[dns-operations] AT&T DNS Cache Poisoning?
Phil Pennock
dnsop+phil at spodhuis.org
Sat Oct 27 04:14:01 UTC 2012
On 2012-10-27 at 03:36 +0000, Tim Huffman wrote:
> We are the primary DNS servers for the ben.edu domain. We seem to be
> having an issue with an AT&T server that is responding with incorrect
> A records for www.ben.edu and ben.edu.

Definitely looks like a cache-poisoning attack.

Further, compare and contrast:

  curl -vH "Host: www.ben.edu" http://208.91.197.132/

  ua="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648)"
  curl -vH "Host: www.ben.edu" -H "User-Agent: $ua" http://208.91.197.132/

There's some JavaScript fetching images via fwdservice.com ... looks
like it might be Google click-fraud?

-Phil