[nsp-sec] Need help flushing DNS (view from PassiveDNS)
Eric Ziegast
ziegast at isc.org
Thu Jun 20 06:05:09 EDT 2013
On 6/19/13 7:03 PM, Zaid Ali wrote:
> Folks, around 5PM PT www.linkedin.com domain got hijacked at
> Network Solutions. We have rectified the situation but need help
> from ISPs to flush their DNS. Particularly ATT if anyone from
> there is on this list or has a contact. Any help would be
> appreciated.
>
> Thanks, Zaid
If anyone is flushing caches, please flush NS records for both:
linkedin.com
licdn.com
The NS records from the Verisign COM nameservers with a 2-day TTL are
what's most toxic. The rest will work itself out with quick TTL
expiration tonight. They had lots of other records like
mail.linkedin.com and static.licdn.com pointing to their IP
(204.11.56.17) for a while. There was a glob for "*.linkedin.com"
that was catching everything in linkedin.com.
If anyone has the ability to redirect DNS (e.g. BIND RPZ, Xerocole,
Nominum), I don't see anything good served by the following
identifiers used in this attack:
NS ns1617.ztomy.com.
NS ns2617.ztomy.com.
A 204.11.56.17
... so you might want to add that to your local overrides.
Interestingly, the IP 204.11.56.17 is now pointing people back to
one of linkedin.com's older IPs (216.52.242.80) while the correct
address is 216.52.242.86, so you may be able to detect people still
affected that way.
I don't know how popular "dog.com" is, but it was also hijacked.
The domain "cri.com" and some other domains are still hijacked.
--
Eric Ziegast
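Added example (not part of Eric's message or of any of the tools he names): a small Python check an operator could run over dig-style answer lines from their own resolver to spot caches still holding the hijack indicators listed above, plus a generator for the BIND RPZ override records those indicators translate into. The indicator values (ns1617/ns2617.ztomy.com, 204.11.56.17, the stale 216.52.242.80 versus the correct 216.52.242.86) come from the post; the sample answer section is constructed for the example, and the RPZ trigger forms (`rpz-ip`, `rpz-nsip`, `rpz-nsdname`, `CNAME .` for NXDOMAIN) are standard BIND RPZ syntax, not something the post spells out.

```python
"""Flag resolver answers still poisoned by the hijack and emit RPZ overrides.

Indicators are the ones given in the post. The SAMPLE answer section below
is constructed for this example; it is not real resolver output.
"""
from typing import NamedTuple, List, Optional, Tuple

TOXIC_NS = {"ns1617.ztomy.com.", "ns2617.ztomy.com."}   # attacker NS names
TOXIC_A = {"204.11.56.17"}                                # attacker IP
STALE_A = {"216.52.242.80"}      # linkedin.com's older IP, a sign of lingering damage
CORRECT_A = "216.52.242.86"      # correct www.linkedin.com address per the post


class Record(NamedTuple):
    name: str
    ttl: int
    rtype: str
    rdata: str


def parse_answer(text: str) -> List[Record]:
    """Parse dig-style answer lines of the form: name TTL IN TYPE rdata."""
    recs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split()
        if len(parts) < 5 or parts[2].upper() != "IN":
            continue
        recs.append(Record(parts[0].lower(), int(parts[1]),
                           parts[3].upper(), " ".join(parts[4:]).lower()))
    return recs


def classify(rec: Record) -> Optional[str]:
    """Return a verdict label for a poisoned/stale record, or None if clean."""
    if rec.rtype == "NS" and rec.rdata in TOXIC_NS:
        return "hijacked-ns"
    if rec.rtype == "A" and rec.rdata in TOXIC_A:
        return "hijacked-a"
    if rec.rtype == "A" and rec.rdata in STALE_A:
        return "stale-a"
    return None


def check(text: str) -> List[Tuple[str, str, str, int, str]]:
    """List (name, type, rdata, ttl, verdict) for every record worth flushing."""
    findings = []
    for rec in parse_answer(text):
        verdict = classify(rec)
        if verdict:
            findings.append((rec.name, rec.rtype, rec.rdata, rec.ttl, verdict))
    return findings


def rpz_ip_label(ip: str, prefix: int = 32) -> str:
    """RPZ encodes an IPv4 trigger as <prefixlen>.<octets reversed>."""
    return f"{prefix}." + ".".join(reversed(ip.split(".")))


def rpz_overrides() -> List[str]:
    """BIND RPZ zone lines that NXDOMAIN the attacker's names and IP.

    QNAME and NSDNAME triggers cover the ztomy.com nameservers; IP and NSIP
    triggers cover 204.11.56.17. The stale 216.52.242.80 is LinkedIn's own old
    address, so it is only reported by check(), never blocked here.
    """
    lines = [
        "$TTL 300",
        "@ IN SOA localhost. root.localhost. 1 3600 900 86400 300",
        "@ IN NS localhost.",
    ]
    for ns in sorted(TOXIC_NS):
        lines.append(f"{ns[:-1]} CNAME .")           # QNAME trigger
        lines.append(f"{ns}rpz-nsdname CNAME .")      # NSDNAME trigger
    for ip in sorted(TOXIC_A):
        lines.append(f"{rpz_ip_label(ip)}.rpz-ip CNAME .")    # answer IP trigger
        lines.append(f"{rpz_ip_label(ip)}.rpz-nsip CNAME .")  # nameserver IP trigger
    return lines


# Constructed sample of a cache that still holds the poisoned delegation.
SAMPLE = """
; constructed sample, not real resolver output
linkedin.com.       172799  IN  NS  ns1617.ztomy.com.
linkedin.com.       172799  IN  NS  ns2617.ztomy.com.
www.linkedin.com.      300  IN  A   204.11.56.17
static.licdn.com.      300  IN  A   216.52.242.80
mail.linkedin.com.     300  IN  A   216.52.242.86
"""

if __name__ == "__main__":
    for finding in check(SAMPLE):
        print("FLUSH", *finding)
    print("\n".join(rpz_overrides()))
```

The long TTL on the two NS findings is the point of the post: those are the records that will not age out on their own, so they are the ones to flush explicitly.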