Educause Security Discussion mailing list archives

Re: Honeypot in Netherlands mirroring entire DNS structures for some .edu's


From: Steve Lovaas <steven.lovaas () COLOSTATE EDU>
Date: Fri, 17 Nov 2006 09:14:24 -0700

From a slightly different perspective, we shouldn't expect to own all
possible content in foo.eu just because we own all content in foo.edu,
merely because the confusion is only a typo away.

This kind of problem has led some organizations to register .com, .org,
and .edu or .gov for the same domain name, just in case (so they don't
end up with a whitehouse.com porn problem). My own city's government
site is advertised as www.fcgov.com, but don't get me started :)

If we really believe in the distinction provided by different top-level
domains, COM and ORG and NET, etc are legitimately different. I bank
with a company called Juniper, and I sometimes confuse the .COM with the
.NET when I go to check tech support for our border Juniper router. I
view this as my own problem.

Bottom line, it MAY be some sort of nascent exploit (I'll trust the SANS
ISC on that call), but we need to be careful not to assume too much. Our
own U.S. domain registrars do the same thing with unregistered name space...

If we REALLY are worried about risk caused when someone mis-types a URL,
perhaps we should be offering them links to click to get to sensitive
information rather than relying on them to type. An SSL gateway or some
other sort of front end can provide this (as long as you don't
fat-finger THAT URL).

To mitigate against the risk of going to the wrong spot, if you're
worried, then it's easy enough to block the IP space associated with the
"typo".

Steve Lovaas
Colorado State University

John C. A. Bambenek wrote:
All-

We just discovered that there is a machine in the Netherlands that is
apparently running a honeypot and is mirroring entire DNS structures for
some .edu domains.

For instance, our webserver www.csl.uiuc.edu resolves to 130.126.136.140,
but www.csl.uiuc.eu resolves to 212.79.243.140.  It mirrors every DNS name
under our domain to that IP.  After taking a look, I found about 6 other
.edu domains that are being fully mirrored after doing a quick check with
nslookup.

It appears the attempt is to grab credentials for later re-use. Take a look
to see if your domains are being mirrored and take appropriate action.

j

--
==============================================================
Steven Lovaas, MSIA, CISSP
Network & Security Resource Manager
Academic Computing & Network Services
Colorado State University
970-297-3707
Steven.Lovaas () ColoState EDU
==============================================================
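The check Bambenek describes (resolve names under the real domain and under its look-alike and see whether they all land on one address) as an added example; this script is not from the thread. The hostnames, the canary label and sample_resolver are constructed stand-ins modelled on the addresses quoted above, and default_resolve falls back to the system resolver when no stand-in is passed.

```python
import socket
from typing import Callable, Dict, Iterable, Optional


def default_resolve(name: str) -> Optional[str]:
    """Resolve a name to one IPv4 address, or None if it does not resolve."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_typo_mirror(domain: str, typo_domain: str, hostnames: Iterable[str],
                      resolve: Callable[[str], Optional[str]] = default_resolve,
                      ) -> Dict[str, object]:
    """Resolve each label under the real and the look-alike domain and decide
    whether the look-alike behaves as a mirror of the real zone.

    A canary label that exists nowhere is queried as well: if the look-alike
    answers for it, it is a DNS wildcard, so any typo of any host lands there.
    """
    canary = "zz-canary-should-not-exist"  # assumed never to be a real host
    rows = [{"label": label,
             "real": resolve(f"{label}.{domain}"),
             "typo": resolve(f"{label}.{typo_domain}")}
            for label in list(hostnames) + [canary]]
    typo_addrs = [r["typo"] for r in rows[:-1] if r["typo"]]
    answered_all = len(typo_addrs) == len(rows) - 1
    single_target = len(set(typo_addrs)) == 1
    if answered_all and single_target:
        verdict = "mirrored"      # every real name answered, all to one host
    elif typo_addrs:
        verdict = "partial"
    else:
        verdict = "not-mirrored"
    return {"verdict": verdict,
            "mirror_ip": typo_addrs[0] if single_target else None,  # candidate to block
            "wildcard": rows[-1]["typo"] is not None,
            "rows": rows}


def sample_resolver(name: str) -> Optional[str]:
    """Constructed stand-in for DNS, modelled on the addresses in the post."""
    if name.endswith(".csl.uiuc.eu"):
        return "212.79.243.140"
    if name == "www.csl.uiuc.edu":
        return "130.126.136.140"
    return None
```

Run it as `check_typo_mirror("csl.uiuc.edu", "csl.uiuc.eu", ["www", "mail"], sample_resolver)` for the constructed case, or drop the last argument to query real DNS for your own domain.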
