This is a coordinated hacking. (Was Re: Need help in flushing DNS)
Jared Mauch
jared at puck.nether.net
Thu Jun 20 19:57:12 UTC 2013
It seems there may be a need for some sort of 'dns-health' check out there that can be done in semi-realtime.
I ran a report for someone earlier today on a domain doing an xref against open resolver data searching for valid responses vs invalid ones.
Is this of value? Does it need to be automated?
- Jared
On Jun 20, 2013, at 3:53 PM, jamie rishaw <j at arpa.com> wrote:
> This is most definitely a coordinated and planned attack.
>
> And by 'attack' I mean hijacking of domain names.
>
> I show as of this morning nearly fifty thousand domain names that appear
> suspicious.
>
> I'm tempted to call uscentcom and/or related agencies (which agencies, who
> the hell knows, as ICE seems to have some sort of authority over domains
> (nearly two hundred fifty of them as I type this in COM alone and another
> thirty-some in NET).
>
> Anyone credentialed (credentialed /n/., "I know you or know of you,")
> wanting data, e-mail me off-list for some TLD goodness.
>
>
>
>
>
>
> On Thu, Jun 20, 2013 at 12:29 PM, Phil Fagan <philfagan at gmail.com> wrote:
>
>> Agree'd in these "smaller" scenario's I just wonder if in a larger scale
>> scenario, whatever that might look like, if its necessary. Whereby many
>> organizations who provide "services" are effected. Perhaps the result of a
>> State led campaign ....topic for another day.
>>
>>
>>
>>
>> On Thu, Jun 20, 2013 at 11:25 AM, Paul Ferguson <fergdawgster at gmail.com
>>> wrote:
>>
>>> I am betting that Netsol doesn't need any more "coordination" at the
>>> moment -- their phones are probably ringing off-the-hook. There are
>>> still ~400 domains still pointing to the ztomy NS:
>>>
>>>
>>> ; <<>> DiG 9.7.3 <<>> @foohost parsonstech.com NS
>>> ; (1 server found)
>>> ;; global options: +cmd
>>> ;; Got answer:
>>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49064
>>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
>>>
>>> ;; QUESTION SECTION:
>>> ;parsonstech.com. IN NS
>>>
>>> ;; ANSWER SECTION:
>>> parsonstech.com. 172800 IN NS ns2617.ztomy.com.
>>> parsonstech.com. 172800 IN NS ns1617.ztomy.com.
>>>
>>> ;; Query time: 286 msec
>>> ;; SERVER: 127.0.0.1#53(127.0.0.1)
>>> ;; WHEN: Thu Jun 20 19:16:25 2013
>>> ;; MSG SIZE rcvd: 81
>>>
>>> - ferg
>>>
>>> On Thu, Jun 20, 2013 at 10:13 AM, Phil Fagan <philfagan at gmail.com>
>> wrote:
>>>
>>>> I should caveat.....coordinate the "recovery" of.
>>>>
>>>>
>>>> On Thu, Jun 20, 2013 at 11:10 AM, Brandon Butterworth
>>>> <brandon at rd.bbc.co.uk>wrote:
>>>>
>>>>>> Is there an organization that coordinates outages like this amongst
>>> the
>>>>>> industry?
>>>>>
>>>>> No, usually they are surprise outages though Anonymous have tried
>>>>> coordinating a few
>>>>>
>>>>> brandon
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Phil Fagan
>>>> Denver, CO
>>>> 970-480-7618
>>>
>>>
>>>
>>> --
>>> "Fergie", a.k.a. Paul Ferguson
>>> fergdawgster(at)gmail.com
>>>
>>
>>
>>
>> --
>> Phil Fagan
>> Denver, CO
>> 970-480-7618
>>
>
>
>
> --
> Jamie Rishaw // .com.arpa at j <- reverse it. ish.
> [Impressive C-level Title Here], arpa / arpa labs
More information about the NANOG
mailing list