The only apparent link is registration thru network solutions
On Wed, Jun 19, 2013 at 10:49 PM, Alex Buie alex.b...@frozenfeline.netwrote:
Anyone have news/explanation about what's happening/happened?
On Wed, Jun 19, 2013 at 10:34 PM, Paul Ferguson fergdawgs...@gmail.com
wrote:
Sure
Hanlon's razor? Misconfiguration. Perhaps not done in malice, but I
have no idea where the poison leaked in, or why. :-)
- ferg
On Wed, Jun 19, 2013 at 10:49 PM, Alex Buie alex.b...@frozenfeline.net wrote:
Anyone have news/explanation about what's happening/happened?
On Wed, Jun 19, 2013 at
On 6/20/13, Paul Ferguson fergdawgs...@gmail.com wrote:
On Wed, Jun 19, 2013 at 10:44 PM, Tom Paseka t...@cloudflare.com wrote:
On Wed, Jun 19, 2013 at 10:32 PM, Patrick W. Gilmore
I think ztomy.com smells really bad for some reason, looks like
100% advertising;
sure doesn't appear to be a
On Jun 19, 2013, at 11:23 PM, Jimmy Hess mysi...@gmail.com wrote:
On 6/20/13, Paul Ferguson fergdawgs...@gmail.com wrote:
On Wed, Jun 19, 2013 at 10:44 PM, Tom Paseka t...@cloudflare.com wrote:
On Wed, Jun 19, 2013 at 10:32 PM, Patrick W. Gilmore
I think ztomy.com smells really bad for some
.-- My secret spy satellite informs me that at 2013-06-19 10:34 PM Paul
Ferguson wrote:
; DiG 9.7.3 @localhost yelp.com A
SNIP
;; ANSWER SECTION:
yelp.com. 300 IN A 204.11.56.20
Interesting to see that traffic to this IP addresses is going through
prolexic...
I guess they're considering
I have no knowledge of any DDoS -related activity involving Yelp! and
Prolexic. Even if there is one, the fact that their DNS records have
been poisoned has not direct relationship to any current DDoS (there
isn't one that I am aware of).
- ferg
On Thu, Jun 20, 2013 at 12:31 AM, Andree Toonk
.-- My secret spy satellite informs me that at 2013-06-20 12:31 AM
Andree Toonk wrote:
.-- My secret spy satellite informs me that at 2013-06-19 10:34 PM Paul
Ferguson wrote:
; DiG 9.7.3 @localhost yelp.com A
SNIP
;; ANSWER SECTION:
yelp.com. 300 IN A 204.11.56.20
Interesting to
Hi,
.-- My secret spy satellite informs me that at 2013-06-20 12:38 AM Paul
Ferguson wrote:
I have no knowledge of any DDoS -related activity involving Yelp! and
Prolexic. Even if there is one, the fact that their DNS records have
been poisoned has not direct relationship to any current DDoS
I have domains that are *not* expired, which are being affected by this.
Domains are hosted via Dynect, and are resolving into this 204.11.56.0/24 range
across the globe.
Dynect management portal was down until minutes ago as well.
- Charles
On Jun 20, 2013, at 12:45 AM, David Conrad
On Jun 19, 2013, at 7:21 PM, Benson Schliesser bens...@queuefull.net wrote:
The sending peer (or their customer) has more control over cost.
I'll assume that, by sending peer, you mean the content network. If so, I
disagree. The content network has no control whatsoever over the location of
Smileyface aside, I'm disappointed to see operators simply flushing caches
and not performing at the least a dumpdb for possible future forensic
analysis.
This is what I call the Windows solution, - 'Oh, just reboot, and it'll
work'.
We're better than that.
(Aren't we?)
On Thu, Jun 20, 2013
I am not speaking officially, but the evidence so far is that this was not
DNS poisoning, but domain name hijacking. My colleagues will have more to
say later today.
On Thu, Jun 20, 2013 at 1:19 AM, John Levine jo...@iecc.com wrote:
Reaching out to DNS operators around the globe. Linkedin.com
On 20 June 2013 13:07, Bill Woodcock wo...@pch.net wrote:
On Jun 19, 2013, at 7:21 PM, Benson Schliesser bens...@queuefull.net
wrote:
The sending peer (or their customer) has more control over cost.
