Day 8 - Global Incident Awareness

Published: 2008-10-08
Last Updated: 2008-10-14 15:08:31 UTC
by Johannes Ullrich (Version: 1)

Today, we will discuss "Global Incident Awareness". I will split this topic into two parts: First, if you are part of an organization with offices in multiple countries, what resources do you use to understand how to deal with incidents in various areas of the world, and are there any particular tricks you use to communicate and stay in touch? Second, what tools / websites do you use to stay in touch with the world around you? This includes incidents outside of cyberspace that may affect your network operations (earthquakes, political unrest ...).

As before, please use our contact page to submit your suggestions. I will update this page a couple of times today as submissions are received.


Reader Liam wrote in with the following recommendations for a global organisation:

One of the first tasks that we had performed was to conduct a global skills assessment for each country in the areas of computer forensics, malware analysis, incident response, etc. This information was used to define a core group of subject matter expert contacts from each region that participate in regular mock incident exercises and training scenarios focusing on sharing best practice ideas, allowing us to move away from teams working in silos, where there is no effective process of data capture and sharing of best practice, or the opportunity to learn from mistakes in a blame-free environment.

For global communications we are using an incident paging service for instant global communication relating to incident notification. Early on in the mock incident exercises, we discovered that using a crisis line proved difficult for many of the team members in regions that do not have the ability to dial international numbers from their home or mobile. It was also noted that the level of participation on the calls was somewhat limited due to possible language barriers and cultural differences. We were able to successfully address these issues by using web conferencing from WebEx, which was already used by the company for conducting regular web meetings.

Using web conferencing quickly removed the difficulties with conducting the phone calls and provided a few other benefits, such as:

  • The website, which is accessible from any internet connection, provides a chat option that makes it easier to communicate with each other, preventing background noise, dropped calls, poor connections and possible language barriers.
  • The limited participation on the phone calls was greatly reduced when using the chat option, as participants were more open to contributing.
  • The ability to share/view the desktop of the impacted regions made it much easier to understand what the details of the incident were.
  • The chat option provided a simple archive/transcript of events and ideas that can be used for follow up and during the lessons learned phase.
  • Sessions can be set up in a matter of minutes and allow you to view who has joined the conference, preventing the confusion that can occur with a telephone crisis call when trying to conduct a periodic roll call to see if certain individuals have joined.

Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Keywords: Awareness2008

Domaincontrol (GoDaddy) Nameservers DNS Poisoning

Published: 2008-10-08
Last Updated: 2008-10-08 18:01:29 UTC
by Johannes Ullrich (Version: 2)

Update: The DNS servers in question no longer send the fake authority records. Thanks GoDaddy for fixing this so fast.


Some name servers hosted by GoDaddy deliver somewhat odd results, similar to what you would expect to see as a result of a DNS hijacking attack. Any query to and returns the same IP address ( and additional information making these two name servers authoritative for .com or .org respectively.

I added an example "dig" output below.

Please note that a DNS resolver should ignore the additional information, as it is "out of bailiwick". But we have a report that this actually caused a DNS server to be poisoned (still trying to figure out why). At this point, the poisoning doesn't look malicious. The IP address will lead you to the default GoDaddy "Parked Domain" page. It is possible that GoDaddy made itself "authoritative" for .com / .org to more easily redirect users to these parked pages. is registered to "Wild West Domains, Inc.". The servers are hosted in GoDaddy IP space.

Example dig output:


; <<>> DiG 9.4.2-P1 <<>>
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17600
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;            IN    A

;; ANSWER SECTION:        3600    IN    A

com.            3600    IN    NS
com.            3600    IN    NS

;; Query time: 50 msec
;; WHEN: Wed Oct  8 11:26:49 2008
;; MSG SIZE  rcvd: 99
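To make the "out of bailiwick" rule concrete, here is a small resolver-side filter that reproduces the check a cache is expected to make on a response like the one above. This is an added example written for this diary; it is not code from the ISC, from GoDaddy, or from any resolver implementation. A name server reached through a delegation for a zone is only trusted for names at or below that zone, so NS records for "com." returned by a server that was only delegated example.com are rejected rather than cached. The names (example.com, ns1.example.net) and address (192.0.2.10) are constructed placeholders standing in for the ones elided from the dig output.

```python
"""Resolver-side bailiwick filter for DNS authority/additional records.

Added example, not code from the ISC diary or from any DNS software. It models
the check a caching resolver makes: a server reached via a delegation for
`zone` is trusted only for names at or below `zone`. All names and addresses
used below are constructed placeholders.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class RR:
    owner: str    # owner name as it appears in the packet, e.g. "example.com."
    rtype: str    # record type, e.g. "A" or "NS"
    rdata: str    # record data
    section: str  # "answer", "authority" or "additional"


def _labels(name: str) -> List[str]:
    """Split a domain name into lower-case labels, ignoring the trailing dot."""
    return [label.lower() for label in name.rstrip(".").split(".") if label]


def in_bailiwick(owner: str, zone: str) -> bool:
    """True if `owner` is `zone` itself or a name below it.

    The comparison is label-wise, so "notexample.com." is NOT inside
    "example.com." even though one string ends with the other.
    """
    o, z = _labels(owner), _labels(zone)
    if not z:          # the root zone covers every name
        return True
    return len(o) >= len(z) and o[-len(z):] == z


def filter_response(zone: str, records: List[RR]) -> Tuple[List[RR], List[RR]]:
    """Split a response from a server delegated for `zone` into cacheable and rejected records.

    Every section is checked, including the answer: a server delegated for
    example.com has no business supplying data for names outside that zone.
    """
    kept, dropped = [], []
    for rr in records:
        (kept if in_bailiwick(rr.owner, zone) else dropped).append(rr)
    return kept, dropped


# Constructed response modelled on the diary's dig output (placeholder names/IPs):
# one A record for the queried name, plus two NS records claiming authority for "com.".
DELEGATED_ZONE = "example.com."
RESPONSE = [
    RR("example.com.", "A", "192.0.2.10", "answer"),
    RR("com.", "NS", "ns1.example.net.", "authority"),
    RR("com.", "NS", "ns2.example.net.", "authority"),
]

if __name__ == "__main__":
    kept, dropped = filter_response(DELEGATED_ZONE, RESPONSE)
    for rr in kept:
        print("cache  ", rr.owner, rr.rtype, rr.rdata)
    for rr in dropped:
        print("reject ", rr.owner, rr.rtype, rr.rdata,
              "(out of bailiwick for " + DELEGATED_ZONE + ")")
```

Run as a script, the A record for the queried name is kept and both "com." NS records are rejected. A real resolver applies the same idea per delegation, ranking data by the trustworthiness of its source as described in RFC 2181 section 5.4.1; a cache that skipped this step would accept the parked-domain server as authoritative for all of .com, which is the poisoning outcome the report above describes.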

Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Keywords: dns godaddy hijacking