InterNIC Who?

In protest of InterNIC's claim to ownership of domains it manages, AlterNIC took control of the Internet's main domain-name registry this weekend. InterNIC is now pondering a response.

"Should we kidnap www.whitehouse.gov?"

That was the topic of discussion at Eugene Kashpureff's coffee table Tuesday morning. While holding InterNIC - the registry for the most popular top-level domains on the Net, such as .com and .org - hostage for 120 hours, Kashpureff had essentially taken InterNIC's Web site off the Net and replaced it with his own AlterNIC.

Meanwhile, all is quiet at InterNIC. Aggie Nteta, spokeswoman for Network Solutions Inc. - InterNIC's current government-appointed keepers - said, "I can't really speculate - we're still evaluating the situation, but hopefully [a decision] will be made soon."

Nteta said that last weekend's spoof appeared to have ended on Monday morning, but even Wednesday afternoon some name servers still resolve www.internic.net to www.alternic.net.

AlterNIC, an alternative domain registry that does not follow the government-appointed mandates for TLDs, has pulled domain pranks before - such as propagating AlterNIC sites to the Net like www.per earlier this summer. But this week's hack, which redirects someone else's domain, tops even that.

George Herbert is one of three security consultants who Kashpureff says have done a full analysis of the hack. "All three of them have the common sense to just shut up," said Kashpureff. "If they're not awed by what I've done - by the algorithm itself - they're horrified by it."

"What Eugene has done," said Herbert, "is hack the response packets to DNS queries to his server."

The Domain Name System is the Net's method for turning host names - such as www.website.com - into their respective Internet Protocol addresses. There is no one central authority for providing this information; like many of the Net's protocols, it is distributed across thousands of name servers, which provide the Net with information about local domains.

When you request a host - such as when using the Web - your computer must first query a name server to obtain that host's IP address. But when the server replies with the domain record in question, there is room for an additional record to be sent, said Herbert. "The intent behind additional records is to put things like the IP addresses of name servers in the first query," he said. This allows for an efficient means of accessing the proper name server should further queries for that domain be made.

However, he said, nearly all DNS clients - such as those on a typical netizen's computer - accept this information as valid and save it without checking it first.

This tacked-on information can be records that have nothing to do with the actual query that was sent - in fact, information can be pushed out involving any TLD imaginable, without having an entry in the world's global root name servers. Or, as Kashpureff has demonstrated with InterNIC, current domains can be redirected to anywhere else.
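The acceptance behaviour Herbert describes, next to a stricter bailiwick check, as an added example that is not part of the original article or any name server's code. The record values, the addresses (documentation ranges) and the function names are constructed for illustration, and the resolver is assumed to know which zone it asked the server about.

```python
from typing import NamedTuple

class RR(NamedTuple):
    name: str   # owner name of the record
    rtype: str  # record type: "A", "NS", "CNAME", ...
    data: str   # address or target name

def norm(name):
    """Lower-case and drop the trailing dot so equal names compare equal."""
    return name.rstrip(".").lower()

def in_bailiwick(name, zone):
    """True if name is the zone itself or a subdomain (label-boundary match)."""
    name, zone = norm(name), norm(zone)
    return name == zone or name.endswith("." + zone)

def naive_accept(answer, authority, additional):
    """The behaviour described above: every record in the reply is cached."""
    return list(answer) + list(authority) + list(additional)

def hardened_accept(zone, answer, authority, additional):
    """Cache only records the queried server can legitimately speak for."""
    kept = [rr for rr in list(answer) + list(authority) if in_bailiwick(rr.name, zone)]
    # Additional records are kept only as glue: the owner must be the target
    # of a kept NS/CNAME record and must itself lie inside the queried zone.
    targets = {norm(rr.data) for rr in kept if rr.rtype in ("NS", "CNAME")}
    kept += [rr for rr in additional
             if norm(rr.name) in targets and in_bailiwick(rr.name, zone)]
    return kept

# Constructed sample reply to a query for www.alternic.net (not captured traffic).
ZONE = "alternic.net"
ANSWER = [RR("www.alternic.net", "A", "192.0.2.10")]
AUTHORITY = [RR("alternic.net", "NS", "ns1.alternic.net")]
ADDITIONAL = [
    RR("ns1.alternic.net.", "A", "192.0.2.53"),      # glue for the NS above
    RR("www.internic.net", "A", "192.0.2.10"),       # unrelated to the query
    RR("ns1.notalternic.net", "A", "198.51.100.7"),  # shares a suffix, not a subdomain
]

if __name__ == "__main__":
    for rr in hardened_accept(ZONE, ANSWER, AUTHORITY, ADDITIONAL):
        print(rr)
```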

Some, such as Paul Vixie, say that this was an old hack waiting to happen; Vixie said he published a document a few years ago describing it, and said that it can be fixed by simply upgrading to a more recent version of Berkeley Internet Name Domain (BIND), the name-server software most commonly used on Unix systems.

The attack is a protest, Kashpureff said, of Network Solutions' claim to ownership of the TLDs it currently manages. "Who's to say for the people of the world that .gov should belong to the US government?" asks Kashpureff. "Why should .mil belong to the US military? I'm not a warmonger, but why can't all the warmongers of the world have their own domain that we can filter out?"

Always one to skirt the edge of legality, he believes that the attack breaks no laws: "Every minute that goes by, they lose their legal ground to stand on," he said, "due to the fact that I've received zero requests to turn this thing off! They know I'm doing it - it's been reported in the media and I've got hit logs of just about every one of the internal Network Solutions machines coming through my pages. It's their duty, legally, to at least ask me to stop if they've found something wrong."

But even if a cease-and-desist letter does come, he said, the damages amount to nil. It isn't a complete denial-of-service attack because alternate links - such as http://internic.net/ - still work, and a link to it exists on the redirected page. Besides, he said, he has yet to receive a user complaint. Network Solutions' silence on the matter is indicative of its fear, Kashpureff said. "It's not hard to tell the reason behind that - the more they talk, the more of a news story it's going to become," he said. "If Network Solutions gets me, I'm going to become a bigger martyr than Phil Zimmermann."

Others believe that Kashpureff has made a grave mistake.

"I think he's going to get charged with violations of the federal computer crime act, and odds are that MCI and Sprint, his upstreams, will disconnect him once they identify that the investigation shows he really did it," said Herbert. "It was a really, really dumb thing for Eugene to do."

Now that details of the technique are available and that nearly all machines on the Net are vulnerable, Herbert is waiting for a flood of DNS forgeries to begin.

"I'm truly demonstrating the power of what it is that we can do," said Kashpureff. "We can literally go down through the top 100 Web sites and switch them one-for-one, finding the best match - we can have all kinds of fun with this thing. I can take China off the air if I choose to do so."