[163877] in North American Network Operators' Group


Re: This is a coordinated hacking. (Was Re: Need help in flushing DNS)

daemon@ATHENA.MIT.EDU (Jared Mauch)
Thu Jun 20 15:57:46 2013

From: Jared Mauch <jared@puck.nether.net>
In-Reply-To: <CABL6YZQ7=92xa9d02g_mRR18UYWydgVS_JAnSuHDxhwb7a_fCw@mail.gmail.com>
Date: Thu, 20 Jun 2013 15:57:12 -0400
To: jamie rishaw <j@arpa.com>
Cc: NANOG <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

It seems there may be a need for some sort of 'dns-health' check out there that can be done in semi-realtime.

I ran a report for someone earlier today on a domain doing an xref against open resolver data searching for valid responses vs invalid ones.

Is this of value?  Does it need to be automated?

- Jared

On Jun 20, 2013, at 3:53 PM, jamie rishaw <j@arpa.com> wrote:

> This is most definitely a coordinated and planned attack.
>
> And by 'attack' I mean hijacking of domain names.
>
> I show as of this morning nearly fifty thousand domain names that appear
> suspicious.
>
> I'm tempted to call uscentcom and/or related agencies (which agencies, who
> the hell knows, as ICE seems to have some sort of authority over domains
> (nearly two hundred fifty of them as I type this in COM alone and another
> thirty-some in NET)).
>
> Anyone credentialed (credentialed /n/., "I know you or know of you,")
> wanting data, e-mail me off-list for some TLD goodness.
>
> On Thu, Jun 20, 2013 at 12:29 PM, Phil Fagan <philfagan@gmail.com> wrote:
>
>> Agreed, in these "smaller" scenarios I just wonder if in a larger scale
>> scenario, whatever that might look like, it's necessary. Whereby many
>> organizations who provide "services" are affected. Perhaps the result of a
>> State led campaign ....topic for another day.
>>
>> On Thu, Jun 20, 2013 at 11:25 AM, Paul Ferguson <fergdawgster@gmail.com> wrote:
>>
>>> I am betting that Netsol doesn't need any more "coordination" at the
>>> moment -- their phones are probably ringing off-the-hook. There are
>>> still ~400 domains pointing to the ztomy NS:
>>>
>>> ; <<>> DiG 9.7.3 <<>> @foohost parsonstech.com NS
>>> ; (1 server found)
>>> ;; global options: +cmd
>>> ;; Got answer:
>>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49064
>>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
>>>
>>> ;; QUESTION SECTION:
>>> ;parsonstech.com.        IN    NS
>>>
>>> ;; ANSWER SECTION:
>>> parsonstech.com.    172800    IN    NS    ns2617.ztomy.com.
>>> parsonstech.com.    172800    IN    NS    ns1617.ztomy.com.
>>>
>>> ;; Query time: 286 msec
>>> ;; SERVER: 127.0.0.1#53(127.0.0.1)
>>> ;; WHEN: Thu Jun 20 19:16:25 2013
>>> ;; MSG SIZE  rcvd: 81
>>>
>>> - ferg
>>>
>>> On Thu, Jun 20, 2013 at 10:13 AM, Phil Fagan <philfagan@gmail.com> wrote:
>>>
>>>> I should caveat.....coordinate the "recovery" of.
>>>>
>>>> On Thu, Jun 20, 2013 at 11:10 AM, Brandon Butterworth
>>>> <brandon@rd.bbc.co.uk> wrote:
>>>>
>>>>>> Is there an organization that coordinates outages like this amongst
>>>>>> the industry?
>>>>>
>>>>> No, usually they are surprise outages though Anonymous have tried
>>>>> coordinating a few
>>>>>
>>>>> brandon
>>>>>
>>>>
>>>> --
>>>> Phil Fagan
>>>> Denver, CO
>>>> 970-480-7618
>>>
>>> --
>>> "Fergie", a.k.a. Paul Ferguson
>>> fergdawgster(at)gmail.com
>>>
>>
>> --
>> Phil Fagan
>> Denver, CO
>> 970-480-7618
>>
>
> --
> Jamie Rishaw // .com.arpa@j <- reverse it. ish.
> [Impressive C-level Title Here], arpa / arpa labs
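One way to build the kind of semi-realtime 'dns-health' check Jared describes, and to produce Ferg's "how many domains still point at the ztomy NS" count, as an added example that is not code from the thread: run `dig @<resolver> <domain> NS` against several resolvers, parse each ANSWER SECTION, and compare every resolver's view with the delegation the operator expects. The domains, the `res-a`/`res-b` resolver labels and the `registrar.example` nameservers below are constructed sample data; only the `ztomy.com` nameserver names are taken from Ferg's dig output above.

```python
"""Cross-resolver NS delegation health check (added example, not from the thread).

The dig answers here are constructed text so the script runs offline; in
practice each would come from `dig @<resolver> <domain> NS`.
"""
import re

NS_RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+NS\s+(\S+)\s*$")


def parse_ns_answers(dig_text):
    """Nameserver names from the ANSWER SECTION of dig output, lower-cased
    with the trailing dot stripped. AUTHORITY/ADDITIONAL are ignored."""
    targets = set()
    in_answer = False
    for line in dig_text.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if not in_answer:
            continue
        if not line.strip() or line.startswith(";"):
            break  # blank line or next ";;" header ends the section
        m = NS_RR.match(line)
        if m:
            targets.add(m.group(3).rstrip(".").lower())
    return targets


def classify(expected, views):
    """Compare each resolver's NS set (views: {resolver: set}) with the
    expected delegation. Statuses:
      ok            every resolver returns exactly the expected set
      inconsistent  resolvers disagree (cache lag, split view, or one
                    poisoned/rogue resolver): needs a human look
      no-answer     every resolver returned an empty NS set
      partial-drift resolvers agree, overlap expected, but differ
      hijacked      resolvers agree on a set disjoint from expected"""
    exp = {n.rstrip(".").lower() for n in expected}
    distinct = {frozenset(v) for v in views.values()}
    if len(distinct) != 1:
        return "inconsistent"
    seen = set(next(iter(distinct)))
    if not seen:
        return "no-answer"
    if seen == exp:
        return "ok"
    if seen & exp:
        return "partial-drift"
    return "hijacked"


def health_report(expected, observed):
    """observed: {(domain, resolver): dig_text}. Returns {domain: status}."""
    views = {}
    for (domain, resolver), text in observed.items():
        views.setdefault(domain, {})[resolver] = parse_ns_answers(text)
    return {d: classify(expected[d], v) for d, v in sorted(views.items())}


def ns_operator(ns):
    """Crude operator label: last two labels of the NS name.
    Assumption: no public-suffix handling (co.uk-style names need it)."""
    return ".".join(ns.split(".")[-2:])


def domains_by_ns_operator(observed):
    """Map each NS operator to the domains delegated to it in any resolver's
    view: the 'domains still pointing at ztomy' count from the thread."""
    out = {}
    for (domain, _resolver), text in observed.items():
        for ns in parse_ns_answers(text):
            out.setdefault(ns_operator(ns), set()).add(domain)
    return out


# --- Constructed sample data (not from the thread) ----------------------------

def dig_block(domain, ttl, targets):
    """Build a dig-style answer for one query (constructed test input)."""
    answer = "\n".join(f"{domain}.\t{ttl}\tIN\tNS\t{t}." for t in targets)
    return (f";; QUESTION SECTION:\n;{domain}.\t\tIN\tNS\n\n"
            f";; ANSWER SECTION:\n{answer}\n\n;; Query time: 12 msec\n")


GOOD = ["ns1.registrar.example", "ns2.registrar.example"]  # assumed legit NS
ROGUE = ["ns1617.ztomy.com", "ns2617.ztomy.com"]           # names from the thread

EXPECTED = {"healthy.example": GOOD, "lagging.example": GOOD, "victim.example": GOOD}

OBSERVED = {
    ("healthy.example", "res-a"): dig_block("healthy.example", 172800, GOOD),
    ("healthy.example", "res-b"): dig_block("healthy.example", 172800, GOOD),
    # res-a still serves the cached legitimate delegation; res-b has the new one
    ("lagging.example", "res-a"): dig_block("lagging.example", 86400, GOOD),
    ("lagging.example", "res-b"): dig_block("lagging.example", 172800, ROGUE),
    ("victim.example", "res-a"): dig_block("victim.example", 172800, ROGUE),
    ("victim.example", "res-b"): dig_block("victim.example", 172800, ROGUE),
}

if __name__ == "__main__":
    for domain, status in health_report(EXPECTED, OBSERVED).items():
        print(f"{domain:20s} {status}")
    for op, doms in sorted(domains_by_ns_operator(OBSERVED).items()):
        print(f"{op:20s} {len(doms)} domain(s)")
```

The 172800-second TTL in Ferg's dig output is two days, so a resolver that cached the legitimate delegation before the change keeps handing it out until then; a single resolver's answer therefore proves little either way, which is why disagreement between resolvers is reported separately as `inconsistent` rather than folded into `ok` or `hijacked`. For the authoritative delegation, query the parent (the TLD servers) directly with `dig +norecurse` rather than trusting any recursive cache.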