I'll assume that, by sending peer, you mean the content network. If so,
I disagree. The
On Jun 20, 2013, at 8:09, Martin Barry ma...@supine.com wrote:
On 20 June 2013 13:07, Bill Woodcock wo...@pch.net wrote:
On Jun 19, 2013, at 7:21 PM, Benson Schliesser bens...@queuefull.net
wrote:
The sending peer (or their customer) has more control over cost.
I'll assume that, by sending
On Jun 19, 2013, at 23:41, Siegel, David david.sie...@level3.com wrote:
Well, with net flow Analytics, it's not really the case that we don't have a
way of evaluating the relative burdens. Every major net flow Analytics
vendor is implementing some type of distance measurement capability so
Thus spake Jason Fesler (jfes...@gigo.com) on Wed, Jun 19, 2013 at 04:55:01PM
-0700:
On a recent IPv6 providers call, there was a desire for participants
to share information with each other on what works and what breaks in
an IPv6-only environment. I offered to set that up. It was further
The tools cannot estimate burden into the peers network very well, particularly
when longest-exit routing is implement to balance the mileage burden, so each
party shares their information with each other and compares data in order to
make decisions.
It's not common, but there are a handful of
On Jun 20, 2013, at 5:37 AM, Benson Schliesser bens...@queuefull.net wrote:
Right. By sending peer I meant the network transmitting a packet,
unidirectional flow, or other aggregate of traffic into another
network. I'm not assuming anything about whether they are offering
content or something
Some news coverage here with pretty pictures of LinkedIn access:
http://techcrunch.com/2013/06/19/linkedin-outage-due-to-possible-dns-hijacki
ng/
Frank
-Original Message-
From: Jimmy Hess [mailto:mysi...@gmail.com]
Sent: Thursday, June 20, 2013 1:23 AM
To: Paul Ferguson
Cc: NANOG list
Is there an organization that coordinates outages like this amongst the
industry?
On Thu, Jun 20, 2013 at 9:36 AM, Frank Bulk frnk...@iname.com wrote:
Some news coverage here with pretty pictures of LinkedIn access:
http://techcrunch.com/2013/06/19/linkedin-outage-due-to-possible-dns-hijacki
I'm sure that folks in the ICANN SSAC will be talking about this
subject well in to the future once a postmortem is completed. Also,
perhaps even the DNS-OARC community.
Coordination? This is the Internet! :-)
- ferg
On Thu, Jun 20, 2013 at 8:49 AM, Phil Fagan philfa...@gmail.com wrote:
Is
Hah..knew it
On Thu, Jun 20, 2013 at 9:53 AM, Paul Ferguson fergdawgs...@gmail.comwrote:
I'm sure that folks in the ICANN SSAC will be talking about this
subject well in to the future once a postmortem is completed. Also,
perhaps even the DNS-OARC community.
Coordination? This is the
I don't think there's one recognized authority. However,
https://isc.sans.edu/ is pretty up to date.
--chip
On Thu, Jun 20, 2013 at 11:53 AM, Paul Ferguson fergdawgs...@gmail.comwrote:
I'm sure that folks in the ICANN SSAC will be talking about this
subject well in to the future once a
Is there a need for such authority or coordination center?
On Thu, Jun 20, 2013 at 9:59 AM, chip chip.g...@gmail.com wrote:
I don't think there's one recognized authority. However,
https://isc.sans.edu/ is pretty up to date.
--chip
On Thu, Jun 20, 2013 at 11:53 AM, Paul Ferguson
* philfa...@gmail.com (Phil Fagan) [Thu 20 Jun 2013, 17:50 CEST]:
Is there an organization that coordinates outages like this amongst
the industry?
No; all outages on the Internet happen independently from each other
and are not coordinated to (not) coincide in any way.
-- Niels.
http://www.networksolutions.com/blog/2013/06/important-update-for-network-solutions-customers-experiencing-website-issues/
- Jared
On Jun 19, 2013, at 11:42 PM, Zaid Ali Kahn z...@zaidali.com wrote:
Reaching out to DNS operators around the globe. Linkedin.com has had some
issues with DNS and
Is there an organization that coordinates outages like this amongst the
industry?
No, usually they are surprise outages though Anonymous have tried
coordinating a few
brandon
I should caveat.coordinate the recovery of.
On Thu, Jun 20, 2013 at 11:10 AM, Brandon Butterworth
bran...@rd.bbc.co.ukwrote:
Is there an organization that coordinates outages like this amongst the
industry?
