Diaries by Keyword - SANS Internet Storm Center

Participate: Learn more about our honeypot network
https://isc.sans.edu/tools/honeypot/

Handler on Duty: Johannes Ullrich

Threat Level: green

Date	Author	Title
DNSCHANGER ISP CLEANUP DNS EXTENSION GHOSTCLICK
2012-02-23	donald smith	DNS-Changer "clean DNS" extension requested
DNSCHANGER
2012-02-23/a>	donald smith	DNS-Changer "clean DNS" extension requested
2012-02-20/a>	Rick Wanner	DNSChanger resolver shutdown deadline is March 8th
2011-11-09/a>	Russ McRee	Operation Ghost Click: FBI bags crime ring responsible for $14 million in losses
2011-08-05/a>	donald smith	New Mac Trojan: BASH/QHost.WB
ISP
2020-07-23/a>	Xavier Mertens	Simple Blocklisting with MISP & pfSense
2019-03-06/a>	Xavier Mertens	Keep an Eye on Disposable Email Addresses
2019-01-22/a>	Xavier Mertens	DNS Firewalling with MISP
2018-11-20/a>	Xavier Mertens	Querying DShield from Cortex
2018-01-10/a>	Russ McRee	GitHub InfoSec Threepeat: HELK, ptf, and VulnWhisperer
2017-03-15/a>	Xavier Mertens	Retro Hunting!
2017-01-26/a>	Xavier Mertens	IOC's: Risks of False Positive Alerts Flood Ahead
2016-07-12/a>	Xavier Mertens	Hunting for Malicious Files with MISP + OSSEC
2016-05-13/a>	Xavier Mertens	MISP - Malware Information Sharing Platform
2014-11-04/a>	Daniel Wesemann	Whois someone else?
2014-02-24/a>	Russ McRee	Explicit Trusted Proxy in HTTP/2.0 or...not so much
2012-02-23/a>	donald smith	DNS-Changer "clean DNS" extension requested
2011-07-09/a>	Tony Carothers	Copyright Alert System - What say you?
2009-12-19/a>	Deborah Hale	Frustrations of ISP Abuse Handling
2009-09-16/a>	Raul Siles	IETF Draft for Remediation of Bots in ISP Networks
CLEANUP
2012-02-23/a>	donald smith	DNS-Changer "clean DNS" extension requested
2011-03-21/a>	Kevin Shortt	Port 1434: Sudden Slammer Decline?
2010-11-03/a>	Kevin Liston	SQL Slammer Clean-up: Roundup and Review
2010-10-29/a>	Kevin Liston	SQL Slammer Clean-up: Contacting CERTs
2010-10-25/a>	Kevin Liston	SQL Slammer Clean-up: Switching Viewpoints
2010-10-19/a>	Kevin Liston	SQL Slammer Clean-up: Picking up the Phone
2010-10-11/a>	Kevin Liston	SQL Slammer Clean-up: Reporting Upstream
2010-10-04/a>	Kevin Liston	SQL Slammer Clean-up: How to Report
2010-10-01/a>	Kevin Liston	Cyber Security Awareness Month Activity: SQL Slammer Clean-up
DNS
2022-08-31/a>	Johannes Ullrich	Underscores and DNS: The Privacy Story
2022-08-10/a>	Johannes Ullrich	And Here They Come Again: DNS Reflection Attacks
2022-04-29/a>	Rob VandenBrink	Using Passive DNS sources for Reconnaissance and Enumeration
2021-12-17/a>	Rob VandenBrink	DR Automation - Using Public DNS APIs
2021-10-04/a>	Johannes Ullrich	Facebook Outage: Yes, its DNS (sort of). A super quick analysis of what is going on.
2021-09-11/a>	Guy Bruneau	Shipping to Elasticsearch Microsoft DNS Logs
2021-07-31/a>	Guy Bruneau	Unsolicited DNS Queries
2021-06-19/a>	Xavier Mertens	Easy Access to the NIST RDS Database
2021-05-30/a>	Didier Stevens	Video: Cobalt Strike & DNS - Part 1
2021-05-20/a>	Johannes Ullrich	New YouTube Video Series: Everything you ever wanted to know about DNS and more!
2021-01-25/a>	Rob VandenBrink	Fun with NMAP NSE Scripts and DOH (DNS over HTTPS)
2021-01-15/a>	Guy Bruneau	Obfuscated DNS Queries
2020-12-16/a>	Daniel Wesemann	DNS Logs in Public Clouds
2020-12-08/a>	Johannes Ullrich	December 2020 Microsoft Patch Tuesday: Exchange, Sharepoint, Dynamics and DNS Spoofing
2020-10-30/a>	Xavier Mertens	Quick Status of the CAA DNS Record Adoption
