Re: This is a coordinated hacking. (Was Re: Need help in flushing DNS)

[Andrew Fried <andrew.fried () gmail com>]

Not so easy and straightforward to do.  You'll find that a lot of the
big names out there frequently tweak DNS, which will result in a
non-stop stream of "alerts".

Andy

Andrew Fried
andrew.fried () gmail com

On 6/20/13 3:57 PM, Jared Mauch wrote:
> It seems there may be a need for some sort of 'dns-health' check out there that can be done in semi-realtime.
>
> I ran a report for someone earlier today on a domain doing an xref against open resolver data searching for valid 
> responses vs invalid ones.
>
> Is this of value?  Does it need to be automated?
>
> - Jared
>
> On Jun 20, 2013, at 3:53 PM, jamie rishaw <j () arpa com> wrote:
>
> > This is most definitely a coordinated and planned attack.
> >
> > And by 'attack' I mean hijacking of domain names.
> >
> > I show as of this morning nearly fifty thousand domain names that appear
> > suspicious.
> >
> > I'm tempted to call uscentcom and/or related agencies (which agencies, who
> > the hell knows, as ICE seems to have some sort of authority over domains
> > (nearly two hundred fifty of them as I type this in COM alone and another
> > thirty-some in NET).
> >
> > Anyone credentialed (credentialed /n/., "I know you or know of you,")
> > wanting data, e-mail me off-list for some TLD goodness.
> >
> >
> >
> >
> >
> >
> > On Thu, Jun 20, 2013 at 12:29 PM, Phil Fagan <philfagan () gmail com> wrote:
> >
> > > Agree'd in these "smaller" scenario's I just wonder if in a larger scale
> > > scenario, whatever that might look like, if its necessary. Whereby many
> > > organizations who provide "services" are effected. Perhaps the result of a
> > > State led campaign ....topic for another day.
> > >
> > >
> > >
> > >
> > > On Thu, Jun 20, 2013 at 11:25 AM, Paul Ferguson <fergdawgster () gmail com
> > > > wrote:
> > >
> > > > I am betting that Netsol doesn't need any more "coordination" at the
> > > > moment -- their phones are probably ringing off-the-hook. There are
> > > > still ~400 domains still pointing to the ztomy NS:
> > > >
> > > >
> > > > ; <<>> DiG 9.7.3 <<>> @foohost parsonstech.com NS
> > > > ; (1 server found)
> > > > ;; global options: +cmd
> > > > ;; Got answer:
> > > > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49064
> > > > ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
> > > >
> > > > ;; QUESTION SECTION:
> > > > ;parsonstech.com.        IN    NS
> > > >
> > > > ;; ANSWER SECTION:
> > > > parsonstech.com.    172800    IN    NS    ns2617.ztomy.com.
> > > > parsonstech.com.    172800    IN    NS    ns1617.ztomy.com.
> > > >
> > > > ;; Query time: 286 msec
> > > > ;; SERVER: 127.0.0.1#53(127.0.0.1)
> > > > ;; WHEN: Thu Jun 20 19:16:25 2013
> > > > ;; MSG SIZE  rcvd: 81
> > > >
> > > > - ferg
> > > >
> > > > On Thu, Jun 20, 2013 at 10:13 AM, Phil Fagan <philfagan () gmail com>
> > > wrote:
> > > > > I should caveat.....coordinate the "recovery" of.
> > > > >
> > > > >
> > > > > On Thu, Jun 20, 2013 at 11:10 AM, Brandon Butterworth
> > > > > <brandon () rd bbc co uk>wrote:
> > > > >
> > > > > > > Is there an organization that coordinates outages like this amongst
> > > > the
> > > > > > > industry?
> > > > > >
> > > > > > No, usually they are surprise outages though Anonymous have tried
> > > > > > coordinating a few
> > > > > >
> > > > > > brandon
> > > > >
> > > > >
> > > > >
> > > > > --
> > > > > Phil Fagan
> > > > > Denver, CO
> > > > > 970-480-7618
> > > >
> > > >
> > > >
> > > > --
> > > > "Fergie", a.k.a. Paul Ferguson
> > > > fergdawgster(at)gmail.com
> > >
> > >
> > >
> > > --
> > > Phil Fagan
> > > Denver, CO
> > > 970-480-7618
> >
> >
> >
> > -- 
> > Jamie Rishaw // .com.arpa@j <- reverse it. ish.
> > [Impressive C-level Title Here], arpa / arpa labs