[dns-operations] renesys blog: Identity Theft Hits the Root Name Servers

Daniel Karrenberg daniel.karrenberg at ripe.net
Mon May 26 08:03:34 UTC 2008


On 23.05 08:24, Duane Wessels wrote:
> 
> 
> On Fri, 23 May 2008, Daniel Karrenberg said:
> 
> >Again: What is the real extent of this problem?
> >...
> 
> I guess for me there is another very important aspect to this
> problem.  In this case, multiple third parties were able to announce
> routes for the root server address and receive queries.  According
> to what Robert Edmonds showed us, AS 42909 was announcing 198.32.64.0/24
> from 2007-12-15 until 2008-05-17.  Five months and nobody noticed!
> 
> Now granted this was the old address and they were answering honestly,
> but the stream of query data they received has huge value to people
> in the DNS monetization business (and others).

Point taken. 

The route hijacking problem exists in general; see recent YouTube
issues.  Of course renesys is pointing it out repeatedly all for their
own legitimate business reasons. But one should not exaggerate it either.

As Randy has pointed out earlier in this thread the detection problem
has been studied and solved.  Even in the face of anycasting it is not
that hard.  I believe Renesys has products that can help.  The RIPE NCC
also has something that can help:

	http://www.ris.ripe.net/myasn.html

Acting on detection is mostly manual work with ISPs. This will remain
so until the ISP community have come around to more tight provisioning
and routing practices.  Trying to fudge this by introducing "platinum"
prefixes will not really help with that problem.  Imho it would just
create more obvious targets. 

Daniel


