Need help in flushing DNS
Reaching out to DNS operators around the globe. Linkedin.com has had some issues with DNS and would like DNS operators to flush their DNS. If you see www.linkedin.com resolving NS to ns1617.ztomy.com or ns2617.ztomy.com then please flush your DNS.

Any other info please reach out to me off-list.

Zaid
While you're at it, www.usps.com, www.fidelity.com, and other well known sites have had DNS poisoning problems. When I restarted my cache, they look OK.
Yelp is evidently also affected

On Wed, Jun 19, 2013 at 10:19 PM, John Levine <johnl@iecc.com> wrote:
While you're at it, www.usps.com, www.fidelity.com, and other well known sites have had DNS poisoning problems. When I restarted my cache, they look OK.
On Jun 20, 2013, at 01:30 , Grant Ridder <shortdudey123@gmail.com> wrote:
Yelp is evidently also affected
Not from here.

If the NS or www points to 204.11.56.0/24 for a production domain/hostname, that's "bad".

Yelp seems to be resolving normally for me.

--
TTFN,
patrick
On Wed, Jun 19, 2013 at 10:32 PM, Patrick W. Gilmore <patrick@ianai.net> wrote:
Not from here.
Patrick:

$ dig NS yelp.com @8.8.8.8 +short
ns1620.ztomy.com.
ns2620.ztomy.com.

Some DNS servers have the bad records - TLD for .com is updated already.

Cheers,
Tom
On Wed, Jun 19, 2013 at 10:44 PM, Tom Paseka <tom@cloudflare.com> wrote:
$ dig NS yelp.com @8.8.8.8 +short
ns1620.ztomy.com.
ns2620.ztomy.com.
Ditto local:

; <<>> DiG 9.7.3 <<>> @[foohost] yelp.com NS
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20230
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;yelp.com.                      IN      NS

;; ANSWER SECTION:
yelp.com.               300     IN      NS      ns1620.ztomy.com.
yelp.com.               300     IN      NS      ns2620.ztomy.com.

;; Query time: 143 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Jun 20 07:48:06 2013
;; MSG SIZE  rcvd: 74

- ferg

--
"Fergie", a.k.a. Paul Ferguson
fergdawgster(at)gmail.com
I think "ztomy.com" smells really bad for some reason, looks like 100% advertising; sure doesn't "appear" to be a DNS hosting provider, I sure can't imagine two major domains entering incorrect authoritative nameserver list changes on the same day...

http://www.dailychanges.com/ztomy.com/#transferred-in

"The domain ztomy.com was registered on November 22, 2007, and we have nameserver history going back to December 9, 2007. It is listed as a nameserver for 182,174 domains Currently displaying 50 of 1,602 domain names transferred into ztomy.com on June 19, 2013."
-- -JH
On Jun 19, 2013, at 11:23 PM, Jimmy Hess <mysidia@gmail.com> wrote:
I think "ztomy.com" smells really bad for some reason, looks like 100% advertising;
IIRC, Confluence Networks/ztomy pounce on expired domains to sell ads or somesuch. I seem to recall them grabbing the parent domain of name servers for ben.edu last year...

Regards,
-drc
I have domains that are *not* expired, which are being affected by this. Domains are hosted via Dynect, and are resolving into this 204.11.56.0/24 range across the globe. Dynect management portal was down until minutes ago as well.

- Charles

On Jun 20, 2013, at 12:45 AM, David Conrad <drc@virtualized.org> wrote:
IIRC, Confluence Networks/ztomy pounce on expired domains to sell ads or somesuch. I seem to recall them grabbing the parent domain of name servers for ben.edu last year...
Some news coverage here with pretty pictures of LinkedIn access:
http://techcrunch.com/2013/06/19/linkedin-outage-due-to-possible-dns-hijacking/

Frank

-----Original Message-----
From: Jimmy Hess [mailto:mysidia@gmail.com]
Sent: Thursday, June 20, 2013 1:23 AM
To: Paul Ferguson
Cc: NANOG list
Subject: Re: Need help in flushing DNS

On 6/20/13, Paul Ferguson <fergdawgster@gmail.com> wrote:
I think "ztomy.com" smells really bad for some reason, looks like 100% advertising; sure doesn't "appear" to be a DNS hosting provider, I sure can't imagine two major domains entering incorrect authoritative nameserver list changes on the same day...
Is there an organization that coordinates outages like this amongst the industry?

On Thu, Jun 20, 2013 at 9:36 AM, Frank Bulk <frnkblk@iname.com> wrote:
Some news coverage here with pretty pictures of LinkedIn access:
http://techcrunch.com/2013/06/19/linkedin-outage-due-to-possible-dns-hijacking/
-- Phil Fagan Denver, CO 970-480-7618
I'm sure that folks in the ICANN SSAC will be talking about this subject well into the future once a postmortem is completed. Also, perhaps even the DNS-OARC community.

Coordination? This is the Internet! :-)

- ferg

On Thu, Jun 20, 2013 at 8:49 AM, Phil Fagan <philfagan@gmail.com> wrote:
Is there an organization that coordinates outages like this amongst the industry?
-- "Fergie", a.k.a. Paul Ferguson fergdawgster(at)gmail.com
Hah.. knew it

On Thu, Jun 20, 2013 at 9:53 AM, Paul Ferguson <fergdawgster@gmail.com> wrote:
I'm sure that folks in the ICANN SSAC will be talking about this subject well in to the future once a postmortem is completed. Also, perhaps even the DNS-OARC community.
Coordination? This is the Internet! :-)
-- Phil Fagan Denver, CO 970-480-7618
I don't think there's one recognized authority. However, https://isc.sans.edu/ is pretty up to date.

--chip

On Thu, Jun 20, 2013 at 11:53 AM, Paul Ferguson <fergdawgster@gmail.com> wrote:
I'm sure that folks in the ICANN SSAC will be talking about this subject well in to the future once a postmortem is completed. Also, perhaps even the DNS-OARC community.
Coordination? This is the Internet! :-)
- ferg
On Thu, Jun 20, 2013 at 8:49 AM, Phil Fagan <philfagan@gmail.com> wrote:
Is there an organization that coordinates outages like this amongst the industry?
-- Just my $.02, your mileage may vary, batteries not included, etc....
Is there a need for such authority or coordination center?

On Thu, Jun 20, 2013 at 9:59 AM, chip <chip.gwyn@gmail.com> wrote:
I don't think there's one recognized authority. However, https://isc.sans.edu/ is pretty up to date.
--chip
-- Phil Fagan Denver, CO 970-480-7618
* philfagan@gmail.com (Phil Fagan) [Thu 20 Jun 2013, 17:50 CEST]:
Is there an organization that coordinates outages like this amongst the industry?
No; all outages on the Internet happen independently from each other and are not coordinated to (not) coincide in any way.

-- Niels.

--
"It's amazing what people will do to get their name on the internet, which is odd, because all you really need is a Blogspot account." -- roy edroso, alicublog.blogspot.com
Sure enough:

; <<>> DiG 9.7.3 <<>> @localhost yelp.com A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53267
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;yelp.com.                      IN      A

;; ANSWER SECTION:
yelp.com.               300     IN      A       204.11.56.20

;; Query time: 143 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Jun 20 07:33:13 2013
;; MSG SIZE  rcvd: 42

NetRange:       204.11.56.0 - 204.11.59.255
CIDR:           204.11.56.0/22
OriginAS:       AS40034
NetName:        CONFLUENCE-NETWORKS--TX3
NetHandle:      NET-204-11-56-0-1
Parent:         NET-204-0-0-0-0
NetType:        Direct Allocation
Comment:        Hosted in Austin TX.
Comment:        Abuse :
Comment:        abuse@confluence-networks.com
Comment:        +1-917-386-6118
RegDate:        2012-09-24
Updated:        2012-09-24
Ref:            http://whois.arin.net/rest/net/NET-204-11-56-0-1

OrgName:        Confluence Networks Inc
OrgId:          CN
Address:        3rd Floor, Omar Hodge Building, Wickhams
Address:        Cay I, P.O. Box 362
City:           Road Town
StateProv:      Tortola
PostalCode:     VG1110
Country:        VG
RegDate:        2011-04-07
Updated:        2011-07-05
Ref:            http://whois.arin.net/rest/org/CN

OrgAbuseHandle: ABUSE3065-ARIN
OrgAbuseName:   Abuse Admin
OrgAbusePhone:  +1-917-386-6118
OrgAbuseEmail:  abuse@confluence-networks.com
OrgAbuseRef:    http://whois.arin.net/rest/poc/ABUSE3065-ARIN

OrgNOCHandle:   NOCAD51-ARIN
OrgNOCName:     NOC Admin
OrgNOCPhone:    +1-415-462-7734
OrgNOCEmail:    noc@confluence-networks.com
OrgNOCRef:      http://whois.arin.net/rest/poc/NOCAD51-ARIN

OrgTechHandle:  TECHA29-ARIN
OrgTechName:    Tech Admin
OrgTechPhone:   +1-415-358-0858
OrgTechEmail:   ipadmin@confluence-networks.com
OrgTechRef:     http://whois.arin.net/rest/poc/TECHA29-ARIN

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#

- ferg

On Wed, Jun 19, 2013 at 10:30 PM, Grant Ridder <shortdudey123@gmail.com> wrote:
Yelp is evidently also affected
-- "Fergie", a.k.a. Paul Ferguson fergdawgster(at)gmail.com
Anyone have news/explanation about what's happening/happened?

On Wed, Jun 19, 2013 at 10:34 PM, Paul Ferguson <fergdawgster@gmail.com> wrote:
Sure enough:

;; ANSWER SECTION:
yelp.com.               300     IN      A       204.11.56.20
The only apparent link is registration thru Network Solutions.

On Wed, Jun 19, 2013 at 10:49 PM, Alex Buie <alex.buie@frozenfeline.net> wrote:
Anyone have news/explanation about what's happening/happened?
Hanlon's razor? Misconfiguration. Perhaps not done in malice, but I have no idea where the poison leaked in, or why. :-)

- ferg

On Wed, Jun 19, 2013 at 10:49 PM, Alex Buie <alex.buie@frozenfeline.net> wrote:
Anyone have news/explanation about what's happening/happened?
-- "Fergie", a.k.a. Paul Ferguson fergdawgster(at)gmail.com
Smileyface aside, I'm disappointed to see operators simply flushing caches and not performing at the least a dumpdb for possible future forensic analysis.

This is what I call the "Windows solution," - 'Oh, just reboot, and it'll work'.

We're better than that. (Aren't we?)

On Thu, Jun 20, 2013 at 1:02 AM, Paul Ferguson <fergdawgster@gmail.com> wrote:
Hanlon's razor? Misconfiguration. Perhaps not done in malice, but I have no idea where the poison leaked in, or why. :-)
-- Jamie Rishaw // .com.arpa@j <- reverse it. ish. [Impressive C-level Title Here], arpa / arpa labs
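Two points in this thread invite a concrete check: Patrick's rule that an NS or www record pointing into 204.11.56.0/24 for a production name is "bad", and Jamie's point that a resolver cache should be dumped for forensics before it is flushed. The script below is an added example, not code posted by anyone in the thread: it parses master-file-format records (the format `rndc dumpdb -cache` writes to named_dump.db, and the format of a dig answer section) and flags records matching the two indicators quoted above. The sample records are constructed from the dig output posted in the thread, and the /22 comes from the ARIN record ferg posted; a real run would read the dump file instead of SAMPLE_DUMP.

```python
"""Flag hijacked-looking NS/A records in a resolver cache dump before flushing.

Added example for this thread, not code from any poster. Indicators come from
the thread itself: NS records under ztomy.com, and answers inside the
Confluence Networks allocation 204.11.56.0/22 (Patrick's rule used /24; the
ARIN record posted by ferg shows the whole allocation is a /22).
"""
import ipaddress
import re

# Indicators quoted in the thread.
SUSPECT_NS_SUFFIXES = ("ztomy.com.",)
SUSPECT_NETS = [ipaddress.ip_network("204.11.56.0/22")]

# Constructed sample in master-file format, as `rndc dumpdb -cache` or a dig
# answer section would show it. Not a real named_dump.db; the clean
# example.com lines use documentation names/addresses.
SAMPLE_DUMP = """\
; Constructed sample, not a real cache dump
yelp.com.               300     IN      NS      ns1620.ztomy.com.
yelp.com.               300     IN      NS      ns2620.ztomy.com.
yelp.com.               300     IN      A       204.11.56.20
www.linkedin.com.       300     IN      NS      ns1617.ztomy.com.
example.com.            86400   IN      NS      ns1.example.net.
example.com.            86400   IN      A       192.0.2.1
"""

# owner  TTL  IN  type  rdata  (only NS and A are of interest here)
RR_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>NS|A)\s+(?P<rdata>\S+)$"
)


def parse_records(text):
    """Yield (name, ttl, type, rdata) for NS/A lines; skip comments and blanks."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RR_RE.match(line)
        if m:
            yield m.group("name"), int(m.group("ttl")), m.group("type"), m.group("rdata")


def is_suspect(rtype, rdata):
    """Return the matching indicator as a string, or None if the record looks clean."""
    if rtype == "NS":
        target = rdata.lower()
        for suffix in SUSPECT_NS_SUFFIXES:
            # Match the suffix zone itself or any host beneath it.
            if target == suffix or target.endswith("." + suffix):
                return f"NS under {suffix}"
    elif rtype == "A":
        addr = ipaddress.ip_address(rdata)
        for net in SUSPECT_NETS:
            if addr in net:
                return f"A in {net}"
    return None


def find_poisoned(text):
    """Map each affected owner name to its list of (type, rdata, reason) hits."""
    hits = {}
    for name, _ttl, rtype, rdata in parse_records(text):
        reason = is_suspect(rtype, rdata)
        if reason:
            hits.setdefault(name, []).append((rtype, rdata, reason))
    return hits


def report(text):
    """Tab-separated lines an operator can keep next to the raw dump as evidence."""
    lines = []
    for name, entries in sorted(find_poisoned(text).items()):
        for rtype, rdata, reason in entries:
            lines.append(f"{name}\t{rtype}\t{rdata}\t{reason}")
    return lines


if __name__ == "__main__":
    # Order of operations for an operator: dump the cache, run this over the
    # dump, save the dump and this report, and only then flush.
    for line in report(SAMPLE_DUMP):
        print(line)
```

Only owner names with at least one matching record are reported, so a clean cache yields an empty report.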
Hi,

Do we know which DNS server started leaking the poisoned entry?

Being new to this, I still don't understand how a hacker could gain access to the DNS server and corrupt the entry there. Wouldn't it require special admin rights, etc. to log in?

Glen

On Thu, Jun 20, 2013 at 11:32 AM, Paul Ferguson <fergdawgster@gmail.com> wrote:
Hanlon's razor? Misconfiguration. Perhaps not done in malice, but I have no idea where the poison leaked in, or why. :-)
- ferg
On Wed, Jun 19, 2013 at 10:49 PM, Alex Buie <alex.buie@frozenfeline.net> wrote:
Anyone have news/explanation about what's happening/happened?
On Wed, Jun 19, 2013 at 10:34 PM, Paul Ferguson <fergdawgster@gmail.com> wrote:
Sure enough:
; <<>> DiG 9.7.3 <<>> @localhost yelp.com A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53267
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;yelp.com.                      IN      A

;; ANSWER SECTION:
yelp.com.               300     IN      A       204.11.56.20

;; Query time: 143 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Jun 20 07:33:13 2013
;; MSG SIZE  rcvd: 42

NetRange:       204.11.56.0 - 204.11.59.255
CIDR:           204.11.56.0/22
OriginAS:       AS40034
NetName:        CONFLUENCE-NETWORKS--TX3
NetHandle:      NET-204-11-56-0-1
Parent:         NET-204-0-0-0-0
NetType:        Direct Allocation
Comment:        Hosted in Austin TX.
Comment:        Abuse :
Comment:        abuse@confluence-networks.com
Comment:        +1-917-386-6118
RegDate:        2012-09-24
Updated:        2012-09-24
Ref:            http://whois.arin.net/rest/net/NET-204-11-56-0-1
- ferg
The indications and claim are that the root cause was registrar internal goof, not hostile action against name servers. The story is not yet detailed enough to add up; getting from point A to point B requires steps that so far don't really make sense. A more detailed explanation is hopefully to be forthcoming...

On Fri, Jun 21, 2013 at 5:22 PM, Glen Kent <glen.kent@gmail.com> wrote:
Hi,
Do we know which DNS server started leaking the poisoned entry?
Being new to this, I still don't understand how a hacker could gain access to the DNS server and corrupt the entry there. Wouldn't it require special admin rights, etc. to log in?
Glen
On Thu, Jun 20, 2013 at 11:32 AM, Paul Ferguson <fergdawgster@gmail.com> wrote:
Hanlon's razor? Misconfiguration. Perhaps not done in malice, but I have no idea where the poison leaked in, or why. :-)
- ferg
-- -george william herbert george.herbert@gmail.com
Not sure of some of the underlying details of the mechanics right now.

http://news.softpedia.com/news/LinkedIn-Outage-Caused-by-DDOS-Attack-on-Netw...

- ferg

On Fri, Jun 21, 2013 at 5:22 PM, Glen Kent <glen.kent@gmail.com> wrote:
Hi,
Do we know which DNS server started leaking the poisoned entry?
Being new to this, I still don't understand how a hacker could gain access to the DNS server and corrupt the entry there. Wouldn't it require special admin rights, etc. to log in?
Glen
On Thu, Jun 20, 2013 at 11:32 AM, Paul Ferguson <fergdawgster@gmail.com> wrote:
Hanlon's razor? Misconfiguration. Perhaps not done in malice, but I have no idea where the poison leaked in, or why. :-)
- ferg
-- "Fergie", a.k.a. Paul Ferguson fergdawgster(at)gmail.com
.-- My secret spy satellite informs me that at 2013-06-19 10:34 PM Paul Ferguson wrote:
; <<>> DiG 9.7.3 <<>> @localhost yelp.com A
<SNIP>
;; ANSWER SECTION:
yelp.com.               300     IN      A       204.11.56.20
Interesting to see that traffic to this IP address is going through prolexic... I guess they're considering this as a DOS.

andree@bofh:~/src$ traceroute 204.11.57.20
traceroute to 204.11.57.20 (204.11.57.20), 64 hops max, 52 byte packets
 1  10.200.200.200 (10.200.200.200)  17.089 ms  13.144 ms  13.552 ms
 2  67.215.89.1 (67.215.89.1)  20.963 ms  15.371 ms  17.026 ms
 3  67.215.93.14 (67.215.93.14)  20.486 ms  14.458 ms  16.917 ms
 4  ge-0-7-0-5.r06.snjsca04.us.bb.gin.ntt.net (128.241.219.145)  19.449 ms  19.375 ms  15.274 ms
 5  ae-2.prolexic.snjsca04.us.bb.gin.ntt.net (128.241.219.242)  17.107 ms  23.272 ms  16.019 ms
 6  209.200.184.34 (209.200.184.34)  14.878 ms  19.062 ms  15.776 ms
 7  unknown.prolexic.com (72.52.30.126)  67.871 ms  64.376 ms  66.988 ms
 8  domain.not.configured (204.11.57.20)  71.729 ms  65.830 ms  67.823 ms

Reflection attacks are so yesterday...

Cheers,
Andree
I have no knowledge of any DDoS-related activity involving Yelp! and Prolexic. Even if there is one, the fact that their DNS records have been poisoned has no direct relationship to any current DDoS (there isn't one that I am aware of).

- ferg

On Thu, Jun 20, 2013 at 12:31 AM, Andree Toonk <andree+nanog@toonk.nl> wrote:
.-- My secret spy satellite informs me that at 2013-06-19 10:34 PM Paul Ferguson wrote:
; <<>> DiG 9.7.3 <<>> @localhost yelp.com A
<SNIP>
;; ANSWER SECTION:
yelp.com.               300     IN      A       204.11.56.20
Interesting to see that traffic to this IP address is going through prolexic... I guess they're considering this as a DOS.
-- "Fergie", a.k.a. Paul Ferguson fergdawgster(at)gmail.com
Hi,

.-- My secret spy satellite informs me that at 2013-06-20 12:38 AM Paul Ferguson wrote:
I have no knowledge of any DDoS-related activity involving Yelp! and Prolexic. Even if there is one, the fact that their DNS records have been poisoned has no direct relationship to any current DDoS (there isn't one that I am aware of).
That's not what I was trying to say. The domains like yelp, linkedin, craigslist all incorrectly have (or had) NS records like:

ns1620.ztomy.com.       172800  IN      A       204.11.56.20
ns2620.ztomy.com.       172800  IN      A       204.11.57.20

Traffic to these IPs is going through Prolexic (see previous mail). Thought that was interesting...

Andree
.-- My secret spy satellite informs me that at 2013-06-20 12:31 AM Andree Toonk wrote:
.-- My secret spy satellite informs me that at 2013-06-19 10:34 PM Paul Ferguson wrote:
; <<>> DiG 9.7.3 <<>> @localhost yelp.com A
<SNIP>
;; ANSWER SECTION:
yelp.com.               300     IN      A       204.11.56.20
Interesting to see that traffic to this IP address is going through prolexic... I guess they're considering this as a DOS.

andree@bofh:~/src$ traceroute 204.11.57.20
traceroute to 204.11.57.20 (204.11.57.20), 64 hops max, 52 byte packets
 1  10.200.200.200 (10.200.200.200)  17.089 ms  13.144 ms  13.552 ms
 2  67.215.89.1 (67.215.89.1)  20.963 ms  15.371 ms  17.026 ms
 3  67.215.93.14 (67.215.93.14)  20.486 ms  14.458 ms  16.917 ms
 4  ge-0-7-0-5.r06.snjsca04.us.bb.gin.ntt.net (128.241.219.145)  19.449 ms  19.375 ms  15.274 ms
 5  ae-2.prolexic.snjsca04.us.bb.gin.ntt.net (128.241.219.242)  17.107 ms  23.272 ms  16.019 ms
 6  209.200.184.34 (209.200.184.34)  14.878 ms  19.062 ms  15.776 ms
 7  unknown.prolexic.com (72.52.30.126)  67.871 ms  64.376 ms  66.988 ms
 8  domain.not.configured (204.11.57.20)  71.729 ms  65.830 ms  67.823 ms
Slight correction for the archives: the trace above was going to 204.11.57.20 (not 204.11.56.20), which is the IP of the NS server (ns1620.ztomy.com), which also goes through prolexic (see above).

andree@bofh:~/src$ dig @a.gtld-servers.net www.craigslist.com ns

; <<>> DiG 9.8.3-P1 <<>> @a.gtld-servers.net www.craigslist.com ns
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52520
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;www.craigslist.com.            IN      NS

;; AUTHORITY SECTION:
craigslist.com.         172800  IN      NS      ns1620.ztomy.com.
craigslist.com.         172800  IN      NS      ns2620.ztomy.com.

;; ADDITIONAL SECTION:
ns1620.ztomy.com.       172800  IN      A       204.11.56.20
ns2620.ztomy.com.       172800  IN      A       204.11.57.20

;; Query time: 120 msec
;; SERVER: 192.5.6.30#53(192.5.6.30)
;; WHEN: Thu Jun 20 00:50:49 2013
;; MSG SIZE  rcvd: 116

This is the trace to 204.11.56.20, also via prolexic:

andree@bofh:~/src$ sudo tcptraceroute 204.11.56.20 80
Tracing the path to 204.11.56.20 on TCP port 80 (http), 30 hops max
 1  10.200.200.200  14.840 ms  21.474 ms  13.641 ms
 2  67.215.89.1  19.265 ms  13.646 ms  14.769 ms
 3  67.215.93.14  15.000 ms  15.161 ms  15.159 ms
 4  ge-0-7-0-5.r06.snjsca04.us.bb.gin.ntt.net (128.241.219.145)  15.358 ms  14.852 ms  16.432 ms
 5  ae-2.prolexic.snjsca04.us.bb.gin.ntt.net (128.241.219.242)  13.735 ms  16.149 ms  17.957 ms
 6  204.11.56.20 [open]  15.447 ms  16.897 ms  15.821 ms

Btw, one more interesting detail: these used to be announced as one /23. As of this week that's two /24's, currently 204.11.56.0/24 (June 17) and 204.11.57.0/24 (June 19).

Andree
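A check of the kind the thread describes (a delegation whose NS names are under ztomy.com, or whose glue lands in Confluence Networks' 204.11.56.0/22, is "bad"), written here as an added example and not code from any poster: it parses pasted dig output offline and flags such delegations. The indicator values come from the thread; the two sample answers are constructed in the shape of the gTLD-server output above.

```python
import ipaddress
import re

# Indicators taken from the thread: the bogus nameservers were *.ztomy.com and
# their glue addresses sit in Confluence Networks' 204.11.56.0/22 (ARIN record above).
SUSPICIOUS_NETS = [ipaddress.ip_network("204.11.56.0/22")]
SUSPICIOUS_NS_SUFFIXES = (".ztomy.com.",)

# One dig resource-record line: owner, TTL, class IN, type, rdata.
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(NS|A|AAAA)\s+(\S+)\s*$")


def parse_dig_records(text):
    """Return (owner, ttl, rtype, rdata) tuples from pasted dig output; ';' comment lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RR_LINE.match(line)
        if m:
            owner, ttl, rtype, rdata = m.groups()
            records.append((owner.lower(), int(ttl), rtype, rdata.lower()))
    return records


def check_delegation(records):
    """Flag NS targets under a suspicious suffix and glue addresses inside a suspicious netblock."""
    glue = {owner: rdata for owner, _, rtype, rdata in records if rtype in ("A", "AAAA")}
    findings = []
    for owner, _, rtype, target in records:
        if rtype != "NS":
            continue
        if target.endswith(SUSPICIOUS_NS_SUFFIXES):
            findings.append(f"{owner} is delegated to {target}")
        if target in glue:
            addr = ipaddress.ip_address(glue[target])
            for net in SUSPICIOUS_NETS:
                if addr in net:
                    findings.append(f"{owner} NS {target} has glue {addr} inside {net}")
    return findings


# Constructed sample in the shape of the gTLD-server answer quoted in the thread.
HIJACKED_DELEGATION = """\
;; AUTHORITY SECTION:
craigslist.com.         172800  IN      NS      ns1620.ztomy.com.
craigslist.com.         172800  IN      NS      ns2620.ztomy.com.

;; ADDITIONAL SECTION:
ns1620.ztomy.com.       172800  IN      A       204.11.56.20
ns2620.ztomy.com.       172800  IN      A       204.11.57.20
"""

# Constructed clean delegation for comparison (IANA's reserved example.com).
CLEAN_DELEGATION = """\
example.com.            172800  IN      NS      a.iana-servers.net.
a.iana-servers.net.     172800  IN      A       199.43.135.53
"""

if __name__ == "__main__":
    for label, text in (("hijacked", HIJACKED_DELEGATION), ("clean", CLEAN_DELEGATION)):
        print(label, check_delegation(parse_dig_records(text)) or ["no findings"])
```

Feed it the output of a `dig @a.gtld-servers.net <zone> ns` for each zone you care about; a non-empty result means the parent's delegation, not just your cache, points somewhere it should not.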
I am not speaking officially, but the evidence so far is that this was not DNS poisoning, but domain name hijacking. My colleagues will have more to say later today.

On Thu, Jun 20, 2013 at 1:19 AM, John Levine <johnl@iecc.com> wrote:
http://www.networksolutions.com/blog/2013/06/important-update-for-network-so...

- Jared

On Jun 19, 2013, at 11:42 PM, Zaid Ali Kahn <zaid@zaidali.com> wrote: