[nsp-sec] (AS33626 - upstreams AS701, AS2914, AS3356, AS27524) ns1.dsredirection.com and ns2.dsredirection.com - Might be 0wned?!??!?
Brian Eckman
eckman at umn.edu
Thu May 8 17:49:00 EDT 2008
Two nameservers are being used to return the IP address 208.73.212.12 for
any query. Earlier today, the RUS-CERT Passive DNS Database reportedly (a
trusted source told me) knew of only one name for that IP address. Now it
knows well over 500 (and probably over 1,000).
500 names pointing to it:
http://cert.uni-stuttgart.de/stats/dns-replication.php?query=208.73.212.12&submit=Query
Other evidence:
> nslookup www.google.com NS1.DSREDIRECTION.COM
Server: NS1.DSREDIRECTION.COM
Address: 204.13.160.15#53
Name: www.google.com
Address: 208.73.212.12
> host NS1.DSREDIRECTION.COM
NS1.DSREDIRECTION.COM has address 204.13.160.15
> host NS2.DSREDIRECTION.COM
NS2.DSREDIRECTION.COM has address 204.13.161.15
AS | IP | AS Name
33626 | 204.13.160.15 | OVERSEE-DOT-NET - Oversee.net
33626 | 204.13.161.15 | OVERSEE-DOT-NET - Oversee.net
33626 | 208.73.212.12 | OVERSEE-DOT-NET - Oversee.net
PEER_AS | IP | AS Name
701 | 204.13.161.15 | UUNET - MCI Communications Services, Inc. d/b/a Verizon Business
2914 | 204.13.161.15 | NTT-COMMUNICATIONS-2914 - NTT America, Inc.
3356 | 204.13.161.15 | LEVEL3 Level 3 Communications
27524 | 204.13.161.15 | XEEX-COMMUNICATIONS - Xeex
Many of the domain names using ns1.dsredirection.com and
ns2.dsredirection.com as authoritative are shady looking - a number are
obvious typo-squatting, such as gmal.com (gmail), wikipeda.org (wikipedia),
and such.
This stinks really badly - but I don't have solid proof of massive evilness
outside of what I've presented thus far. Can anyone (Cymru, perhaps?) look
into it some more - I gotta get home for parent duties...
Thanks,
Brian
--
Brian Eckman, Security Analyst
University of Minnesota
Office of Information Technology
Security & Assurance
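The check Brian did by hand (ask the nameserver directly about unrelated names and see whether every answer is 208.73.212.12) as an added Python example; this is not part of the original post. It builds the DNS query by hand so it runs offline against a constructed reply; build_query, parse_a_records, catch_all_ip, probe_nameserver and fake_response are names chosen here, and the sample names and responses are constructed.

```python
import socket
import struct
def build_query(name, txid=0x1234):
    # Minimal A/IN query; RD=0 because we ask the authoritative server itself.
    labels = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.strip(".").split("."))
    return struct.pack(">HHHHHH", txid, 0, 1, 0, 0, 0) + labels + b"\x00" + struct.pack(">HH", 1, 1)

def _skip_name(msg, off):
    # Offset just past a domain name, whether written out or ended by a compression pointer.
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)

def parse_a_records(msg):
    # Dotted-quad A records from the answer section of a DNS response.
    _txid, _flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    off, ips = 12, []
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # skip QTYPE/QCLASS
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(msg[off + 10:off + 14]))
        off += 10 + rdlen
    return ips

def catch_all_ip(answers):
    # Flag a server that returns one and the same single A record for every unrelated name.
    distinct = {tuple(v) for v in answers.values()}
    single = len(answers) >= 3 and len(distinct) == 1 and len(next(iter(distinct))) == 1
    return next(iter(distinct))[0] if single else None

def probe_nameserver(server, names, timeout=2.0):
    # Live check: send each query straight to `server` on UDP/53 (needs network; not run below).
    out = {}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        for n in names:
            s.sendto(build_query(n), (server, 53))
            out[n] = parse_a_records(s.recv(512))
    return out

def fake_response(name, ip):
    # Constructed sample reply: QR=1, AA=1, one A record whose owner is a 0xC00C pointer to the question.
    rr = b"\xC0\x0C" + struct.pack(">HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
    return struct.pack(">HHHHHH", 0x1234, 0x8400, 1, 1, 0, 0) + build_query(name)[12:] + rr

SAMPLE = {n: parse_a_records(fake_response(n, "208.73.212.12"))   # constructed sample, as in the post
          for n in ["www.google.com", "gmal.com", "wikipeda.org", "random-probe.example"]}
```

Against a live server, `catch_all_ip(probe_nameserver("204.13.160.15", [...]))` runs the same test over the wire; include at least one name that cannot legitimately exist so a genuine wildcard zone is not mistaken for a catch-all resolver.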