Some security analysts said it's still unclear what really happened last weekend when a technology glitch redirected Internet traffic meant for Web sites run by Yahoo, Microsoft and other companies to one owned by a Bermuda-based Web hosting and domain registration firm.
On Saturday, an estimated 100,000 Internet users trying to access various Web sites were instead routed to a page operated by MyDomain.com, which is part of a Hamilton, Bermuda, company called Global Internet Investments under an acquisition that was announced last spring. The traffic eventually caused MyDomain.com's Web site to crash.
MyDomain.com claims to host more than 350,000 Internet domains. Richard Lau, the company's president, this week said the redirecting problem started with faulty entries in MyDomain.com's Domain Name System (DNS) table but was then compounded by misconfigured systems being run by different Internet service providers.
"Our situation reveals a massive flaw in some DNS resolution server software being used by some ISPs," Lau said, asserting that the prospect of an incorrect setting at MyDomain.com affecting other ISPs on its own "goes against all fundamentals".
But while ISPs may indeed bear some fault, the incident also appears to have been the result of MyDomain.com taking advantage of a well-known DNS vulnerability, said Ryan Russell, an incident analyst at the SecurityFocus.com online bulletin board and security information portal in California. By putting the bulk of the blame on unnamed ISPs, Russell said, MyDomain.com is "trying to . . . save face a little bit."
When a user enters a Web site address into his browser, a request for the corresponding numeric IP address is sent to a so-called "authoritative" name server, many of which are distributed around the world. To speed up the process, Lau said, some ISPs construct DNS tables containing the IP addresses of commonly requested Web addresses or use DNS lists belonging to hosting companies such as MyDomain.com.
Because of "human error", Lau said, MyDomain.com's DNS list became corrupted last Saturday and incorrectly redirected users to its own servers instead of the Web addresses they had requested. But the problem wouldn't have been so bad if ISPs used the appropriate name servers instead of relying on data provided by MyDomain.com's DNS table, Lau claimed.
However, Russell said MyDomain.com itself may have had a hand in encouraging ISPs to do that, based on information that SecurityFocus.com received from an employee at the company. By taking advantage of the DNS vulnerability, he said, MyDomain.com appears to have actively presented itself as a sort of name server authority to users who visited the domains it hosts.
That may have contributed to last Saturday's incident, Russell said, although he noted that ISPs also are responsible for making sure holes such as the DNS vulnerability are closed in the first place.
In addition, Russ Cooper, an analyst at US-based security consulting firm TruSecure, said it appears that some of the mapping information in MyDomain.com's DNS tables shouldn't have been there because it doesn't belong to the company.
There's also no evidence that external ISPs were knowingly using MyDomain.com's DNS lists, Cooper said. "If they were, then customers have a right to know who they were and why they were relying on [MyDomain.com's] information," he added.
