I'm rechecking realtime ns1620/2620 DNS right now and, looking at the output, I see an odd number of domains (that have changed) with a listed nameserver of "localhost.".
Is this some sort of tactic I'm unaware of?

On Thu, Jun 20, 2013 at 2:57 PM, Jared Mauch <ja...@puck.nether.net> wrote:

> It seems there may be a need for some sort of 'dns-health' check out there
> that can be done in semi-realtime.
>
> I ran a report for someone earlier today on a domain doing an xref against
> open resolver data searching for valid responses vs invalid ones.
>
> Is this of value? Does it need to be automated?
>
> - Jared
>
> On Jun 20, 2013, at 3:53 PM, jamie rishaw <j...@arpa.com> wrote:
>
> > This is most definitely a coordinated and planned attack.
> >
> > And by 'attack' I mean hijacking of domain names.
> >
> > I show as of this morning nearly fifty thousand domain names that appear
> > suspicious.
> >
> > I'm tempted to call uscentcom and/or related agencies (which agencies, who
> > the hell knows, as ICE seems to have some sort of authority over domains
> > (nearly two hundred fifty of them as I type this in COM alone and another
> > thirty-some in NET).
> >
> > Anyone credentialed (credentialed /n/., "I know you or know of you,")
> > wanting data, e-mail me off-list for some TLD goodness.
> >
> > On Thu, Jun 20, 2013 at 12:29 PM, Phil Fagan <philfa...@gmail.com> wrote:
> >
> >> Agreed in these "smaller" scenarios I just wonder if in a larger scale
> >> scenario, whatever that might look like, if it's necessary. Whereby many
> >> organizations who provide "services" are affected. Perhaps the result of a
> >> State-led campaign ....topic for another day.
> >>
> >> On Thu, Jun 20, 2013 at 11:25 AM, Paul Ferguson <fergdawgs...@gmail.com> wrote:
> >>
> >>> I am betting that Netsol doesn't need any more "coordination" at the
> >>> moment -- their phones are probably ringing off-the-hook. There are
> >>> still ~400 domains still pointing to the ztomy NS:
> >>>
> >>> ; <<>> DiG 9.7.3 <<>> @foohost parsonstech.com NS
> >>> ; (1 server found)
> >>> ;; global options: +cmd
> >>> ;; Got answer:
> >>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49064
> >>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
> >>>
> >>> ;; QUESTION SECTION:
> >>> ;parsonstech.com. IN NS
> >>>
> >>> ;; ANSWER SECTION:
> >>> parsonstech.com. 172800 IN NS ns2617.ztomy.com.
> >>> parsonstech.com. 172800 IN NS ns1617.ztomy.com.
> >>>
> >>> ;; Query time: 286 msec
> >>> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> >>> ;; WHEN: Thu Jun 20 19:16:25 2013
> >>> ;; MSG SIZE rcvd: 81
> >>>
> >>> - ferg
> >>>
> >>> On Thu, Jun 20, 2013 at 10:13 AM, Phil Fagan <philfa...@gmail.com> wrote:
> >>>
> >>>> I should caveat.....coordinate the "recovery" of.
> >>>>
> >>>> On Thu, Jun 20, 2013 at 11:10 AM, Brandon Butterworth
> >>>> <bran...@rd.bbc.co.uk> wrote:
> >>>>
> >>>>>> Is there an organization that coordinates outages like this amongst the
> >>>>>> industry?
> >>>>>
> >>>>> No, usually they are surprise outages though Anonymous have tried
> >>>>> coordinating a few
> >>>>>
> >>>>> brandon
> >>>>
> >>>> --
> >>>> Phil Fagan
> >>>> Denver, CO
> >>>> 970-480-7618
> >>>
> >>> --
> >>> "Fergie", a.k.a. Paul Ferguson
> >>> fergdawgster(at)gmail.com
> >>
> >> --
> >> Phil Fagan
> >> Denver, CO
> >> 970-480-7618
> >
> > --
> > Jamie Rishaw // .com.arpa@j <- reverse it. ish.
> > [Impressive C-level Title Here], arpa / arpa labs

--
Jamie Rishaw // .com.arpa@j <- reverse it. ish.
[Impressive C-level Title Here], arpa / arpa labs
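
The 'dns-health' check suggested in the quoted message, sketched as an added example that is not part of the thread or any poster's code: it parses dig-style NS answers and flags delegations that point at "localhost." or at nameservers outside a recorded baseline. The baseline nameserver names and the `.example` domains are constructed placeholders; only the parsonstech.com records come from the output quoted above.

```python
from collections import defaultdict

# Constructed sample in dig answer-section format. The parsonstech.com lines
# mirror the output quoted in the thread; the other records are made up.
OBSERVED = """\
parsonstech.com. 172800 IN NS ns2617.ztomy.com.
parsonstech.com. 172800 IN NS ns1617.ztomy.com.
hijacked.example. 172800 IN NS localhost.
healthy.example. 172800 IN NS ns1.provider.example.
healthy.example. 172800 IN NS ns2.provider.example.
"""

# Assumed baseline: delegations recorded before the incident
# (placeholder nameserver names, not the real pre-incident values).
GOOD = {"ns1.provider.example.", "ns2.provider.example."}
BASELINE = {d: GOOD for d in
            ("parsonstech.com.", "hijacked.example.", "healthy.example.")}

def parse_ns(text):
    """Return {owner: {nameserver, ...}} from dig-style answer lines."""
    seen = defaultdict(set)
    for line in text.splitlines():
        fields = line.split()
        # Skip blanks, ';' comment lines, and anything that is not an NS RR.
        if len(fields) != 5 or line.startswith(";") or fields[3].upper() != "NS":
            continue
        seen[fields[0].lower()].add(fields[4].lower())
    return dict(seen)

def check(observed, baseline):
    """Return {domain: [finding, ...]} for domains that fail the check."""
    findings = {}
    for domain, expected in baseline.items():
        got = observed.get(domain, set())
        issues = []
        if not got:
            issues.append("no NS records returned")
        if "localhost." in got:
            issues.append("nameserver is localhost.")
        unexpected = sorted(got - expected)
        if unexpected:
            issues.append("unexpected NS: " + ", ".join(unexpected))
        if issues:
            findings[domain] = issues
    return findings

if __name__ == "__main__":
    for domain, issues in check(parse_ns(OBSERVED), BASELINE).items():
        print(domain, "->", "; ".join(issues))
```

Run on a schedule against answers collected from several resolvers, the same comparison gives the valid-versus-invalid cross-reference described in the quoted message.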