Re: Honeypot in Netherlands mirroring entire DNS structures for some .edu's

["Mclaughlin, Kevin L (mclaugkl)" <mclaugkl () UCMAIL UC EDU>]

I'm not up on how domain registration works (is it Nationally or
Internationally applied and/or regulated) but the .eu at the end is
simply indicative of a European domain.  Here is an excerpt I received
based on some recent research:
======
"As of July 2006 more than 2 million .eu domain names were registered.
It is now the third largest domain in Europe, after .de and .uk , and is
the seventh largest internationally,"
======
I am doubtful, but could be wrong on this, that there is international
law that prohibits the use of our domain first letters/first names.
Therefore they can be re-used for .eu domains.  An example of this is
that there are: CIA.gov, FBI.gov and then CIA.com and FBI.com  domains
that are official and registered.

-Kevin


Kevin L. McLaughlin
CISM, CISSP, PMP, ITIL Master Certified
Director, Information Security
University of Cincinnati
513-556-9177 (w)
513-703-3211 (m)
mclaugkl () ucmail uc edu
 
 
 
 
CONFIDENTIALITY NOTICE: This e-mail message and its content is
confidential, intended solely for the addressee, and may be legally
privileged. Access to this message and its content by any individual or
entity other than those identified in this message is unauthorized. If
you are not the intended recipient, any disclosure, copying or
distribution of this e-mail may be unlawful. Any action taken or omitted
due to the content of this message is prohibited and may be unlawful.
 

-----Original Message-----
From: Steve Lovaas [mailto:steven.lovaas () COLOSTATE EDU] 
Sent: Friday, November 17, 2006 11:14 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Honeypot in Netherlands mirroring entire DNS
structures for some .edu's

> From a slightly different perspective, we shouldn't expect to own all
possible content in foo.eu just because we own all content in foo.edu,
merely because the confusion is only a typo away.

This kind of problem has led some organizations to register .com, .org,
and .edu or .gov for the same domain name, just in case (so they don't
end up with a whitehouse.com porn problem). My own city's government
site is advertised as www.fcgov.com, but don't get me started  :)

If we really believe in the distinction provided by different top-level
domains, COM and ORG and NET, etc are legitimately different. I bank
with a company called Juniper, and I sometimes confuse the .COM with the
.NET when I go to check tech support for our border Juniper router. I
view this as my own problem.

Bottom line, it MAY be some sort of nascent exploit (I'll trust the SANS
ISC on that call), but we need to be careful not to assume too much. Our
own U.S. domain registrars do the same thing with unregistered name
space...

If we REALLY are worried about risk caused when someone mis-types a URL,
perhaps we should be offering them links to click to get to sensitive
information rather than relying on them to type. An SSL gateway or some
other sort of front end can provide this (as long as you don't
fat-finger THAT URL).

To mitigate against the risk of going to the wrong spot, if you're
worried, then it's easy enough to block the IP space associated with the
"typo".

Steve Lovaas
Colorado State University



John C. A. Bambenek wrote:
> All-
>
> We just discovered that there is a machine in the Netherlands that is
> apparently running a honeypot and is mirroring entire DNS structures
for
> some .edu domains.
>
> For instance, our webserver www.csl.uiuc.edu resolves to
130.126.136.140,
> but www.csl.uiuc.eu resolves to 212.79.243.140.  It mirrors every DNS
name
> under our domain to that IP.  After taking a look, I found about 6
others
> .edu domains that are being fully mirrored after doing a quick check
with
> nslookup.
>
> It appears the attempt is to grab credentials for later re-use. Take a
look
> to see if your domains are being mirrored and take appropriate action.
>
> j

-- 
==============================================================
Steven Lovaas, MSIA, CISSP
Network & Security Resource Manager
Academic Computing & Network Services
Colorado State University
970-297-3707
Steven.Lovaas () ColoState EDU
==============================================================