2020-08-04/a>	Johannes Ullrich	Internet Choke Points: Concentration of Authoritative Name Servers
2020-07-16/a>	John Bambenek	Hunting for SigRed Exploitation
2020-07-15/a>	Johannes Ullrich	PATCH NOW - SIGRed - CVE-2020-1350 - Microsoft DNS Server Vulnerability
2019-12-29/a>	Guy Bruneau	ELK Dashboard for Pihole Logs
2019-12-07/a>	Guy Bruneau	Integrating Pi-hole Logs in ELK with Logstash
2019-11-25/a>	Xavier Mertens	My Little DoH Setup
2019-10-25/a>	Rob VandenBrink	More on DNS Archeology (with PowerShell)
2019-10-21/a>	Jim Clausing	What's up with TCP 853 (DNS over TLS)?
2019-07-17/a>	Xavier Mertens	Analyzis of DNS TXT Records
2019-07-13/a>	Guy Bruneau	Guidance to Protect DNS Against Hijacking & Scanning for Version.BIND Still a Thing
2019-07-09/a>	John Bambenek	Solving the WHOIS and Privacy Problem: A Draft of Implementing WHOIS in DNS
2019-06-16/a>	Didier Stevens	Sysmon Version 10: DNS Logging
2019-03-27/a>	Xavier Mertens	Running your Own Passive DNS Service
2019-01-31/a>	Xavier Mertens	Tracking Unexpected DNS Changes
2019-01-22/a>	Xavier Mertens	DNS Firewalling with MISP
2018-09-22/a>	Didier Stevens	Suspicious DNS Requests ... Issued by a Firewall
2018-02-25/a>	Guy Bruneau	Blackhole Advertising Sites with Pi-hole
2017-12-13/a>	Xavier Mertens	Tracking Newly Registered Domains
2017-11-16/a>	Xavier Mertens	Suspicious Domains Tracking Dashboard
2017-10-20/a>	Rick Wanner	One year Anniversary of Dyn DDOS
2017-10-02/a>	Xavier Mertens	Investigating Security Incidents with Passive DNS
2017-06-14/a>	Xavier Mertens	Systemd Could Fallback to Google DNS?
2017-04-20/a>	Xavier Mertens	DNS Query Length... Because Size Does Matter
2016-10-23/a>	Johannes Ullrich	ISC Briefing: Large DDoS Attack Against Dyn
2016-07-26/a>	Johannes Ullrich	Command and Control Channels Using "AAAA" DNS Records
2016-06-12/a>	Guy Bruneau	DNS Sinkhole ISO Version 2.0
2016-04-28/a>	Rob VandenBrink	DNS and DHCP Recon using Powershell
2015-11-22/a>	Guy Bruneau	OpenDNS Research Used to Predict Threat
2015-11-08/a>	Rick Wanner	DNS Reconnaissance using nmap
2015-08-19/a>	Bojan Zdrnja	Outsourcing critical infrastructure (such as DNS)
2015-02-19/a>	Daniel Wesemann	DNS-based DDoS
2014-06-02/a>	Rick Wanner	Using nmap to scan for DDOS reflectors
2014-05-20/a>	Johannes Ullrich	Detecting Queries to "odd" DNS Servers
2014-04-30/a>	Johannes Ullrich	Be on the Lookout: Odd DNS Traffic, Possible C&C Traffic
2014-04-30/a>	Russ McRee	UltraDNS DDOS
2014-02-04/a>	Johannes Ullrich	Do you block "new" domain names?
2014-01-30/a>	Johannes Ullrich	New gTLDs appearing in the root zone
2013-12-21/a>	Guy Bruneau	Strange DNS Queries - Request for Packets
2013-11-19/a>	Jim Clausing	Updated dumpdns.pl
2013-11-04/a>	Manuel Humberto Santander Pelaez	When attackers use your DNS to check for the sites you are visiting
2013-10-21/a>	Johannes Ullrich	New tricks that may bring DNS spoofing back or: "Why you should enable DNSSEC even if it is a pain to do"
2013-10-17/a>	Adrien de Beaupre	Internet wide DNS scanning
2013-10-10/a>	Johannes Ullrich	google.com.my DNS hijack
2013-10-08/a>	Johannes Ullrich	CSAM: ANY queries used in reflective DoS attack
2013-10-02/a>	Johannes Ullrich	CSAM: Misc. DNS Logs
2013-09-26/a>	Johannes Ullrich	How do you monitor DNS?
2013-09-02/a>	Guy Bruneau	Snort IDS Sensor with Sguil New ISO Released
2013-08-14/a>	Johannes Ullrich	.GOV zones may not resolve due to DNSSEC problems.
2013-08-07/a>	Mark Hofman	DNS servers hijacked in the Netherlands
