How did I use over a gigabyte of mobile data in a single day? Why is my phone as warm as a hot plate? If you have ever asked yourself either of these questions, you might be the victim of a malicious application that is using your device and consuming your mobile bandwidth to facilitate ad fraud. We have recently identified a large population of apps being distributed from the Google Play Store that support this behavior.  These apps are installed on devices on a majority of the major cell phone carriers around the world.  These carriers operate in the US (AT&T, Verizon, Sprint, and T-Mobile), Europe (KPN, Vodafone, Ziggo, Sky, Virgin, Talk Talk, BT, O2, and T-Mobile), and the Asia Pacific region (Optus, Telstra, iinet, and others) [Note: Mobile providers and Google have been notified]. Just this morning, before this article was published, Buzzfeed broke another ad fraud story.

The Mechanics of the Grift

Online advertising consists of a complex ecosystem of ad buyers, sellers, exchanges, and data providers. Operators of websites and application authors have available space in their content layout and interaction in the user experience that can be integrated to include various forms of Continue reading

The CNAME resource record was defined in RFC 1035 as “the canonical name for an alias.” It plays the role of a pointer, for example, the CNAME informs the requestor that www.containercult.com is really this other name, instance001.couldbalancer.example.com.

The CNAME record provides a “configure once” point of integration for third party platforms and services. A CNAME is often used as opposed to an A/AAAA record for the same reason developers often use variables in their code as opposed to hard coded values. The CNAME can easily be redefined by the third party or service provider without requiring the end user to make any changes.

A stipulation that prevents use of the CNAME at the apex is that no other records can exist at or alongside a CNAME. This specification is what prevents an end user from being able to place a CNAME at the apex of their zone due to the other records, which must be defined at the apex such as the Start of Authority (SOA).

ALIAS / ANAME – The way of the future 

The Oracle ALIAS record allows for CNAME-like functionality at the apex of a zone. The Oracle implementation of the Continue reading

Protecting end users starts with understanding their use and integration of services. For authoritative DNS, this includes human error when copying and pasting information between interfaces. After purchasing a new domain, such as “containercult.com,” the end user configures authoritative nameservers. Delegation is a “set it and forget it” operation; it is often made outside of scope of continuous integration pipelines and automated deployment systems. To quantify this risk and reconcile it with reality, we started to look at the existence of nameserver record typos in the .COM zone file.

There are typos in nameserver records for a number of authoritative DNS providers made across a number of zones, making it clear that end users make delegation typos. The existence of the typo is one thing, it’s another when the typo has been registered and another provider is serving responses. One of the typos of interest was dynect.ne, which was registered some time in February of 2016. At that time, it was delegated to a pair of authoritative nameservers operated by myhostadmin.net, a name related to a Chinese hosting provider. Sometime around January 2017, the authoritative nameservers changed over to Yandex, the Russian internet services provider, and Continue reading

The title of the paper Who controls the Internet? Analyzing global threats using property traversal graphs is enough to ensnare any Internet researcher. The control plane for a number of attacks, as the paper points out, is the DNS due to the role it plays in mapping names to resources. MX records in the DNS control the flow of mail, CNAME records are used to implement content delivery networks (CDN) services, and TXT records are used to confirm access to and control over a namespace when implementing third party services. This post will cover an interesting case where control is exercised first via the DNS and then using BGP.

Below the DNS, in the depths of internet plumbing, is the lizard brain of internet routing, which is governed by the border gateway protocol (BGP). A common term to describe BGP routing is “hot potato” routing. BGP conversations occur between autonomous systems, ASes, which are identified by their autonomous system number ASN. The ASN represents a system of networks and the policy associated with their routing. ASes are issued regionally by Regional Internet Registries (RIRs), which receive blocks of AS numbers to hand out from the Internet Assigned Numbers Authority Continue reading