[nsp-sec] (AS33626 - upstreams AS701, AS2914, AS3356, AS27524) ns1.dsredirection.com and ns2.dsredirection.com - Might be 0wned?!??!?

Brian Eckman eckman at umn.edu
Fri May 9 10:14:03 EDT 2008


Florian Weimer wrote:
> * Brian Eckman:
> 
>> This stinks really badly - but I don't have solid proof of massive
>> evilness outside of what I've presented thus far. Can anyone (Cymru,
>> perhaps?) look into it some more - I gotta get home for parent
>> duties...
> 
> I think this might just be regular typosquatting.  These folks don't
> want to put a zone for each domain they own into their name servers,
> so they add A and NS records at the root.  I agree that it's evil, but
> it's not that kind of evilness which concerns nsp-sec, IMHO.  It's
> more of a policy issue, but registries tend to look the other way.

Yep, that sure appears to be the case. I was worried because that IP address 
appeared to gain a boatload of RRs all at once, but perhaps they were 
migrated from another IP, or perhaps they finally got their infrastructure 
in place to proceed with their master plan. (The domains I sampled weren't 
created recently, so I was worried they got hijacked along with (because of) 
a couple of name servers).

Anyhow, all of the domains that I sampled this morning went to "search 
results". The search results that I checked appeared to ultimately lead to 
Google Adwords (or whatever it's called). So yeah, evil, but not nsp-sec evil.

Thanks for your help,
Brian

-- 
Brian Eckman, Security Analyst
University of Minnesota
Office of Information Technology
Security & Assurance
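The triage Brian describes (an IP that suddenly picks up a pile of A records, domains sharing a couple of name servers, and the question "hijack or typosquat parking?") can be scripted against passive-DNS data. What follows is an added example, not code from the list post or from either poster; the observation records, brand list, name server names and addresses are all constructed (RFC 2606 / RFC 5737 values) so it runs offline. It flags IPs whose A records appeared in a short burst, pulls the name servers those domains share, and scores how many of the domains are within a small edit distance of a known brand, which is the signal that separates parking from a takeover.

```python
"""Passive-DNS triage for a suspected typosquat-parking cluster (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of passive-DNS observations: (qname, rrtype, rdata, first_seen).
# Names and addresses are documentation values, not data from the mailing-list thread.
SAMPLE_RECORDS = [
    ("exmaple.com", "A", "192.0.2.10", "2008-05-08T14:02:00"),
    ("exmaple.com", "NS", "ns1.parking.example", "2008-05-08T14:02:00"),
    ("examlpe.com", "A", "192.0.2.10", "2008-05-08T14:05:00"),
    ("examlpe.com", "NS", "ns1.parking.example", "2008-05-08T14:05:00"),
    ("exampel.net", "A", "192.0.2.10", "2008-05-08T14:11:00"),
    ("exampel.net", "NS", "ns2.parking.example", "2008-05-08T14:11:00"),
    ("wxample.org", "A", "192.0.2.10", "2008-05-08T14:40:00"),
    ("wxample.org", "NS", "ns2.parking.example", "2008-05-08T14:40:00"),
    ("unrelated-corp.example", "A", "198.51.100.7", "2007-01-15T09:00:00"),
    ("unrelated-corp.example", "NS", "ns1.unrelated-corp.example", "2007-01-15T09:00:00"),
]

# Constructed brand list; in practice this would be the targets you care about.
BRANDS = ["example.com", "example.net", "example.org"]


def levenshtein(a, b):
    """Classic edit distance (insert/delete/substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def closest_brand(domain, brands, max_dist=2):
    """Return (brand, distance) if the domain is a near-miss of a brand, else None."""
    best = min(((levenshtein(domain, b), b) for b in brands), default=None)
    if best is None or best[0] > max_dist:
        return None
    return best[1], best[0]


def cluster_by_ip(records):
    """Map each A-record target to the sorted list of domains pointing at it."""
    by_ip = defaultdict(set)
    for name, rrtype, rdata, _ in records:
        if rrtype == "A":
            by_ip[rdata].add(name)
    return {ip: sorted(names) for ip, names in by_ip.items()}


def burst_ips(records, window=timedelta(hours=1), threshold=3):
    """IPs that gained at least `threshold` A records whose first_seen all fall inside `window`."""
    seen = defaultdict(list)
    for _, rrtype, rdata, first_seen in records:
        if rrtype == "A":
            seen[rdata].append(datetime.fromisoformat(first_seen))
    return sorted(ip for ip, ts in seen.items()
                  if len(ts) >= threshold and max(ts) - min(ts) <= window)


def triage(records, brands, window=timedelta(hours=1), threshold=3, max_dist=2):
    """For each burst IP: its domains, the name servers they share, and a typo score."""
    by_ip = cluster_by_ip(records)
    ns_of = defaultdict(set)
    for name, rrtype, rdata, _ in records:
        if rrtype == "NS":
            ns_of[name].add(rdata)
    report = {}
    for ip in burst_ips(records, window, threshold):
        domains = by_ip[ip]
        typos = [d for d in domains if closest_brand(d, brands, max_dist)]
        fraction = len(typos) / len(domains)
        report[ip] = {
            "domains": domains,
            "nameservers": sorted(set().union(*(ns_of[d] for d in domains))),
            "typo_fraction": fraction,
            # A cluster that is almost entirely brand near-misses looks like parking;
            # a burst of legitimate-looking names on new NS is what a hijack looks like.
            "verdict": "likely typosquat parking" if fraction >= 0.75 else "needs manual review",
        }
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_RECORDS, BRANDS), indent=2))
```

The threshold and window are tunables, and the edit-distance check is deliberately crude (it matches whole names, so brand.co.uk style variants need the brands listed in that form); the point is the combination: a burst of A records on one IP, plus shared NS, plus names that are mostly near-misses of someone else's brand, is the pattern Florian describes rather than a compromise.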
