Educause Security Discussion mailing list archives
Re: Honeypot in Netherlands mirroring entire DNS structures for some .edu's
From: "Mclaughlin, Kevin L (mclaugkl)" <mclaugkl () UCMAIL UC EDU>
Date: Fri, 17 Nov 2006 15:41:52 -0500
I'm not up on how domain registration works (is it nationally or internationally applied and/or regulated), but the .eu at the end is simply indicative of a European domain. Here is an excerpt I received based on some recent research:

======
"As of July 2006 more than 2 million .eu domain names were registered. It is now the third largest domain in Europe, after .de and .uk, and is the seventh largest internationally."
======

I am doubtful, but could be wrong on this, that there is international law that prohibits the use of our domain first letters/first names. Therefore they can be re-used for .eu domains. An example of this is that there are CIA.gov and FBI.gov, and then CIA.com and FBI.com domains that are official and registered.

-Kevin

Kevin L. McLaughlin
CISM, CISSP, PMP, ITIL Master Certified
Director, Information Security
University of Cincinnati
513-556-9177 (w)
513-703-3211 (m)
mclaugkl () ucmail uc edu

CONFIDENTIALITY NOTICE: This e-mail message and its content is confidential, intended solely for the addressee, and may be legally privileged. Access to this message and its content by any individual or entity other than those identified in this message is unauthorized. If you are not the intended recipient, any disclosure, copying or distribution of this e-mail may be unlawful. Any action taken or omitted due to the content of this message is prohibited and may be unlawful.

-----Original Message-----
From: Steve Lovaas [mailto:steven.lovaas () COLOSTATE EDU]
Sent: Friday, November 17, 2006 11:14 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Honeypot in Netherlands mirroring entire DNS structures for some .edu's
From a slightly different perspective, we shouldn't expect to own all possible content in foo.eu just because we own all content in foo.edu, merely because the confusion is only a typo away. This kind of problem has led some organizations to register .com, .org, and .edu or .gov for the same domain name, just in case (so they don't end up with a whitehouse.com porn problem). My own city's government site is advertised as www.fcgov.com, but don't get me started :)

If we really believe in the distinction provided by different top-level domains, COM and ORG and NET, etc. are legitimately different. I bank with a company called Juniper, and I sometimes confuse the .COM with the .NET when I go to check tech support for our border Juniper router. I view this as my own problem.

Bottom line, it MAY be some sort of nascent exploit (I'll trust the SANS ISC on that call), but we need to be careful not to assume too much. Our own U.S. domain registrars do the same thing with unregistered name space...

If we REALLY are worried about risk caused when someone mis-types a URL, perhaps we should be offering them links to click to get to sensitive information rather than relying on them to type. An SSL gateway or some other sort of front end can provide this (as long as you don't fat-finger THAT URL). To mitigate the risk of going to the wrong spot, if you're worried, then it's easy enough to block the IP space associated with the "typo".

Steve Lovaas
Colorado State University

John C. A. Bambenek wrote:
All-

We just discovered that there is a machine in the Netherlands that is apparently running a honeypot and is mirroring entire DNS structures for some .edu domains. For instance, our webserver www.csl.uiuc.edu resolves to 130.126.136.140, but www.csl.uiuc.eu resolves to 212.79.243.140. It mirrors every DNS name under our domain to that IP. After taking a look, I found about 6 other .edu domains that are being fully mirrored after doing a quick check with nslookup.

It appears the attempt is to grab credentials for later re-use. Take a look to see if your domains are being mirrored and take appropriate action.

j
--
==============================================================
Steven Lovaas, MSIA, CISSP
Network & Security Resource Manager
Academic Computing & Network Services
Colorado State University
970-297-3707
Steven.Lovaas () ColoState EDU
==============================================================
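The check Bambenek describes (compare how each name under a .edu zone resolves with how the same name under the .eu zone resolves, and see whether everything under the .eu zone lands on one address) can be scripted rather than done by hand with nslookup. The script below is an added example for this thread, not code from any of the posters. The names and the two addresses quoted in the thread are reused, but the resolver and its answer table are constructed to mimic the report (the extra hostnames and their addresses are made up), so the example runs offline; pass resolver=socket.gethostbyname to run the same logic against live DNS. It also probes a random, never-published label under the .eu zone: if that resolves too, the zone is answering with a wildcard, which is how one host can "mirror every name" without ever copying the real zone.

```python
"""Check whether the names under a .edu zone are mirrored under the
matching .eu zone.  Added example, not the original poster's code."""
import secrets
import socket
from collections import Counter


def typo_name(name, src_tld=".edu", dst_tld=".eu"):
    """www.csl.uiuc.edu -> www.csl.uiuc.eu (raise if the suffix does not match)."""
    if not name.endswith(src_tld):
        raise ValueError(f"{name!r} does not end with {src_tld}")
    return name[: -len(src_tld)] + dst_tld


def lookup(name, resolver):
    """Resolve name to an IPv4 string, or None if it does not resolve."""
    try:
        return resolver(name)
    except (socket.gaierror, KeyError, OSError):
        return None


def check_mirroring(hostnames, domain, resolver=socket.gethostbyname,
                    src_tld=".edu", dst_tld=".eu"):
    """Resolve each .edu host and its .eu counterpart.

    Returns a dict with:
      pairs    - (edu_name, edu_ip, eu_name, eu_ip) for every hostname
      eu_ips   - Counter of the distinct addresses the .eu names resolve to
      wildcard - True if a random label under the .eu zone also resolves
      mirrored - True if every .eu name resolves and all land on one address
    """
    pairs = []
    for edu in hostnames:
        eu = typo_name(edu, src_tld, dst_tld)
        pairs.append((edu, lookup(edu, resolver), eu, lookup(eu, resolver)))
    eu_ips = Counter(ip for _, _, _, ip in pairs if ip)
    # A label nobody would publish; a hit means the zone has a wildcard record.
    probe = secrets.token_hex(8) + "." + typo_name(domain, src_tld, dst_tld)
    wildcard = lookup(probe, resolver) is not None
    mirrored = len(eu_ips) == 1 and eu_ips.most_common(1)[0][1] == len(pairs)
    return {"pairs": pairs, "eu_ips": eu_ips,
            "wildcard": wildcard, "mirrored": mirrored}


# Constructed answer table mimicking the report: the .edu names have their own
# addresses, while anything under uiuc.eu answers with the one mirror address.
# Only www.csl.uiuc.edu and the two addresses come from the thread; the other
# two hostnames and their addresses are made up for the example.
SAMPLE_EDU = {
    "www.csl.uiuc.edu": "130.126.136.140",
    "mail.csl.uiuc.edu": "130.126.136.141",  # made-up
    "cs.uiuc.edu": "130.126.136.142",        # made-up
}
MIRROR_IP = "212.79.243.140"


def sample_resolver(name):
    """Stand-in for socket.gethostbyname that reproduces the reported behaviour."""
    if name in SAMPLE_EDU:
        return SAMPLE_EDU[name]
    if name.endswith(".uiuc.eu"):
        return MIRROR_IP
    raise socket.gaierror(name)


def clean_resolver(name):
    """Control case: the .eu names simply do not exist."""
    if name in SAMPLE_EDU:
        return SAMPLE_EDU[name]
    raise socket.gaierror(name)


if __name__ == "__main__":
    report = check_mirroring(list(SAMPLE_EDU), "uiuc.edu", resolver=sample_resolver)
    for edu, edu_ip, eu, eu_ip in report["pairs"]:
        print(f"{edu:22} {edu_ip:16} {eu:22} {eu_ip}")
    print("wildcard:", report["wildcard"], "mirrored:", report["mirrored"])
```

When run against live DNS, feed it the hostnames you actually publish (a zone transfer of your own zone, or your web and mail names at minimum). A wildcard hit plus a single address for every probed name is the pattern the thread describes; the addresses in eu_ips are what you would feed to a border block, as Lovaas suggests, if you decide to block rather than just watch.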