Wednesday, 29 July 2020 11:12

New Nominet drop catching flaw revealed?

On Saturday, I received an anonymous email with details of a new catching flaw at Nominet. They asked that I publish it on my blog. I have done a bit of digging, and it all seems viable.

I don’t know who sent it; they have stated their motivations for posting it and I have no reason to doubt them. I have never used it and have no intention of doing so.

Nominet DAC query limit flaw

A new flaw has been found in Nominet’s DAC allowing cheating dropcatchers free access to additional quotas.

On the face of it the gaping security hole is so simple even your average Grimsby plasterer could do it.

The new flaw is simple: You can get separate quotas if you use multiple IP addresses with the DAC.

However there are some limits to the flaw:

- If you add IPv4 or IPv6 addresses for the same server, it sometimes has the same DAC quota

- If you add the IP address of another server with a different ISP, it tends to have a brand new quota

The rate limiting applied appears to be inconsistent with the Acceptable Use Policy.

Nominet has been unable to do the simple task of aggregating the count of query usage across the 4 IP addresses permitted in DAC Settings (or other addresses if these are subsequently changed). As such, the blocks are applied separately if the query limit is exceeded.

We have confirmed the issue ourselves, however we have NOT used it to catch names.

We added new IP addresses to our DAC settings; the server that was previously configured had already used most of its DAC quota for the day:

#usage,C,60,1,86400,357048

DAC usage from a different ISP after adding a new IP address:

#usage,C,60,1,86400,1

The query limits check is broken. The last figure is the number of queries used in the last 24 hours. The usage command consumes one query from the limit, so this is a brand new query limit that is counted separately from the original server.

So not only are fake members multi-tagging, they are also using multiple IP addresses!

Why are we posting this?

We understand the issue has already been reported to Nominet, however they refuse to fix it. We presume Nominet is waiting to implement their moneymaking auctions instead and would rather not fix their DAC bugs.

As a huge amount of .uk names are due to drop in September we thought it fair that everyone knows about this flaw and can make use of it.

When Nominet has spent millions on developing, marketing and even purchasing cyber security services, Nominet has been unable to keep its own house in order and protect its primary service of the UK National Infrastructure.
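
The aggregation the email says is missing, shown as an added example that is not part of the original post or Nominet's code: a sliding-window counter keyed by source IP next to the same counter keyed by the account that registered the IP. The limit of 5, the tag names and the addresses are constructed for the demonstration.

```python
from collections import defaultdict, deque

WINDOW = 86400  # seconds: the 24-hour window the email refers to
LIMIT = 5       # constructed demo limit, not Nominet's real quota

class QuotaTracker:
    """Sliding-window query counter keyed by an arbitrary string."""
    def __init__(self, limit=LIMIT, window=WINDOW):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)

    def allow(self, key, now):
        q = self.hits[key]
        while q and q[0] <= now - self.window:  # drop queries older than the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

# Constructed registrations (documentation address ranges, hypothetical tags):
# TAG-A has two permitted addresses, TAG-B has one.
ACCOUNT_IPS = {"192.0.2.10": "TAG-A", "198.51.100.20": "TAG-A", "203.0.113.5": "TAG-B"}

def simulate(key_by_account, queries):
    """Return queries allowed per account under the chosen keying."""
    tracker, allowed = QuotaTracker(), defaultdict(int)
    for now, ip in queries:
        account = ACCOUNT_IPS.get(ip)
        if account is None:
            continue  # source address not registered to any account
        key = account if key_by_account else ip  # per-IP keying is the flawed behaviour
        if tracker.allow(key, now):
            allowed[account] += 1
    return dict(allowed)

def sample_queries():
    """Constructed traffic: TAG-A sends 5 queries from each address, TAG-B sends 5."""
    q = [(t, "192.0.2.10") for t in range(5)]
    q += [(t, "198.51.100.20") for t in range(5, 10)]
    q += [(t, "203.0.113.5") for t in range(10, 15)]
    return q

if __name__ == "__main__":
    print("keyed by IP:     ", simulate(False, sample_queries()))
    print("keyed by account:", simulate(True, sample_queries()))
```

Keyed by IP, the account with two addresses gets twice the allowance of the account with one; keyed by account, both are held to the same limit regardless of how many addresses are registered.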