[This was originally published on the OSVDB blog.]
Did you know that RFC 2606 has the Internet Assigned Numbers Authority (IANA) reserve several top-level domains (.test, .example, .invalid and .localhost), as well as three second-level domains, in order to provide safe names for examples? To avoid conflict and confusion, the domains example.com, example.net and example.org are all reserved so that professionals can use them for private testing, examples in documentation, DNS experiments and other uses.
This is a good thing for IANA to do, and something that security researchers should be aware of. Currently we see hundreds of disclosures each month that use other “example” type domains, many of which point to real sites. This is a bad thing, as it can cause a world of annoyance and potential harm to those sites. Think about the hundreds of sites that mirror Bugtraq or Full-Disclosure, and all of the search engines, web bots and spiders that follow every link without bias. Each time they encounter http://example.com/hi.txt, they try to follow it. For those who follow the guidelines in RFC 2606, this is acceptable and no one really gets harmed. For those using other domains, you may be causing additional traffic (often carrying exploit-like code and requests) to sites that shouldn’t receive it, even when the example also uses 127.0.0.1 or other reserved internal IP addresses. OSVDB goes one step further by using [target] and [attacker] to designate examples. This is done for consistency, of course (and yes, I realize some older entries don’t follow that guideline), but also on the off chance that some wily hacker type decides to screw with DNS servers. What happens when, tomorrow, dozens of high-traffic DNS servers start resolving example.com to some real [target].com?
In just the last couple of months we have seen the advertising site www.vuln.com, Site Services Inc.’s www.site.com, the non-existent host_evil.com, the broken web site www.anysite.com, the (possibly ironically) defaced web site www.vulnerablesite.com, the adult-content-laden www.XXX.com, the large corporate retail store www.target.com, and the domain-squatted attacker.com all used as example domains in exploits. Every day that a web spider or search engine goes crawling, odds are these sites get some odd traffic. If they run intrusion detection systems, I’d hate to be the one tasked with monitoring them.
The most amusing of this list is probably victim.com, which contains a quote from and a link to a published exploit in which a failure to follow RFC 2606 may have led to one person’s frustration, and to this resulting site.
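As an added example (not from the original post and not OSVDB’s own tooling), here is a small Python lint that applies the rule discussed above to disclosure text before it goes out to a list. It pulls URLs out of an advisory, accepts a host only if it is an RFC 2606 reserved name (the .test, .example, .invalid and .localhost TLDs, or example.com/net/org and their subdomains), a loopback or private IP literal, or an OSVDB-style [target]/[attacker] placeholder, flags everything else, and can rewrite the offending hosts to [target]. The URL regex and the sample advisory text are constructed for this illustration; the hostnames in the sample are the ones this post complains about.

```python
"""Lint disclosure text for example URLs whose hosts are not reserved names.

Added example for this post, not OSVDB code. RFC 2606 reserves the TLDs
.test, .example, .invalid and .localhost (section 2) and the second-level
domains example.com, example.net and example.org (section 3); [target] and
[attacker] are the OSVDB placeholder convention described in the post.
The URL matcher and the sample text below are constructed for illustration.
"""
import ipaddress
import re

RESERVED_TLDS = {"test", "example", "invalid", "localhost"}   # RFC 2606 section 2
RESERVED_SLDS = {"example.com", "example.net", "example.org"}  # RFC 2606 section 3
PLACEHOLDERS = {"[target]", "[attacker]"}                      # OSVDB convention

# Deliberately simple matcher: scheme://host[:port]rest, where host may be a
# bracketed IPv6 literal or a bracketed placeholder such as [target].
# Userinfo (user:pass@host) is not handled; advisory PoC URLs rarely carry it.
URL_RE = re.compile(
    r"[a-zA-Z][a-zA-Z0-9+.-]*://(?P<host>\[[^\]\s]*\]|[^\s/:?#<>\"']+)"
    r"(?::\d+)?[^\s<>\"']*"
)


def is_safe_host(host: str) -> bool:
    """True if a crawler following this host cannot reach an unsuspecting third party."""
    h = host.rstrip(".").lower()          # tolerate a trailing dot and mixed case
    if h in PLACEHOLDERS:
        return True
    try:
        ip = ipaddress.ip_address(h.strip("[]"))
    except ValueError:
        pass
    else:
        # 127.0.0.0/8, RFC 1918 ranges, link-local, ::1 and similar are all safe.
        return ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_reserved
    if h.startswith("["):                 # bracketed, not an IP, not a known placeholder
        return False
    if h.split(".")[-1] in RESERVED_TLDS:
        return True
    # example.com itself or any subdomain of it; notexample.com does not qualify.
    return any(h == sld or h.endswith("." + sld) for sld in RESERVED_SLDS)


def find_hosts(text: str) -> list[str]:
    """All URL hosts in the text, in order of appearance (duplicates kept)."""
    return [m.group("host") for m in URL_RE.finditer(text)]


def unsafe_hosts(text: str) -> list[str]:
    """Distinct non-reserved hosts, in order of first appearance."""
    seen, out = set(), []
    for h in find_hosts(text):
        key = h.rstrip(".").lower()
        if not is_safe_host(h) and key not in seen:
            seen.add(key)
            out.append(h)
    return out


def neutralize(text: str) -> str:
    """Rewrite every non-reserved host to the OSVDB-style [target] placeholder."""
    def repl(m: re.Match) -> str:
        host = m.group("host")
        if is_safe_host(host):
            return m.group(0)
        start, end = m.span("host")
        whole = m.group(0)
        return whole[: start - m.start()] + "[target]" + whole[end - m.start():]
    return URL_RE.sub(repl, text)


# Constructed sample advisory text (not a real disclosure).
SAMPLE = """\
PoC: http://www.vuln.com/cgi-bin/search.cgi?q=<script>alert(1)</script>
Safe: http://example.com/hi.txt and http://sub.example.org/x
Also safe: http://127.0.0.1/admin http://[::1]:8080/ http://host.test/ http://[target]/hi.txt
Bad again: https://attacker.com/evil.js ftp://victim.com./pub http://www.vuln.com/other
"""

if __name__ == "__main__":
    for h in unsafe_hosts(SAMPLE):
        print("non-reserved host in example URL:", h)
    print(neutralize(SAMPLE))
```

Run against the sample, the lint reports www.vuln.com, attacker.com and victim.com. (once each) and leaves example.com, the .test host, the loopback literals and the existing [target] alone; neutralize() then rewrites only the flagged hosts, so a PoC like http://www.vuln.com/cgi-bin/... comes out as http://[target]/cgi-bin/... with its query string intact. The classification is on the hostname only, which is the whole point: a subdomain of example.com is reserved with it, while a look-alike such as notexample.com is a real registrable name and is flagged.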