DBSA:2013-0005
DBSA ID: 2013-0005
Regarding: Multiple Global DNS Compromises
Writeup: Kradorex Xeron (talk) 21:34, 20 June 2013 (EDT)
Date: 2013 06 20
Last Modified: 20130620210740 by Kradorex Xeron
Who should take note: All DNS Server Operators
Classification
Priority: HIGH
Rationale: Operators must act to ensure users serviced by their servers are not directed to malicious systems.
Severity: HIGH
Rationale: The impact is global across multiple high-profile domain names.
Spread of Issue: CROSS-PLATFORM HIGH
Rationale: All systems that are Internet-connected are affected.
Description
What is assumed to be a DNS cache poisoning attack, or possibly an incident at Network Solutions Inc, has resulted in the potential compromise of a minimum of 78,000 domain names. The affected domain names have had their DNS servers set to two nameservers operated by ztomy.com, which has been cited for domain squatting, takeovers and other such potentially malicious activities against domain names without regard to the impact of those takeovers.
Technical Details
Affected domain names may have their authoritative DNS servers (IN NS Records) set to:
- ns1620.ztomy.com.
- ns2620.ztomy.com.
Web traffic for affected domain names has been observed being redirected to a server in 204.11.56.0/24.
Domain names noted as affected at some point (not an exhaustive list; a figure of at least 78,000 domain names has been cited):
- linkedin.com
- usps.com
- yelp.com
- fidelity.com
- parsonstech.com
The common link between these domain names is that they appear to be registered through Network Solutions.
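A check a resolver operator can run over the answers their server is currently returning, matching them against the two nameservers and the netblock listed above. This is an added example, not part of the advisory; the domain names in the sample answers are constructed, and the input format is that of `dig +noall +answer`.

```python
import ipaddress
from collections import defaultdict

# Indicators the advisory names: the ztomy.com nameservers and the redirect netblock.
BAD_NAMESERVERS = {"ns1620.ztomy.com.", "ns2620.ztomy.com."}
BAD_NETBLOCK = ipaddress.ip_network("204.11.56.0/24")

def normalize_name(name):
    """Lower-case a DNS name and make it fully qualified (trailing dot)."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."

def parse_answer_section(text):
    """Parse 'dig +noall +answer' style lines into {owner: {rrtype: [rdata]}}."""
    records = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # blank line or dig comment
        fields = line.split()
        if len(fields) < 5 or fields[2].upper() != "IN":
            continue  # not a well-formed 'owner TTL IN TYPE rdata' line
        owner, rrtype, rdata = normalize_name(fields[0]), fields[3].upper(), " ".join(fields[4:])
        records[owner][rrtype].append(rdata)
    return records

def audit_answers(text):
    """Return one finding per NS or A answer matching the advisory's indicators."""
    findings = []
    for owner, rrsets in parse_answer_section(text).items():
        for ns in rrsets.get("NS", []):
            if normalize_name(ns) in BAD_NAMESERVERS:
                findings.append(f"{owner} NS {normalize_name(ns)}: known-bad nameserver")
        for rdata in rrsets.get("A", []):
            try:
                ip = ipaddress.ip_address(rdata)
            except ValueError:
                continue  # malformed rdata cannot match the netblock
            if ip in BAD_NETBLOCK:
                findings.append(f"{owner} A {ip}: inside redirect netblock {BAD_NETBLOCK}")
    return findings

# Constructed sample answers for two hypothetical domains (not real query output).
SAMPLE_ANSWERS = """
example-site.com.   3600  IN  NS  NS1620.ztomy.com.
example-site.com.   3600  IN  NS  ns2620.ztomy.com
example-site.com.    300  IN  A   204.11.56.17
other-site.com.     3600  IN  NS  ns1.example-registrar.net.
other-site.com.      300  IN  A   198.51.100.5
"""
```

Feed it the answer section for each zone your resolver has cached; any finding means the cached delegation or address matches the indicators and the cache entry should be purged.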
Mitigation/Solution
DNS server operators are advised to purge their resolution caches and/or restart their server instances with clean caches. Verisign, the .com TLD (Top Level Domain) operator, has made corrections to resolve the incident at their level.
References
No known public resources have commented on the incident.