2013-07-17/a>	Johannes Ullrich	Network Solutions Outage
2013-07-12/a>	Johannes Ullrich	DNS resolution is failing for Microsofts Teredo server (teredo.ipv6.microsoft.com)
2013-07-10/a>	Johannes Ullrich	.NL Registrar Compromisse
2013-06-22/a>	Guy Bruneau	.biz DNSSEC DNSKEY is Invalid
2013-06-20/a>	Johannes Ullrich	Linkedin DNS Hijack
2013-06-05/a>	Richard Porter	BIND 9 Update fixing CVE-2013-3919
2012-12-14/a>	Johannes Ullrich	The "D-root" DNS server (terp.umd.edu) is changing its IP address in January http://seclists.org/nanog/2012/Dec/330
2012-12-06/a>	Daniel Wesemann	Comodo DNS hiccup on usertrust.com
2012-08-16/a>	Johannes Ullrich	A Poor Man's DNS Anomaly Detection Script
2012-07-24/a>	Richard Porter	Report of spike in DNS Queries gd21.net
2012-07-21/a>	Rick Wanner	TippingPoint DNS Version Request increase
2012-07-21/a>	Rick Wanner	OpenDNS is looking for a few good malware people!
2012-05-21/a>	Kevin Shortt	DNS ANY Request Cannon - Need More Packets
2012-05-16/a>	Johannes Ullrich	Got Packets? Odd duplicate DNS replies from 10.x IP Addresses
2012-03-30/a>	Daniel Wesemann	Tomorrow, the world will end
2012-02-23/a>	donald smith	DNS-Changer "clean DNS" extension requested
2012-02-20/a>	Rick Wanner	DNSChanger resolver shutdown deadline is March 8th
2012-02-09/a>	Richard Porter	DNS Ghost Domains, How I loath you so!
2012-01-21/a>	Guy Bruneau	DNS Sinkhole Scripts Fixes/Update
2012-01-18/a>	Johannes Ullrich	Use of Mixed Case DNS Queries
2012-01-13/a>	Guy Bruneau	Strange DNS Queries - Request Packets/Logs
2011-12-13/a>	Johannes Ullrich	Possible Widespread DNS Attack (info wanted)
2011-12-05/a>	Stephen Hall	ISC describe DNS crash bug analysis
2011-11-28/a>	Tom Liston	A Puzzlement...
2011-11-16/a>	Jason Lam	Potential 0-day on Bind 9
2011-11-11/a>	Rick Wanner	What's up with fbi.gov DNS?
2011-11-11/a>	Johannes Ullrich	Details About the fbi.gov DNSSEC Configuration Issue.
2011-11-09/a>	Russ McRee	Operation Ghost Click: FBI bags crime ring responsible for $14 million in losses
2011-10-15/a>	Guy Bruneau	DNS Sinkhole Parser Script Update
2011-10-10/a>	Tom Liston	What's In A Name?
2011-09-09/a>	Guy Bruneau	IPv6 and DNS Sinkhole
2011-09-04/a>	Lorna Hutcheson	Several Sites Defaced
2011-08-17/a>	Rob VandenBrink	When Good Patches go Bad - a DNS tale that didn't start out that way
2011-08-05/a>	Johannes Ullrich	Microsoft Patch Tuesday Advance Notification: 13 Bulletins coming http://www.microsoft.com/technet/security/Bulletin/MS11-aug.mspx
2011-08-05/a>	donald smith	New Mac Trojan: BASH/QHost.WB
2011-07-05/a>	Raul Siles	Two DoS remotely exploitable vulnerabilities affect BIND 9: http://www.isc.org/advisories/bind Updgrade to 9.8.0-P4.
2011-06-28/a>	Johannes Ullrich	DNSSEC Tips
2011-06-03/a>	Guy Bruneau	New Poll: How are you dealing with Malicious Domains?
2011-05-09/a>	Johannes Ullrich	Patch for BIND 9.8.0 DoS Vulnerability
2011-04-14/a>	Johannes Ullrich	dshield.org now DNSSEC signed via .org
2011-04-05/a>	Mark Hofman	DNS.be DDOS
2011-01-26/a>	Bojan Zdrnja	Google Chrome and (weird) DNS requests
2010-11-25/a>	Bojan Zdrnja	Secunia's DNS/domain hijacked?
2010-11-13/a>	Guy Bruneau	Register.com DNS Issues
2010-11-04/a>	Johannes Ullrich	DNSSEC Progress for .com and .net
2010-10-03/a>	Adrien de Beaupre	H went down.
2010-09-25/a>	Rick Wanner	Guest Diary: Andrew Hunt - Visualizing the Hosting Patterns of Modern Cybercriminals
2010-08-07/a>	Stephen Hall	DnsMadeEasy under a "quite large and unique" ddos.
2010-07-29/a>	Rob VandenBrink	NoScript 2.0 released
