This is a coordinated hacking. (Was Re: Need help in flushing DNS)

jamie rishaw j at arpa.com
Thu Jun 20 20:02:28 UTC 2013


I'm rechecking realtime ns1620/2620 DNS right now and, looking at the
output, I see an odd number of domains (that have changed) with a listed
nameserver of "localhost.".

Is this some sort of tactic I'm unaware of?


On Thu, Jun 20, 2013 at 2:57 PM, Jared Mauch <jared at puck.nether.net> wrote:

> It seems there may be a need for some sort of 'dns-health' check out there
> that can be done in semi-realtime.
>
> I ran a report for someone earlier today on a domain doing an xref against
> open resolver data searching for valid responses vs invalid ones.
>
> Is this of value?  Does it need to be automated?
>
> - Jared
>
> On Jun 20, 2013, at 3:53 PM, jamie rishaw <j at arpa.com> wrote:
>
> > This is most definitely a coordinated and planned attack.
> >
> > And by 'attack' I mean hijacking of domain names.
> >
> > I show as of this morning nearly fifty thousand domain names that appear
> > suspicious.
> >
> > I'm tempted to call uscentcom and/or related agencies (which agencies, who
> > the hell knows, as ICE seems to have some sort of authority over domains
> > (nearly two hundred fifty of them as I type this in COM alone and another
> > thirty-some in NET).
> >
> > Anyone credentialed (credentialed /n/., "I know you or know of you,")
> > wanting data, e-mail me off-list for some TLD goodness.
> >
> >
> >
> >
> >
> >
> > On Thu, Jun 20, 2013 at 12:29 PM, Phil Fagan <philfagan at gmail.com> wrote:
> >
> >> Agreed in these "smaller" scenarios; I just wonder if, in a larger scale
> >> scenario, whatever that might look like, it's necessary, whereby many
> >> organizations who provide "services" are affected. Perhaps the result of a
> >> State-led campaign ....topic for another day.
> >>
> >>
> >>
> >>
> >> On Thu, Jun 20, 2013 at 11:25 AM, Paul Ferguson <fergdawgster at gmail.com> wrote:
> >>
> >>> I am betting that Netsol doesn't need any more "coordination" at the
> >>> moment -- their phones are probably ringing off-the-hook. There are
> >>> still ~400 domains still pointing to the ztomy NS:
> >>>
> >>>
> >>> ; <<>> DiG 9.7.3 <<>> @foohost parsonstech.com NS
> >>> ; (1 server found)
> >>> ;; global options: +cmd
> >>> ;; Got answer:
> >>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49064
> >>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
> >>>
> >>> ;; QUESTION SECTION:
> >>> ;parsonstech.com.        IN    NS
> >>>
> >>> ;; ANSWER SECTION:
> >>> parsonstech.com.    172800    IN    NS    ns2617.ztomy.com.
> >>> parsonstech.com.    172800    IN    NS    ns1617.ztomy.com.
> >>>
> >>> ;; Query time: 286 msec
> >>> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> >>> ;; WHEN: Thu Jun 20 19:16:25 2013
> >>> ;; MSG SIZE  rcvd: 81
> >>>
> >>> - ferg
> >>>
> >>> On Thu, Jun 20, 2013 at 10:13 AM, Phil Fagan <philfagan at gmail.com> wrote:
> >>>
> >>>> I should caveat.....coordinate the "recovery" of.
> >>>>
> >>>>
> >>>> On Thu, Jun 20, 2013 at 11:10 AM, Brandon Butterworth <brandon at rd.bbc.co.uk> wrote:
> >>>>
> >>>>>> Is there an organization that coordinates outages like this amongst the
> >>>>>> industry?
> >>>>>
> >>>>> No, usually they are surprise outages though Anonymous have tried
> >>>>> coordinating a few
> >>>>>
> >>>>> brandon
> >>>>>
> >>>>
> >>>>
> >>>>
> >>>> --
> >>>> Phil Fagan
> >>>> Denver, CO
> >>>> 970-480-7618
> >>>
> >>>
> >>>
> >>> --
> >>> "Fergie", a.k.a. Paul Ferguson
> >>> fergdawgster(at)gmail.com
> >>>
> >>
> >>
> >>
> >> --
> >> Phil Fagan
> >> Denver, CO
> >> 970-480-7618
> >>
> >
> >
> >
> > --
> > Jamie Rishaw // .com.arpa at j <- reverse it. ish.
> > [Impressive C-level Title Here], arpa / arpa labs
>
>


-- 
Jamie Rishaw // .com.arpa at j <- reverse it. ish.
[Impressive C-level Title Here], arpa / arpa labs
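A minimal version of the semi-realtime "dns-health" check Jared suggests, added here as an example and not code from the thread or from any list participant: it parses NS records in the dig answer-section format Ferg pasted and flags delegations to the ztomy nameserver family or to "localhost.", the two patterns named in the thread. The example.net/example.org records are constructed input; the ztomy line is the one from the thread.

```python
import re
from typing import Dict, List

# Constructed sample in the dig answer-section layout shown in the thread
# (owner, TTL, class, type, target). parsonstech.com is the thread's own line;
# the example.* records are made up for illustration.
SAMPLE_DIG_OUTPUT = """\
;; ANSWER SECTION:
parsonstech.com.    172800    IN    NS    ns2617.ztomy.com.
parsonstech.com.    172800    IN    NS    ns1617.ztomy.com.
example.net.        172800    IN    NS    localhost.
example.org.        86400     IN    NS    ns1.example-hosting.net.
example.org.        86400     IN    NS    ns2.example-hosting.net.
"""

# Delegation targets a defender would flag: the nameserver family named in
# the thread, and "localhost.", which is never a legitimate NS target.
SUSPICIOUS_NS = (
    re.compile(r"^ns\d+\.ztomy\.com\.$", re.IGNORECASE),
    re.compile(r"^localhost\.$", re.IGNORECASE),
)

# One dig answer line: owner  TTL  IN  NS  target
NS_LINE = re.compile(r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+NS\s+(?P<target>\S+)\s*$")


def parse_ns_records(dig_text: str) -> Dict[str, List[str]]:
    """Group NS targets by owner name; dig's ';' comment lines are skipped."""
    records: Dict[str, List[str]] = {}
    for line in dig_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = NS_LINE.match(line)
        if m:
            records.setdefault(m["owner"].lower(), []).append(m["target"].lower())
    return records


def flag_suspicious(records: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Return {domain: [matching NS targets]} for delegations that look hijacked."""
    flagged: Dict[str, List[str]] = {}
    for owner, targets in records.items():
        hits = [t for t in targets if any(p.match(t) for p in SUSPICIOUS_NS)]
        if hits:
            flagged[owner] = hits
    return flagged


if __name__ == "__main__":
    for domain, hits in flag_suspicious(parse_ns_records(SAMPLE_DIG_OUTPUT)).items():
        print(f"{domain}: suspicious NS {', '.join(hits)}")
```

To run it against live data, feed it the answer section of `dig <domain> NS` for each domain on a watch list, rather than the constructed sample.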
