[nsp-sec] (AS33626 - upstreams AS701, AS2914, AS3356, AS27524) ns1.dsredirection.com and ns2.dsredirection.com - Might be 0wned?!??!?
Janish, Nathan
Nathan.Janish at Level3.com
Thu May 8 18:31:31 EDT 2008
Brian,
We are contacting our downstream customer about this matter.
Regards,
Nathan Janish
Level3 Network Security
720.888.3350
-----Original Message-----
From: nsp-security-bounces at puck.nether.net [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Brian Eckman
Sent: Thursday, May 08, 2008 3:49 PM
To: nsp-security at puck.nether.net
Subject: [nsp-sec] (AS33626 - upstreams AS701, AS2914, AS3356, AS27524) ns1.dsredirection.com and ns2.dsredirection.com - Might be 0wned?!??!?
----------- nsp-security Confidential --------
Two nameservers are being used to return the IP address 208.73.212.12 for
any query. Earlier today, the RUS-CERT Passive DNS Database reportedly (a
trusted source told me) knew of only one name for that IP address. Now it
knows well over 500 (and probably over 1,000).
500 names pointing to it:
http://cert.uni-stuttgart.de/stats/dns-replication.php?query=208.73.212.12&submit=Query
Other evidence:
> nslookup www.google.com NS1.DSREDIRECTION.COM
Server: NS1.DSREDIRECTION.COM
Address: 204.13.160.15#53
Name: www.google.com
Address: 208.73.212.12
> host NS1.DSREDIRECTION.COM
NS1.DSREDIRECTION.COM has address 204.13.160.15
> host NS2.DSREDIRECTION.COM
NS2.DSREDIRECTION.COM has address 204.13.161.15
AS | IP | AS Name
33626 | 204.13.160.15 | OVERSEE-DOT-NET - Oversee.net
33626 | 204.13.161.15 | OVERSEE-DOT-NET - Oversee.net
33626 | 208.73.212.12 | OVERSEE-DOT-NET - Oversee.net
PEER_AS | IP | AS Name
701 | 204.13.161.15 | UUNET - MCI Communications Services, Inc. d/b/a Verizon Business
2914 | 204.13.161.15 | NTT-COMMUNICATIONS-2914 - NTT America, Inc.
3356 | 204.13.161.15 | LEVEL3 Level 3 Communications
27524 | 204.13.161.15 | XEEX-COMMUNICATIONS - Xeex
Many of the domain names using ns1.dsredirection.com and
ns2.dsredirection.com as authoritative are shady looking - a number are
obvious typo-squatting, such as gmal.com (gmail), wikipeda.org (wikipedia),
and such.
This stinks really badly - but I don't have solid proof of massive evilness
outside of what I've presented thus far. Can anyone (Cymru, perhaps?) look
into it some more - I gotta get home for parent duties...
Thanks,
Brian
--
Brian Eckman, Security Analyst
University of Minnesota
Office of Information Technology
Security & Assurance
_______________________________________________
nsp-security mailing list
nsp-security at puck.nether.net
https://puck.nether.net/mailman/listinfo/nsp-security
Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
community. Confidentiality is essential for effective Internet security counter-measures.
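A check for the behaviour Brian describes, added here as an example and not part of the thread: probe a suspect nameserver with names it should not be answering for, including random labels that cannot exist, and separately count how many passive-DNS names point at one address. The `resolve` callable, the control names and the RFC 2606 example zone are assumptions; the two resolver stubs are constructed to mimic the reported behaviour rather than querying anything.

```python
import secrets
from collections import defaultdict
from typing import Callable, Iterable, Optional

# Assumed control set: names in zones the suspect server is not delegated for.
CONTROL_NAMES = ("www.google.com", "www.wikipedia.org", "www.umn.edu")


def random_control_name() -> str:
    """A label that cannot exist, in a zone reserved for examples (RFC 2606)."""
    return f"{secrets.token_hex(6)}.example.net"


def probe_catch_all(resolve: Callable[[str], set[str]],
                    names: Iterable[str] = CONTROL_NAMES,
                    extra_random: int = 2) -> Optional[frozenset]:
    """resolve(name) must return the A records the *suspect* server gave for
    name (empty set for NXDOMAIN/REFUSED). Returns the single answer set when
    every probe, random nonexistent labels included, got the same non-empty
    answer; otherwise None."""
    probes = list(names) + [random_control_name() for _ in range(extra_random)]
    answers = {frozenset(resolve(n)) for n in probes}
    if len(answers) == 1:
        only = next(iter(answers))
        return only or None          # all-empty means the server answered nothing
    return None


def names_per_rdata(records: Iterable[tuple[str, str]],
                    threshold: int = 100) -> dict[str, int]:
    """Passive-DNS view: count distinct names seen resolving to each IP and
    return the IPs at or above threshold (the '500 names for one address'
    signal in the report)."""
    seen = defaultdict(set)
    for name, ip in records:
        seen[ip].add(name.lower().rstrip("."))
    return {ip: len(n) for ip, n in seen.items() if len(n) >= threshold}


# Constructed stand-ins for a live query; no network access is performed.
def catch_all_resolver(name: str) -> set[str]:
    return {"208.73.212.12"}          # same answer for every name, as reported


def honest_resolver(name: str) -> set[str]:
    zone = {"www.google.com": {"192.0.2.10"}, "www.wikipedia.org": {"192.0.2.20"}}
    return zone.get(name, set())      # unknown names -> NXDOMAIN (empty set)


if __name__ == "__main__":
    print("suspect:", probe_catch_all(catch_all_resolver))   # frozenset({'208.73.212.12'})
    print("honest :", probe_catch_all(honest_resolver))      # None
    pdns = [(f"host{i}.example.net", "208.73.212.12") for i in range(500)]
    print(names_per_rdata(pdns))                             # {'208.73.212.12': 500}
```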