[Outages-discussion] [outages] Zoom Outage 4/16/25 15:30 EDT
Michael Sinatra
michael at burnttofu.net
Wed Apr 16 20:57:38 EDT 2025
--> outages-discussion@
On 4/16/25 14:57, Mel Beckman via Outages wrote:
> LOL!
>
> Well, there's your "100%" and there's the Telegraph and the Daily Mail,
> both of which reported the hacker group Dark Storm Team took credit for it:
>
> https://www.dailymail.co.uk/news/article-14619931/zoom-outage-thousands-users-report-issues.html
> > Upon what data is your 100% reliability guarantee based?

Uh, well, he works for Cloudflare and Cloudflare provides a lot of the
backend for Zoom's web presence? :-D

As opposed to the Daily Mail, who is quoting KRON-TV in San Francisco,
who even admits that they haven't confirmed Dark Storm's claim.

Moreover, the KRON article cites Dark Storm as using the term "DDOS,"
which a reasonable hacktivist (honestly not sure whether Dark Storm is
in that category) would understand to be completely different from what
happened. Placing the domain in ICANN "serverhold" (which caused it to
be demonstrably removed from the .us zone [I have dnstap data that shows
the NXDOMAIN responses, as well as my own queries]) is what caused the
outage. Now suppose Dark Storm _did_ somehow hack the registrar or
registry and put the domain into serverhold. If they were clueful
enough to do that, then they would be smart enough to correctly claim
responsibility for what that is: a "domain hijack" not a "DDOS."

One of the things I noticed that's interesting is this:

[cadillac] ~> dig ns zoom.us @ns-387.awsdns-48.com +dnssec
; <<>> DiG 9.20.7 <<>> ns zoom.us @ns-387.awsdns-48.com +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25332
;; flags: qr aa rd ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;zoom.us. IN NS
;; ANSWER SECTION:
zoom.us. 172800 IN NS ns-1137.awsdns-14.org.
zoom.us. 172800 IN NS ns-1772.awsdns-29.co.uk.
zoom.us. 172800 IN NS ns-387.awsdns-48.com.
zoom.us. 172800 IN NS ns-888.awsdns-47.net.

Uh, what's up with 'flags: qr aa rd ad'? The domain is not
DNSSEC-signed, and even if it were, is there ever a case where you have
the 'aa' and 'ad' bits set? I don't recall that being a reasonable thing...

Probably a topic for dns-operations@, but in general, I'd be interested
as to whether there are any insights as to the serverhold.
michael
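
A triage sketch for the header bits questioned in the message above, added here as an example and not part of the original post: it parses dig output and reports when 'aa' and 'ad' are both set, when 'ad' is set with DO but no RRSIG came back, and when 'rd' is set without 'ra'. The function names and the second sample are constructed for illustration.

```python
import re

# Header, OPT and answer lines of the dig response quoted in the message.
QUOTED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25332
;; flags: qr aa rd ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 4096
zoom.us. 172800 IN NS ns-1137.awsdns-14.org.
zoom.us. 172800 IN NS ns-1772.awsdns-29.co.uk.
zoom.us. 172800 IN NS ns-387.awsdns-48.com.
zoom.us. 172800 IN NS ns-888.awsdns-47.net.
"""

# Constructed contrast case (not from the message): a validating resolver's
# answer for a signed zone, with RRSIG present and 'ra' offered.
CONSTRUCTED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 1232
example.org. 3600 IN NS ns1.example.org.
example.org. 3600 IN RRSIG NS 13 2 3600 20250501000000 20250401000000 12345 example.org. c2FtcGxl
"""

def parse_dig(text):
    """Extract status, header flags, EDNS flags and record types from dig text."""
    def grab(pattern):
        m = re.search(pattern, text, re.M)
        return m.group(1).split() if m else []
    rrtypes = [f[3] for f in (l.split() for l in text.splitlines())
               if len(f) >= 5 and not f[0].startswith(";") and f[2] == "IN"]
    return {"status": "".join(grab(r"status: (\w+)")),
            "flags": set(grab(r"^;; flags:\s*([a-z ]*);")),
            "edns": set(grab(r"^; EDNS:.*flags:\s*([a-z ]*);")),
            "rrtypes": rrtypes}

def findings(text):
    """Return the header-bit combinations worth a second look."""
    r, out = parse_dig(text), []
    if {"aa", "ad"} <= r["flags"]:
        out.append("aa+ad")              # the combination the message asks about
    if "ad" in r["flags"] and "do" in r["edns"] and "RRSIG" not in r["rrtypes"]:
        out.append("ad-without-rrsig")   # DO was set, yet no signatures came back
    if "rd" in r["flags"] and "ra" not in r["flags"]:
        out.append("rd-without-ra")      # matches dig's recursion warning
    return out

if __name__ == "__main__":
    for name, sample in (("quoted", QUOTED), ("constructed", CONSTRUCTED)):
        print(name, parse_dig(sample)["status"], findings(sample))
```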