Researcher Takes Over .IO Domain After Technical Blunder

A San Francisco-based security researcher was able to temporarily take over the majority of the nameservers handling .io web addresses last week, in an incident that highlights gaps in the Internet’s critical infrastructure.

Matthew Bryant, who conducts research on Domain Name System (DNS) security issues, said he was able to register four of the seven nameservers that handle traffic for the .io domain last week due to an error in a behind-the-scenes technical procedure.

Transition blunder

The issue occurred when NIC.IO, the organisation that handles technical matters for the .io top-level domain (TLD), partially outsourced operations to a third party called Afilias.

During the transition, four of the .io nameservers were mistakenly made available for anyone to purchase, according to Afilias.

Nameservers answer queries for a web address and direct the client to the server that holds it.

Security researchers have highlighted the danger posed by potential attacks on this infrastructure, known collectively as the Domain Name System (DNS), which can allow hackers to redirect users to malicious websites.

The system is also vulnerable to denial-of-service attacks, which can be used to knock large numbers of websites offline, as occurred in an incident last October when sites including Amazon, Spotify and Reddit became temporarily inaccessible.

Exposure

Bryant said he noticed several of the .io nameservers were available to buy, and purchased one as an experiment. Several days later he received a confirmation that the domain had been transferred to his control and that requests were being handled by his own test DNS nameservers.

After attempting to contact NIC.IO and the Internet Computer Bureau (ICB), the UK organisation that handles administrative matters for .io, and receiving an error message from NIC.IO, Bryant purchased the other three available domains in order to protect them from miscreants.

“At the very least this could no longer be exploited by any random attacker,” he wrote in a blog post.

Later in the day Bryant contacted NIC.IO via telephone and was given another email address to send a notification to, which resulted in his control of the four nameservers being revoked about 24 hours later.

Malicious traffic

During the time he was in control of the four nameservers Bryant said he made his DNS servers reject all requests, so that the requests would be handled by the three legitimate servers.

But an attacker could have profited from the mistake to redirect traffic to malicious content, Bryant noted.
“Given the fact that we were able to take over four of the seven authoritative nameservers for the .io TLD we would be able to poison/redirect the DNS for all .io domain names registered,” he wrote. “Since we have control over a majority of the nameservers it’s actually more likely that clients will randomly select our hijacked nameservers.”

Bryant said his servers received “gigabytes” in domain name requests.
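The risk described above is a dangling delegation: a zone's NS records point at hostnames whose parent domain no longer exists and can therefore be registered by anyone. The following added example (not code from the article or from Bryant) audits a delegation for that condition with a constructed, offline resolver; the zone, hostnames and RCODEs are invented stand-ins that mirror the four-of-seven situation the article describes.

```python
"""Flag nameservers in a delegation whose own registrable domain is NXDOMAIN,
and estimate what share of resolver queries would reach them if registered."""
from fractions import Fraction

# Constructed delegation for a hypothetical TLD: seven authoritative
# nameservers, four of them under a domain whose registration lapsed.
DELEGATED_NS = [
    "a.ns.registry-one.test", "b.ns.registry-one.test", "c.ns.registry-one.test",
    "ns1.old-operator.test", "ns2.old-operator.test",
    "ns3.old-operator.test", "ns4.old-operator.test",
]

# Constructed resolver table: RCODE returned when the apex of a domain is
# queried. Names absent from the table answer NXDOMAIN, i.e. unregistered.
FAKE_RCODES = {
    "registry-one.test": "NOERROR",
    # "old-operator.test" deliberately missing: it dropped out of the registry.
}

def lookup_rcode(name, rcodes=FAKE_RCODES):
    """Stand-in for a live NS query; swap in a real resolver call in practice."""
    return rcodes.get(name, "NXDOMAIN")

def registrable_domain(hostname, tld_labels=1):
    """Return the part of a hostname a registrar would sell.
    Assumes a single-label TLD; multi-label public suffixes need a suffix list."""
    labels = hostname.rstrip(".").split(".")
    return ".".join(labels[-(tld_labels + 1):])

def audit_delegation(ns_list, rcode_of=lookup_rcode):
    """Return the dangling NS hostnames and the fraction of the delegation they
    represent. Resolvers choose among delegated NS roughly at random, so that
    fraction approximates the share of queries a hijacked set would receive."""
    dangling = [ns for ns in ns_list
                if rcode_of(registrable_domain(ns)) == "NXDOMAIN"]
    share = Fraction(len(dangling), len(ns_list)) if ns_list else Fraction(0)
    return {"dangling": dangling, "hijackable_share": share}

if __name__ == "__main__":
    result = audit_delegation(DELEGATED_NS)
    for ns in result["dangling"]:
        print(f"WARNING: {ns}: parent {registrable_domain(ns)} is NXDOMAIN")
    print(f"share of queries reaching dangling servers: {result['hijackable_share']}")
```

With a real resolver plugged into `rcode_of`, the same check can run periodically against every zone an operator is responsible for, so a lapsed nameserver domain is caught before someone else registers it.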

.io is the country-code domain for the British Indian Ocean Territory, but is marketed as a home for high-tech companies and has more than 272,000 active addresses.

The transition to Afilias’ systems took place in June, meaning the servers were available for several weeks before Bryant spotted them, Afilias confirmed.

Afilias said upon being notified of the problem it reassigned and blocked the domains associated with ICB’s nameservers, according to an earlier report by The Register.

The company said it wasn’t aware of any issues arising from the “brief exposure”.

ICB and NIC.IO didn’t immediately respond to requests for comment.


Matthew Broersma

Matt Broersma is a long-standing tech freelancer who has worked for Ziff-Davis, ZDNet and other leading publications.
