Dud queries swamp US Internet Root servers

Security Alert


Broken queries are swamping US Internet servers with unnecessary traffic. A detailed analysis of 152 million messages received on Oct. 4, 2002 by one of the root servers in California showed that only 2 per cent of the queries were legitimate.

The Cooperative Association for Internet Data Analysis (CAIDA) at the San Diego Supercomputer Center (SDSC) which conducted the research is trying to understand why the roots get so many broken queries from Internet service providers.

DNS root servers provide a critical service to Internet users by mapping text host names to numeric Internet Protocol (IP) addresses. The 13 roots are operated by a mix of volunteers and U.S. government agencies. The U.S. Department of Commerce is the agency responsible for managing the root system which serves most Internet users.

"If the system were functioning properly, it seems that a single source should need to send no more than 1,000 or so queries to a root name server in a 24-hour period," said CAIDA researcher Duane Wessels. "Yet we see millions of broken queries from certain sources."

CAIDA researchers speculate that 70 per cent of the bad requests are due to misconfigured packet filters, firewalls, or other security mechanisms intended to restrict network traffic. Twelve per cent of the illegitimate traffic however could not be explained and was for nonexistent top-level domains, such as ".elvis", ".corp" and "localhost".

.elvis is alive and well and living in an Alternative Root Universe

CAIDA’s results are no surprise to Bradley Thornton, a root server operator at PacificRoot and director of the Top Level Domain Association, an organization of domain operators. He operates the “.corp” alternative TLD for the business community.

The "localhost" queries are to be expected, he says. A computer can have many names - but all computers use "localhost" on the Internet as the host name of the local loopback interface. "The localhost naming convention is an Internet standard and the localhost errors represent misconfigured DNS settings at the user or ISP level,” he says. The rest of the "nonexistent" illegitimate traffic is a vote of confidence in the "inclusive namespace" (i.e. alternative TLDs) which Thornton helped pioneer.

"There may only be one Internet," explains Thornton, "but we now have many namespaces and that’s confusing the legacy root system." Top-level domains in the U.S. roots include country codes such as ".uk" for England, ".ca" for Canada, or ".us" for the United States, as well as generic domains such as ".com", ".net", and ".edu". There are some 300 top level domains in the US root but inclusive namespace has over 10,000 listed.

Thornton thinks that inclusive namespace user activity is the cause of much of the rogue traffic. "Anytime one of our users publishes a URL from our namespace or any namespace in email or via the web that link becomes available to potentially millions of U.S. root users. When those users clicks one of our URLs a query is generated."

This explains the dud traffic discovered by CAIDA, he says. In the inclusive namespace universe ".corp" is a busy top level domain and Thornton speculates that ".elvis" is alive and well and living in some unknown root system heaven.

According to KC Claffy, a resident research scientist at CAIDA, traffic originating from the inclusive namespace system is “likely part” of the results. But Wessels, the project leader, emphasized “there was not much evidence of alternative (inclusive namespace) TLDs” in the data collected.

Thornton disagrees: "the data clearly shows we’re having an effect." A TLD only needs an average of 10,000 hits in the root to show significant activity based on the CAIDA data of 3 million legitimate queries for 300 listed TLDs, he argues.

"CAIDA reports that “.corp” got 51,000 queries and that's very significant evidence,” he says. ®

Joe Baptista is involved in the running of dot-god.com, the "official domain registry for web addresses ending in .god and .satan".

Related Link

CAIDA Press Release


Other stories you might like

  • Cheers ransomware hits VMware ESXi systems
    Now we can say extortionware has jumped the shark

    Another ransomware strain is targeting VMware ESXi servers, which have been the focus of extortionists and other miscreants in recent months.

    ESXi, a bare-metal hypervisor used by a broad range of organizations throughout the world, has become the target of such ransomware families as LockBit, Hive, and RansomEXX. The ubiquitous use of the technology, and the size of some companies that use it has made it an efficient way for crooks to infect large numbers of virtualized systems and connected devices and equipment, according to researchers with Trend Micro.

    "ESXi is widely used in enterprise settings for server virtualization," Trend Micro noted in a write-up this week. "It is therefore a popular target for ransomware attacks … Compromising ESXi servers has been a scheme used by some notorious cybercriminal groups because it is a means to swiftly spread the ransomware to many devices."

    Continue reading
  • Twitter founder Dorsey beats hasty retweet from the board
    As shareholders sue the social network amid Elon Musk's takeover scramble

    Twitter has officially entered the post-Dorsey age: its founder and two-time CEO's board term expired Wednesday, marking the first time the social media company hasn't had him around in some capacity.

    Jack Dorsey announced his resignation as Twitter chief exec in November 2021, and passed the baton to Parag Agrawal while remaining on the board. Now that board term has ended, and Dorsey has stepped down as expected. Agrawal has taken Dorsey's board seat; Salesforce co-CEO Bret Taylor has assumed the role of Twitter's board chair. 

    In his resignation announcement, Dorsey – who co-founded and is CEO of Block (formerly Square) – said having founders leading the companies they created can be severely limiting for an organization and can serve as a single point of failure. "I believe it's critical a company can stand on its own, free of its founder's influence or direction," Dorsey said. He didn't respond to a request for further comment today. 

    Continue reading
  • Snowflake stock drops as some top customers cut usage
    You might say its valuation is melting away

    IPO darling Snowflake's share price took a beating in an already bearish market for tech stocks after filing weaker than expected financial guidance amid a slowdown in orders from some of its largest customers.

    For its first quarter of fiscal 2023, ended April 30, Snowflake's revenue grew 85 percent year-on-year to $422.4 million. The company made an operating loss of $188.8 million, albeit down from $205.6 million a year ago.

    Although surpassing revenue expectations, the cloud-based data warehousing business saw its valuation tumble 16 percent in extended trading on Wednesday. Its stock price dived from $133 apiece to $117 in after-hours trading, and today is cruising back at $127. That stumble arrived amid a general tech stock sell-off some observers said was overdue.

    Continue reading

Biting the hand that feeds IT © 1998–2022