No, usually they are surprise outages though Anonymous have tried
I am betting that Netsol doesn't need any more coordination at the
moment -- their phones are probably ringing off-the-hook. There are
still ~400 domains still pointing to the ztomy NS:
; DiG 9.7.3 @foohost parsonstech.com NS
; (1 server found)
;; global options: +cmd
;; Got answer:
;;
Agree'd in these smaller scenario's I just wonder if in a larger scale
scenario, whatever that might look like, if its necessary. Whereby many
organizations who provide services are effected. Perhaps the result of a
State led campaign topic for another day.
On Thu, Jun 20, 2013 at 11:25
This is most definitely a coordinated and planned attack.
And by 'attack' I mean hijacking of domain names.
I show as of this morning nearly fifty thousand domain names that appear
suspicious.
I'm tempted to call uscentcom and/or related agencies (which agencies, who
the hell knows, as ICE
It seems there may be a need for some sort of 'dns-health' check out there that
can be done in semi-realtime.
I ran a report for someone earlier today on a domain doing an xref against open
resolver data searching for valid responses vs invalid ones.
Is this of value? Does it need to be
I'm rechecking realtime ns1620/2620 DNS right now and, looking at the
output, I see an odd number of domains (that have changed) with a listed
nameserver of localhost..
Is this some sort of tactic I'm unaware of?
On Thu, Jun 20, 2013 at 2:57 PM, Jared Mauch ja...@puck.nether.net wrote:
It
The tools cannot estimate burden into the peers network very well,
particularly when longest-exit routing is implement to balance the
mileage burden, so each party shares their information with each other
and compares data in order to make decisions.
It's not common, but there are a handful
Poisoning a domain's NS records with localhost will most certainly DOS the
domain, yes.
I have not yet seen the source of this; if anyone has a clue where the
updates are coming from please post the info.
Is there anything about ztomy.com that has been seen that's supicious as in
they might be
It's not poisoning. They somehow were able to modify the NS records; one
would presume, at the registrar/s.
As far as the logic of the DNS, it is functioning as designed (What's up,
Vix!) - There's another aspect of this that caused this situation.
Any Alexa or similar people on this list (Goog
Not so easy and straightforward to do. You'll find that a lot of the
big names out there frequently tweak DNS, which will result in a
non-stop stream of alerts.
Andy
Andrew Fried
andrew.fr...@gmail.com
On 6/20/13 3:57 PM, Jared Mauch wrote:
It seems there may be a need for some sort of
Wait, wait.
whois doesnt jive with dns.
.. Conspiracy Theory Hat On :
- Did someone gain access to the COM dispersion zone, or parts thereof?
- Did someone figure out how to [ insert theory here ] ?
I'm looking at domains that were solidly pointing at ztomy at 2:30AM (that
are 'recovered' to
* wo...@pch.net (Bill Woodcock) [Thu 20 Jun 2013, 16:59 CEST]:
On Jun 20, 2013, at 5:37 AM, Benson Schliesser bens...@queuefull.net wrote:
Right. By sending peer I meant the network transmitting a
packet, unidirectional flow, or other aggregate of traffic into
another network. I'm not
On 6/20/13, jamie rishaw j...@arpa.com wrote:
It's not poisoning. They somehow were able to modify the NS records; one
would presume, at the registrar/s.
https://www.networksolutions.com/blog/2013/06/important-update-for-network-solutions-customers-experiencing-website-issues/
--
-JH
On 6/20/2013 1:46 PM, Jimmy Hess wrote:
On 6/20/13, jamie rishaw j...@arpa.com wrote:
It's not poisoning. They somehow were able to modify the NS records; one
would presume, at the registrar/s.
Wild speculation:
netsol says this is a human error incurred during DDOS mitigation.
ztomy.com is a wild-card DNS provider that seems to use prolexic.
Now imagine someone at netsol or its DDOS service providers
fat-fingered their DDOS-averting routing in such a way that netsol
DNS traffic arrived
Hello everyone, I'm new here.
+1 to this theory. I've been watching what's happening since 3am Eastern,
because a domain of mine (of the many at NetSol) was a victim of this event.
-Gabor
-Original Message-
From: Carsten Bormann [mailto:c...@tzi.org]
Sent: Thursday, June 20, 2013 5:11
On Thu, 20 Jun 2013 14:08:18 -0700, Jeff Shultz said:
small number of Network Solutions customers
They must be staffed with physicists, astronomers, or economists I
don't know anyone else that would consider nearly fifty thousand (from
a previous post by Phil Fagan) to be a small number.
On Thu, 20 Jun 2013 22:39:56 +0200, Niels Bakker said:
You're mistaken if you think that CDNs have equal number of packets
going in and out.
