This is a coordinated hacking. (Was Re: Need help in flushing DNS)

jamie rishaw j at arpa.com
Thu Jun 20 20:21:07 UTC 2013


It's not poisoning.  They somehow were able to modify the NS records; one
would presume, at the registrar/s.

As far as the logic of the DNS, it is functioning as designed (What's up,
Vix!) - There's another aspect of this that caused this situation.

Any Alexa or similar people on this list (Goog PR, etc)?  I'd love to bulk
submit a domain list for some analytics.  Contact me off list.



On Thu, Jun 20, 2013 at 3:14 PM, George Herbert <george.herbert at gmail.com> wrote:

> Poisoning a domain's NS records with localhost will most certainly DOS the
> domain, yes.
>
> I have not yet seen the source of this; if anyone has a clue where the
> updates are coming from please post the info.
>
> Is there anything about ztomy.com that has been seen that's suspicious as
> in they might be the origin?  This could be them, or could be a joe-job
> against them.  I do not want to point a finger lacking any sort of actual
> data dump of the poisoning activity...
>
>
>
>
> On Thu, Jun 20, 2013 at 1:02 PM, jamie rishaw <j at arpa.com> wrote:
>
>> I'm rechecking realtime ns1620/2620 DNS right now and, looking at the
>> output, I see an odd number of domains (that have changed) with a listed
>> nameserver of "localhost.".
>>
>> Is this some sort of tactic I'm unaware of?
>>
>>
>> On Thu, Jun 20, 2013 at 2:57 PM, Jared Mauch <jared at puck.nether.net>
>> wrote:
>>
>> > It seems there may be a need for some sort of 'dns-health' check out
>> > there that can be done in semi-realtime.
>> >
>> > I ran a report for someone earlier today on a domain doing an xref
>> > against open resolver data searching for valid responses vs invalid ones.
>> >
>> > Is this of value?  Does it need to be automated?
>> >
>> > - Jared
>> >
>> > On Jun 20, 2013, at 3:53 PM, jamie rishaw <j at arpa.com> wrote:
>> >
>> > > This is most definitely a coordinated and planned attack.
>> > >
>> > > And by 'attack' I mean hijacking of domain names.
>> > >
>> > > I show as of this morning nearly fifty thousand domain names that
>> > > appear suspicious.
>> > >
>> > > I'm tempted to call uscentcom and/or related agencies (which agencies,
>> > > who the hell knows, as ICE seems to have some sort of authority over
>> > > domains (nearly two hundred fifty of them as I type this in COM alone
>> > > and another thirty-some in NET).
>> > >
>> > > Anyone credentialed (credentialed /n/., "I know you or know of you,")
>> > > wanting data, e-mail me off-list for some TLD goodness.
>> > >
>> > >
>> > >
>> > >
>> > >
>> > >
>> > > On Thu, Jun 20, 2013 at 12:29 PM, Phil Fagan <philfagan at gmail.com>
>> > wrote:
>> > >
>> > >> Agreed in these "smaller" scenarios. I just wonder, in a larger
>> > >> scale scenario, whatever that might look like, if it's necessary,
>> > >> whereby many organizations who provide "services" are affected. Perhaps
>> > >> the result of a State led campaign ....topic for another day.
>> > >>
>> > >>
>> > >>
>> > >>
>> > >> On Thu, Jun 20, 2013 at 11:25 AM, Paul Ferguson <fergdawgster at gmail.com>
>> > >> wrote:
>> > >>
>> > >>> I am betting that Netsol doesn't need any more "coordination" at the
>> > >>> moment -- their phones are probably ringing off-the-hook. There are
>> > >>> still ~400 domains still pointing to the ztomy NS:
>> > >>>
>> > >>>
>> > >>> ; <<>> DiG 9.7.3 <<>> @foohost parsonstech.com NS
>> > >>> ; (1 server found)
>> > >>> ;; global options: +cmd
>> > >>> ;; Got answer:
>> > >>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49064
>> > >>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
>> > >>>
>> > >>> ;; QUESTION SECTION:
>> > >>> ;parsonstech.com.        IN    NS
>> > >>>
>> > >>> ;; ANSWER SECTION:
>> > >>> parsonstech.com.    172800    IN    NS    ns2617.ztomy.com.
>> > >>> parsonstech.com.    172800    IN    NS    ns1617.ztomy.com.
>> > >>>
>> > >>> ;; Query time: 286 msec
>> > >>> ;; SERVER: 127.0.0.1#53(127.0.0.1)
>> > >>> ;; WHEN: Thu Jun 20 19:16:25 2013
>> > >>> ;; MSG SIZE  rcvd: 81
>> > >>>
>> > >>> - ferg
>> > >>>
>> > >>> On Thu, Jun 20, 2013 at 10:13 AM, Phil Fagan <philfagan at gmail.com>
>> > >>> wrote:
>> > >>>
>> > >>>> I should caveat.....coordinate the "recovery" of.
>> > >>>>
>> > >>>>
>> > >>>> On Thu, Jun 20, 2013 at 11:10 AM, Brandon Butterworth
>> > >>>> <brandon at rd.bbc.co.uk> wrote:
>> > >>>>
>> > >>>>>> Is there an organization that coordinates outages like this
>> > >>>>>> amongst the industry?
>> > >>>>>
>> > >>>>> No, usually they are surprise outages, though Anonymous have tried
>> > >>>>> coordinating a few
>> > >>>>>
>> > >>>>> brandon
>> > >>>>>
>> > >>>>
>> > >>>>
>> > >>>>
>> > >>>> --
>> > >>>> Phil Fagan
>> > >>>> Denver, CO
>> > >>>> 970-480-7618
>> > >>>
>> > >>>
>> > >>>
>> > >>> --
>> > >>> "Fergie", a.k.a. Paul Ferguson
>> > >>> fergdawgster(at)gmail.com
>> > >>>
>> > >>
>> > >>
>> > >>
>> > >> --
>> > >> Phil Fagan
>> > >> Denver, CO
>> > >> 970-480-7618
>> > >>
>> > >
>> > >
>> > >
>> > > --
>> > > Jamie Rishaw // .com.arpa at j <- reverse it. ish.
>> > > [Impressive C-level Title Here], arpa / arpa labs
>> >
>> >
>>
>>
>> --
>> Jamie Rishaw // .com.arpa at j <- reverse it. ish.
>> [Impressive C-level Title Here], arpa / arpa labs
>>
>
>
>
> --
> -george william herbert
> george.herbert at gmail.com
>



-- 
Jamie Rishaw // .com.arpa at j <- reverse it. ish.
[Impressive C-level Title Here], arpa / arpa labs
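A defender-side check in the spirit of the 'dns-health' idea and the "localhost." nameserver observation in the thread above, added here as an example (not code from anyone in the thread): it parses the ANSWER SECTION of `dig ... NS` output and flags delegations to localhost or to nameservers outside the set the operator expects. The parsonstech.com answer is the one quoted in the thread; the example.com answer and the expected-NS sets are constructed.

```python
import re

# One NS record line from dig's ANSWER SECTION, e.g.
# "parsonstech.com.    172800    IN    NS    ns2617.ztomy.com."
NS_RE = re.compile(r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+NS\s+(?P<target>\S+)\s*$")

# Quoted from the thread: a domain still delegated to the ztomy nameservers.
DIG_ZTOMY = """\
;; ANSWER SECTION:
parsonstech.com.    172800    IN    NS    ns2617.ztomy.com.
parsonstech.com.    172800    IN    NS    ns1617.ztomy.com.

;; Query time: 286 msec
"""

# Constructed sample (not from the thread): a delegation changed to localhost.
DIG_LOCALHOST = """\
;; ANSWER SECTION:
example.com.    172800    IN    NS    localhost.
"""

def parse_ns_answer(dig_output):
    """Return {owner: [nameserver, ...]} read from the ANSWER SECTION only."""
    answers = {}
    in_answer = False
    for line in dig_output.splitlines():
        if line.startswith(";; ANSWER SECTION"):
            in_answer = True
            continue
        if not in_answer:
            continue
        if not line.strip() or line.startswith(";"):
            break  # a blank line or the next ';;' header ends the section
        m = NS_RE.match(line)
        if m:
            answers.setdefault(m.group("owner").lower(), []).append(m.group("target").lower())
    return answers

def check_delegation(dig_output, expected_ns):
    """Return sorted (owner, reason, ns) findings; expected_ns maps owner -> set of registered NS."""
    findings = []
    for owner, targets in parse_ns_answer(dig_output).items():
        for ns in targets:
            # A delegation to localhost takes the zone off the Internet (the DoS case above).
            if ns.rstrip(".") == "localhost" or ns.endswith(".localhost."):
                findings.append((owner, "localhost-ns", ns))
            elif ns not in expected_ns.get(owner, set()):
                findings.append((owner, "unexpected-ns", ns))
    return sorted(findings)
```

Run it over the `dig @resolver <domain> NS` output for each domain on a watch list; an empty result means the delegation still matches what was registered.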


