[dns-operations] AT&T DNS Cache Poisoning?

Tim Huffman tim at bobbroadband.com
Sat Oct 27 04:23:20 UTC 2012


Any ideas what I can do to help my customer? This is the first time we've ever had something like this...

Tim Huffman
Director of Engineering
Business Only Broadband
777 Oakmont Lane, Suite 2000, Westmont, IL 60559
Direct: 630.590.6012 | Main: 630.590.6000 | Fax: 630.986.2496 
thuffman at bobbroadband.com  |  http://www.bobbroadband.com/
Cell:  630.340.1925 | Toll-Free Customer Support:  877.262.4553


-----Original Message-----
From: Phil Pennock [mailto:dnsop+phil at spodhuis.org] 
Sent: Friday, October 26, 2012 11:14 PM
To: Tim Huffman
Cc: dns-operations at lists.dns-oarc.net
Subject: Re: [dns-operations] AT&T DNS Cache Poisoning?

On 2012-10-27 at 03:36 +0000, Tim Huffman wrote:
> We are the primary DNS servers for the ben.edu domain. We seem to be 
> having an issue with an AT&T server that is responding with incorrect 
> A records for www.ben.edu and ben.edu.

Definitely looks like a cache-poisoning attack.

Further, compare and contrast:
  curl -vH "Host: www.ben.edu" http://208.91.197.132/

  ua="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648)"
  curl -vH "Host: www.ben.edu" -H "User-Agent: $ua" http://208.91.197.132/

There's some JavaScript fetching images via fwdservice.com ... looks like it might be Google click-fraud?

-Phil
