria.

“This is not like going to GoDaddy and spending $40 for a domain,” Kaminsky added. “You have a $185,000 fee, and ICANN has a board that looks at this stuff.”

ICANN rules at the moment don't prohibit the registration of any specific TLDs, but the organization's Security, Stability and Advisory Committee in November issued a report (PDF) that obliquely hinted at the security threats end users might face if DNS servers stopped responding to certain invalid TLD requests with the standard "NXDOMAIN" error messages.

“Whereas the NXDOMAIN forces the querying application or user into an error resolution condition, the referral response from a root name server could cause recursion to continue (consider again the .lan scenario describe[d] above), with unpredictable results for the user,” the authors wrote.

The brief reference, buried near the end of the 10-page paper, doesn't warn of the huge opportunity a properly chosen TLD represents to a skilled attacker. What's more, it fails to acknowledge the large number of names that could wreak havoc.

TLDs such as “calicense” (PDF here), for example, or “isatap” could be exploited by attackers to breach corporate or government networks, since those strings are widely used to denote local resources by those deploying software from Computer Associates and Microsoft respectively.

“Basically, if you can control the ISATAP root TLD, you can talk to everyone's Windows machine on the planet with [IPv6 setting] 6in4 configured, since the ISATAP 'router' will be used,” Moore, of Rapid7, wrote in an email. If such names resolve at the DNS root level it “will destroy security on the internet as we know it.”

Innocuous domains aren't

Even TLDs containing innocuous-sounding words such as “accounting,” “mail,” and “search” could potentially be exploited, given the huge number of networks that use them to route local traffic.

“They're going to ignore all the small guys,” Ray, the PhoneFactor researcher, said, referring to the ICANN people responsible for vetting TLD applications for security problems. “Every little admin who hardcoded a short host name in some script somewhere is going to risk collision with a global top level domain unless that capability is somehow disabled entirely, which would imply that you can't actually serve anything from these global top level domains.”

F-Secure Chief Research Officer Mikko Hypponen recently speculated on the damage that could be done with a TLD consisting of the number 1, since it would allow the owner to create a routable host called 127.0.0.1, the IP address for “localhost.”

“While I'm at it, I'll also register 'intra', 'smtp', 'local' and 'mail'...maybe also 'con,'” he said in a follow-up tweet.

The longer term solution to problems such as these, Kaminsky and Vixie said, is to revamp DNS servers so that so-called A records never map an IP address to a single-label address.

Their proposal would close the security hole, but as Ray suggests, it would come at considerable cost. One of the presumed reasons a group or corporation would be willing to spend $185,000 for a TLD such as “nike” or “bank” is to have a website or email address that uses that string alone as the domain name (think http://nike/ or marketing@nike, as opposed to http://www.nike.com or marketing@nike.com). If dotless addresses are eliminated from A records, that won't be possible.

There's no indication ICANN or the Internet Engineering Task Force will be able to enact such a sweeping change by January, when ICANN will start accepting applications for the new TLDs.

The means that members vetting the proposed names better act as if the Sword of Damocles is dangling over their heads. The network they destroy could very well be their own. ®

5 things you didn’t know about cloud backup

More from The Register

next story
6 Obvious Reasons Why Facebook Will Ban This Article (Thank God)
Clampdown on clickbait ... and El Reg is OK with this
So, Apple won't sell cheap kit? Prepare the iOS garden wall WRECKING BALL
It can throw the low cost race if it looks to the cloud
EE fails to apologise for HUGE T-Mobile outage that hit Brits on Friday
Customer: 'Please change your name to occasionally somewhere'
Time Warner Cable customers SQUEAL as US network goes offline
A rude awakening: North Americans greeted with outage drama
We need less U.S. in our WWW – Euro digital chief Steelie Neelie
EC moves to shift status quo at Internet Governance Forum
BT customers face broadband and landline price hikes
Poor punters won't be affected, telecoms giant claims
prev story

Whitepapers

5 things you didn’t know about cloud backup
IT departments are embracing cloud backup, but there’s a lot you need to know before choosing a service provider. Learn all the critical things you need to know.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Backing up Big Data
Solving backup challenges and “protect everything from everywhere,” as we move into the era of big data management and the adoption of BYOD.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?