It's not poisoning. They somehow were able to modify the NS records; one would presume, at the registrar/s. As far as the logic of the DNS, it is functioning as designed (What's up, Vix!) - There's another aspect of this that caused this situation. Any Alexa or similar people on this list (Goog PR, etc)? I'd love to bulk submit a domain list for some analytics. Contact me off list. On Thu, Jun 20, 2013 at 3:14 PM, George Herbert <george.herbert@gmail.com>wrote:
Poisoning a domain's NS records with localhost will most certainly DOS the domain, yes.
I have not yet seen the source of this; if anyone has a clue where the updates are coming from please post the info.
Is there anything about ztomy.com that has been seen that's supicious as in they might be the origin? This could be them, or could be a joe-job against them. I do not want to point a finger lacking any sort of actual data dump of the poisoning activity...
On Thu, Jun 20, 2013 at 1:02 PM, jamie rishaw <j@arpa.com> wrote:
I'm rechecking realtime ns1620/2620 DNS right now and, looking at the output, I see an odd number of domains (that have changed) with a listed nameserver of "localhost.".
Is this some sort of tactic I'm unaware of?
On Thu, Jun 20, 2013 at 2:57 PM, Jared Mauch <jared@puck.nether.net> wrote:
It seems there may be a need for some sort of 'dns-health' check out there that can be done in semi-realtime.
I ran a report for someone earlier today on a domain doing an xref against open resolver data searching for valid responses vs invalid ones.
Is this of value? Does it need to be automated?
- Jared
On Jun 20, 2013, at 3:53 PM, jamie rishaw <j@arpa.com> wrote:
This is most definitely a coordinated and planned attack.
And by 'attack' I mean hijacking of domain names.
I show as of this morning nearly fifty thousand domain names that appear suspicious.
I'm tempted to call uscentcom and/or related agencies (which agencies, who the hell knows, as ICE seems to have some sort of authority over domains (nearly two hundred fifty of them as I type this in COM alone and another thirty-some in NET).
Anyone credentialed (credentialed /n/., "I know you or know of you,") wanting data, e-mail me off-list for some TLD goodness.
On Thu, Jun 20, 2013 at 12:29 PM, Phil Fagan <philfagan@gmail.com> wrote:
Agree'd in these "smaller" scenario's I just wonder if in a larger scale scenario, whatever that might look like, if its necessary. Whereby many organizations who provide "services" are effected. Perhaps the result of a State led campaign ....topic for another day.
On Thu, Jun 20, 2013 at 11:25 AM, Paul Ferguson < fergdawgster@gmail.com
wrote:
I am betting that Netsol doesn't need any more "coordination" at the moment -- their phones are probably ringing off-the-hook. There are still ~400 domains still pointing to the ztomy NS:
; <<>> DiG 9.7.3 <<>> @foohost parsonstech.com NS ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49064 ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION: ;parsonstech.com. IN NS
;; ANSWER SECTION: parsonstech.com. 172800 IN NS ns2617.ztomy.com. parsonstech.com. 172800 IN NS ns1617.ztomy.com.
;; Query time: 286 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Thu Jun 20 19:16:25 2013 ;; MSG SIZE rcvd: 81
- ferg
On Thu, Jun 20, 2013 at 10:13 AM, Phil Fagan <philfagan@gmail.com> wrote:
> I should caveat.....coordinate the "recovery" of. > > > On Thu, Jun 20, 2013 at 11:10 AM, Brandon Butterworth > <brandon@rd.bbc.co.uk>wrote: > >>> Is there an organization that coordinates outages like this amongst the >>> industry? >> >> No, usually they are surprise outages though Anonymous have tried >> coordinating a few >> >> brandon >> > > > > -- > Phil Fagan > Denver, CO > 970-480-7618
-- "Fergie", a.k.a. Paul Ferguson fergdawgster(at)gmail.com
-- Phil Fagan Denver, CO 970-480-7618
-- Jamie Rishaw // .com.arpa@j <- reverse it. ish. [Impressive C-level Title Here], arpa / arpa labs
-- Jamie Rishaw // .com.arpa@j <- reverse it. ish. [Impressive C-level Title Here], arpa / arpa labs
-- -george william herbert george.herbert@gmail.com
-- Jamie Rishaw // .com.arpa@j <- reverse it. ish. [Impressive C-level Title Here], arpa / arpa labs