Cisco Blogs

Syrian Electronic Army Cracks ShareThis.com GoDaddy Account

ShareThis provides a mechanism for web surfers to share content online through a customizable widget. According to the information on their website, ShareThis interacts with “more than 94% of U.S. Internet users across more than 2 million publisher sites and 120+ social media channels.” On the evening of August 21, 2013, ShareThis reported that their website was experiencing “technical difficulties.” They posted a follow-up tweet the morning of August 22 declaring that the service was functioning properly. What ShareThis did not disclose, however, was that their GoDaddy domain account had been compromised by the Syrian Electronic Army.

ShareThis goes down Aug 21

ShareThis regains control Aug 22

DNS Compromise Distributing Malware

DNS records are an attractive target for distributors of malware. By compromising the DNS servers for legitimate domains, attackers can redirect visitors of trusted domains to malicious servers under attacker control. DNS requests are served from dedicated servers that may service many thousands of domains. Compromising one of these servers lets attackers take over domains as a wholesale attack, serving malware from any domain that uses that DNS service.

Error Correction Using Response Policy Zones: Eliminating the Problem of Bitsquatting

A memory error is a condition that occurs any time one or more bits being read from memory have changed state from what was previously written. By even the most conservative of estimates, Internet devices experience more than 600,000 memory errors per day. Cosmic radiation, operating a device outside its recommended environmental conditions, and defects in manufacturing can all cause a “1” in memory to become a “0” or vice versa. Most of these bit errors are harmless, but occasionally the bit error occurs inside a domain name or URL, and this can affect where Internet traffic is directed. The term “bitsquatting”, which refers to the practice of registering a domain name one binary digit different from another, was coined after the similar term “cybersquatting”, the practice of registering an unofficial domain which could be confused for a legitimate one.

For example, the fully qualified domain name “www.cisco.com” could, by changing only a single binary digit, become the bitsquat domain name “wwwncisco.com”. In this example, the dot separating the second- and third-level domain names has experienced a bit error and changed to become the letter “n” (in ASCII, “.” is 0x2E and “n” is 0x6E; they differ only in bit 6).

Binary representation of a dot versus the character “n”
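To make the single-bit-error idea concrete, here is an added example (not code from the original post or from Cisco) that enumerates every hostname one bit away from a given domain, keeps only the ones that are syntactically valid hostnames (the rest can never be registered or resolved), and emits Response Policy Zone records that rewrite each bitsquat back to the intended name. The RPZ zone name `rpz.example` and the choice to correct to the legitimate domain rather than return NXDOMAIN are assumptions made for the example.

```python
import string

# Characters permitted in a hostname label. Lowercase only: DNS is
# case-insensitive, so a flip of bit 5 (upper/lower case) is not a new domain.
VALID_CHARS = set(string.ascii_lowercase + string.digits + "-")


def single_bit_flips(ch: str):
    """Yield the eight characters exactly one bit away from an ASCII character."""
    code = ord(ch)
    if code > 0x7F:
        return
    for bit in range(8):
        yield chr(code ^ (1 << bit))


def is_valid_hostname(name: str) -> bool:
    """RFC 1123 label syntax: at least two labels, no empty labels,
    max 63 chars per label, no leading or trailing hyphen, allowed characters only."""
    labels = name.split(".")
    if len(labels) < 2:
        return False
    for label in labels:
        if not label or len(label) > 63:
            return False
        if label[0] == "-" or label[-1] == "-":
            return False
        if any(c not in VALID_CHARS for c in label):
            return False
    return True


def bitsquat_candidates(domain: str) -> list[str]:
    """Return every valid hostname reachable from `domain` by one bit error, sorted.
    Flipping a dot into a letter merges two labels (e.g. www.cisco.com -> wwwncisco.com),
    so the candidate is rebuilt from the full string rather than label by label."""
    domain = domain.lower()
    found = set()
    for i, ch in enumerate(domain):
        for flipped in single_bit_flips(ch):
            candidate = domain[:i] + flipped + domain[i + 1:]
            if candidate != domain and is_valid_hostname(candidate):
                found.add(candidate)
    return sorted(found)


def rpz_records(domain: str, zone: str = "rpz.example") -> list[str]:
    """Emit RPZ 'local data' records (assumed policy) that answer a query for a
    bitsquat with a CNAME to the legitimate domain, correcting the bit error
    at the resolver instead of sending the client to whoever registered the bitsquat."""
    return [f"{c}.{zone} CNAME {domain.lower()}." for c in bitsquat_candidates(domain)]


if __name__ == "__main__":
    for rr in rpz_records("www.cisco.com"):
        print(rr)
```

Run it with a domain you operate to see how many resolvable one-bit neighbours it has; those are the names worth registering defensively or, as the post describes, correcting with an RPZ entry. Non-ASCII and control characters are dropped because they cannot appear in a hostname, and case flips are dropped because they do not change the name.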


Network Solutions Customer Site Compromises and DDoS

July 17, 2013 at 10:03 am PST

Network Solutions is a domain name registrar that manages over 6.6 million domains. As of July 16, 2013, the Network Solutions website is under a Distributed Denial of Service (DDoS) attack. Recently, Network Solutions has been a target for attackers; in a previous outage, domain name servers were redirected away from their proper IP addresses. This was reported to be a result of a server misconfiguration while Network Solutions was attempting to mitigate a DDoS attack. It is possible that the DDoS attacks are related.

According to isitdownrightnow.com, the Network Solutions site has been having issues for at least the last 24 hours.

Response time in ms (GMT -8:00)

‘Hijacking’ of DNS Records from Network Solutions

UPDATE: This blog post is related to the redirection of domain name servers that occurred back in June 2013. This post is NOT related to the ongoing activity occurring July 16, 2013. Cisco TRAC is currently analyzing the ongoing issues with Network Solutions’ hosted domain names and has more information available here.

Multiple organizations with domain names registered under Network Solutions suffered problems with their domain names today, as their DNS nameservers were replaced with nameservers at ztomy.com. The nameservers at ztomy.com were configured to reply to DNS requests for the affected domains with IP addresses in the range 204.11.56.0/24. Cisco observed a large number of requests directed at these confluence-network IP addresses. Nearly 5000 domains may have been affected based on passive DNS data for those IPs.

Traffic hits to 204.11.56.0/24