Links

Ben Laurie blathering


Who Pwns The Internet?

Update: Ben Hyde suggested I should use the (undocumented) “concentrate” option to dot, which certainly tidies up the graphs. So I did.

A remark on the IETF DNS Working Group’s mailing list got me thinking.

Suppose I were the owner of nordu.net (to pick an example at random), then I could take control of sunet.se, for about 25% of Internet users, since one of their four nameservers is server.nordu.net. Similarly, I could then take control of ripe.net for 25% of those 25% (via sunic.sunet.se). One in seven of those guys could fall victim to my ownership of nic.fr via ns-sec.ripe.net, and from there I have complete control of fr (that is, France) – ok, by now, for only a bit under 1% of the Internet, but even so, that’s kinda worrying, don’t you think? And obviously if I own sunet.se then it would be more like 3.5%…

On the other hand, uk does not suffer from this problem: it depends only on nic.uk. Which seems like a much better idea. Anyway, I got to wondering just how bad this problem actually is, which led to me having more fun with dot. So, for a taster, here’s France’s dependencies…

France's dependencies

And here’s the UK’s

UK's dependencies

And here’s Fiji (I include this for Jasvir, who is getting married there soon, and ought to know the terrible risk he’s taking)

Fiji's dependencies

And all the top level domains put together

All TLDs' dependencies

So that one is pretty but a bit hard to digest. Obviously the main news is that there are a lot of domains which could interfere with one or more TLDs!

Another way to think about this is to wonder who could pwn the most TLDs? Well, the answer (after the root, of course) is that nstld.com, gtld-servers.net, com and net come in equal first with 228 TLDs pwnable. Next up is Afilias, through a variety of domains, including org and info, able to control 187 TLDs. After that comes se (Sweden) with 158 and nordu.net, sunet.se, chalmers.se, kth.se, uninett.no, uu.se, edu, no, norid.no, lth.se and uit.no, all able to have a go at 157 TLDs.

Food for thought. Especially if you’re thinking about DNSSEC.
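As an added example (not the post's own dot-generating script), here is a toy Python model of the analysis above: a constructed NS table stands in for real NS lookups, a zone is assumed to depend on the zone of each of its nameservers and on its parent zone, `ranking()` answers "who could pwn the most TLDs", and `naive_share()` reproduces the post's per-hop estimate for the nordu.net chain.

```python
# Added example (not Ben Laurie's script); NS below is constructed, not real data.
NS = {  # zone -> its nameserver hostnames (placeholder names, shaped like the post)
    "fr": ["a.nic.fr", "b.nic.fr"], "uk": ["ns1.nic.uk", "ns2.nic.uk"],
    "nic.fr": [f"{c}.nic.fr" for c in "abcdef"] + ["ns-sec.ripe.net"],  # 1 in 7
    "ripe.net": ["ns1.ripe.net", "ns2.ripe.net", "ns3.ripe.net", "sunic.sunet.se"],
    "sunet.se": ["ns1.sunet.se", "ns2.sunet.se", "ns3.sunet.se", "server.nordu.net"],
    "nordu.net": ["ns1.nordu.net"], "nic.uk": ["ns1.nic.uk"], "se": ["a.ns.se"],
    "net": ["a.gtld-servers.net"], "com": ["a.gtld-servers.net"],
    "gtld-servers.net": ["a.gtld-servers.net"],
}
TLDS = {z for z in NS if "." not in z}

def owning_zone(host):
    """Closest enclosing zone we have NS data for, else the hostname's TLD."""
    parts = host.split(".")
    suffixes = [".".join(parts[i:]) for i in range(len(parts))]
    return next((s for s in suffixes if s in NS), parts[-1])

def dependencies(zone):
    """Each nameserver's zone plus the parent zone (net can redelegate nordu.net)."""
    deps = {owning_zone(h) for h in NS.get(zone, [])}
    if "." in zone:
        deps.add(zone.partition(".")[2])
    return deps - {zone}

def depends_on(zone):
    """Transitive closure of dependencies(), zone itself included."""
    seen, stack = set(), [zone]
    while stack:
        d = stack.pop()
        if d not in seen:
            seen.add(d)
            stack.extend(dependencies(d))
    return seen

def ranking():
    """(domain, number of TLDs it could pwn), most dangerous first."""
    closure = {t: depends_on(t) for t in TLDS}
    nodes = set().union(*closure.values())
    counts = {d: sum(d in closure[t] for t in TLDS) for d in nodes}
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

def naive_share(chain):
    """The post's estimate for a chain like nordu.net -> ... -> fr: multiply the
    fraction of each zone's nameservers that sit under the zone before it."""
    share = 1.0
    for prev, z in zip(chain, chain[1:]):
        share *= sum(owning_zone(h) == prev for h in NS[z]) / len(NS[z])
    return share
```

With this table the ranking puts gtld-servers.net and net level at the top, se next and the nordu.net chain below, and the chain estimate comes out at 1/112, the "bit under 1%" of the post.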

10 Comments

  1. The comment on namedroppers was probably Matt Dempsky’s: http://shinobi.dempsky.org/~matthew/dnstrust/graphs/

    Comment by Adam Langley — 14 Jun 2009 @ 17:54

  2. Have you seen Matthew Dempsky’s similar graphs?

    http://shinobi.dempsky.org/~matthew/dnstrust/graphs/

    Comment by Tony Finch — 14 Jun 2009 @ 18:22

  3. I think your percentages are miscalculated. My understanding is that caches that load balance based on RTT will still periodically contact all name servers to keep their RTT estimates accurate. If you send the target cache a stream of queries for nonce domain names, one of them will eventually result in the cache contacting your malicious name server.

    Comment by Matthew Dempsky — 15 Jun 2009 @ 0:00

  4. I’m trying to convert that large graph to a PNG so I can print it out and hang it up.

    However, any SVG converter I’ve found crashes. Any ideas how to convert this image to a printable format? (I’ll check back on this comment page)

    Comment by Anonymous — 15 Jun 2009 @ 0:54

  5. The converter I used to make the thumbnails is rsvg.

    Comment by Ben — 15 Jun 2009 @ 15:10

  6. Does anyone know a way to convert that large SVG image? I’ve attempted with a couple of converters but I think the large size of the image is crashing them. I’d like to convert this to a printable format and hang it up somewhere (of course with the image owner’s permission)

    Comment by Ojones — 15 Jun 2009 @ 1:00

  7. Feel free to make a print.

    Comment by Ben — 15 Jun 2009 @ 15:10

  8. You suggest that if a site has 4 nameservers listed in DNS, and one of them can be compromised, then the attacker might be able to affect 25% of the site’s users. I wonder if a more clever attacker might be able to get that up to 100% of the site’s users, by DoSing the other 3 nameservers.

    Comment by David Wagner — 16 Jun 2009 @ 0:03

  9. djbdns’s dnscache has always randomly shuffled the order of name servers for every query. According to what documentation I can find on BIND, Unbound, and PowerDNS, they all use some combination of RTT and randomness to decide what name server to contact for each individual query. So sending 100 queries to a cache for distinct names within a zone has a good chance of hitting each name server at least once.

    Comment by Matthew Dempsky — 17 Jun 2009 @ 22:32

  10. […] LinksBen Laurie blathering « Who Pwns The Internet? […]

    Pingback by Links » Who Pwns The Internet? (Take 2) — 20 Jun 2009 @ 20:08