And even if the number of packets match, there's the whole 1500 bytes
of data, 64 bytes of ACK thing to factor in...
pgp0aUntNCndk.pgp
Description: PGP
On Jun 20, 2013, at 10:39 PM, Niels Bakker niels=na...@bakker.net wrote:
* wo...@pch.net (Bill Woodcock) [Thu 20 Jun 2013, 16:59 CEST]:
On Jun 20, 2013, at 5:37 AM, Benson Schliesser bens...@queuefull.net wrote:
Right. By sending peer I meant the network transmitting a packet,
On 20 June 2013 14:28, valdis.kletni...@vt.edu wrote:
On Thu, 20 Jun 2013 14:08:18 -0700, Jeff Shultz said:
small number of Network Solutions customers
They must be staffed with physicists, astronomers, or economists I
don't know anyone else that would consider nearly fifty thousand
So it's okay to screw over nearly fifty thousand customer domains because
there are 140M .com's?
luckily, none of the rest of us make mistakes
I don't think he was saying that at all. Just stating that from a pure numbers
standpoint 50k/140mil is a small percentage.
OTOH, I agree to your point - Network Solutions definitely downplayed this in
their release. Curiously so.
Sent from my iPhone
On Jun 20, 2013, at 5:42 PM, RijilV
On Thu, Jun 20, 2013 at 2:49 PM, Randy Bush ra...@psg.com wrote:
So it's okay to screw over nearly fifty thousand customer domains
because
there are 140M .com's?
luckily, none of the rest of us make mistakes
Ages ago I responded on a Cisco list where the topic was biggest screwup
you've
On Thu, 2013-06-20 at 14:42 -0700, RijilV wrote:
On 20 June 2013 14:28, valdis.kletni...@vt.edu wrote:
On Thu, 20 Jun 2013 14:08:18 -0700, Jeff Shultz said:
small number of Network Solutions customers
They must be staffed with physicists, astronomers, or economists I
don't
* o...@delong.com (Owen DeLong) [Thu 20 Jun 2013, 23:38 CEST]:
On Jun 20, 2013, at 10:39 PM, Niels Bakker niels=na...@bakker.net wrote:
* wo...@pch.net (Bill Woodcock) [Thu 20 Jun 2013, 16:59 CEST]:
On Jun 20, 2013, at 5:37 AM, Benson Schliesser
bens...@queuefull.net wrote:
Right. By sending
netsol screwed up. they screwed up bigtime. they are shoveling kitty
litter over it as fast as they can, and they have a professional kitty
litter, aka pr, department.
but none of this is surprising.
and dnssec did not save us. is there anything which could have?
randy
At the DNS Servers or service provider level, one can (and I often do) have
redundant providers.
At the registrar level? ...
Not with our current infrastructure, as far as I know how.
The Internet: Discovering new SPOF since 1969!
George William Herbert
Sent from my iPhone
On Jun 20,
at what point is the Internet a piece of infrastructure whereby we
actually need a way to watch this thing holistically as it is one system
and not just a bunch of inter-jointed systems? Who's job is it to do
nothing but ensure that the state of DNS and other services is running as
it
Perhaps last-mile operators should
A) advertise each of their metropolitan regional systems as a separate AS
B) establish an interconnection point in each region where they will accept
traffic destined for their in-region customers without charging any fee
This leaves the operational model of
No.
The ztomy nameservers appeared in this morning's master .COM zonefile as
/authoritative/ for the number of domains I mentioned.
It is a clear change from just a couple of days ago, when the listed
nameservers were nowhere to be seen.
I have solid data to back this up, straight from Verisign
On Jun 20, 2013, at 5:47 PM, Robert M. Enger na...@enger.us wrote:
Perhaps last-mile operators should
A) advertise each of their metropolitan regional systems as a separate AS
B) establish an interconnection point in each region where they will accept
traffic destined for their in-region
I, for one, would not be in favor of an authoritarian rule over DNS, or
any other Internet system, to ensure that the state of [the] service[s]
is running as it should. I suppose one could view such an authoritarian
rule over (sub) systems to be a good thing, as in there is someone to
complain to
On Jun 20, 2013 5:31 PM, Randy Bush ra...@psg.com wrote:
and dnssec did not save us. is there anything which could have?
