DNS attack or Easter DOS attack as they call it
Today I nearly fainted (of course I meant to say farted as I am not a sissy young girl, at least not anymore) but anyway seeing a crappy landing page instead of my beloved lzzr.com was a bit of something.
Here is how our Host described it:
Major DNS DOS attack
April 8th, 2007 at 1:29 am PST
Severity: High Resolved: Yes
We are currently experiencing intermittent DNS outages on all of our nameservers; this is causing problems with sites and email functioning properly.
We think it might be the DNS load balancers we’ve recently installed but haven’t determined that for sure yet. More information will be posted as we have it.
Our apologies for the inconvenience this causes.
UPDATE (2007-04-08 03:20 PDT): It appears we are the victims of an Easter DOS attack against our nameservers; we have an admin at the datacenter and our network expert on hand to deal with it. Hopefully things will be back to normal shortly.
UPDATE (2007-04-08 04:54 PDT): We seem to have isolated and resolved the DoS attack for the moment. All of our DNS servers have been resolving domains correctly and without pause for the past 20 minutes now so it appears that this nasty episode is behind us. We’ll be mopping up and fixing servers that might’ve crashed or otherwise gone wonky in the interim. Again, our sincerest apologies for all the downtime.
Fortunately it happened to be a rather banal DNS injection attack, or in the words of our host an Easter DOS attack, although I can’t see any Easter in it and neither is there any DOS, but outages they certainly were.
It seems we are dealing with a DNS hijack (also known as DNS spoofing) here, and at a bigger scale too. Already yesterday I noticed the same kind of thing visiting agloco.com - a lame clone of Spedia from the 90s (don’t ask me what I was doing there). Instead of their homepage I was redirected to searchportal.information.com - another lame PPC traffic monetisation system. That is the same place the current DNS attack redirects to, and some other sites had been affected too. It seems we are dealing with a widespread phenomenon and multiple DNS servers had been poisoned. For those unfamiliar with the concept I may suggest reading this article - it’s just one of many sources describing how a DNS attack and DNS poisoning actually work.
As the affected DNS servers belong to large hosting companies, it leads me to believe that the data poisoning took place at a rather high level and affected a huge number of websites. I can’t help admiring the skill of the attacker and the scale of the event itself; just imagine the amount of traffic the attacker managed to gather, as we definitely know that all websites hosted with our host had been affected, i.e. all of their daily traffic landed on the attacker’s PPC landing page! At the same time I feel I need to share some important info I managed to gather in the course of the attack (I don’t think I am grassing anyone up - it is merely self-defence).
- Not all DNS zones had been affected, as I could see the site properly via the TOR proxy network
- Only .com sites were affected - my .co.uk sites just didn’t resolve at all
- The attacker redirected to an information.com landing page using id 19911 - it does not necessarily mean that the culprit is the owner of the 19911 account, as it is also possible that the attack was meant to compromise account 19911 (I allow this possibility since it would be stupid to think that revenue raised this way will ever be honoured by advertisers)
In any case I believe more details will come up soon, but so far id 19911 at information.com is the only identifiable trace, and information.com is also the only place to complain about it. The sad thing is that there is nothing a webmaster can do about this kind of attack, as it happens at the DNS level, which isn’t under our control.
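One thing a site owner can do while the DNS level is out of their hands is notice the problem early. The observations above (the site resolved correctly through Tor but not through the host’s own resolvers, and only some zones were affected) amount to a cross-resolver comparison, and that comparison is easy to automate. The following is an added example, not code from the original post or from the hosting company: it takes the A-record answers several recursive resolvers gave for one name, compares each answer with the address range the zone is supposed to publish, and flags any resolver whose answer disagrees with the expected range or with the majority of the other resolvers. The resolver names, the expected network and the answers are constructed sample data; a live version would query each resolver with a DNS library, which this offline example does not do.

```python
"""Cross-resolver sanity check for a domain's A records (added example).

The resolver answers and the expected network below are constructed
sample data, chosen to mirror the situation in the post: one resolver
hands out an address outside the hosting company's range.
"""
from collections import Counter
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set

# Hypothetical: the address block the hosting company publishes for customer sites.
EXPECTED_NETS = [ip_network("192.0.2.0/24")]

# Constructed sample: what three different recursive resolvers answered
# for the same A query (e.g. "www.example.com").
SAMPLE_ANSWERS: Dict[str, List[str]] = {
    "resolver-isp":  ["192.0.2.10"],      # inside the expected block
    "resolver-host": ["198.51.100.77"],   # poisoned: points somewhere else entirely
    "resolver-tor":  ["192.0.2.10"],      # inside the expected block (what Tor showed)
}


def classify(answers: Dict[str, List[str]], expected_nets) -> Dict[str, str]:
    """Label each resolver 'ok', 'mismatch' or 'empty' against the expected ranges."""
    result = {}
    for resolver, addrs in answers.items():
        if not addrs:
            result[resolver] = "empty"          # name did not resolve at all
            continue
        inside = all(any(ip_address(a) in net for net in expected_nets) for a in addrs)
        result[resolver] = "ok" if inside else "mismatch"
    return result


def consensus_outliers(answers: Dict[str, List[str]]) -> Set[str]:
    """Return the resolvers whose answer set differs from the most common answer set."""
    votes = Counter(tuple(sorted(a)) for a in answers.values() if a)
    if not votes:
        return set()
    majority = votes.most_common(1)[0][0]
    return {r for r, a in answers.items() if tuple(sorted(a)) != majority}


def report(answers: Dict[str, List[str]], expected_nets) -> List[str]:
    """Produce one human-readable line per resolver, combining both checks."""
    labels = classify(answers, expected_nets)
    outliers = consensus_outliers(answers)
    lines = []
    for resolver, addrs in answers.items():
        flag = labels[resolver]
        if resolver in outliers:
            flag += ", disagrees with majority"
        lines.append(f"{resolver}: {addrs or '(no answer)'} -> {flag}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_ANSWERS, EXPECTED_NETS):
        print(line)
```

Running the script on the sample data prints one line per resolver and marks `resolver-host` as both outside the expected range and disagreeing with the other two; an `empty` label is what the `.co.uk` observation above would have produced. Feeding it real answers from resolvers in different networks (the host’s, an ISP’s, a public one) is the only part a live check would add.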
IMPORTANT!!!! - ATTENTION!!! - RED ALERT!!!
Although at first glance not much damage had been done, apart from a section of traffic being diverted to a lousy information.com landing page and making some money for id 19911, in fact it is not so harmless. The attacker seems to gather your cookies as well. What it actually means is that when passing traffic through your domain it requests the cookies stored by your browser for this domain, and now the attacker must have a pretty good library of usernames and passwords for services set up at the affected domains. Although passwords are usually MD5 hashed, if you use some dictionary passwords like daddy or pussy for example you are doomed, as with the MD5 hash in hand, guessing such passwords with a brute force or dictionary attack would be a piece o’cake. It means your SECURITY HAS BEEN SERIOUSLY COMPROMISED and your user names and passwords are in danger.
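The cookie point above follows from how browsers scope cookies: they are keyed to the hostname, not to the address it resolves to, so whoever answers at the spoofed address receives them with the first plain http request. The attributes on the cookie decide how much leaks. A cookie carrying the `Secure` attribute is only sent over https, which an impostor that merely controls the resolution, and holds no valid certificate for the name, cannot serve. The following is an added example, not code from the original post, showing a small audit of `Set-Cookie` headers that flags session-style cookies which would be handed to a spoofed host; it goes slightly beyond the post by also flagging `HttpOnly` and an overly broad `Domain`. The headers and the cookie-name prefixes treated as sensitive are constructed sample data and an assumption, respectively.

```python
"""Audit Set-Cookie headers for attributes that limit what a spoofed host receives.

Added example. The headers below are constructed sample data; the list of
name prefixes treated as "sensitive" is an assumption for the demo.
"""
from http.cookies import SimpleCookie
from typing import Dict, List, Tuple

# Constructed sample: three Set-Cookie headers as a site might emit them.
SAMPLE_HEADERS = [
    "sessid=abc123; Path=/; Domain=.example.com",       # session cookie, no Secure/HttpOnly
    "remember=tok456; Path=/; Secure; HttpOnly",         # properly attributed
    "theme=dark; Path=/",                                # harmless preference cookie
]

# Assumption: cookie names starting with these carry credentials or sessions.
SENSITIVE_PREFIXES: Tuple[str, ...] = ("sess", "remember", "auth", "token")


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Parse one Set-Cookie header into the fields the audit cares about."""
    jar = SimpleCookie()
    jar.load(header)
    name = next(iter(jar))          # a Set-Cookie header carries exactly one cookie
    morsel = jar[name]
    return {
        "name": name,
        "secure": bool(morsel["secure"]),      # "" when absent, True when the flag is present
        "httponly": bool(morsel["httponly"]),
        "domain": morsel["domain"],            # "" when absent (host-only cookie)
    }


def audit(headers: List[str], sensitive_prefixes: Tuple[str, ...] = SENSITIVE_PREFIXES) -> List[str]:
    """Return one finding per weakness that would expose a cookie to a spoofed host."""
    findings = []
    for header in headers:
        info = parse_set_cookie(header)
        name = str(info["name"])
        sensitive = name.lower().startswith(sensitive_prefixes)
        if sensitive and not info["secure"]:
            # Without Secure the browser sends it over plain http to whatever
            # address the (possibly poisoned) resolver returned.
            findings.append(f"{name}: missing Secure; sent over plain http to any host the name resolves to")
        if sensitive and not info["httponly"]:
            findings.append(f"{name}: missing HttpOnly; readable by script on the page")
        if str(info["domain"]).startswith("."):
            # A leading-dot Domain makes the cookie go to every subdomain as well.
            findings.append(f"{name}: Domain={info['domain']} covers every subdomain")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_HEADERS):
        print(finding)
```

On the sample headers the audit reports three findings for `sessid` and none for `remember` or `theme`. Setting `Secure` does not make the poisoned resolver go away, but it does mean the session cookie stays out of the attacker’s logs, which is the difference between an outage and the password-reset exercise described above.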
What to do:
If you’ve seen information.com landing page instead of your own site or any other site where you have an account - URGENTLY CHANGE YOUR PASSWORD and better your username as well (better safe than sorry). You should also recommend your users who visited your website during the attack and landed at the information.com website to do the same as well!
You should also be aware that some email correspondence to/from your affected domains might have ended up in the wrong hands! Although there is nothing you can do post factum about it, it’s better to double-check whether any sensitive information might have been delivered to the culprit.
PS and some refused to believe that SEDD is reality
tags: dns, dos, easter, sedd, alert, attack, danger, hack, hijack, password, poisoning, red alert, security, spoofing
IMPORTANT
I haven’t thought it through properly yesterday - you will also have to CHANGE YOUR E-Mail PASSWORD if you were accessing your email during the attack, as well as YOUR FTP PASSWORD if you used FTP throughout this period.
It is more than likely that security of these services is compromised too.
Comment by LZZR — April 9, 2007 @ 2:15 am
[…] on searchportal.information.com DNS Attack Update to my first post about DNS ATTACK Just now observed that DNS poisoning continues this time affected DNS servers belong to 1AND1.COM […]
Pingback by LZZR » Update on searchportal.information.com DNS Attack — April 10, 2007 @ 10:24 am
Please, just shut the fuck up.
Comment by Antichrist — April 12, 2007 @ 4:51 am
Antichrist
It seems you don’t like something - could you be a bit more specific about it?
BTW I like your Nick - it’s so original
Comment by LZZR — April 12, 2007 @ 12:25 pm
[…] searchportal.information.com Subject Writing my first post on this issue I couldn’t expect the reaction it will produce, even less I expected the kind […]
Pingback by LZZR » Closing searchportal.information.com Subject — April 23, 2007 @ 1:39 am