[nsp-sec] Need help flushing DNS (view from PassiveDNS)

King, Link Link.King at neustar.biz
Thu Jun 20 11:11:16 EDT 2013


We have a number of customers that have had the same 'issue'.  Does anyone have factual info on what happened?  The word from Network Solutions thus far has been a maintenance gone awry.

-Link


> ----------- nsp-security Confidential --------
> 
> 
> On 6/19/13 7:03 PM, Zaid Ali wrote:
>> Folks, around 5PM PT www.linkedin.com domain got hijacked at
>> Network Solutions. We have rectified the situation but need help
>> from ISP's to flush their DNS. Particularly ATT if anyone from
>> there is on this list or has a contact. Any help would be
>> appreciated.
>> 
>> Thanks, Zaid
> 
> If anyone is flushing caches, please flush NS records for both:
> linkedin.com
> licdn.com
> 
> The NS records from the Verisign COM nameservers with a 2-day TTL are
> what's most toxic.  The rest will work itself out with quick TTL
> expiration tonight.  They had lots of other records like
> mail.linkedin.com and static.licdn.com pointing to their IP
> (204.11.56.17) for a while.  There was a glob for "*.linkedin.com"
> that was catching everything in linkedin.com.
> 
> If anyone has the ability to redirect DNS (eg: BIND RPZ, Xerocole,
> Nominum), I don't see anything good served by the following
> identifiers used in this attack:
> 
>    NS    ns1617.ztomy.com.
>    NS    ns2617.ztomy.com.
> 
>    A     204.11.56.17
> 
> ... so you might want to add that to your local overrides.
> 
> Interestingly, the IP 204.11.56.17 is now pointing people back to
> one of linkedin.com's older IPs (216.52.242.80) while the correct
> address is 216.52.242.86, so you may be able to detect people still
> affected that way.
> 
> I don't know how popular "dog.com" is, but it was also hijacked.
> The domain "cri.com" and some other domains are still hijacked.
> 
> --
> Eric Ziegast
> 
> 
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
> 
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________

--
Link King
link.king at neustar.biz
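The thread asks recursive-resolver operators to flush NS records for linkedin.com and licdn.com and, where they run BIND RPZ or similar, to override the nameserver names and the IP used in the hijack. The following is an added example (not code from anyone on the thread) that turns those indicators into a repeatable check: it parses dig-style answer lines from a resolver's cache, flags answers that still carry the hijack NS names or the 204.11.56.17 address, flags answers pointing at LinkedIn's older 216.52.242.80 address (which the thread says indicates a client still affected), and emits the matching `rndc flushname` commands and RPZ zone lines. The answer lines below are constructed for the example, not a capture; all indicator values come from the thread, and the `rndc flushname` and `rpz-nsdname`/`rpz-ip` syntax is standard BIND 9.

```python
"""Check cached DNS answers against the hijack indicators named in the thread.

Sample input is constructed (dig-style 'name TTL IN type rdata' lines), not
a real resolver dump. Indicator values are the ones quoted in the thread.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Identifiers used in the hijack, per the thread.
HIJACK_NS = {"ns1617.ztomy.com.", "ns2617.ztomy.com."}
HIJACK_A = {"204.11.56.17"}
# 204.11.56.17 was later redirecting people to LinkedIn's older IP; the
# correct address at the time was 216.52.242.86 (both from the thread).
STALE_A = {"216.52.242.80"}
EXPECTED_A = {"216.52.242.86"}
# Apex domains whose NS records the thread asks operators to flush.
APEXES = ("linkedin.com.", "licdn.com.")

RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(NS|A)\s+(\S+)$")

# Constructed sample of what a cache dump / dig answer section might hold.
SAMPLE_ANSWERS = """\
; constructed sample, not a real resolver dump
linkedin.com.        172800 IN NS ns1617.ztomy.com.
linkedin.com.        172800 IN NS ns2617.ztomy.com.
www.linkedin.com.       300 IN A  204.11.56.17
mail.linkedin.com.      300 IN A  216.52.242.80
static.licdn.com.       300 IN A  204.11.56.17
www.example.com.        300 IN A  204.11.56.17
www.linkedin.com.       300 IN A  216.52.242.86
"""


@dataclass(frozen=True)
class RR:
    name: str
    ttl: int
    rtype: str
    rdata: str


def parse_answers(text: str) -> list[RR]:
    """Parse dig-style NS/A answer lines; comments and blanks are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RR_LINE.match(line)
        if m:
            name, ttl, rtype, rdata = m.groups()
            records.append(RR(name.lower(), int(ttl), rtype, rdata.lower()))
    return records


def apex_of(name: str) -> str | None:
    """Return the monitored apex a name falls under, or None if unrelated."""
    for apex in APEXES:
        if name == apex or name.endswith("." + apex):
            return apex
    return None


def classify(records: list[RR]) -> dict[str, list[str]]:
    """Bucket answers under the monitored apexes: hijacked, stale, or ok."""
    findings: dict[str, list[str]] = {"hijacked": [], "stale": [], "ok": []}
    for rr in records:
        if apex_of(rr.name) is None:
            continue  # www.example.com etc. are not our concern here
        desc = f"{rr.name} {rr.rtype} {rr.rdata} (ttl {rr.ttl}s)"
        if rr.rtype == "NS" and rr.rdata in HIJACK_NS:
            findings["hijacked"].append(desc)
        elif rr.rtype == "A" and rr.rdata in HIJACK_A:
            findings["hijacked"].append(desc)
        elif rr.rtype == "A" and rr.rdata in STALE_A:
            findings["stale"].append(desc)  # client still going via the bad host
        elif rr.rtype == "A" and rr.rdata in EXPECTED_A:
            findings["ok"].append(desc)
    return findings


def flush_commands(records: list[RR]) -> list[str]:
    """BIND 'rndc flushname' for each apex still carrying a bad answer."""
    bad = set()
    for rr in records:
        apex = apex_of(rr.name)
        if apex and (rr.rdata in HIJACK_NS or rr.rdata in HIJACK_A or rr.rdata in STALE_A):
            bad.add(apex)
    return [f"rndc flushname {apex.rstrip('.')}" for apex in APEXES if apex in bad]


def rpz_records() -> list[str]:
    """RPZ zone lines: NXDOMAIN any answer delegated to, or resolving to, the indicators."""
    lines = [f"{ns.rstrip('.')}.rpz-nsdname CNAME ." for ns in sorted(HIJACK_NS)]
    for ip in sorted(HIJACK_A):
        reversed_octets = ".".join(reversed(ip.split(".")))
        lines.append(f"32.{reversed_octets}.rpz-ip CNAME .")  # /32 trigger
    return lines


if __name__ == "__main__":
    recs = parse_answers(SAMPLE_ANSWERS)
    for bucket, items in classify(recs).items():
        for item in items:
            print(f"{bucket:8s} {item}")
    print("\n".join(flush_commands(recs)))
    print("\n".join(rpz_records()))
```

On a live resolver the input would come from a cache dump (for BIND, `rndc dumpdb -cache` writes the cache in this master-file style) rather than the constructed string; the 172800-second TTL on the NS lines is the 2-day value the thread calls out as the part that will not age out on its own.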