This is a coordinated hacking. (Was Re: Need help in flushing DNS)

This is most definitely a coordinated and planned attack.

And by 'attack' I mean hijacking of domain names.

I show as of this morning nearly fifty thousand domain names that appear
suspicious.

I'm tempted to call uscentcom and/or related agencies (which agencies, who
the hell knows, as ICE seems to have some sort of authority over domains
(nearly two hundred fifty of them as I type this in COM alone and another
thirty-some in NET)).

Anyone credentialed (credentialed /n./, "I know you or know of you")
wanting data, e-mail me off-list for some TLD goodness.

It seems there may be a need for some sort of 'dns-health' check out there that can be done in semi-realtime.

I ran a report for someone earlier today on a domain doing an xref against open resolver data searching for valid responses vs invalid ones.

Is this of value? Does it need to be automated?

- Jared

I'm rechecking realtime ns1620/2620 DNS right now and, looking at the
output, I see an odd number of domains (that have changed) with a listed
nameserver of "localhost.".

Is this some sort of tactic I'm unaware of?

Poisoning a domain's NS records with localhost will most certainly DOS the
domain, yes.

I have not yet seen the source of this; if anyone has a clue where the
updates are coming from please post the info.
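An added example, not code from any poster in this thread, of the semi-realtime "dns-health" check Jared sketches (cross-referencing what a set of open resolvers return for a domain against what it should return, counting valid versus invalid answers) and of the "localhost." nameserver pattern he saw in the changed domains. All domains, nameserver hostnames and resolver addresses below are constructed for the example; in a live tool the OBSERVATIONS map would be filled from actual NS queries against each resolver.

```python
"""Delegation health check over one sweep of open-resolver answers."""
from __future__ import annotations
from dataclasses import dataclass

# Expected NS set per domain (constructed; normally your own zone inventory).
BASELINE_NS: dict[str, set[str]] = {
    "example-a.com": {"ns1.dnsprovider.example.", "ns2.dnsprovider.example."},
    "example-b.com": {"ns1.dnsprovider.example.", "ns2.dnsprovider.example."},
    "example-c.com": {"ns1.dnsprovider.example.", "ns2.dnsprovider.example."},
    "example-d.com": {"ns1.dnsprovider.example.", "ns2.dnsprovider.example."},
}

# Nameserver suffixes you consider legitimate even when they differ from the
# baseline (a planned migration). This keeps routine DNS tweaks at "info"
# instead of producing a non-stop stream of high-severity alerts.
TRUSTED_NS_SUFFIXES = (".dnsprovider.example.", ".other-dns.example.")

# One constructed sweep: resolver address -> domain -> NS set it returned.
# An empty set stands for SERVFAIL / no answer from that resolver.
OBSERVATIONS: dict[str, dict[str, set[str]]] = {
    "198.51.100.1": {
        "example-a.com": {"ns1.dnsprovider.example.", "ns2.dnsprovider.example."},
        "example-b.com": {"ns1.unexpected.example.", "ns2.unexpected.example."},
        "example-c.com": {"localhost."},
        "example-d.com": {"ns1.other-dns.example.", "ns2.other-dns.example."},
    },
    "198.51.100.2": {
        "example-a.com": {"ns1.dnsprovider.example.", "ns2.dnsprovider.example."},
        "example-b.com": {"ns1.unexpected.example.", "ns2.unexpected.example."},
        "example-c.com": {"localhost."},
        "example-d.com": {"ns1.other-dns.example.", "ns2.other-dns.example."},
    },
    "198.51.100.3": {  # still serving cached pre-change answers for b, SERVFAIL for c
        "example-a.com": {"ns1.dnsprovider.example.", "ns2.dnsprovider.example."},
        "example-b.com": {"ns1.dnsprovider.example.", "ns2.dnsprovider.example."},
        "example-c.com": set(),
        "example-d.com": {"ns1.other-dns.example.", "ns2.other-dns.example."},
    },
}

LOCALHOST_NAMES = {"localhost.", "localhost"}


@dataclass
class Finding:
    domain: str
    valid: int        # resolvers whose NS set matched the baseline
    invalid: int      # resolvers that disagreed with it or returned nothing
    flags: list[str]
    severity: str     # "ok", "info" or "high"


def is_trusted(ns_host: str) -> bool:
    """True when the nameserver lives under a provider we expect to see."""
    return ns_host.lower().endswith(TRUSTED_NS_SUFFIXES)


def check_domain(domain: str, baseline: set[str],
                 per_resolver: dict[str, set[str]]) -> Finding:
    """Classify every resolver's answer for one domain and derive flags."""
    valid = invalid = 0
    flags: set[str] = set()
    new_hosts: set[str] = set()   # nameservers seen that are not in the baseline
    for ns_set in per_resolver.values():
        if not ns_set:
            invalid += 1
            flags.add("NO_ANSWER")
        elif ns_set == baseline:
            valid += 1
        else:
            invalid += 1
            flags.add("NS_CHANGED")
            new_hosts |= ns_set - baseline
    if new_hosts & LOCALHOST_NAMES:
        flags.add("NS_LOCALHOST")          # delegation to localhost: the zone is dead
    if any(not is_trusted(h) for h in new_hosts - LOCALHOST_NAMES):
        flags.add("NS_UNTRUSTED_PROVIDER")  # moved to a provider you never approved
    if invalid > valid:
        flags.add("MAJORITY_INVALID")
    if flags & {"NS_LOCALHOST", "NS_UNTRUSTED_PROVIDER"}:
        severity = "high"
    elif flags:
        severity = "info"
    else:
        severity = "ok"
    return Finding(domain, valid, invalid, sorted(flags), severity)


def run_sweep(baseline_map: dict[str, set[str]],
              observations: dict[str, dict[str, set[str]]]) -> dict[str, Finding]:
    """Pivot resolver->domain answers into domain->resolver and check each domain."""
    per_domain: dict[str, dict[str, set[str]]] = {}
    for resolver, answers in observations.items():
        for domain, ns_set in answers.items():
            per_domain.setdefault(domain, {})[resolver] = ns_set
    return {d: check_domain(d, baseline_map.get(d, set()), rs)
            for d, rs in sorted(per_domain.items())}


if __name__ == "__main__":
    for f in run_sweep(BASELINE_NS, OBSERVATIONS).values():
        print(f"{f.domain:14} valid={f.valid} invalid={f.invalid} "
              f"{f.severity:4} {','.join(f.flags) or '-'}")
```

The split between "high" and "info" is the part that matters operationally: a plain baseline diff fires on every legitimate provider change, whereas a delegation to "localhost." or to a nameserver under no approved suffix is the case worth waking someone for. Querying several resolvers rather than one also separates a real NS change (most resolvers agree on the new set) from a single resolver still serving its cache.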

Is there anything about ztomy.com that has been seen that's suspicious as in
they might be the origin? This could be them, or could be a joe-job
against them. I do not want to point a finger lacking any sort of actual
data dump of the poisoning activity...

It's not poisoning. They somehow were able to modify the NS records; one
would presume, at the registrar/s.

As far as the logic of the DNS, it is functioning as designed (What's up,
Vix!) - There's another aspect of this that caused this situation.

Any Alexa or similar people on this list (Goog PR, etc)? I'd love to bulk
submit a domain list for some analytics. Contact me off list.

Not so easy and straightforward to do. You'll find that a lot of the
big names out there frequently tweak DNS, which will result in a
non-stop stream of "alerts".

Andy

Andrew Fried
andrew.fried@gmail.com

Wait, wait.

whois doesn't jibe with DNS.

.. Conspiracy Theory Hat On:

- Did someone gain access to the COM dispersion zone, or parts thereof?
- Did someone figure out how to [ insert theory here ] ?

I'm looking at domains that were solidly pointing at ztomy at 2:30AM (that
are 'recovered' to other nameservers) that show no "updates" in `whois`
records.

Curiouser and curiouser.

Paul?

https://www.networksolutions.com/blog/2013/06/important-update-for-network-solutions-customers-experiencing-website-issues/

"small number of Network Solutions customers"

They must be staffed with physicists, astronomers, or economists.... I don't know anyone else that would consider "nearly fifty thousand" (from a previous post by Phil Fagan) to be a small number.

Wild speculation:

netsol says this is a human error incurred during DDOS mitigation.
ztomy.com is a wild-card DNS provider that seems to use prolexic.
Now imagine someone at netsol or its DDOS service providers
fat-fingered their DDOS-averting routing in such a way that netsol
DNS traffic arrived at ztomy.com instead of a netsol server.
The ztomy.com server would know how to answer the queries...

I have no data to base this speculation on.

Grüße, Carsten

Hello everyone, I'm new here.
+1 to this theory. I've been watching what's happening since 3am Eastern, because a domain of mine (of the many at NetSol) was a victim of this event.

-Gabor

It's relatively small when you consider there's something like 140M .com's

So it's okay to screw over "nearly fifty thousand" customer domains because
there are 140M .com's? When talking about inadvertently affecting that
many folks I don't think it is appropriate to trivialize the customer
impact by calling it small when you're talking about a handful of large
websites that aren't somehow magically shared over those 140M .coms. Also
it is untrue to limit it to only "the websites" given how many other things
folks are likely to be using DNS for...

.r'

So it's okay to screw over "nearly fifty thousand" customer domains because
there are 140M .com's?

luckily, none of the rest of us make mistakes

I don't think he was saying that at all. Just stating that from a pure numbers standpoint 50k/140mil is a small percentage.

OTOH, I agree to your point - Network Solutions definitely downplayed this in their release. Curiously so.

Ages ago I responded on a Cisco list where the topic was biggest screwup
you've made. I posted that I once forgot the implicit deny in an ACL and
accidentally blocked all traffic between 4 locations in 2 states for a
company I was working for. Downtime was a very brutal 60 seconds. Someone
very insightful responded with "anyone who hasn't done similar is lying
about the 10 years on their resume". So the real question would be, why
wasn't there someone who has already done this in the past working on this
zone? :wink:

-B

I think you are reading it the wrong way. Mr. Kletnieks never said it
was okay. He just stated that the numbers were trivial when compared to
the rest of potential customers being affected.
Be cool, Richard Golodner

netsol screwed up. they screwed up bigtime. they are shoveling kitty
litter over it as fast as they can, and they have a professional kitty
litter, aka pr, department.

but none of this is surprising.

and dnssec did not save us. is there anything which could have?

randy

At the DNS Servers or service provider level, one can (and I often do) have redundant providers.

At the registrar level? ...

Not with our current infrastructure, as far as I know how.

The Internet: Discovering new SPOF since 1969!

George William Herbert
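An added example, not from any poster in this thread, of the provider-level redundancy check George describes: does a domain's delegation span more than one DNS operator, or is every NS host under a single provider (a single point of failure)? Hostnames are constructed; the operator of a nameserver is approximated by its registrable domain, which is a simplification I chose for the example (a real tool would use the Public Suffix List).

```python
"""Does a domain's NS set span more than one DNS provider?"""
from __future__ import annotations
from collections import defaultdict


def provider_of(ns_host: str) -> str:
    """Approximate a nameserver's operator by its registrable domain.

    Simplification: takes the last two labels. A production tool should use
    the Public Suffix List so 'ns1.example.co.uk' maps to 'example.co.uk'.
    """
    labels = ns_host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def group_by_provider(ns_hosts: list[str]) -> dict[str, list[str]]:
    """Bucket nameserver hostnames by the provider that appears to run them."""
    groups: dict[str, list[str]] = defaultdict(list)
    for host in sorted(set(ns_hosts)):
        groups[provider_of(host)].append(host)
    return dict(groups)


def redundancy_report(domain: str, ns_hosts: list[str],
                      min_providers: int = 2) -> dict:
    """Report whether the delegation is served by fewer than min_providers operators."""
    groups = group_by_provider(ns_hosts)
    return {
        "domain": domain,
        "providers": sorted(groups),
        "nameserver_count": len(set(ns_hosts)),
        "provider_spof": len(groups) < min_providers,
    }


# Constructed delegations: three nameservers, but one operator, is still a SPOF.
SAMPLE_DELEGATIONS = {
    "single-provider.example": [
        "ns1.dnsprovider.example.", "ns2.dnsprovider.example.", "ns3.dnsprovider.example.",
    ],
    "dual-provider.example": [
        "ns1.dnsprovider.example.", "ns2.dnsprovider.example.",
        "a.other-dns.example.", "b.other-dns.example.",
    ],
    "delegated-to-localhost.example": ["localhost."],
}


if __name__ == "__main__":
    for domain, hosts in SAMPLE_DELEGATIONS.items():
        r = redundancy_report(domain, hosts)
        print(f"{domain:32} providers={r['providers']} spof={r['provider_spof']}")
```

The check only covers the nameserver tier. As the post above says, the registrar that holds the delegation itself is a single point of failure this kind of report cannot design away; what it can do is make sure the NS records you do control are not all behind one operator.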

....at what point is the Internet a piece of infrastructure whereby we
actually need a way to watch this thing holistically as it is one system
and not just a bunch of inter-jointed systems? Whose job is it to do
nothing but ensure that the state of DNS and other services is running as
it should....who's the clearing house here.