DBSA:2013-0005

From Digibase Knowledge Base
Jump to: navigation, search

DBSA ID: 2013-0005

Regarding: Multiple Global DNS Compromises

Writeup: Kradorex Xeron (talk) 21:34, 20 June 2013 (EDT)

Date: 2013 06 20

Last Modified: 20130620213508 by Kradorex Xeron

Who should take note: All DNS Server Operators

Classification

Priority: HIGH

Rationale: Operators must act to ensure users serviced by their servers are not directed to malicious systems.

Severity: HIGH

Rationale: The impact is global across multiple high-profile domain names.

Spread of Issue: CROSS-PLATFORM HIGH

Rationale: All systems that are Intenet-connected are affected.

Description

What is assumed as a DNS cache poisoning attack or possible incident at Network Solutions Inc has incurred a potential compromise of a possible minimum of 78,000 domain names, said domain names have had their DNS servers set to two nameservers operated by ztomy.com, which have been cited domain squatting, takeovers and other such potential malicious activities against domain names without regard to the impact of their takeovers.

Technical Details

Affected domain names may have their authoritative DNS servers set to:

  • ns1620.ztomy.com.
  • ns2620.ztomy.com.

And web traffic has been observed to be redirected to a server in 204.11.56.0/24

Noted domain names effected at some point (but not limited to, a number has been cited of minimum 78,000 domain names):

  • linkedin.com
  • usps.com
  • yelp.com
  • parsonstech.com

The link between these domain names is that they seem to be registered through Network Solutions

Mitigation/Solution

DNS Server operators are advised to purge their resolution caches and/or restart their server instances with clean caches.

References

No known public resources have commented on the incident.