Domain hijacking, InterNIC loopholes
While filling in details for modification of my domain (dxm.org) I realised that I haven't seen much written on domain hijacking. We all know about mail spoofing, which let's you pretend you're someone else. Mail spoofing is one-way - you can send, but not receive. This is the same with IP spoofing, where you pretend to be a trusted machine, but again you can send but not receive. Unlike IP spoofing, which can lead to major security breaks (you can become root on someone else's machine), domain hijacking is not so much a security issue as a commercial one. Domain hijacking uses loopholes in InterNIC domain registration procedures to completely take over a domain, allowing you to send and receive e-mail, and other traffic such as ftp/www. As I haven't seen this explained, and have seen no warnings for sysadmins, here goes: To do 'IP hijacking' (receive packets as well as send) you will need to modify routing tables all over the place, where you're not likely to have access. To do domain hijacking, you would need to modify DNS entries in several nameservers, to which again you're not likely to have privileged access. On the other hand, if you could associate an existing domain with a nameserver you _do_ control (root access on any machine connected to the Net is enough for this), your lack of access to the present nameservers would become irrelevant. So, 1. set up a nameserver on your machine, with address, cname or MX records as required for the victim domain address - victim.com. You can do fancy things with nslookup on victim.com's existing nameservers to find out what's required. Make sure the MX, address and cname records in your machine point to machines under your control. 2. send a modify domain mail to hostmaster@internic.net, with your machine as nameserver replacing any existing ones. The InterNIC has no authentication procedures for normal hostmaster requests, so your modification will get processed. 3. Ta DA! Wait for InterNIC to update its records and broadcast changes to other nameservers. From then on, a lookup for victim.com will go to ns.internic.net, find that ns.evil.org is the nameserver, and send all mail to @victim.com to victim.evil.org, route traffic to www.victim.com to www.evil.org, whatever you want. This is not a security risk? No. But, to quote a delightfully low-key document from InterNIC, "[such] an unauthorized update could lead a commercial organization to lose its presence on the Internet until that update is reversed." Ah. But that update will be reversed only when victim.com's sysadmins realise what's happened. If evil.org is clever enough, it will not halt the mail flow, but forward everything on to victim.com (after keeping a copy, of course). It could act as a proxy server to www.victim.com, accessing all URLs (using victim.com's real IP address) on demand and relaying them to browsers who are actually looking at www.evil.org. And so on. Unless victim.com's admins are particularly observant, they may not notice a thing. How many sysadmins out there do what victim.com could have done? I.e. run nslookup on victim.com regularly to check that the nameservers listed are as they should be, and if they're not, to immediately send a new update to InterNIC? Not many, I believe. On the other hand I know no case of domain hijacking actually taking place. But I don't know specific instances of WWW credit card fraud either. That delightful InterNIC document I mentioned is the draft paper on the InterNIC Guardian Object, first out in November 1995, latest version out earlier this month. It's an internal InterNIC proposal for a "Guardian Object" which would guard any other object (such as a domain name, or individual, or hostname, or even another guardian). It would allow a range of authentication methods, from none (very clever) and MAIL-FROM (easy to spoof) to CRYPT (1-way hash, like Unix passwd) and PGP (using public keys stored at InterNIC). All domain and other templates will be changed to work with guardians. The procedures in the original draft looked easy enough; the latest ones are formidable. Incidentally, this draft appeared two months after the InterNIC started charging. The wonders of the profit motive. Rishab ps. I'm not quite back on the Cypherpunks list yet, so please Cc responses you feel are important to me at rishab@dxm.org. pps. I quite forgot. The URL for the latest Guardian Object draft: ftp://rs.internic.net/policy/internic/internic-gen-1.txt
Rishab wrote:
On the other hand I know no case of domain hijacking actually taking place.
I do. The sysop at colossus.net told me this very thing happened to him last fall. I just can't believe this process is automated - I wonder what would happen if someone hijacked internic.net! Regards, Bob Rankin (BobRankin@MHV.net)
This is not a security risk? No. But, to quote a delightfully low-key document from InterNIC, "[such] an unauthorized update could lead a commercial organization to lose its presence on the Internet until that update is reversed."
