Difference between revisions of "DBSA:2013-0005"
(Created page with "'''DBSA ID:''' {{PAGENAME}} '''Regarding:''' Global DNS Cache Poisoning '''Writeup:''' ~~~~ '''Date:''' 2013 06 20 '''Last Modified:''' {{REVISIONTIMESTAMP}} by {{REVISION...") |
m |
||
| (4 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
| + | {{DBSAHEAD | ||
| + | | TITLE=Multiple Global DNS Compromises | ||
| + | | KEYWORDS=DNS, Poison Attack, Network Operations, Servers, Domain Names | ||
| + | }} | ||
| + | |||
'''DBSA ID:''' {{PAGENAME}} | '''DBSA ID:''' {{PAGENAME}} | ||
| − | '''Regarding:''' Global DNS | + | '''Regarding:''' Multiple Global DNS Compromises |
'''Writeup:''' [[User:Kradorex Xeron|Kradorex Xeron]] ([[User talk:Kradorex Xeron|talk]]) 21:34, 20 June 2013 (EDT) | '''Writeup:''' [[User:Kradorex Xeron|Kradorex Xeron]] ([[User talk:Kradorex Xeron|talk]]) 21:34, 20 June 2013 (EDT) | ||
| Line 29: | Line 34: | ||
==Technical Details== | ==Technical Details== | ||
| − | Affected domain names may have their authoritative DNS servers set to: | + | Affected domain names may have their authoritative DNS servers (IN NS Records) set to: |
* ns1620.ztomy.com. | * ns1620.ztomy.com. | ||
* ns2620.ztomy.com. | * ns2620.ztomy.com. | ||
| Line 39: | Line 44: | ||
* usps.com | * usps.com | ||
* yelp.com | * yelp.com | ||
| + | * fidelity.com | ||
* parsonstech.com | * parsonstech.com | ||
| Line 44: | Line 50: | ||
==Mitigation/Solution== | ==Mitigation/Solution== | ||
| − | DNS Server operators are advised to purge their resolution caches and/or restart their server instances with clean caches. | + | DNS Server operators are advised to purge their resolution caches and/or restart their server instances with clean caches. Network Solutions, a .com TLD (Top Level Domain) registrar has made corrections to resolve the incident at their level. |
==References== | ==References== | ||
Latest revision as of 03:50, 29 October 2013
Disclaimer: as technology changes, advisories may become out of date or may no longer be relevant, please refer to the "Date" section of the header to be sure the advisory is recent as pertains to your situation.
Contents
Digibase Security Advisory - Multiple Global DNS Compromises
Keywords: DNS, Poison Attack, Network Operations, Servers, Domain Names
DBSA ID: 2013-0005
Regarding: Multiple Global DNS Compromises
Writeup: Kradorex Xeron (talk) 21:34, 20 June 2013 (EDT)
Date: 2013 06 20
Last Modified: 20131029035043 by Kradorex Xeron
Who should take note: All DNS Server Operators
Classification
Priority: HIGH
Rationale: Operators must act to ensure users serviced by their servers are not directed to malicious systems.
Severity: HIGH
Rationale: The impact is global across multiple high-profile domain names.
Spread of Issue: CROSS-PLATFORM HIGH
Rationale: All systems that are Intenet-connected are affected.
Description
What is assumed as a DNS cache poisoning attack or possible incident at Network Solutions Inc has incurred a potential compromise of a possible minimum of 78,000 domain names, said domain names have had their DNS servers set to two nameservers operated by ztomy.com, which have been cited domain squatting, takeovers and other such potential malicious activities against domain names without regard to the impact of their takeovers.
Technical Details
Affected domain names may have their authoritative DNS servers (IN NS Records) set to:
- ns1620.ztomy.com.
- ns2620.ztomy.com.
And web traffic has been observed to be redirected to a server in 204.11.56.0/24
Noted domain names effected at some point (but not limited to, a number has been cited of minimum 78,000 domain names):
- linkedin.com
- usps.com
- yelp.com
- fidelity.com
- parsonstech.com
The link between these domain names is that they seem to be registered through Network Solutions
Mitigation/Solution
DNS Server operators are advised to purge their resolution caches and/or restart their server instances with clean caches. Network Solutions, a .com TLD (Top Level Domain) registrar has made corrections to resolve the incident at their level.
References
No known public resources have commented on the incident.
