[dns-operations] A Deep Dive on the Recent Widespread DNS Hijacking Attacks

Lee ler762 at gmail.com
Sat Feb 23 20:00:36 UTC 2019


On 2/23/19, Bill Woodcock <woody at pch.net> wrote:
>
>
>> On Feb 23, 2019, at 9:01 AM, Stephane Bortzmeyer <bortzmeyer at nic.fr>
>> wrote:
>>
>> Very good article, very detailed, with a lot of technical precisions,
>> about the recent domain name hijackings (not using the DNS, just good
>> old hijackings at registrar or hoster).
>>
>> https://krebsonsecurity.com/2019/02/a-deep-dive-on-the-recent-widespread-dns-hijacking-attacks/
>
> Indeed, Brian’s article is quite good.
>
> If anyone has any questions about things it didn’t cover, or wants more
> details, I can probably answer.  We’re happy to talk about what happened,
> since the vast majority of the targets aren’t in a position to be able to do
> so.

Have you made any changes in response to this bit
Woodcock said PCH’s reliance on DNSSEC almost completely blocked that
attack, but that it managed to snare email credentials for two
employees who were traveling at the time. Those employees’ mobile
devices were downloading company email via hotel wireless networks
that — as a prerequisite for using the wireless service — forced their
devices to use the hotel’s DNS servers, not PCH’s DNSSEC-enabled
systems.
“The two people who did get popped, both were traveling and were on
their iPhones, and they had to traverse through captive portals during
the hijack period,” Woodcock said. “They had to switch off our name
servers to use the captive portal, and during that time the mail
clients on their phones checked for new email. Aside from that, DNSSEC
saved us from being really, thoroughly owned.”

that you can talk about on an open list?

Thanks,
Lee
