2 February 2005—It's 4:30 a.m. Do you know where
your Internet address is? At about that time on 15
January, Alexis Rosen, owner of Public Access Networks
Corp., New York City's oldest Internet service
provider (ISP), and its flagship domain panix.com,
certainly didn't. It was at that early hour that he
first discovered that his company's Internet address
and its entire business had been stolen in the
night. Rosen's first thoughts were unprintable.
Panix.com's disappearance, while not the first
cyberattack of its kind, was unusual, and different from
the virus or denial-of-service attacks that have hit
companies like eBay, Amazon, and Microsoft in years
past. Those succeeded by overwhelming servers with
data. In this case, Panix had complete control of its
servers and systems. Instead, the domain name
itself, panix.com, became dissociated from the four-part
numerical address that is the actual means by which
packets of data make their way to it on the
Internet.
As a consequence, e-mail intended for Panix
subscribers wound up in a random server in Canada. Panix
officials believe none of the e-mail was opened, but
have said they "cannot be absolutely sure" of that.
Besides e-mail, there was the matter of the Internet
domains that Panix hosts for its business customers, and
the personal domains of its individual users. Sites
with URLs like http://www.panix.com/~steven were
unreachable, because their routing depends on the
correct operation of the panix.com domain name.
Why would someone hijack a domain? A favored
theory among Panix's customers is that the perpetrator
was an unhappy former subscriber. "Panix has pissed off
a lot of people over the years," was a common theme
on a hyperactive private Panix message board called
"panix.questions." With more pride than chagrin, Rosen
agrees. "We've been around a long time, and we're pretty
vocal about the way we think things should work," he
says. "We've made our share of enemies—spammers,
blackhat hackers, you name it."
Exactly when the hijacking began isn't known
because such a change takes hours to propagate through
the domain name system, or DNS. The DNS is a
hierarchical structure of servers that each contain
some domain name records, and know what other servers
have additional relevant records. (See "Striking at
the Internet's Heart," a December 2001 article in
IEEE Spectrum, for a detailed explanation of how the
DNS operates.) It takes a day for a change to be fully
reflected in the domain name system, because servers
routinely cache individual domain name records, such
as Panix's for 24 hours.
It took about 36 hours of frantic work by a
globe-spanning group of Internet specialists to finally
regain control of the Panix domains. However, the e-mail
misdeliveries were stopped well before that, through
the heroic efforts of a lone Canadian network
engineer, acting on his own authority. The person or
persons responsible for the attack remain unknown
and at large, and the success of the scheme has left
ISPs on edge. Extensive interviews by Spectrum with key
people involved showed the attack on Panix was less
of a technological feat than an exploitation of
human fallibility, and it was very human efforts that
in the end rescued the stricken ISP.
Rosen learned of the
hijacking when he was awakened by his pager.
It was Panix's systems administrator. "When I
turned on the computer, I saw we had a serious
problem," he says. He realized that the hijacking
threatened not only his customers' data but
Panix's reputation—in the ethereal world of the
Internet, nothing is more important—and therefore the
business itself.
Rosen immediately began "reaching out to Panix's
many customers and friends." And among them, Rosen says,
are "certain relatively high-ranking people in law
enforcement, who reached out to me," to see if they
could be of any help. He also contacted fellow
administrators on a small semi-private mailing list for
key U.S. network operators.
The immediate need was to re-associate the various
panix.com services, such as e-mail and Web pages,
with Panix's block of Internet Protocol addresses. Those
numerical addresses could in some cases be used
directly. For example, the Web address
http://166.84.1.1 would still take you to Panix's home page.
But IP addresses are rarely used directly in that
way, and if you typed "http://www.panix.com" last
Saturday morning, your Web browser would have displayed
a default page at a server, www.freeparking.co.uk,
which is, despite its British suffix, located in
Canada.
The hijacking exploited the fairly recent
relaxation of some rules governing Web site ownership
and a confusion among the entities that associate
Internet domain names with IP addresses. These
registrars—there are hundreds of them around the
world—are authorized to make changes in a database of
Internet names and numbers known as a registry.
Confusingly, the owner of the database is also
called a registry. In the case of Internet names that
end with ".com," the registry is VeriSign Inc., of
Mountain View, Calif.
Anyone can buy a domain name if it isn't already
taken. An individual registration record—the record
that matches the name to an IP address—can be modified
only by the registrar listed in the record. Panix's
registration is, or was, until Saturday 15 January,
held by Dotster Inc., a Vancouver, Wash.-based
registrar. Somehow, and for reasons that were still
unknown a week after the attack, the registration
was moved to Melbourne IT Ltd., in Melbourne,
Australia.
The change in Panix's registration was made by a
company known as Fibranet Services Ltd., which resells
Melbourne IT's domain name registration service.
Fibranet, which is officially registered in Douglas,
on the Isle of Man, in the Irish Sea, operates the
freeparking.co.uk site that showed up on Saturday
morning instead of Panix's home page.
Someone—we still don't know who—used a stolen
credit card account to sign up as a Fibranet
customer. Claiming to be the rightful owner of the
panix.com domain name, this party initiated a
transfer of Panix's registration from Dotster to
Melbourne IT. There are a number of reasons a domain
name owner might legitimately initiate such a
transfer. One registrar can be cheaper than another, or
offer better customer support. "We've done hundreds
of thousands of transfers," says Bruce Tonkin,
Melbourne IT's chief technology officer. "This was the
first genuine hijacking."
According to Bruce Tonkin, Melbourne IT has "a
couple of hundred" resellers. A handful, "fewer than
ten," he says, have agreements with Melbourne IT whereby
they are responsible for obtaining the registrant's
(Panix in this case) authorization, before
initiating a transfer to Melbourne IT. In the case of
its other resellers, Melbourne IT itself performs
the authorization check.
"The reseller should look up the existing WHOIS
record published by the original registrar," Tonkin
says. Whois.net is an Internet-wide database whose
records have complete contact information for the
registrant, including names, street addresses, and
an e-mail address. "The reseller is supposed to send a
standardized e-mail to the authorized contact for
the domain name saying, in effect, 'We've received a
request for a transfer. Did you initiate it?' They're
not supposed to make the transfer without this
step."
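The confirmation step Tonkin describes, written out as a small authorizer (an added example, not Melbourne IT's or any registrar's own code). It assumes a constructed WHOIS table and a hypothetical send_mail hook; the token goes only to the contact in the existing record, never to the address the requester claims.

```python
import secrets

# Constructed stand-in for the WHOIS record published by the losing registrar.
# Only panix.com and Dotster come from the article; the address is a placeholder.
WHOIS = {"panix.com": {"registrar": "Dotster",
                       "admin_email": "hostmaster@panix-baseline.example"}}

class TransferAuthorizer:
    """Gaining-side check: no transfer without the registrant's say-so."""
    def __init__(self, whois):
        self.whois = whois
        self.pending = {}     # one-shot token -> (domain, contact it was sent to)
        self.completed = []   # domains actually transferred
        self.audit = []       # every request, so a later dispute has a record

    def request_transfer(self, domain, claimed_contact):
        """Step 1: look up the existing WHOIS record and e-mail a token to the
        contact listed there, ignoring whatever address the requester supplied."""
        self.audit.append(("request", domain, claimed_contact))
        rec = self.whois.get(domain)
        if rec is None:
            raise ValueError("no WHOIS record for " + domain)
        token = secrets.token_urlsafe(16)
        self.pending[token] = (domain, rec["admin_email"])
        # send_mail(rec["admin_email"], "Did you initiate this transfer?", token)
        return token

    def confirm(self, token, replying_contact):
        """Step 2: execute the transfer only when the listed contact returns
        a token that is still unused; anything else is refused."""
        entry = self.pending.pop(token, None)   # a token can be used once
        if entry is None:
            return False                        # unknown or replayed token
        domain, contact = entry
        if replying_contact.lower() != contact.lower():
            self.audit.append(("refused", domain, replying_contact))
            return False                        # reply came from someone else
        self.completed.append(domain)
        self.audit.append(("transferred", domain, contact))
        return True
```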
According to Tonkin, Fibranet didn't take that
step. "They sign a legal agreement that they will follow
our procedures, and we audit them, to make sure they
comply. As a result of this incident Melbourne IT is
carrying out an immediate audit of all its resellers
that authenticate transfers, and will implement
improvements to its regular audit process."
If Fibranet enjoys privileges shared by few
Melbourne IT resellers, it's an odd choice. Its ethereal
structure hardly inspires confidence. The company is
incorporated on the Isle of Man, a tiny island tax
haven within the British Isles, but provides
pay-per-minute customer telephone support from a
remote location in Spain, says Richard Cox, an
investigator for the London-based Internet volunteer
organization, Spamhaus Project, Ltd. He notes that
Fibranet's servers are in Canada, and some of its
domains are owned by a company incorporated in
Wilmington, Del. "So many entities on the Net
nowadays feel they don't need a physical presence," Cox
says, with some annoyance.
"Normally, where there is a dispute with respect
to a transfer, the DNS information has not been
changed," says Melbourne IT's Tonkin. That is, in the
usual case, even if a registration record were
erroneously moved from one registrar to another, the
domain name would point to the same IP address, and the
registrant's Internet services would function just
as they did before. But when the
stolen-credit-card-wielding hijacker initiated the
transfer of Panix's registration to Fibranet, he or
she changed the association between the domain name and
the IP address. And other fields in the registration
record were altered as well, including the names and
affiliations of the individuals responsible for the
domain.
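A baseline-drift check that separates the usual dispute case Tonkin describes (record moved, DNS untouched) from what happened here, where the IP association and the contact fields changed too. This is an added example, not Panix's or any registrar's tooling; every snapshot value except panix.com, Dotster, Melbourne IT and 166.84.1.1 is a constructed placeholder.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class DomainRecord:
    domain: str
    registrar: str
    nameservers: frozenset
    a_records: frozenset
    admin_contact: str   # authorized contact in the registration record

# Fields whose change should wake someone up.
WATCHED = ("registrar", "nameservers", "a_records", "admin_contact")

def diff_records(baseline, current):
    """Return {field: (old, new)} for every watched field that differs."""
    changes = {}
    for name in WATCHED:
        old, new = getattr(baseline, name), getattr(current, name)
        if old != new:
            changes[name] = (old, new)
    return changes

def assess(baseline, current):
    """'ok' when nothing moved; 'registrar-transfer' when only the registrar
    changed and the domain still points where it did; 'hijack' when the DNS
    data or the responsible contact changed as well."""
    changes = diff_records(baseline, current)
    if not changes:
        return "ok", changes
    if set(changes) == {"registrar"}:
        return "registrar-transfer", changes
    return "hijack", changes

# Constructed snapshots (placeholders apart from the values taken from the article).
BASELINE = DomainRecord(
    domain="panix.com", registrar="Dotster",
    nameservers=frozenset({"ns1.panix-baseline.example", "ns2.panix-baseline.example"}),
    a_records=frozenset({"166.84.1.1"}),
    admin_contact="hostmaster@panix-baseline.example")

TRANSFERRED = replace(BASELINE, registrar="Melbourne IT")  # record moved, DNS intact

HIJACKED = replace(
    BASELINE, registrar="Melbourne IT",
    nameservers=frozenset({"ns1.parking-host.example"}),
    a_records=frozenset({"192.0.2.10"}),             # TEST-NET placeholder
    admin_contact="someone-else@parking-host.example")
```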
This all presented a nearly insuperable problem
for Panix. The company with which it has a business
relationship, Dotster, no longer had any control
over the registration record. The company now in
control of the record had no knowledge of how it came to
be in control, nor could it be sure who should have
control. It didn't know Panix from the man in the
moon.
Since the transfer of Panix's registration was
made erroneously—probably even illegally—and
bypassed normal procedures, there were few log file
entries that could help sort the situation out.
After all, when something doesn't happen, there usually
isn't an explicit record of it. The only other party
that could have corrected the erroneous registration
record was the registry—VeriSign. And yet, in the
absence of any documentation that said who should own
panix.com, and what IP address should be associated
with it, VeriSign says it was helpless to act.
Further complicating Rosen's plight was the timing
of the attack, and the time difference between New
York and Melbourne—16 hours. Early Saturday morning in
the United States is late Saturday night in
Australia. While Melbourne IT has 24-hour phone
support on weekdays, its support office is closed from
Saturday afternoon to Monday morning—precisely when
Rosen desperately needed to reach someone.