Flawed DNS Table Hijacks Yahoo, Microsoft Traffic
Human error Saturday temporarily hijacked some of the traffic to the sites Yahoo.com and Microsoft.com (including MSN.com and a host of .NET sites), as well as some smaller sites, and showcased an issue that should have ISP executives waking up in a cold sweat.
Bermuda-based hosting company MyDomain.com said it inadvertently published an error-filled DNS table Saturday that redirected a fraction of Internet users seeking Yahoo.com or Microsoft.com -- and smaller sites like STARARCHIVE.com, a German site that compiles a database of contact information for thousands of celebrities -- to a MyDomain.com IP address for an "under construction" page. About 100,000 Internet users were affected, and the unexpected traffic crashed MyDomain.com's Web server until the company corrected the problem early Sunday morning.
"When it first started happening, our techs knew that something was wrong because all of a sudden we were getting traffic like we were under a waterfall," said MyDomain President Richard Lau. "At first we were thinking it was a denial-of-service attack, so we went down that road. It was a bit of a red herring. Then we found out that all these people were requesting domains that weren't resolving to our DNS."
Lau said the problem stemmed from customers who had entered erroneous domain forwarding information using MyDomain's online domain management system, though he said he did not think the mistakes were malicious. MyDomain.com normally keeps data from the management system in a holding bin -- where it sifts through the data for bogus IP addresses before updating its name servers -- but on Saturday the data was published without that filtering. The consequences of that error highlight a frightening possibility for large-scale intentional hijacking.
When an Internet user requests a Web page URL, www.yahoo.com for instance, the user's browser must convert that URL into an IP address, such as 18.104.22.168. To do that, an ISP's local name server contacts one of 13 root domain name servers, which tells it which primary and secondary name servers have the information about the requested URL. The local name server then contacts the primary name server, which supplies the information. If the primary name server doesn't have the information, the local name server repeats the process with the secondary name server. Once it has the IP address, the local name server passes it to the user's browser, which uses the IP address to contact the site.
That's how the process is supposed to work, but it can also be cumbersome and slow. To get around that problem, ISPs often construct DNS tables -- or use those of local hosting companies like MyDomain.com -- with the IP addresses of commonly requested URLs. The table sits on the local name server and bypasses the lookup process. However, that also means a URL can be matched with an incorrect IP address, sending users to a site other than the one they intended to visit. And name servers are not that difficult to set up, meaning a hacker could create a name server and hijack traffic from a local area.
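As an added illustration of the resolver behaviour the article describes (this is not code from the article or from MyDomain), a toy Python model: a naive local name server that trusts any DNS table it loads, beside one that accepts a record only from a server authoritative for the name's zone, plus the pre-publication audit a hosting company could run on its own table. All names, servers and addresses are constructed.

```python
# Added example (not from the article): toy model of a local name server that
# loads a third party's DNS table. All names, servers and addresses are
# constructed (RFC 5737 documentation address ranges).

# Constructed delegations: which name servers are authoritative for which zone.
DELEGATIONS = {
    "yahoo.com.": {"ns1.yahoo.com."},
    "microsoft.com.": {"ns1.microsoft.com."},
    "hostedsite.example.": {"ns1.mydomain.example."},
}

# Answer tables keyed by publishing server. The hosting company's table has
# bogus forwarding entries for names it does not control (the Saturday error).
SOURCES = [
    ("ns1.mydomain.example.", {
        "www.yahoo.com.": "198.51.100.7",
        "www.microsoft.com.": "198.51.100.7",
        "www.hostedsite.example.": "198.51.100.7",
    }),
    ("ns1.yahoo.com.", {"www.yahoo.com.": "192.0.2.10"}),
    ("ns1.microsoft.com.", {"www.microsoft.com.": "192.0.2.20"}),
]

def zone_of(name):
    # Closest enclosing delegated zone, found by stripping leading labels.
    labels = name.split(".")
    candidates = (".".join(labels[i:]) for i in range(len(labels)))
    return next((z for z in candidates if z in DELEGATIONS), None)

def is_authoritative(server, name):
    zone = zone_of(name)
    return zone is not None and server in DELEGATIONS[zone]

def resolve_naive(name, sources=SOURCES):
    # Trusts the first table with an answer, whoever published it.
    for _server, table in sources:
        if name in table:
            return table[name]
    return None

def resolve_checked(name, sources=SOURCES):
    # Accepts an answer only from a server authoritative for the name's zone.
    for server, table in sources:
        if name in table and is_authoritative(server, name):
            return table[name]
    return None

def out_of_bailiwick(server, table):
    # Pre-publication audit: entries this server has no authority to answer.
    return sorted(n for n in table if not is_authoritative(server, n))
```

Running `out_of_bailiwick` over a table before it is pushed to the name servers is the kind of check the holding-bin step described above is meant to provide.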
"The root of the problem is that people were asking us for the IP address of domains that we're not authoritative for," Lau said. "I guess the analogy I use is that if you were to put up a handwritten sign that says 'Head Office of Microsoft' out on your front door, and all of a sudden you've got a lineup of people wanting to see Bill Gates at your house, that doesn't make any sense. You're not authoritative for the head office of Microsoft, so what are these people even asking you if Bill Gates is living at your house for? We accept responsibility for having made an error, and we would expect that to affect our internal users or our customers, but to have affected a completely independent ISP? That ISP has something incorrectly set up or they're using software that is not resolving DNS properly."