
SANS ISC InfoSec Handlers Diary Blog



Linkedin DNS Hijack - Update

Published: 2013-06-20
Last Updated: 2013-06-22 02:00:37 UTC
by Johannes Ullrich (Version: 2)
8 comment(s)

Update

It looks like this issue stemmed from a DDoS mitigation gone awry [1] or from human error [2], depending on which source you refer to.

Original

LinkedIn had its DNS "hijacked". There are no details right now, but often this is the result of an attacker compromising the account used to manage the domain's DNS servers. So far, however, no details are available, so this could also be a simple misconfiguration.

The issue has been resolved, but if LinkedIn is "down" for you, or if it points to a different site, you should flush your DNS cache. Note that the bad answer can also linger in your ISP's or company's recursive resolver until its TTL expires, so flushing your own cache will not always be enough.

It does not appear that LinkedIn uses DNSSEC (which may not have helped anyway if the registrar account was compromised, since the attacker could then change the DS records along with the NS records). Your best bet to make sure you connect to the correct site is SSL: whoever is answering on the wrong IP address does not have LinkedIn's private key, so the certificate check should fail. But of course, "owning" the domain may allow the attacker to obtain a new certificate rather quickly, since domain-validated issuance relies on the very DNS that was hijacked.

As indicated in a comment below (and in some Twitter messages), other sites are affected as well. Please add a comment if you find any. The fact that multiple sites' NS records are affected implies that this may not be a simple compromised registrar account, but rather a problem further upstream, for example at the registrar or DNS provider itself.

Current, apparently accurate, DNS replies for LinkedIn:

dig +short A linkedin.com
216.52.242.86

dig +short NS linkedin.com
ns4.p43.dynect.net.
ns4.linkedin.com.
ns3.p43.dynect.net.
ns1.p43.dynect.net.
ns2.p43.dynect.net.
ns1.linkedin.com.
ns3.linkedin.com.
ns5.linkedin.com.
ns6.linkedin.com.
ns2.linkedin.com.

All the NS records point to the same IP address right now: 156.154.69.23.

According to http://blog.escanav.com/2013/06/20/dns-hijack/, the bad IP address is 204.11.56.17.

For partial passive DNS cache results, see http://www.bfk.de/bfk_dnslogger.html?query=204.11.56.17#result
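If you watch a handful of domains, the checks above (has the NS set changed, does the name resolve somewhere new, does anything in the chain land on the reported bad IP) are easy to script. The following is an added example written for this diary, not ISC tooling and not anything LinkedIn or Network Solutions published: it parses "dig +short" style output, compares it with a known-good baseline and returns findings. The good answers and the bad IP 204.11.56.17 are the ones shown above; the "hijacked" sample answers and the ns*.hijacked.invalid names are constructed for the example.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Known-good answers for linkedin.com, taken from the dig output in this diary.
GOOD_NS = {
    "ns1.linkedin.com.", "ns2.linkedin.com.", "ns3.linkedin.com.",
    "ns4.linkedin.com.", "ns5.linkedin.com.", "ns6.linkedin.com.",
    "ns1.p43.dynect.net.", "ns2.p43.dynect.net.",
    "ns3.p43.dynect.net.", "ns4.p43.dynect.net.",
}
GOOD_A = {"216.52.242.86"}
# The IP the hijacked name resolved to, as reported above.
KNOWN_BAD_IPS = {"204.11.56.17"}

BASELINE = {"linkedin.com": {"ns": GOOD_NS, "a": GOOD_A}}


def parse_dig_short(text: str) -> list[str]:
    """Turn `dig +short <type> <name>` output into a list of answers.

    Blank lines and dig's ';;' diagnostics (printed on timeouts and SERVFAIL)
    are dropped, so a failed lookup yields an empty list rather than garbage.
    """
    answers = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(";"):
            answers.append(line)
    return answers


@dataclass
class Observation:
    """What a resolver currently says about one domain."""
    domain: str
    ns: set[str]   # answers to `dig +short NS <domain>`
    a: set[str]    # answers to `dig +short A <domain>`
    ns_addrs: dict[str, set[str]] = field(default_factory=dict)  # NS name -> its A records


def check_domain(obs: Observation, baseline=BASELINE, bad_ips=KNOWN_BAD_IPS) -> list[str]:
    """Compare an observation with the baseline; an empty list means 'looks fine'."""
    findings: list[str] = []
    expected = baseline.get(obs.domain)
    if expected is None:
        return [f"{obs.domain}: no baseline recorded, cannot judge"]
    # 1. Delegation changed: a hijack at the registrar swaps the NS set.
    if obs.ns != expected["ns"]:
        added = sorted(obs.ns - expected["ns"])
        missing = sorted(expected["ns"] - obs.ns)
        findings.append(f"{obs.domain}: NS set changed (added={added}, missing={missing})")
    # 2. The site itself resolves somewhere new.
    unexpected_a = sorted(obs.a - expected["a"])
    if unexpected_a:
        findings.append(f"{obs.domain}: A records not in baseline: {unexpected_a}")
    # 3. Anything in the chain (site or name servers) lands on a known-bad IP.
    seen = set(obs.a)
    for addrs in obs.ns_addrs.values():
        seen |= addrs
    hits = sorted(seen & set(bad_ips))
    if hits:
        findings.append(f"{obs.domain}: resolves to known-bad IP(s) {hits}")
    return findings


# Constructed sample input. The "good" text mirrors the diary's own dig output;
# the "hijacked" text is made up for this example (the .invalid TLD is reserved
# and never resolves, so these names cannot be mistaken for real servers).
GOOD_A_TEXT = "216.52.242.86\n"
GOOD_NS_TEXT = "\n".join(sorted(GOOD_NS)) + "\n"
HIJACKED_A_TEXT = "204.11.56.17\n"
HIJACKED_NS_TEXT = "ns1.hijacked.invalid.\nns2.hijacked.invalid.\n"


def observed_good() -> Observation:
    ns = set(parse_dig_short(GOOD_NS_TEXT))
    # The diary notes that every NS name resolved to 156.154.69.23 at the time.
    return Observation("linkedin.com", ns, set(parse_dig_short(GOOD_A_TEXT)),
                       {name: {"156.154.69.23"} for name in ns})


def observed_hijacked() -> Observation:
    ns = set(parse_dig_short(HIJACKED_NS_TEXT))
    # Constructed: name servers and the site all pointing at the reported bad IP.
    return Observation("linkedin.com", ns, set(parse_dig_short(HIJACKED_A_TEXT)),
                       {name: {"204.11.56.17"} for name in ns})


if __name__ == "__main__":
    for obs in (observed_good(), observed_hijacked()):
        print(obs.domain, check_domain(obs) or ["OK"])
```

In practice you would feed parse_dig_short() the real output of dig run against a couple of different resolvers (your own, your ISP's, a public one) and compare them with each other as well as with the baseline: a hijack that has already been fixed at the registrar will still show up on resolvers that cached the bad answer.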
[1] https://www.networksolutions.com/blog/2013/06/important-update-for-network-solutions-customers-experiencing-website-issues/
[2] http://www.confluence-networks.com/
------
Johannes B. Ullrich, Ph.D.

SANS Technology Institute
Twitter

Keywords: dns linkedin