A San Francisco-based security researcher was able to temporarily take over the majority of the nameservers handling .io web addresses last week, in an incident that highlights gaps in the Internet’s critical infrastructure.
Matthew Bryant, who conducts research on Domain Name System (DNS) security issues, said he was able to register four of the seven nameservers that handle traffic for the .io domain last week due to an error in a behind-the-scenes technical procedure.
The issue occurred when NIC.IO, the organisation that handles technical matters for the .io top-level domain (TLDs), partially outsourced operations to a third party called Afilias.
During the transition four of the .io nameservers were mistakenly made available for anyone to purchase, according to Afilias.
Security researchers have highlighted the danger posed by potential attacks on this infrastructure, known collectively as the Domain Name System (DNS), which can allow hackers to redirect users to malicious websites.
The system is also vulnerable to denial-of-service attacks, which can be used to knock large numbers of websites offline, as occurred in an incident last October when sites including Amazon, Spotify and Reddit became temporarily inaccessible.
Bryant said he noticed several of the .io nameservers were available to buy, and purchased one as an experiment. Several days later he received a confirmation that the domain had been transferred to his control and that requests were being handled by his own test DNS nameservers.
After attempting to contact NIC.IO and the Internet Computer Bureau (ICB), the UK organisation that handles administrative matters for .io, and receiving an error message from NIC.IO, Bryant purchased the other three available domains in order to protect them from miscreants.
“At the very least this could no longer be exploited by any random attacker,” he wrote in a blog post.
Later in the day Bryant contacted NIC.IO via telephone and was given another email address to send a notification to, which resulted in his control of the four nameservers being revoked about 24 hours later.
During the time he was in control of the four nameservers Bryant said he made his DNS servers reject all requests, so that the requests would be handled by the three legitimate servers.
But an attacker could have profited from the mistake to redirect traffic to malicious content, Bryant noted.
Bryant said his servers received “gigabytes” in domain name requests.
.io is the domain for the British Indian Ocean, but is marketed as an abode for high-tech companies and has more than 272,000 active addresses.
The transition to Afilias’ systems took place in June, meaning the servers were available for several weeks before Bryant spotted them, Afilias confirmed.
Afilias said upon being notified of the problem it reassigned and blocked the domains associated with ICB’s nameservers, according to an earlier report by The Register.
The company said it wasn’t aware of any issues arising from the “brief exposure”.
ICB and NIC.IO didn’t immediately respond to requests for comment.
Do you know all about security in 2017? Try our quiz!
Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…
Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…
Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…
Welcome to Silicon In Focus Podcast: Tech in 2025! Join Steven Webb, UK Chief Technology…
European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…
San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…