Misdirected Net traffic still a mystery

Some security analysts say it's still unclear what really happened when a technology glitch redirected Internet traffic meant for Web sites run by Yahoo Inc., Microsoft Corp. and other companies to one owned by a Bermuda-based Web hosting and domain registration firm.

On Jan. 20, an estimated 100,000 Internet users trying to access various Web sites were instead routed to a page operated by MyDomain.com, which is part of a Hamilton, Bermuda, company called Global Internet Investments Inc. The traffic eventually caused MyDomain.com's Web site to crash.

MyDomain.com claims to host more than 350,000 Internet domains. Richard Lau, the company's president, said this week that the redirecting problem started with faulty entries in MyDomain.com's Domain Name System (DNS) table but was then compounded by misconfigured systems run by various Internet service providers.

"Our situation reveals a massive flaw in some DNS resolution server software being used by some ISPs," Lau said, asserting that the prospect of an incorrect setting at MyDomain.com affecting other service providers on its own "goes against all fundamentals."

But while Internet service providers may indeed bear some fault, the incident also appears to have been the result of MyDomain.com taking advantage of a well-known DNS vulnerability, said Ryan Russell, an incident analyst at the SecurityFocus.com online bulletin board and security information portal in San Mateo, California. By putting the bulk of the blame on unnamed service providers, Russell said, MyDomain.com is "trying to . . . save face a little bit."

When a user enters a Web site address into a browser, the address must first be translated into a numeric IP address. That request goes to a resolver, usually one run by the user's Internet service provider, which in turn queries the authoritative name servers for the domain; those servers, many of which are distributed around the world, hold the official records for the names they are responsible for. To speed up the process, Lau said, some service providers construct DNS tables containing the IP addresses of commonly requested Web addresses or use DNS lists belonging to hosting companies such as MyDomain.com.

Because of human error, Lau said, MyDomain.com's DNS list became corrupted Jan. 20 and incorrectly redirected users to its own servers instead of the Web addresses they had requested. But the problem wouldn't have been so bad if Internet service providers had used the appropriate name servers instead of relying on data provided by MyDomain.com's DNS table, Lau claimed.

However, Russell said MyDomain.com may have had a hand in encouraging Internet service providers to do that, based on information that SecurityFocus.com received from an employee at the company. By taking advantage of the DNS vulnerability, he said, MyDomain.com appears to have actively presented itself as a sort of name server authority to users who visited the domains it hosts.

That may have contributed to the incident, Russell said, although he noted that service providers also are responsible for making sure holes such as the DNS vulnerability are closed in the first place.

In addition, it appears that some of the mapping information in MyDomain.com's DNS tables shouldn't have been there because it doesn't belong to the company, said Russ Cooper, an analyst at security consulting firm TruSecure Corp. in Reston, Virginia.
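The article does not name the DNS weakness Russell and Cooper are describing, only its effect: a hosting company's name server handed out address records for names it does not control, and service-provider resolvers accepted and cached them. The standard resolver defence against that is to keep only records that fall inside the zone the responding server actually speaks for (a "bailiwick" check) and discard the rest. The following Python is an added example written for this page, not code from MyDomain.com, SecurityFocus or any ISP; the assumption that this check is the relevant one is the editor's, and the zone name hosted.example, the addresses 198.51.100.x and the sample reply are all constructed.

```python
"""Bailiwick check on DNS reply records (added example, not from the article).

Assumption: a resolver that blindly caches every record in a reply is the
failure mode the analysts describe.  Zone names and addresses are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class RR:
    """One resource record: owner name, type, and rdata (address or NS host)."""
    name: str
    rtype: str
    data: str


@dataclass
class Response:
    """A parsed DNS reply, split into its three record sections."""
    question: str
    answer: List[RR] = field(default_factory=list)
    authority: List[RR] = field(default_factory=list)
    additional: List[RR] = field(default_factory=list)


def normalize(name: str) -> str:
    """Lower-case and make absolute so comparisons are exact: 'Foo.COM' -> 'foo.com.'."""
    return name.lower().rstrip(".") + "."


def in_bailiwick(owner: str, zone: str) -> bool:
    """True if owner is the zone itself or a name beneath it.  The leading dot
    keeps the match label-aligned, so 'evilhosted.example.' is not under
    'hosted.example.'."""
    owner, zone = normalize(owner), normalize(zone)
    return owner == zone or owner.endswith("." + zone)


def cacheable_records(resp: Response, zone: str) -> Tuple[List[RR], List[RR]]:
    """Split a reply into records the responding server may speak for (kept)
    and records about other people's names (dropped)."""
    kept, dropped = [], []
    for rr in resp.answer + resp.authority + resp.additional:
        (kept if in_bailiwick(rr.name, zone) else dropped).append(rr)
    return kept, dropped


class Cache:
    """Minimal resolver cache keyed on (owner name, record type)."""

    def __init__(self) -> None:
        self._rrs: Dict[Tuple[str, str], Set[str]] = {}

    def add(self, rr: RR) -> None:
        self._rrs.setdefault((normalize(rr.name), rr.rtype), set()).add(rr.data)

    def lookup(self, name: str, rtype: str) -> List[str]:
        return sorted(self._rrs.get((normalize(name), rtype), ()))


# Constructed sample: the zone delegated to a hypothetical hosting company.
HOSTER_ZONE = "hosted.example."
HOSTER_IP = "198.51.100.10"

# Constructed reply from the hoster's name server to a query for one of its
# own customers' sites.  The additional section also carries A records for
# third-party names, all pointing at the hoster's own address.
SAMPLE_RESPONSE = Response(
    question="www.hosted.example.",
    answer=[RR("www.hosted.example.", "A", HOSTER_IP)],
    authority=[RR("hosted.example.", "NS", "ns1.hosted.example.")],
    additional=[
        RR("ns1.hosted.example.", "A", "198.51.100.1"),  # legitimate glue
        RR("www.yahoo.com.", "A", HOSTER_IP),            # not the hoster's name
        RR("www.microsoft.com.", "A", HOSTER_IP),        # not the hoster's name
    ],
)


def naive_cache() -> Cache:
    """Resolver that trusts every record in the reply (the failing behaviour)."""
    cache = Cache()
    for rr in SAMPLE_RESPONSE.answer + SAMPLE_RESPONSE.authority + SAMPLE_RESPONSE.additional:
        cache.add(rr)
    return cache


def checked_cache() -> Cache:
    """Resolver that caches only records inside the responding server's zone."""
    cache = Cache()
    kept, _dropped = cacheable_records(SAMPLE_RESPONSE, HOSTER_ZONE)
    for rr in kept:
        cache.add(rr)
    return cache


if __name__ == "__main__":
    for label, cache in (("naive", naive_cache()), ("checked", checked_cache())):
        print(f"{label:8s} www.yahoo.com A -> {cache.lookup('www.yahoo.com', 'A')}")
```

With the naive cache, a later lookup of www.yahoo.com returns the hoster's address, which is the misdirection the article reports; with the bailiwick check, the cache has no entry for that name and the resolver has to ask the real authority for yahoo.com. The check is cheap, and it is the resolver operator's responsibility, which is the point Russell makes about service providers closing the hole on their side regardless of what a hosting company publishes.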