Hmmm. DNSSEC wouldn't have prevented an outage. But from everything I've
seen reported, had the zones been signed, validating recursive resolvers
(comcast, google, much of
On 6/20/13, Randy Bush ra...@psg.com wrote:
netsol screwed up. they screwed up bigtime. they are shoveling kitty
litter over it as fast as they can, and they have a professional kitty
litter, aka pr, department.
but none of this is surprising.
and dnssec did not save us. is there anything
On Thu, Jun 20, 2013 at 8:41 PM, Timothy Morizot tmori...@gmail.com wrote:
On Jun 20, 2013 5:31 PM, Randy Bush ra...@psg.com wrote:
and dnssec did not save us. is there anything which could have?
Hmmm. DNSSEC wouldn't have prevented an outage. But from everything I've
seen reported, had
On Jun 20, 2013 7:30 PM, Rubens Kuhl rube...@gmail.com wrote:
In this case of registrar compromise, DS record could have been changed
alongside NS records, so DNSSEC would only have been a early warning,
because uncoordinated DS change disrupts service. As soon as previous
timeouts played out,
Are there any tools out there that we could give to our end users to help
diagnose network problems? We get a lot of the Internet is slow support
calls and it would be helpful if we had something that would run on the end
user's computer and help characterize the problem. We have central
It's only cutting off your nose to spite your face if you look at the
internet BU in a vacuum. The issue comes when they can get far more money
from their existing product line, than what they get being a dumb bandwidth
pipe to their customers.
They don't want reasonable or even unreasonable
Maybe someone could enlighten my ignorance on this issue.
Why is there a variable charge for bandwidth anyways?
In a very simplistic setup, if I have a router that costs $X and I run a $5
CAT6 cable to someone elses router which cost them $Y, plus a bit of
maintenance time to set up the
On Jun 20, 2013, at 9:10 PM, Aaron C. de Bruyn aa...@heyaaron.com wrote:
Why is there a variable charge for bandwidth anyways?
In a very simplistic setup, if I have a router that costs $X and I run a $5
CAT6 cable to someone elses router which cost them $Y, plus a bit of
maintenance time
On 6/20/2013 10:26 PM, Jared Mauch wrote:
Many things aren't as obvious as you state above. Take for example routing
table growth. There's going to be a big boom in selling routers (or turning
off full routes) when folks devices melt at 512k routes in the coming years.
Indeed. We're
At 07:28 21/06/2013 +0900, Randy Bush wrote:
netsol screwed up. they screwed up bigtime. they are shoveling kitty
litter over it as fast as they can, and they have a professional kitty
litter, aka pr, department.
They are too busy adding new revenue:
At 17:12 20/06/2013 -0500, Richard Golodner wrote:
I think you are reading it the wrong way. Mr.Kletnieks never said it
was okay. He just stated that the numbers were trivial when compared to
the rest of potential customers being affected.
Be cool, Richard Golodner
sarcasm
and
On Fri, Jun 21, 2013 at 12:26:01AM +0200, Niels Bakker wrote:
[snip]
Also, if you don't have data, best to keep your opinion to yourself,
because you might well be wrong.
The deuce you say! Replacing uninformed conjecture and conspiracy
theories with actual data? Next thing you know there
at what point is the Internet a piece of infrastructure whereby we
actually need a way to watch this thing holistically as it is one system and
not just a bunch of inter-jointed systems? Who's job is it to do nothing but
ensure that the state of DNS and other services is running as it
On Thu, 20 Jun 2013, Jeff Kell wrote:
On 6/20/2013 10:26 PM, Jared Mauch wrote:
Many things aren't as obvious as you state above. Take for example routing
table growth. There's going to be a big boom in selling routers (or turning
off full routes) when folks devices melt at 512k routes in
I think ICANN would have to add a delay in where a request was sent out to
make sure everyone was on the same page and then what happens the couple
thousand (more) times a day that someone isn't updated or is
misconfigured?
I think Netsol should be fined. Maybe even a class action suite filed
On Thu, 20 Jun 2013 20:25:24 -0700, Hal Murray said:
How would you check/verify that the communication path from the monitoring
agency to the right people in your NOC was working correctly?
Remember to consider the possible impact of a false-positive report over
an unauthenticated channel.
On 20/06/13 17:45, Jeffrey Ollie wrote:
Are there any tools out there that we could give to our end users to help
diagnose network problems? We get a lot of the Internet is slow support
calls and it would be helpful if we had something that would run on the end
user's computer and help
I personally like ICSI Netalyzr for identifying gross issues.
http://netalyzr.icsi.berkeley.edu/
+42
77 matches
Mail list logo