Ah. But that update will be reversed only when victim.com's sysadmins realise what's happened. If evil.org is clever enough, it will not halt the mail flow, but forward everything on to victim.com (after keeping a copy, of course). It could act as a proxy server to www.victim.com, accessing all URLs (using victim.com's real IP address) on demand and relaying them to browsers who are actually looking at www.evil.org. And so on. Unless victim.com's admins are particularly observant, they may not notice a thing.
That delightful InterNIC document I mentioned is the draft paper on the InterNIC Guardian Object, first out in November 1995, latest version out earlier this month. It's an internal InterNIC proposal for a "Guardian Object" which would guard any other object (such as a domain name, or individual, or hostname, or even another guardian). It would allow a range of authentication methods, from none (very clever) and MAIL-FROM (easy to spoof) to CRYPT (1-way hash, like Unix passwd) and PGP (using public keys stored at InterNIC). All domain and other templates will be changed to work with guardians. The procedures in the original draft looked easy enough; the latest ones are formidable.
Incidentally, this draft appeared two months after the InterNIC started charging. The wonders of the profit motive.
The InterNIC Guardian Object Draft has been made publicly available to the Internet community for comments. As mentioned, the URL is: ftp://rs.internic.net/policy/internic/internic-gen-1.txt We welcome any comments or suggestions you might have about this draft. The InterNIC has made siginificant improvements to the draft over the past several months based on public comments. Eric Eden erice@internic.net
I don't think Domain hijacking is a terribly big threat. First of all, the modification process insn't fully automated. Second of all, it takes several weeks for the changes to go through. Before the changes go through, the internic sends out mail to a bunch of people, including all previous administrators and administrators of all domains which contain old or new nameservers. Thus, I'd say the domain modification process is slightly more secure than First Virtual :-) :-) :-). It relies on the security of the network routers and existing nameservers, and requires one or more active attacks or viruses to defeat. Probably your best is to wait for as many as possible of the relevant sysadmins to go on vacation, and then mail-bomb them rest so hard they end up not reading all of their real E-mail. Then again, there's always the possibility that the domain administrator knows how to use procmail... David
David Mazieres wrote:
I don't think Domain hijacking is a terribly big threat. First of all, the modification process insn't fully automated. Second of all, it takes several weeks for the changes to go through. Before the
My new ISP got the domain modified in a day, or so. The proces _is_ automated, as long as you follow the template perfectly.
changes go through, the internic sends out mail to a bunch of people, including all previous administrators and administrators of all domains which contain old or new nameservers.
More to the point, the InterNIC informs all the major nameservers (such as ns.nasa.gov and all those that mirror ns.internic.net). Obviously. Without that, how would anyone know where to find your domain (even if 'hijacked')? But I never did say domain hijacking was a security threat - unlike spoofing, this can't in itself compromise your systems. But, as the InterNIC admits, it can have "serious consequences" on commercial organisations, for whom the loss of net presence for even a day could be considerable.
Thus, I'd say the domain modification process is slightly more secure than First Virtual :-) :-) :-). It relies on the security of the network routers and existing nameservers, and requires one or more active attacks or viruses to defeat. Probably your best is to wait
You obviously didn't get the point. There are no routers involved at all, or even nameservers. The Internet domain registry structure (unlike much else) is strictly hierarchic - the InterNIC is the source of all. Modify the InterNIC record, and the new record is official, and will be promptly accepted by all the nameservers that bother to track these things.
for as many as possible of the relevant sysadmins to go on vacation, and then mail-bomb them rest so hard they end up not reading all of their real E-mail. Then again, there's always the possibility that the domain administrator knows how to use procmail...
Again, whether the sysadmin eventually catches on is not the point. Unless the hijacker is exceptionally sophisticated (by, for example, not interrupting but only intercepting web and mail traffic) and the victim exceptionally stupid, the truth will be known soon. But perhaps not soon enough for, say, Hotwired or Yahoo who can't afford to go down. To drive my point home: suppose the owners of www.howtired.com (yes, it does exist) were to hijack hotwired. Further suppose that they mirrored (or otherwise replicated) hotwired's content, displaying it to users with some nasty changes, and filtering out all complaint mail. One assumes HotWired's admins are savvy enough to think of this, but you never know, and if they took a few days or more over fixing it, it would not be nice for them. Of course, their lawyers wouldn't make it nice for howtired either, if they had their address, and it wasn't in ... China! Rishab
participants (5)
-
Bob Rankin -
David Mazieres -
Eric Eden -
Rishab Aiyer Ghosh -
rishab@dxm.org