Press Release | 30.08.2004

DENIC analyzing meddling incident with ebay.de data

In the course of the past weekend, the domain data of the Internet auction business, ebay.de, was illicitly changed for a short period of time. For a while, the domain was inaccessible. On Saturday morning, news of this unauthorized change reached DENIC. It reacted straight away and, in agreement with eBay, restored the domain data to its previous settings. Since Saturday, DENIC has been investigating this incident in detail. Here are its findings on what happened:

In the vast majority of cases, domains are administered by a provider on behalf of the domain holder. The provider will either be a direct DENIC member themselves or will work through a DENIC member. DENIC members (and only they) can feed domain requests directly into DENIC's registration system, which, naturally, has secure access. Of course, it is possible for domain holders to move the administration of their domains from one provider to another. This is called a provider change, and DENIC processes tens of thousands of such transactions every month.

The process starts when the new provider submits a provider-change request to DENIC's automated registration system. This system then informs the current provider of the request and asks for confirmation. To prevent unauthorized provider changes, two control mechanisms have been built into the procedure. Firstly, the new provider must check the data of the person asking for the change. This data must be identical with the data of the domain holder or someone properly authorized to act on the domain holder's behalf. Furthermore, the new provider is required to perform this check before submitting the request for a provider change. Secondly, the ceding provider has a duty to reject the provider change unless they are absolutely certain that that is what the domain holder really wants.

In the eBay case, it is evident that both these control mechanisms failed. The provider-change request was submitted, although eBay had no intention of changing provider. eBay's current provider failed to react to the request for a provider change within the usual deadline of five working days, which according to DENIC's rules is deemed to be consent. So the provider change went through. To begin with, this simply meant a change in DENIC's database, and nothing would have been perceptible on the outside as yet.

Subsequently, the new provider submitted a so-called update request to DENIC to change the domain-holder and name-server data for the ebay.de domain. Once again, the provider has a duty to make sure that such instructions really come from the domain holder or that the old domain holder and the new one have entered into a formal agreement to transfer the domain. Just like the provider-change request, this update request was processed fully automatically by DENIC's registration system.

The change in the address referring to ebay.de did not take effect on the Internet until early on Saturday morning, when the .de zone was regenerated. Up until then, connections to eBay's website continued to go through correctly.

The unauthorized provider change and the equally unauthorized registration of a new domain holder were detected on 28 August 2004, and DENIC was informed immediately. It was clear from contacts with eBay that the legitimate domain holder had had nothing to do with these changes. DENIC therefore reversed the changes as quickly as it feasibly could and generated a new .de zone with the corrected data. It is the usual practice for name servers to hold Internet-provider zone entries in their cache, which explains why it took somewhat longer before all users were able to connect to eBay correctly again at its ebay.de domain.

DENIC is now continuing to investigate in detail, together with both the providers concerned, how a change not authorized by the domain holder went through despite two checks that ought to have been performed, both of which should have stopped it. DENIC is also considering the possibility of legal action against the initiator of the bogus provider change and the request to change the domain-holder data.