Wednesday, 29 July 2020 11:12

New Nominet drop catching flaw revealed?

On Saturday, I received an anonymous email with details of a new catching flaw at Nominet. They asked that I publish it on my blog. I have done a bit of digging, and it all seems viable.

I don’t know who sent it; they have stated their motivations for posting it and I have no reason to doubt them. I have never used it and have no intention of doing so.

Nominet DAC query limit flaw

A new flaw has been found in Nominet’s DAC allowing cheating dropcatchers free access to additional quotas.

On the face of it, the gaping security hole is so simple even your average Grimsby plasterer could do it.

The new flaw is simple: You can get separate quotas if you use multiple IP addresses with the DAC.

However there are some limits to the flaw:

- If you add IPv4 or IPv6 addresses for the same server, it sometimes has the same DAC quota

- If you add the IP address of another server with a different ISP, it tends to have a brand new quota

The rate limiting applied appears to be inconsistent with the Acceptable Use Policy.

Nominet has been unable to do the simple task of aggregating the count of query usage across the 4 IP addresses permitted in DAC Settings (or other addresses if these are subsequently changed). As such, the blocks are applied separately if the query limit is exceeded.

We have confirmed the issue ourselves, however we have NOT used it to catch names.

We added new IP addresses to our DAC settings; the server that was previously configured had already used most of its DAC quota for the day:

#usage,C,60,1,86400,357048

DAC usage from a different ISP after adding a new IP address:

#usage,C,60,1,86400,1

The query limits check is broken. The last figure is the number of queries used in the last 24 hours. The usage command consumes one query from the limit, so this is a brand new query limit that is counted separately from the original server.

So not only are fake members multi-tagging, they are also using multiple IP addresses!

Why are we posting this?

We understand the issue has already been reported to Nominet, however they refuse to fix it. We presume Nominet is waiting to implement their moneymaking auctions instead and would rather not fix their DAC bugs.

As a huge amount of .uk names are due to drop in September we thought it fair that everyone knows about this flaw and can make use of it.

When Nominet has spent millions on developing, marketing and even purchasing cyber security services, Nominet has been unable to keep its own house in order and protect its primary service of the UK National Infrastructure."
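
The aggregation the email says is missing, sketched as an added example (not Nominet's code and not part of the email or the original post): the same sliding 24-hour counter keyed once per source IP and once per account. The tag names, addresses, limit of 5 and the `QuotaCounter` class are constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW = 86400  # seconds; the 24-hour period in the #usage lines above

# Constructed sample data: DAC-registered source IPs mapped to the owning
# account. The tag names and addresses are hypothetical.
IP_TO_ACCOUNT = {
    "192.0.2.10": "TAG-A",    # first server
    "198.51.100.7": "TAG-A",  # same member, second server on another ISP
    "203.0.113.5": "TAG-B",
}

def by_ip(ip):
    return ip if ip in IP_TO_ACCOUNT else None

def by_account(ip):
    return IP_TO_ACCOUNT.get(ip)

class QuotaCounter:
    """Sliding-window counter; key_fn decides which queries share a quota."""

    def __init__(self, limit, key_fn):
        self.limit, self.key_fn = limit, key_fn
        self.events = defaultdict(deque)  # key -> timestamps of accepted queries

    def usage(self, ip, now):
        key = self.key_fn(ip)
        if key is None:
            return 0
        q = self.events[key]
        while q and q[0] <= now - WINDOW:  # drop queries older than 24 hours
            q.popleft()
        return len(q)

    def allow(self, ip, now):
        key = self.key_fn(ip)
        if key is None or self.usage(ip, now) >= self.limit:
            return False  # unregistered address, or quota exhausted
        self.events[key].append(now)
        return True

def demo(limit=5):
    # Constructed traffic: one member sends `limit` queries from each of its IPs.
    queries = [(t, "192.0.2.10") for t in range(limit)]
    queries += [(limit + t, "198.51.100.7") for t in range(limit)]
    per_ip, per_account = QuotaCounter(limit, by_ip), QuotaCounter(limit, by_account)
    return (sum(per_ip.allow(ip, t) for t, ip in queries),
            sum(per_account.allow(ip, t) for t, ip in queries))
```

Keyed per IP, the counter accepts twice the limit for the same member; keyed per account, the second address inherits the usage already recorded, so its count would not start again at 1.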

Comments (5)

I wouldn't be surprised if Nominet have just "accidentally" created this flaw to fuel their agenda to create more chaos in drop catching and make it sound like auctions were the only feasible option as a result.

How new is this flaw?

  Anonymous

The first I had heard of it was last Saturday, I asked around and everyone seemed to confirm that it was possible. After they confirmed it seemed legit, I decided to publish it.

I don't know if Nominet are aware of it or not. The message says that they do so I assume that they do. If they do know, it doesn't say how long they have known.

  GreyWing

I tested for this a year or so ago, and it wasn’t present then...someone has broken the aggregation function.

  Anonymous

I wonder if Nominet has closed this now, I couldn't replicate it last night. If so, good work to those that found it and sent it to GreyWing. Must have been tempting for those people to have used it themselves.

  Anonymous

Anonymous in the middle above again - just tried it again and couldn't replicate. Either I have an unlucky IP address pair or it is closed.

  Anonymous