2010-06-19/a>	Guy Bruneau	DNS Sinkhole ISO Available for Download
2010-05-12/a>	Johannes Ullrich	.de TLD Outage
2010-05-04/a>	Rick Wanner	DNSSEC...not a bang but a whimper?
2010-02-26/a>	Rick Wanner	New version of dnsmap
2010-01-19/a>	Jim Clausing	49Gbps DDoS, IPv4 exhaustion, and DNSSEC, oh my!
2010-01-12/a>	Johannes Ullrich	Baidu defaced - Domain Registrar Tampering
2010-01-11/a>	Johannes Ullrich	the (large) domain registrar "eNom" appears to have problems with its DNS servers according to some user reports.
2010-01-10/a>	Guy Bruneau	Easy DNS BIND Sinkhole Setup
2009-12-15/a>	Johannes Ullrich	Important BIND name server updates - DNSSEC
2009-11-25/a>	Jim Clausing	Updates to my GREM Gold scripts and a new script
2009-11-24/a>	John Bambenek	BIND Security Advisory (DNSSEC only)
2009-11-02/a>	Daniel Wesemann	IDN ccTLDs
2009-10-29/a>	Kyle Haugsness	Cyber Security Awareness Month - Day 29 - dns port 53
2009-07-29/a>	Bojan Zdrnja	BIND 9 DoS attacks in the wild
2009-04-26/a>	Johannes Ullrich	Odd DNS Resolution for Google via OpenDNS
2009-03-21/a>	Stephen Hall	Updates to ISC BIND
2009-01-31/a>	Swa Frantzen	DNS DDoS - let's use a long term solution
2009-01-18/a>	Daniel Wesemann	DNS queries for "."
2009-01-08/a>	Kyle Haugsness	BIND OpenSSL follow-up
2009-01-07/a>	William Salusky	BIND 9.x security patch - resolves potentially new DNS poisoning vector
2008-12-04/a>	Bojan Zdrnja	Rogue DHCP servers
2008-11-25/a>	Andre Ludwig	OS X Dns Changers part three
2008-11-25/a>	Andre Ludwig	Tmobile G1 handsets having DNS problems?
2008-10-17/a>	Patrick Nolan	Day 17 - Containing a DNS Hijacking
2008-10-08/a>	Johannes Ullrich	Domaincontrol (GoDaddy) Nameservers DNS Poisoning
2008-08-14/a>	Johannes Ullrich	DNSSEC for DShield.org
2008-08-05/a>	Daniel Wesemann	Watching those DNS logs
2008-08-02/a>	Swa Frantzen	BIND: -P2 patches are released
2008-07-25/a>	Swa Frantzen	DNS bug - observations
2008-07-24/a>	Kyle Haugsness	DNS cache poisoning vulnerability details confirmed
2008-07-22/a>	Swa Frantzen	Dan Kaminsky's DNS bug: revealed? - Patch!
2008-07-09/a>	Marcus Sachs	DNS Vulnerability Found by a GSEC Student Three Years Ago!
2008-07-08/a>	Johannes Ullrich	Mulitple Vendors DNS Spoofing Vulnerability
2008-05-19/a>	Maarten Van Horenbeeck	Route filtering and its impact on the DNS fabric
2008-04-30/a>	Bojan Zdrnja	(Minor) evolution in Mac DNS changer malware
2008-03-23/a>	Johannes Ullrich	Finding hidden gems (easter eggs) in your logs (packet challenge!)
EXTENSION
2022-06-22/a>	Xavier Mertens	Malicious PowerShell Targeting Cryptocurrency Browser Extensions
2021-02-04/a>	Bojan Zdrnja	Abusing Google Chrome extension syncing for data exfiltration and C&C
2021-01-22/a>	Xavier Mertens	Another File Extension to Block in your MTA: .jnlp
2017-10-27/a>	Renato Marinho	"Catch-All" Google Chrome Malicious Extension Steals All Posted Data
2017-10-24/a>	Xavier Mertens	Stop relying on file extensions
2017-09-06/a>	Adrien de Beaupre	Modern Web Application Penetration Testing , Hash Length Extension Attacks
2017-08-29/a>	Renato Marinho	Second Google Chrome Extension Banker Malware in Two Weeks
2017-08-15/a>	Renato Marinho	(Banker(GoogleChromeExtension)).targeting("Brazil")
2012-02-23/a>	donald smith	DNS-Changer "clean DNS" extension requested
2011-08-14/a>	Guy Bruneau	FireCAT 2.0 Released
GHOSTCLICK
2012-02-23/a>	donald smith	DNS-Changer "clean DNS" extension requested

DNSCHANGER ISP CLEANUP DNS EXTENSION GHOSTCLICK

DNSCHANGER

ISP

CLEANUP

DNS

EXTENSION

GHOSTCLICK