Not sure of some of the underlying details of the mechanics right now.

http://news.softpedia.com/news/LinkedIn-Outage-Caused-by-DDOS-Attack-on-Network-Solutions-362473.shtml

- ferg

On Fri, Jun 21, 2013 at 5:22 PM, Glen Kent <glen.k...@gmail.com> wrote:
> Hi,
>
> Do we know which DNS server started leaking the poisoned entry?
>
> Being new to this, I still don't understand how a hacker could gain access to
> the DNS server and corrupt the entry there. Wouldn't it require special admin
> rights, etc. to log in?
>
> Glen
>
> On Thu, Jun 20, 2013 at 11:32 AM, Paul Ferguson <fergdawgs...@gmail.com> wrote:
>>
>> Hanlon's razor? Misconfiguration. Perhaps not done in malice, but I
>> have no idea where the poison leaked in, or why. :-)
>>
>> - ferg
>>
>> On Wed, Jun 19, 2013 at 10:49 PM, Alex Buie <alex.b...@frozenfeline.net> wrote:
>>
>> > Anyone have news/explanation about what's happening/happened?
>> >
>> > On Wed, Jun 19, 2013 at 10:34 PM, Paul Ferguson <fergdawgs...@gmail.com> wrote:
>> >
>> >> Sure enough:
>> >>
>> >> ; <<>> DiG 9.7.3 <<>> @localhost yelp.com A
>> >> ; (1 server found)
>> >> ;; global options: +cmd
>> >> ;; Got answer:
>> >> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53267
>> >> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>> >>
>> >> ;; QUESTION SECTION:
>> >> ;yelp.com.                      IN      A
>> >>
>> >> ;; ANSWER SECTION:
>> >> yelp.com.               300     IN      A       204.11.56.20
>> >>
>> >> ;; Query time: 143 msec
>> >> ;; SERVER: 127.0.0.1#53(127.0.0.1)
>> >> ;; WHEN: Thu Jun 20 07:33:13 2013
>> >> ;; MSG SIZE  rcvd: 42
>> >>
>> >> NetRange:       204.11.56.0 - 204.11.59.255
>> >> CIDR:           204.11.56.0/22
>> >> OriginAS:       AS40034
>> >> NetName:        CONFLUENCE-NETWORKS--TX3
>> >> NetHandle:      NET-204-11-56-0-1
>> >> Parent:         NET-204-0-0-0-0
>> >> NetType:        Direct Allocation
>> >> Comment:        Hosted in Austin TX.
>> >> Comment:        Abuse :
>> >> Comment:        ab...@confluence-networks.com
>> >> Comment:        +1-917-386-6118
>> >> RegDate:        2012-09-24
>> >> Updated:        2012-09-24
>> >> Ref:            http://whois.arin.net/rest/net/NET-204-11-56-0-1
>> >>
>> >> OrgName:        Confluence Networks Inc
>> >> OrgId:          CN
>> >> Address:        3rd Floor, Omar Hodge Building, Wickhams
>> >> Address:        Cay I, P.O. Box 362
>> >> City:           Road Town
>> >> StateProv:      Tortola
>> >> PostalCode:     VG1110
>> >> Country:        VG
>> >> RegDate:        2011-04-07
>> >> Updated:        2011-07-05
>> >> Ref:            http://whois.arin.net/rest/org/CN
>> >>
>> >> OrgAbuseHandle: ABUSE3065-ARIN
>> >> OrgAbuseName:   Abuse Admin
>> >> OrgAbusePhone:  +1-917-386-6118
>> >> OrgAbuseEmail:  ab...@confluence-networks.com
>> >> OrgAbuseRef:    http://whois.arin.net/rest/poc/ABUSE3065-ARIN
>> >>
>> >> OrgNOCHandle:   NOCAD51-ARIN
>> >> OrgNOCName:     NOC Admin
>> >> OrgNOCPhone:    +1-415-462-7734
>> >> OrgNOCEmail:    n...@confluence-networks.com
>> >> OrgNOCRef:      http://whois.arin.net/rest/poc/NOCAD51-ARIN
>> >>
>> >> OrgTechHandle:  TECHA29-ARIN
>> >> OrgTechName:    Tech Admin
>> >> OrgTechPhone:   +1-415-358-0858
>> >> OrgTechEmail:   ipad...@confluence-networks.com
>> >> OrgTechRef:     http://whois.arin.net/rest/poc/TECHA29-ARIN
>> >>
>> >> #
>> >> # ARIN WHOIS data and services are subject to the Terms of Use
>> >> # available at: https://www.arin.net/whois_tou.html
>> >> #
>> >>
>> >> - ferg
>> >>
>> >> On Wed, Jun 19, 2013 at 10:30 PM, Grant Ridder <shortdudey...@gmail.com> wrote:
>> >>
>> >> > Yelp is evidently also affected
>> >> >
>> >> > On Wed, Jun 19, 2013 at 10:19 PM, John Levine <jo...@iecc.com> wrote:
>> >> >
>> >> >> >Reaching out to DNS operators around the globe. Linkedin.com has had some
>> >> >> >issues with DNS and would like DNS operators to flush their DNS. If you see
>> >> >> >www.linkedin.com resolving NS to ns1617.ztomy.com or ns2617.ztomy.com then
>> >> >> >please flush your DNS.
>> >> >> >
>> >> >> >Any other info please reach out to me off-list.
>> >> >>
>> >> >> While you're at it, www.usps.com, www.fidelity.com, and other well
>> >> >> known sites have had DNS poisoning problems. When I restarted my
>> >> >> cache, they look OK.

--
"Fergie", a.k.a. Paul Ferguson
fergdawgster(at)gmail.com
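A resolver-side check in the spirit of the flush advice and the dig/WHOIS lookup in the thread, added here as an example and not code from the thread: it parses dig's ANSWER SECTION and flags records that point at the ztomy.com nameservers or into the 204.11.56.0/22 netblock, so an operator can see which cached names need flushing. The sample dig output is constructed.

```python
import ipaddress
import re

# Indicators quoted in the thread: the ztomy.com nameservers and the
# Confluence Networks netblock from the ARIN lookup.
SUSPECT_NS = {"ns1617.ztomy.com", "ns2617.ztomy.com"}
SUSPECT_NETS = [ipaddress.ip_network("204.11.56.0/22")]
# One resource record as dig prints it: name  TTL  class  type  rdata
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(A|AAAA|NS|CNAME)\s+(\S+)$")

def parse_dig_answer(text):
    """Return (name, ttl, rtype, rdata) tuples from dig's ANSWER SECTION."""
    records, in_answer = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True  # records follow until the next ';;' line
            continue
        if line.startswith(";;"):
            in_answer = False
            continue
        m = RR_LINE.match(line) if in_answer else None
        if m:
            name, ttl, rtype, rdata = m.groups()
            records.append((name, int(ttl), rtype, rdata))
    return records

def find_poisoned(records):
    """Return (name, rtype, rdata) for records pointing at a suspect NS or netblock."""
    hits = []
    for name, _ttl, rtype, rdata in records:
        if rtype == "NS" and rdata.lower().rstrip(".") in SUSPECT_NS:
            hits.append((name, rtype, rdata))
        elif rtype in ("A", "AAAA"):
            addr = ipaddress.ip_address(rdata)
            if any(addr in net for net in SUSPECT_NETS):
                hits.append((name, rtype, rdata))
    return hits

# Constructed sample, modelled on the quoted dig run; 192.0.2.10 is a clean documentation address.
SAMPLE = """\
;; QUESTION SECTION:
;yelp.com.                      IN      A
;; ANSWER SECTION:
yelp.com.               300     IN      A       204.11.56.20
www.linkedin.com.       300     IN      NS      ns1617.ztomy.com.
www.fidelity.com.       300     IN      A       192.0.2.10
;; Query time: 143 msec
"""
```

Run `find_poisoned(parse_dig_answer(SAMPLE))` to get the two records that should be flushed; feed it real `dig` output to check your own cache.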