Cisco Blogs


Cisco Blog > Security

Network Solutions Customer Site Compromises and DDoS

Network Solutions is a domain name registrar that manages over 6.6 million domains. As of July 16, 2013, the Network Solutions website is under a Distributed Denial of Service (DDoS) attack. Recently, Network Solutions has been a target for attackers; in a previous outage, domain name servers were redirected away from their proper IP addresses. This was reported to be a result of a server misconfiguration while Network Solutions was attempting to mitigate a DDoS attack. It is possible that the DDoS attacks are related.

According to isitdownrightnow.com, the Network Solutions site has been having issues for at least the last 24 hours.

response_time

Response time in ms (GMT -8:00)

Read More »

Tags: , , , , , ,

‘Hijacking’ of DNS Records from Network Solutions

UPDATE: This blog post is related to the redirection of domain name servers that occurred back in June 2013.  This post is NOT related to the ongoing activity occuring July 16, 2013.  Cisco TRAC is currently analyzing the ongoing issues with Network Solutions’ hosted domain names and has more information available here.

Multiple organizations with domain names registered under Network Solutions suffered problems with their domain names today, as their DNS nameservers were replaced with nameservers at ztomy.com. The nameservers at ztomy.com were configured to reply to DNS requests for the affected domains with IP addresses in the range 204.11.56.0/24. Cisco observed a large number of requests directed at these confluence-network IP addresses. Nearly 5000 domains may have been affected based on passive DNS data for those IPs.

Traffic hits to 204.11.56.0/24

Traffic hits to 204.11.56.0/24

Read More »

Tags: ,

Foundational Network Traffic Collection and Analysis Setup

This introductory post explains how one of Cisco’s security research groups established a network data collection capability for large amounts of network traffic. This capability was necessary to support research into selected aspects of the Domain Name Service (DNS), but it can be adapted for other purposes.

DNS exploitation is frequently the means by which malicious actors seek to disrupt the normal operation of networks. This can include DNS Cache Poisoning, DNS Amplification Attacks and many others. A quick search at cisco.com/security yields a lot of content published, indicating both the criticality and exposures associated with DNS.

Our research required the ability to collect DNS data and extract DNS attributes for various analytical purposes. For this post, I’ll focus on collection capabilities regarding DNS data. Read More »

Tags: , , , ,

March Madness May Equal to Malware Madness

basketball1Are you excited about March Madness? Turn on a TV and it will be hard to avoid the games, the news, the commentaries, and the jokes about it. If you eavesdrop in any restaurant, bar, or office conversation, I can assure you that you will hear something about it. Even U.S. President Barack Obama filled out a March Madness bracket. Productivity in many offices drops significantly as employees search and watch videos to see how their bracket picks are progressing. At Cisco, we have an open policy and employees can watch and search the scores of their favorite teams. Watch this video posted by CNN where Kip Compton, Cisco’s Video Collaboration Group CTO, talks about March Madness.

During the last couple of years, the industry saw a spike in web malware during the March Madness season. SQL injection attacks, iframe injections, JavaScript, and Java malware were some of the most prevalent. A few months ago, I provided details about some of today’s cyber-criminal tools— exploit kits—and some of the weapons of choice like Blackhole, RedKit, Styx, CrimeBoss, and Cool.

A few things to keep in mind:

  • Legitimate business sites may have vulnerabilities that allow a hostile site to deliver malware.
  • In most drive-by downloads, the victim is willing to dismissively click pop-ups and warnings as they navigate to the desired content. In this case, users may just click on pop-ups or ads to watch videos about their favorite team.
  • Most drive-by downloads can be prevented by keeping software up to date. Read More »

Tags: , , , , , , , ,

Chronology of a DDoS: SpamHaus

Around 12:00 GMT March 16, 2013, a distributed denial of service (DDoS) attack took offline both the spamhaus.org website and a portion of its e-mail services. SpamHaus was able to restore connectivity by March 18; however, SpamHaus is still weathering a massive, ongoing DDoS attack. The DDoS attacks have also had less severe but measurable consequences for the Composite Block List (CBL) as well as Project Honey Pot.

The attackers appear to have hijacked at least one of SpamHaus’ IP addresses via a maliciously announced BGP route and subsequently used a Domain Name System (DNS) server at the IP to return a positive result for every SpamHaus Domain Name System-based Block List (DNSBL) query. This caused all SpamHaus customers querying the rogue nameserver to erroneously drop good connections.

According to the New York Times, Sven Olaf Kamphuis is acting as a “spokesman for the attackers.” Kamphuis is allegedly associated with hosting provider “the CyberBunker,” which is housed in an old, five-story NATO bunker located in the Netherlands. CyberBunker has a reputation for “bulletproof hosting,” not only because of the physically fortified infrastructure, but also for their permissive terms of use, stating “Customers are allowed to host any content they like, except child porn and anything related to terrorism. Everything else is fine.” Kamphuis is also allegedly affiliated with the StopHaus group, which publicly claimed responsibility for the BGP hijack attack via Twitter.  Read More »

Tags: , , , , , , ,