This is a coordinated hacking. (Was Re: Need help in flushing DNS)

Andrew Fried andrew.fried at gmail.com
Thu Jun 20 20:35:45 UTC 2013


Not so easy and straightforward to do.  You'll find that a lot of the
big names out there frequently tweak DNS, which will result in a
non-stop stream of "alerts".

Andy

Andrew Fried
andrew.fried at gmail.com

On 6/20/13 3:57 PM, Jared Mauch wrote:
> It seems there may be a need for some sort of 'dns-health' check out there that can be done in semi-realtime.
> 
> I ran a report for someone earlier today on a domain doing an xref against open resolver data searching for valid responses vs invalid ones.
> 
> Is this of value?  Does it need to be automated?
> 
> - Jared
> 
> On Jun 20, 2013, at 3:53 PM, jamie rishaw <j at arpa.com> wrote:
> 
>> This is most definitely a coordinated and planned attack.
>>
>> And by 'attack' I mean hijacking of domain names.
>>
>> I show as of this morning nearly fifty thousand domain names that appear
>> suspicious.
>>
>> I'm tempted to call uscentcom and/or related agencies (which agencies, who
>> the hell knows, as ICE seems to have some sort of authority over domains
>> (nearly two hundred fifty of them as I type this in COM alone and another
>> thirty-some in NET).
>>
>> Anyone credentialed (credentialed /n/., "I know you or know of you,")
>> wanting data, e-mail me off-list for some TLD goodness.
>>
>> On Thu, Jun 20, 2013 at 12:29 PM, Phil Fagan <philfagan at gmail.com> wrote:
>>
>>> Agreed, in these "smaller" scenarios. I just wonder if in a larger scale
>>> scenario, whatever that might look like, it's necessary. Whereby many
>>> organizations who provide "services" are affected. Perhaps the result of a
>>> State led campaign ... topic for another day.
>>>
>>>
>>>
>>>
>>> On Thu, Jun 20, 2013 at 11:25 AM, Paul Ferguson <fergdawgster at gmail.com> wrote:
>>>
>>>> I am betting that Netsol doesn't need any more "coordination" at the
>>>> moment -- their phones are probably ringing off-the-hook. There are
>>>> still ~400 domains pointing to the ztomy NS:
>>>>
>>>>
>>>> ; <<>> DiG 9.7.3 <<>> @foohost parsonstech.com NS
>>>> ; (1 server found)
>>>> ;; global options: +cmd
>>>> ;; Got answer:
>>>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49064
>>>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
>>>>
>>>> ;; QUESTION SECTION:
>>>> ;parsonstech.com.        IN    NS
>>>>
>>>> ;; ANSWER SECTION:
>>>> parsonstech.com.    172800    IN    NS    ns2617.ztomy.com.
>>>> parsonstech.com.    172800    IN    NS    ns1617.ztomy.com.
>>>>
>>>> ;; Query time: 286 msec
>>>> ;; SERVER: 127.0.0.1#53(127.0.0.1)
>>>> ;; WHEN: Thu Jun 20 19:16:25 2013
>>>> ;; MSG SIZE  rcvd: 81
>>>>
>>>> - ferg
>>>>
>>>> On Thu, Jun 20, 2013 at 10:13 AM, Phil Fagan <philfagan at gmail.com> wrote:
>>>>
>>>>> I should caveat.....coordinate the "recovery" of.
>>>>>
>>>>>
>>>>> On Thu, Jun 20, 2013 at 11:10 AM, Brandon Butterworth <brandon at rd.bbc.co.uk> wrote:
>>>>>
>>>>>>> Is there an organization that coordinates outages like this amongst the industry?
>>>>>>
>>>>>> No, usually they are surprise outages, though Anonymous have tried
>>>>>> coordinating a few.
>>>>>>
>>>>>> brandon
>>>>>>
>>>>>
>>>>> --
>>>>> Phil Fagan
>>>>> Denver, CO
>>>>> 970-480-7618
>>>>
>>>> --
>>>> "Fergie", a.k.a. Paul Ferguson
>>>> fergdawgster(at)gmail.com
>>>>
>>>
>>> --
>>> Phil Fagan
>>> Denver, CO
>>> 970-480-7618
>>>
>>
>> -- 
>> Jamie Rishaw // .com.arpa at j <- reverse it. ish.
>> [Impressive C-level Title Here], arpa / arpa labs
> 
> 
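A small detection helper in the spirit of Jared's "dns-health" check and Andy's caveat about alert noise, added here as an example; it is not code from any poster or from NANOG. It parses the NS answer section in dig's format (as in Ferg's output above), flags any delegation under a watched suffix (ztomy.com, from the thread), and suppresses the routine nameserver rotation within one operator that would otherwise alert non-stop. The sample dig text, the registrar-a.test names and the "operator = last two labels" rule are my constructions and simplifications.

```python
import re

# Constructed sample in dig's answer-section format: the owner name is made up,
# the two ztomy.com targets are the ones quoted in the thread.
SAMPLE_DIG = """\
;; ANSWER SECTION:
example-corp.test.    172800    IN    NS    ns2617.ztomy.com.
example-corp.test.    172800    IN    NS    ns1617.ztomy.com.
"""

NS_LINE = re.compile(r"^(?P<owner>\S+)\s+\d+\s+IN\s+NS\s+(?P<target>\S+)\s*$")

def parse_ns(dig_text):
    """Return {owner: {nameserver, ...}} from the NS records in dig output."""
    found = {}
    for line in dig_text.splitlines():
        m = NS_LINE.match(line)
        if m:  # ';;' comment lines and other record types never match
            owner = m["owner"].lower().rstrip(".")
            found.setdefault(owner, set()).add(m["target"].lower().rstrip("."))
    return found

def provider(ns_name):
    """Crude 'who operates this NS' key: the last two labels. A public-suffix
    list would be more accurate; this simplification is deliberate."""
    return ".".join(ns_name.split(".")[-2:])

def classify(observed, baseline, watch_suffixes):
    """Label one domain's current NS set against its known-good set.

    watchlist-hit     some NS sits under a watched suffix (e.g. the ztomy.com NS)
    delegation-moved  no NS shares an operator with the baseline set
    ok                unchanged, or only rotated within the same operator(s);
                      that routine tweaking is what would otherwise flood alerts
    """
    if any(ns == s or ns.endswith("." + s) for ns in observed for s in watch_suffixes):
        return "watchlist-hit"
    if observed == baseline:
        return "ok"
    if not {provider(n) for n in observed} & {provider(n) for n in baseline}:
        return "delegation-moved"
    return "ok"

def review(dig_text, baselines, watch_suffixes):
    """Run classify() over every owner parsed from dig output (hypothetical driver)."""
    return {owner: classify(ns, baselines.get(owner, set()), watch_suffixes)
            for owner, ns in parse_ns(dig_text).items()}
```

Feed it the NS section of a scripted `dig` run per domain plus a baseline captured before the incident; only "watchlist-hit" and "delegation-moved" need a human.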




More information about the NANOG mailing list