


Linkedin DNS Hijack - Update

Published: 2013-06-20
Last Updated: 2013-06-22 02:00:37 UTC
by Johannes Ullrich (Version: 2)
8 comment(s)


It looks like this issue stemmed from a DDoS mitigation [1] gone awry, or from human error, depending on which source you refer to [2].


LinkedIn had its DNS "hijacked". No details are available yet; often this kind of incident is the result of an attacker compromising the account used to manage the domain's DNS records (for example, the registrar account). But since no details have been released, this could also be a simple misconfiguration.

The issue has been resolved, but if LinkedIn is "down" for you, or resolves to a different site, you should flush your DNS cache so the stale records are discarded.

It does not appear that LinkedIn uses DNSSEC (which may not have helped anyway if the registrar account was compromised, since whoever controls that account can change the delegation as well). Your best bet to make sure you connect to the correct site is SSL: check the certificate the site presents. But of course, "owning" the domain may allow the attacker to obtain a new, valid certificate for it rather quickly.

As indicated in a comment below (and in some Twitter messages), other sites are affected as well. Please add a comment if you find any. The fact that multiple sites' NS records are affected implies that this may not be a simple compromised registrar account.

Current, apparently accurate, DNS replies for LinkedIn:


dig +short A

dig +short NS
All the NS records point to the same IP address right now:
According to, the bad IP address is
For partial passive DNS cache results, see
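The check above (query the NS records, then resolve each name server and see whether they all land on one unexpected address) is easy to script against the output of dig. The following is an added example, not code from this diary or from LinkedIn: it parses dig +short style output and flags the two indicators the diary describes, every name server resolving to the same address and addresses outside the ranges the operator expects. The domain example.test, the name server hostnames, the addresses and the expected range are all constructed sample data, since the real records were elided from the page.

```python
"""Flag a suspicious NS delegation from dig +short style output.

Added example, not code from the ISC diary. All records below are
constructed sample data for the hypothetical domain example.test.
"""
import ipaddress

# Constructed sample of `dig +short NS example.test` output (hypothetical names).
NS_OUTPUT = """ns1.example.test.
ns2.example.test.
ns3.example.test.
"""

# Constructed sample of `dig +short A <nameserver>` for each name server.
# In a healthy delegation the name servers sit on distinct addresses; here
# every one of them resolves to the same address, the pattern the diary notes.
A_OUTPUTS = {
    "ns1.example.test.": "203.0.113.10\n",
    "ns2.example.test.": "203.0.113.10\n",
    "ns3.example.test.": "203.0.113.10\n",
}

# Address ranges the operator expects its own name servers to live in
# (hypothetical; in practice take these from your registrar/hosting records).
EXPECTED_NETS = [ipaddress.ip_network("198.51.100.0/24")]


def parse_short(output):
    """Return the non-empty lines of `dig +short` output as a list of strings."""
    return [line.strip() for line in output.splitlines() if line.strip()]


def ns_to_addresses(ns_output, a_outputs):
    """Map each NS hostname to the set of IP addresses it resolves to."""
    mapping = {}
    for ns in parse_short(ns_output):
        addrs = parse_short(a_outputs.get(ns, ""))
        mapping[ns] = {ipaddress.ip_address(a) for a in addrs}
    return mapping


def find_problems(mapping, expected_nets):
    """Return a list of human-readable findings; an empty list means no indicator fired."""
    findings = []
    all_addrs = set().union(*mapping.values()) if mapping else set()
    # Indicator 1: several name servers, but they all resolve to one address.
    if len(mapping) > 1 and len(all_addrs) == 1:
        only = next(iter(all_addrs))
        findings.append(f"all {len(mapping)} name servers resolve to {only}")
    # Indicator 2: a name server with no address, or an address outside the expected ranges.
    for ns, addrs in sorted(mapping.items()):
        if not addrs:
            findings.append(f"{ns} has no A record")
        for a in sorted(addrs):
            if not any(a in net for net in expected_nets):
                findings.append(f"{ns} -> {a} is outside the expected ranges")
    return findings


def check_delegation(ns_output, a_outputs, expected_nets):
    """Convenience wrapper: parse the dig output and return the findings."""
    return find_problems(ns_to_addresses(ns_output, a_outputs), expected_nets)


if __name__ == "__main__":
    for finding in check_delegation(NS_OUTPUT, A_OUTPUTS, EXPECTED_NETS):
        print("WARNING:", finding)
```

To run this against a live domain, feed it the real output of `dig +short NS <domain>` and `dig +short A <nameserver>`; querying the parent zone's name servers directly (rather than your resolver) avoids being misled by a poisoned or stale cache.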
Johannes B. Ullrich, Ph.D.

SANS Technology Institute

Keywords: dns linkedin