16 January 2005
Panix in the streets
Public Access Networks Corporation, an ISP which traces its origins back to 1989, had its primary panix.com domain hijacked this weekend.
A lot of DNS records get screwed up from time to time, and it's as often due to stupidity as it is to malice, but this particular incident looks, well, evil. The company briefly posted a notice on its alternate panix.net domain; it's gone now, but Dawn Eden transcribed it:
Panix's main domain name, panix.com, has been hijacked by parties unknown. The ownership of panix.com was moved to a company in Australia, the actual DNS records were moved to a company in the United Kingdom, and panix.com's mail has been redirected to yet another company in Canada. Panix staff are currently working around the clock to recover our domain, but this may take until Monday, due to the time differences and difficulties in reaching responsible parties over the weekend.
Indeed, a check of whois.sc last night, which I repeated this morning, identifies the registrar as Melbourne IT, Ltd. d/b/a Internet Names Worldwide, lists the owner as one Vanessa Miranda, 1010 Grand Cerritos Avenue, Las Vegas, NV 89123, and designates the admin contact as Burnhill Business Center, Beckenham, Kent, England. At this writing, http://www.panix.com/ brings up the stock Under Construction screen from freeparking.co.uk; the specified nameserver is ns1.ukdnsservers.co.uk. The IP address given, 18.104.22.168, resolves to Koallo Inc. in Canada.
As Dawn says, "This is bizarre and scary." It won't affect The Dawn Patrol, which is not hosted at Panix, but the potential for screwing with people's email is certainly substantial.
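The whois check above is exactly the kind of comparison a domain owner can automate: keep a baseline of registrar, nameservers and MX hosts and alarm when any of them moves. The script below is an added example, not anything from Panix; the baseline values are constructed placeholders (the post does not list Panix's original records), the whois text is constructed from the values quoted above, and the MX host stands in for the unnamed Canadian mail redirect.

```python
import re

# Constructed baseline for the watched domain; NOT Panix's real pre-hijack records.
BASELINE = {
    "registrar": "Example Registrar Inc.",
    "nameservers": {"ns1.example-baseline.net", "ns2.example-baseline.net"},
    "mx": {"mail.example-baseline.net"},
}
# Constructed whois-style output modelled on the values quoted in the post.
OBSERVED_WHOIS = """\
Domain Name: PANIX.COM
Registrar: Melbourne IT, Ltd. d/b/a Internet Names Worldwide
Registrant: Vanessa Miranda, 1010 Grand Cerritos Avenue, Las Vegas, NV 89123
Name Server: NS1.UKDNSSERVERS.CO.UK
"""
OBSERVED_MX = {"mx.constructed-example.ca"}  # constructed stand-in for the redirected mail host
# Nameservers and MX decide who answers for the domain and who receives its mail;
# the registrar decides who is allowed to change those records at all.
SEVERITY = {"nameservers": "critical", "mx": "critical", "registrar": "high"}

def parse_whois(text):
    """Extract registrar and nameserver lines from whois-style text."""
    snapshot = {"registrar": None, "nameservers": set()}
    for line in text.splitlines():
        m = re.match(r"\s*Registrar:\s*(.+?)\s*$", line)
        if m:
            snapshot["registrar"] = m.group(1)
        m = re.match(r"\s*Name Server:\s*(\S+)", line)
        if m:
            snapshot["nameservers"].add(m.group(1).lower().rstrip("."))
    return snapshot

def diff_snapshot(baseline, observed):
    """Return (severity, field, detail) for every record that moved."""
    alerts = []
    for field in ("registrar", "nameservers", "mx"):
        before, after = baseline[field], observed.get(field)
        if after is None or before == after:
            continue
        if isinstance(before, set):
            detail = f"added={sorted(after - before)} removed={sorted(before - after)}"
        else:
            detail = f"{before!r} -> {after!r}"
        alerts.append((SEVERITY[field], field, detail))
    return alerts

def check_domain():
    """Compare the constructed observation against the baseline."""
    observed = parse_whois(OBSERVED_WHOIS)
    observed["mx"] = OBSERVED_MX
    return diff_snapshot(BASELINE, observed)
```

Run against a real domain, the whois text and MX set would come from a whois query and a DNS lookup issued on a schedule; a nameserver or MX alert is the signal that resolution or mail has been pointed somewhere new.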
Panix, as it happens, was the victim of the first publicized Denial of Service attack, as Bruce Schneier reported in his book Secrets & Lies: Digital Security in a Networked World:
In Sept 1996, an unknown hacker attacked the Public Access Networks Corporation (aka Panix), which was a New York-based internet service provider. What they did was send hello messages (SYN packets) to the Panix computers. What's supposed to happen is for the remote computer to send Panix this hello message, for Panix to respond, and then for the remote computer to continue the conversation. What the attackers did was to manipulate the return address of the remote computers, so Panix ended up trying to synchronize with computers that essentially did not exist. The Panix computers waited 75 seconds after responding for the remote computer to acknowledge the response before abandoning the attempt. The hackers flooded Panix with as many as 50 of these wake-up messages per second. This was too much for the Panix computers to handle, and they caused the computers to crash.
These days, SYN flooding is treatable; we know better now. But the present-day Panix attack is something quite a bit more insidious, since it goes directly to the heart of a shared resource, the domain registration system, and screws with the allocations therein.
(Update, 8 pm: Progress is being made; the domain transfer back to the proper owners is underway. However, it will be a day or two before all the DNS servers worldwide are updated with the correct information.)