Not sure of some of the underlying details of the mechanics right now.

http://news.softpedia.com/news/LinkedIn-Outage-Caused-by-DDOS-Attack-on-Netw...

- ferg

On Fri, Jun 21, 2013 at 5:22 PM, Glen Kent <glen.kent@gmail.com> wrote:
Hi,
Do we know which DNS server started leaking the poisoned entry?
Being new to this, I still don't understand how a hacker could gain access to the DNS server and corrupt the entry there. Wouldn't it require special admin rights, etc. to log in?
Glen
On Thu, Jun 20, 2013 at 11:32 AM, Paul Ferguson <fergdawgster@gmail.com> wrote:
Hanlon's razor? Misconfiguration. Perhaps not done in malice, but I have no idea where the poison leaked in, or why. :-)
- ferg
On Wed, Jun 19, 2013 at 10:49 PM, Alex Buie <alex.buie@frozenfeline.net> wrote:
Anyone have news/explanation about what's happening/happened?
On Wed, Jun 19, 2013 at 10:34 PM, Paul Ferguson <fergdawgster@gmail.com> wrote:
Sure enough:
; <<>> DiG 9.7.3 <<>> @localhost yelp.com A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53267
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;yelp.com. IN A

;; ANSWER SECTION:
yelp.com. 300 IN A 204.11.56.20

;; Query time: 143 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Jun 20 07:33:13 2013
;; MSG SIZE rcvd: 42
NetRange: 204.11.56.0 - 204.11.59.255
CIDR: 204.11.56.0/22
OriginAS: AS40034
NetName: CONFLUENCE-NETWORKS--TX3
NetHandle: NET-204-11-56-0-1
Parent: NET-204-0-0-0-0
NetType: Direct Allocation
Comment: Hosted in Austin TX.
Comment: Abuse :
Comment: abuse@confluence-networks.com
Comment: +1-917-386-6118
RegDate: 2012-09-24
Updated: 2012-09-24
Ref: http://whois.arin.net/rest/net/NET-204-11-56-0-1

OrgName: Confluence Networks Inc
OrgId: CN
Address: 3rd Floor, Omar Hodge Building, Wickhams
Address: Cay I, P.O. Box 362
City: Road Town
StateProv: Tortola
PostalCode: VG1110
Country: VG
RegDate: 2011-04-07
Updated: 2011-07-05
Ref: http://whois.arin.net/rest/org/CN

OrgAbuseHandle: ABUSE3065-ARIN
OrgAbuseName: Abuse Admin
OrgAbusePhone: +1-917-386-6118
OrgAbuseEmail: abuse@confluence-networks.com
OrgAbuseRef: http://whois.arin.net/rest/poc/ABUSE3065-ARIN

OrgNOCHandle: NOCAD51-ARIN
OrgNOCName: NOC Admin
OrgNOCPhone: +1-415-462-7734
OrgNOCEmail: noc@confluence-networks.com
OrgNOCRef: http://whois.arin.net/rest/poc/NOCAD51-ARIN

OrgTechHandle: TECHA29-ARIN
OrgTechName: Tech Admin
OrgTechPhone: +1-415-358-0858
OrgTechEmail: ipadmin@confluence-networks.com
OrgTechRef: http://whois.arin.net/rest/poc/TECHA29-ARIN

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
- ferg
On Wed, Jun 19, 2013 at 10:30 PM, Grant Ridder <shortdudey123@gmail.com> wrote:
Yelp is evidently also affected
On Wed, Jun 19, 2013 at 10:19 PM, John Levine <johnl@iecc.com> wrote:
> Reaching out to DNS operators around the globe. Linkedin.com has
> had some issues with DNS and would like DNS operators to flush their DNS.
> If you see www.linkedin.com resolving NS to ns1617.ztomy.com or
> ns2617.ztomy.com then please flush your DNS.
>
> Any other info please reach out to me off-list.
While you're at it, www.usps.com, www.fidelity.com, and other well known sites have had DNS poisoning problems. When I restarted my cache, they look OK.
-- "Fergie", a.k.a. Paul Ferguson fergdawgster(at)gmail.com
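The check the advisory above asks resolver operators to make, as an added example that is not part of this thread: it parses dig's ANSWER SECTION from a local resolver and flags answers that point at the ztomy.com nameservers named for www.linkedin.com or that land in the 204.11.56.0/22 netblock from the ARIN whois for the poisoned yelp.com answer. The dig text is constructed for the example; the www.usps.com address in it is a documentation-range placeholder, not the real record.

```python
import ipaddress
import re

# Constructed dig output: the yelp.com answer copies the thread, the
# www.linkedin.com NS answer uses the nameserver named in the advisory,
# and www.usps.com gets a documentation-range placeholder address.
SAMPLE_DIG = """\
;; QUESTION SECTION:
;yelp.com.\t\t\tIN\tA

;; ANSWER SECTION:
yelp.com.\t\t300\tIN\tA\t204.11.56.20
www.linkedin.com.\t300\tIN\tNS\tns1617.ztomy.com.
www.usps.com.\t\t300\tIN\tA\t198.51.100.7
"""

# Indicators quoted in the thread: the parked-domain nameservers named for
# www.linkedin.com and the ARIN netblock the poisoned yelp.com answer fell in.
SUSPECT_NS = {"ns1617.ztomy.com.", "ns2617.ztomy.com."}
SUSPECT_NETS = [ipaddress.ip_network("204.11.56.0/22")]
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(A|AAAA|NS|CNAME)\s+(\S+)$")

def parse_answer_section(dig_output):
    """Return (name, ttl, rtype, rdata) tuples from dig's ANSWER SECTION."""
    records, in_answer = [], False
    for line in dig_output.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if line.startswith(";;") or not line.strip():
            in_answer = False  # another ';;' header or a blank line ends the section
            continue
        m = RR_LINE.match(line) if in_answer else None
        if m:
            name, ttl, rtype, rdata = m.groups()
            records.append((name, int(ttl), rtype, rdata))
    return records

def poisoned_records(records):
    """Flag answers pointing at a suspect nameserver or into a suspect netblock."""
    hits = []
    for name, _ttl, rtype, rdata in records:
        if rtype == "NS" and rdata.lower() in SUSPECT_NS:
            hits.append((name, rtype, rdata, "suspect nameserver"))
        elif rtype in ("A", "AAAA") and any(
                ipaddress.ip_address(rdata) in net for net in SUSPECT_NETS):
            hits.append((name, rtype, rdata, "suspect netblock"))
    return hits
```

Feed it the output of `dig @localhost <name>` for each name on the list; any hit means the resolver's cache still holds the bad answer and should be flushed.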