2 attacks on Top-Level-Domain registries

There were two successful attacks on TLD registries in the past week, i.e. on the organizations that manage a top-level domain.

Attack on Gandi

On July 7 attackers took over more than 750 domains managed by one of Gandi's partners, so that the domains served a web page with malware instead. The attack did not target the websites or web servers themselves, but the domain name service of one Gandi partner. According to a statement by Gandi, the attacker did not get access to any server or system managed by Gandi itself, as only domains from that one partner were affected.

It is worth pointing out that the attack itself went unnoticed. Only after Gandi had received a notice could they start an investigation. 2 hours after the notice, Gandi restored all DNS data to the version before the attack. Due to the structure of the domain name system it took up to 12 hours for individual domains until all changes had been corrected worldwide.

Attack on .IO

In fact, this was not a real attack but rather a test by a security expert. The registrar of the top-level domain .IO handed over the TLD to Afilias, who are in charge of .COM, .NET or .ORG. Usually this step transfers all main DNS servers for the TLD to the new registry; in this case, the previous registry decided to keep control of 3 of the DNS servers managing the .IO TLD.

While testing a program, the security expert queried multiple domains, including the .IO DNS servers, and was rather surprised to receive replies that some of these domains were free for registration. He tried to register them and was surprised again when his registration succeeded after a few minutes: with this, he owned the domain names of the .IO main DNS servers.

He immediately tried to contact the registry, but received only automated responses. Finally, he tried by telephone, but was only told to send his complaint to a specific email address. To force a reaction, he disabled the name servers that had been assigned to him, so that requests to .IO domains were no longer answered.

It took about 24 hours for Afilias to notice, cancel the registration and re-activate all DNS servers. The potential danger was immense: an attacker would have been able to redirect all .IO domains to a malware server and thus infect millions of PCs with malicious software.

In a statement, Afilias said that usually all DNS servers of a TLD are handed over to the new registry. Therefore, the "attack" was only possible because the previous .IO registrar wanted to keep access to some of the main DNS servers.
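Both incidents were found late: Gandi only learned of the rewritten nameservers from an outside notice, and the .IO registrar needed the name servers to go dark before reacting. The following is an added example (not code from the original post, from Gandi or from Afilias) of two defender-side checks that would have surfaced each case earlier: a nameserver-drift check that compares the NS records published for your own domains against a stored baseline, and a dangling-delegation check that flags nameserver hosts whose parent domain is not itself delegated, which is the state that let the .IO nameserver names be registered. The zone data, domain names and baseline below are constructed for the example; the `lookup` callable is an assumption that in production would wrap a real resolver (for instance dnspython), and `registrable_domain` assumes single-label TLDs rather than consulting the public suffix list.

```python
"""Delegation hygiene checks: NS drift (Gandi case) and dangling nameserver
parents (.IO case). Added example with constructed data; the lookup callable
stands in for a real DNS resolver."""
from typing import Callable, Dict, Iterable, List, Set

# A lookup maps a zone name to the set of NS hostnames published for it
# (empty set if the name has no delegation, i.e. is unregistered or lapsed).
NsLookup = Callable[[str], Set[str]]


def norm(name: str) -> str:
    """Canonical form for comparing DNS names: lower-case, no trailing dot."""
    return name.rstrip(".").lower()


def registrable_domain(host: str) -> str:
    """Return the label directly under the TLD, e.g. 'registry.io' for
    'ns0.registry.io'. Assumption: single-label TLDs only (no public suffix
    list), which covers the .IO scenario discussed above."""
    labels = norm(host).split(".")
    if len(labels) < 2:
        raise ValueError(f"{host!r} has no registrable domain")
    return ".".join(labels[-2:])


def ns_drift(domains: Iterable[str], baseline: Dict[str, Set[str]],
             lookup: NsLookup) -> Dict[str, Dict[str, Set[str]]]:
    """Compare the currently published NS set of each domain with the stored
    baseline. Returns {domain: {"expected": ..., "observed": ...}} for every
    domain whose delegation changed; an attacker rewriting nameservers (as in
    the Gandi incident) shows up here, as does a domain that disappeared."""
    findings: Dict[str, Dict[str, Set[str]]] = {}
    for d in domains:
        expected = {norm(n) for n in baseline.get(d, set())}
        observed = {norm(n) for n in lookup(d)}
        if expected != observed:
            findings[d] = {"expected": expected, "observed": observed}
    return findings


def dangling_nameservers(zone: str, lookup: NsLookup) -> List[str]:
    """Return the nameserver hostnames of `zone` whose registrable parent
    domain has no delegation of its own. Such a parent is unregistered or
    lapsed, so anyone could register it and answer for the zone (.IO case)."""
    dangling = []
    for ns in sorted(norm(n) for n in lookup(zone)):
        if not lookup(registrable_domain(ns)):
            dangling.append(ns)
    return dangling


# Constructed snapshot of delegation data (stand-in for live DNS answers).
SNAPSHOT: Dict[str, Set[str]] = {
    "io": {"ns0.registry.io", "ns-x1.io", "ns-x2.io"},  # TLD delegation
    "registry.io": {"ns0.registry.io"},                 # properly registered
    "ns-x1.io": set(),   # nameserver names under .io with no delegation:
    "ns-x2.io": set(),   # these would be open for registration
    "example.io": {"ns1.hosting.example", "ns2.hosting.example"},
    "shop.example.io": {"ns1.attacker.example"},        # NS rewritten
    "hosting.example": {"ns1.hosting.example"},
    "attacker.example": {"ns1.attacker.example"},
}

# Constructed baseline of what the operator expects for its own domains.
BASELINE: Dict[str, Set[str]] = {
    "example.io": {"ns1.hosting.example", "ns2.hosting.example"},
    "shop.example.io": {"ns1.hosting.example", "ns2.hosting.example"},
}


def snapshot_lookup(name: str) -> Set[str]:
    """Resolver stand-in: answers from the constructed snapshot only."""
    return SNAPSHOT.get(norm(name), set())


if __name__ == "__main__":
    for domain, diff in ns_drift(BASELINE, BASELINE, snapshot_lookup).items():
        print(f"DRIFT {domain}: expected {sorted(diff['expected'])}, "
              f"observed {sorted(diff['observed'])}")
    for ns in dangling_nameservers("io", snapshot_lookup):
        print(f"DANGLING nameserver {ns}: parent domain not delegated")
```

Run periodically, the drift check turns a change that a registrar would otherwise only hear about from a third party into an alert within one polling interval; the dangling check is the one a registry or registrar should run over its own TLD delegation whenever nameservers are added, moved or, as with .IO, deliberately left behind during a transfer.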