The original White Hat
[index][src]

Mon May 19 21:23:58 UTC 2008

Which Internet are you using?

--

Are you using the Internet that ICANN thinks you are?

Or are you using an Internet that is … slightly different?

Site Finder

Back in September 2003, VeriSign started up their Site Finder service, which redirected any unregistered queries in .com and .net to their advertising portal search website. Not only did this push VeriSign's website traffic up (from ~ 2500th place to the top 10, according to Alexa ), but it also broke the expected DNS behaviour as per RFCs, and damaged connectivity for anything using the Internet for non-website traffic (i.e. email, FTP, etc)

After strong industry pressure and formal communication from ICANN, the service was discontinued in October 2003. During that time, the Internet you were seeing was not the same as the Internet that ICANN expected you to see.

YouTube Hijack

On February 24th 2008, Pakistan Telecom decided to block access to YouTube.com for its customers, by announcing a change to the network routing tables that should have affected only its own customers. However, the BGP announcement message was not blocked by their upstream ISP, and leaked out. It reconfigured pretty much all of the Internet within a minute, and took YouTube metwork administrators almost one and a half hours to regain control. The upstream ISP for Pakistan Telecom stopped their faulty announcements about 30 minutes after that.

During this time, people trying to access YouTube.com's website would have instead seen a Pakistan Telecom website. See http://www.ripe.net/news/study-youtube-hijacking.html for a nice description of the event.

The old L DNS Root Server

The “L” Root DNS server (there are 13 root DNS servers on the Internet) was originally set up in a network owned by Bill Manning and later on control was passed to ICANN. When they took control they didn't change the IP address of the server (this isn't an easy task); but decided to do so in November 2007 (See a fuller description at The Register)

In order for this change to succeed, nearly every machine on the Internet needs to be updated, and there is no way that can happen quickly (or indeed, at all). So we know that some machines will continue to send requests to the old non-existant server; this is not a problem, as they will be able to retry the other servers almost immediately.

However, things are not completely clear-cut. Bill Manning (who owns the old address block) had set up some monitoring services, trying to see who was still accessing the old service (see http://www.caida.org/workshops/wide/0611/slides/manning-wide0611.pdf for some of his older research) and this was eventually noticed by other Internet technicians; but they didn't know why this had been done. An entry on the Renesys blog paints the picture of a hostile takeover of the old L server, and speculates about the type of damage that be caused by it.

So, in this case, there was no attack on the Internet – but the techniques used for legitimate research could easily be abused …

Your ISP

Do you know what your own ISP is doing to your Internet traffic? For home user services, it is increasingly unlikely that you are actually connected to “the Internet” at all, as they deploy transparent HTTP proxies (to cut down on upstream traffic), traffic shaping (to reduce the load from P2P software, or to damage competing VoIP services), and prevent outgoing SMTP (to reduce the impact of botnet infected user PCs).

This sort of segregation is often carried out without announcement, and can cause both actual service problems, and frustration on the part of technicians trying to fix them. But I suspect that it is the future of home connectivity – if you want real “raw” Internet, you will probably have to purchase it as a premium service.

blog comments powered by Disqus --