Need help in flushing DNS

Reaching out to DNS operators around the globe. Linkedin.com has had some issues with DNS and would like DNS operators to flush their DNS. If you see www.linkedin.com resolving NS to ns1617.ztomy.com or ns2617.ztomy.com then please flush your DNS.

Any other info please reach out to me off-list.

Zaid

While you're at it, www.usps.com, www.fidelity.com, and other well
known sites have had DNS poisoning problems. When I restarted my
cache, they look OK.

Yelp is evidently also affected

Not from here.

If the NS or www points to 204.11.56.0/24 for a production domain/hostname, that's "bad". Yelp seems to be resolving normally for me.

Sure enough:

; <<>> DiG 9.7.3 <<>> @localhost yelp.com A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53267
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;yelp.com. IN A

;; ANSWER SECTION:
yelp.com. 300 IN A 204.11.56.20

;; Query time: 143 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Jun 20 07:33:13 2013
;; MSG SIZE rcvd: 42

NetRange: 204.11.56.0 - 204.11.59.255
CIDR: 204.11.56.0/22
OriginAS: AS40034
NetName: CONFLUENCE-NETWORKS--TX3
NetHandle: NET-204-11-56-0-1
Parent: NET-204-0-0-0-0
NetType: Direct Allocation
Comment: Hosted in Austin TX.
Comment: Abuse :
Comment: abuse@confluence-networks.com
Comment: +1-917-386-6118
RegDate: 2012-09-24
Updated: 2012-09-24
Ref: http://whois.arin.net/rest/net/NET-204-11-56-0-1

OrgName: Confluence Networks Inc
OrgId: CN
Address: 3rd Floor, Omar Hodge Building, Wickhams
Address: Cay I, P.O. Box 362
City: Road Town
StateProv: Tortola
PostalCode: VG1110
Country: VG
RegDate: 2011-04-07
Updated: 2011-07-05
Ref: http://whois.arin.net/rest/org/CN

OrgAbuseHandle: ABUSE3065-ARIN
OrgAbuseName: Abuse Admin
OrgAbusePhone: +1-917-386-6118
OrgAbuseEmail: abuse@confluence-networks.com
OrgAbuseRef: http://whois.arin.net/rest/poc/ABUSE3065-ARIN

OrgNOCHandle: NOCAD51-ARIN
OrgNOCName: NOC Admin
OrgNOCPhone: +1-415-462-7734
OrgNOCEmail: noc@confluence-networks.com
OrgNOCRef: http://whois.arin.net/rest/poc/NOCAD51-ARIN

OrgTechHandle: TECHA29-ARIN
OrgTechName: Tech Admin
OrgTechPhone: +1-415-358-0858
OrgTechEmail: ipadmin@confluence-networks.com
OrgTechRef: http://whois.arin.net/rest/poc/TECHA29-ARIN

Patrick:

$ dig NS yelp.com @8.8.8.8 +short
ns1620.ztomy.com.
ns2620.ztomy.com.

Some DNS servers have the bad records - TLD for .com is updated already.

Cheers,
Tom

Ditto local:

; <<>> DiG 9.7.3 <<>> @[foohost] yelp.com NS
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20230
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;yelp.com. IN NS

;; ANSWER SECTION:
yelp.com. 300 IN NS ns1620.ztomy.com.
yelp.com. 300 IN NS ns2620.ztomy.com.

;; Query time: 143 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Jun 20 07:48:06 2013
;; MSG SIZE rcvd: 74

- ferg

Anyone have news/explanation about what's happening/happened?

The only apparent link is registration thru network solutions

Hanlon's razor? Misconfiguration. Perhaps not done in malice, but I
have no idea where the poison leaked in, or why. :)

- ferg

On Wed, Jun 19, 2013 at 10:32 PM, Patrick W. Gilmore

I think "ztomy.com" smells really bad for some reason, looks like
100% advertising;
sure doesn't "appear" to be a DNS hosting provider, I sure can't
imagine two major domains entering incorrect authoritative
nameserver list changes on the same day...

"The domain ztomy.com was registered on November 22, 2007, and we have
nameserver history going back to December 9, 2007. It is listed as a
nameserver for 182,174 domains
Currently displaying 50 of 1,602 domain names transferred into
ztomy.com on June 19, 2013."

IIRC, Confluence Networks/ztomy pounce on expired domains to sell ads or some such. I seem to recall them grabbing the parent domain of name servers for ben.edu last year...

Regards,
-drc

.-- My secret spy satellite informs me that at 2013-06-19 10:34 PM Paul
Ferguson wrote:

; <<>> DiG 9.7.3 <<>> @localhost yelp.com A

<SNIP>

;; ANSWER SECTION:
yelp.com. 300 IN A 204.11.56.20

Interesting to see that traffic to this IP address is going through
prolexic...
I guess they're considering this as a DOS.

andree@bofh:~/src$ traceroute 204.11.57.20
traceroute to 204.11.57.20 (204.11.57.20), 64 hops max, 52 byte packets
1 10.200.200.200 (10.200.200.200) 17.089 ms 13.144 ms 13.552 ms
2 67.215.89.1 (67.215.89.1) 20.963 ms 15.371 ms 17.026 ms
3 67.215.93.14 (67.215.93.14) 20.486 ms 14.458 ms 16.917 ms
4 ge-0-7-0-5.r06.snjsca04.us.bb.gin.ntt.net (128.241.219.145) 19.449
ms 19.375 ms 15.274 ms
5 ae-2.prolexic.snjsca04.us.bb.gin.ntt.net (128.241.219.242) 17.107
ms 23.272 ms 16.019 ms
6 209.200.184.34 (209.200.184.34) 14.878 ms 19.062 ms 15.776 ms
7 unknown.prolexic.com (72.52.30.126) 67.871 ms 64.376 ms 66.988 ms
8 domain.not.configured (204.11.57.20) 71.729 ms 65.830 ms 67.823 ms

Reflection attacks are so yesterday...

Cheers,
Andree

I have no knowledge of any DDoS-related activity involving Yelp! and
Prolexic. Even if there is one, the fact that their DNS records have
been poisoned has no direct relationship to any current DDoS (there
isn't one that I am aware of).

- ferg

.-- My secret spy satellite informs me that at 2013-06-20 12:31 AM
Andree Toonk wrote:

<SNIP>

Slight correction for the archives, the trace above was going to
204.11.57.20 (not 204.11.56.20) which is the IP of the NS server
(ns1620.ztomy.com), which also goes through prolexic (see above)

andree@bofh:~/src$ dig @a.gtld-servers.net www.craigslist.com ns

; <<>> DiG 9.8.3-P1 <<>> @a.gtld-servers.net www.craigslist.com ns
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52520
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;www.craigslist.com. IN NS

;; AUTHORITY SECTION:
craigslist.com. 172800 IN NS ns1620.ztomy.com.
craigslist.com. 172800 IN NS ns2620.ztomy.com.

;; ADDITIONAL SECTION:
ns1620.ztomy.com. 172800 IN A 204.11.56.20
ns2620.ztomy.com. 172800 IN A 204.11.57.20

;; Query time: 120 msec
;; SERVER: 192.5.6.30#53(192.5.6.30)
;; WHEN: Thu Jun 20 00:50:49 2013
;; MSG SIZE rcvd: 116

This is the trace to 204.11.56.20 also via prolexic

andree@bofh:~/src$ sudo tcptraceroute 204.11.56.20 80

Tracing the path to 204.11.56.20 on TCP port 80 (http), 30 hops max
1 10.200.200.200 14.840 ms 21.474 ms 13.641 ms
2 67.215.89.1 19.265 ms 13.646 ms 14.769 ms
3 67.215.93.14 15.000 ms 15.161 ms 15.159 ms
4 ge-0-7-0-5.r06.snjsca04.us.bb.gin.ntt.net (128.241.219.145) 15.358
ms 14.852 ms 16.432 ms
5 ae-2.prolexic.snjsca04.us.bb.gin.ntt.net (128.241.219.242) 13.735
ms 16.149 ms 17.957 ms
6 204.11.56.20 [open] 15.447 ms 16.897 ms 15.821 ms

Btw, one more interesting detail these used to be announced as one /23.
As of this week that's two /24's currently 204.11.56.0/24 (june 17) and
204.11.57.0/24 (june 19)

Andree

Hi,

.-- My secret spy satellite informs me that at 2013-06-20 12:38 AM Paul
Ferguson wrote:

I have no knowledge of any DDoS-related activity involving Yelp! and
Prolexic. Even if there is one, the fact that their DNS records have
been poisoned has no direct relationship to any current DDoS (there
isn't one that I am aware of).

That's not what I was trying to say.
The domains like yelp, linkedin, craigslist all incorrectly have (or
had) NS records like:

ns1620.ztomy.com. 172800 IN A 204.11.56.20
ns2620.ztomy.com. 172800 IN A 204.11.57.20

Traffic to these IP's is going through Prolexic (see previous mail).
Thought that was interesting...

Andree

I have domains that are *not* expired, which are being affected by this.

Domains are hosted via Dynect, and are resolving into this 204.11.56.0/24 range across the globe.

Dynect management portal was down until minutes ago as well.

- Charles

Smileyface aside, I'm disappointed to see operators simply flushing caches
and not performing at the least a dumpdb for possible future forensic
analysis.
This is what I call the "Windows solution," - 'Oh, just reboot, and it'll
work'.

We're better than that.

(Aren't we?)
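The checks run by hand throughout this thread (dig against 8.8.8.8, against a local cache, against a.gtld-servers.net) and the request above to dump the cache before flushing it both reduce to the same job: scan a set of resource records for NS targets under ztomy.com or addresses inside the Confluence Networks block, which the ARIN whois quoted earlier gives as 204.11.56.0/22. The script below is an added example for this page, not code posted by any participant. It parses the presentation format that dig output and a BIND named_dump.db share (owner, TTL, optional class, type, rdata), flags matching NS and A/AAAA records, and reports the zones whose delegation points at the hijacker. The craigslist.com sample is copied from the gTLD referral posted above; the clean sample is constructed with documentation names and addresses (example.net, 192.0.2.0/24), and the indicator lists are assumptions you would extend for other incidents.

```python
"""Scan dig output or a BIND cache dump (rndc dumpdb -cache) for the bad
delegation discussed in the thread: NS records under ztomy.com, or A records
inside 204.11.56.0/22 (the Confluence Networks block from the ARIN whois).

Added example for this thread, not code posted by any participant.
Input is the presentation format dig and named_dump.db share:
    owner  ttl  [IN]  type  rdata
"""
import ipaddress
import re
import sys
from typing import Iterator, List, NamedTuple, Set

# Indicators from the thread (assumed list; extend for other incidents).
BAD_NS_SUFFIXES = ("ztomy.com.",)
BAD_NETS = (ipaddress.ip_network("204.11.56.0/22"),)

# owner, ttl, optional class, type, rdata. Comment lines (';', '$') are
# skipped before this is applied, so dig's ';;' chatter, the question
# section and dump-file negative-cache comments never reach it.
RR_LINE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+(?:IN\s+)?(?P<rtype>[A-Za-z0-9]+)\s+(?P<rdata>\S.*)$"
)


class RR(NamedTuple):
    owner: str
    ttl: int
    rtype: str
    rdata: str


class Finding(NamedTuple):
    owner: str
    rtype: str
    rdata: str
    reason: str


def parse_rrs(text: str) -> Iterator[RR]:
    """Yield resource records from dig output or a named_dump.db file."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "$")):
            continue
        m = RR_LINE.match(line)
        if m:
            yield RR(m["owner"].lower(), int(m["ttl"]),
                     m["rtype"].upper(), m["rdata"].strip().lower())


def is_bad_ns(target: str) -> bool:
    """True if an NS target is the hijacker's domain or any host under it."""
    t = target.lower()
    t = t if t.endswith(".") else t + "."
    return any(t == s or t.endswith("." + s) for s in BAD_NS_SUFFIXES)


def is_bad_addr(addr: str) -> bool:
    """True if an address falls inside one of the flagged netblocks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in BAD_NETS)


def find_indicators(text: str) -> List[Finding]:
    """Every NS or A/AAAA record in the text that matches an indicator."""
    hits = []
    for rr in parse_rrs(text):
        if rr.rtype == "NS" and is_bad_ns(rr.rdata):
            hits.append(Finding(rr.owner, rr.rtype, rr.rdata, "NS under ztomy.com"))
        elif rr.rtype in ("A", "AAAA") and is_bad_addr(rr.rdata):
            hits.append(Finding(rr.owner, rr.rtype, rr.rdata, "address in flagged netblock"))
    return hits


def affected_zones(findings: List[Finding]) -> Set[str]:
    """Zones whose delegation points at the hijacker (owners of NS hits)."""
    return {f.owner for f in findings if f.rtype == "NS"}


# Copied from the gTLD referral for craigslist.com posted in the thread.
GTLD_CRAIGSLIST = """\
;; AUTHORITY SECTION:
craigslist.com. 172800 IN NS ns1620.ztomy.com.
craigslist.com. 172800 IN NS ns2620.ztomy.com.

;; ADDITIONAL SECTION:
ns1620.ztomy.com. 172800 IN A 204.11.56.20
ns2620.ztomy.com. 172800 IN A 204.11.57.20
"""

# Constructed clean sample in named_dump.db style (no class column);
# example.net and 192.0.2.53 are documentation values, not real data.
CLEAN_DUMP = """\
; answer
example.net.\t\t3600\tNS\tns1.example.net.
ns1.example.net.\t3600\tA\t192.0.2.53
"""


if __name__ == "__main__":
    # dig +noall +answer +authority +additional @a.gtld-servers.net yelp.com NS | python3 dnscheck.py
    # python3 dnscheck.py < named_dump.db
    found = find_indicators(sys.stdin.read())
    for f in found:
        print(f"{f.owner}\t{f.rtype}\t{f.rdata}\t# {f.reason}")
    if found:
        print("hijacked delegations:", ", ".join(sorted(affected_zones(found))))
    sys.exit(1 if found else 0)
```

For the forensic workflow asked for above, run `rndc dumpdb -cache` first (the dump lands in named_dump.db in named's working directory by default), keep that file, pipe it through the script to record which zones your cache had delegated to ztomy.com, and only then `rndc flushname yelp.com` (or a full flush). The script exits non-zero when it finds anything, so it can also sit in a cron job against the gTLD referral for your own zones.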

I am not speaking officially, but the evidence so far is that this was not
DNS poisoning, but domain name hijacking. My colleagues will have more to
say later today.

Some news coverage here with pretty pictures of LinkedIn access:
http://techcrunch.com/2013/06/19/linkedin-outage-due-to-possible-dns-hijacking/

Frank