Tag Archives: DNS

GoDaddy’s outage on September 10

godaddy.com website


GoDaddy was off-line for about six hours on Monday. Many thousands of small business websites disappeared during the outage. Today I received this mea culpa from GoDaddy’s CEO:

We owe you a big apology for the intermittent service outages we experienced on September 10 that may have impacted your website, your email and other Go Daddy services.

We let you down and we know it. We take our responsibilities — and the trust you place in us — very seriously. I cannot express how sorry I am to those of you who were inconvenienced.

The service outage was due to a series of internal network events that corrupted router data tables. Once the issues were identified, we took corrective actions to restore services for our customers and GoDaddy.com. We have implemented a series of immediate measures to fix the problem.

At no time was any sensitive customer information, including credit card data, passwords or names and addresses, compromised.

Throughout our history, we have provided 99.999% uptime in our DNS infrastructure. This is the level of performance we expect from ourselves. Monday, we fell short of these expectations. We have learned from this event and will use it to drive improvement in our services.

It’s an honor to serve you. As always, please call us 24/7 at 480-505-8877 — anytime, for any reason.

Sincerely,
Scott Wagner
CEO
GoDaddy.com

Apparently three of GoDaddy’s DNS servers went off-line because of misconfiguration of one or more routing tables. I have no other information regarding the cause of the outage. The misconfiguration could be a result of pilot error or equipment failure.

Why six hours?

Maybe equipment failed. When routers and layer 2 switches fail, they can emit bad packets or frames: sometimes grossly malformed, sometimes differing from a good packet or frame by only one inverted bit. Managed routers and switches of the kind found in data centers can suffer “soft” failures that their management software never reports. In a large subnetted environment, if just one management console is mis-reporting router or switch status, I can imagine fault location and repair taking hours.

I’ve had many routers and switches fail. Most of them displayed no outward indication that they had failed. The managed ones advised the management system of the failure about 90% of the time. The rest of the time, I’ve needed to use “divide and conquer” techniques to isolate the failed network component.

Outage’s effect

I have some domains registered with GoDaddy, but neither I nor my clients use GoDaddy for website hosting, so I was unaffected by the outage.

Visit my website: http://russbellew.com
© Russ Bellew · Fort Lauderdale, Florida, USA · phone 954 873-4695

DOJ indicts 7 very clever Internet crooks.

illustration by Russ Bellew

This scam rewarded hard work with huge income, while it lasted.

I’m not smart enough to have dreamed up this scam: hi-jack millions of users’ clicks and redirect them to ads that pay the crooks for each click. Allegedly, over 14 million dollars of income has been collected since 2007. Six of the seven indicted people reside in Estonia, where they have been arrested by the Estonian police. The US Department of Justice (DOJ) is seeking their extradition for trial in US federal court on charges of wire fraud and computer intrusion. The seventh suspect has not yet been located.

Part of the scheme employed a piece of malware named DNSChanger. These guys spent serious time building this scam: they had to first set up two bogus DNS (Domain Name System) servers in the U.S., create and propagate the malware, set up affiliate relationships with advertisers, create bogus websites, arrange payment with advertisers, and so on. Basing the bogus DNS servers in the U.S. would guarantee fast DNS lookups for hijacked American victims, so the redirection would not announce itself as sluggish browsing.

I see plenty of DNSChanger infections


Want more info?
DNSChanger Malware details from the FBI (a well-done 6-page 360KB PDF file)

Last year I wrote about one instance (of many that I see) of DNS hijacking (Malware hi-jack of DNS address). A computer whose DNS server setting points to a malicious resolver is “owned” by whoever installed the redirection: every name the computer looks up is answered by the bad guy, who decides which address comes back. My first thought was that the bad guy could harvest on-line banking login credentials. These Estonians built a much more elaborate scheme, which was probably harder to detect than the scam that I’d imagined.

Articles with details of this scam

Joab Jackson, in a Computerworld article titled DOJ charges seven in massive clickjacking scheme fleshes out this story and CNET’s Seven accused in $14 million click-hijacking scam article by Elinor Mills adds still more detail. According to her story, the FBI spent 2 years investigating this case after NASA discovered DNSChanger on over 100 of its computers. This led to the discovery that the infection had spread to millions of computers in over 100 countries.


Malware hi-jack of DNS address

A DNS hi-jack is a clever way for a bad guy to control an infected computer.

Expanded description of DNS
Domain Name System (DNS) block diagram
Illustration: Lion Kimbro

I just finished disinfecting a Windows XP computer that had been a member of a bot-net for months. As I removed layers of malware, I discovered that the computer was making DNS requests to a pair of DNS servers that are located in Ukraine(!), rather than to the DNS servers within the owner’s ISP (Internet Service Provider). Such a setup allowed the Ukrainian administrator of the DNS servers to control what domains the infected computer may and may not visit. This infected computer could visit most websites but . . . it couldn’t download Windows updates, McAfee Antivirus updates, or visit any other anti-virus or anti-malware publishers’ sites.

I’m not sure exactly how this DNS hi-jack took place, but it probably started by the user unknowingly executing a virus “dropper” program. Somehow, one of the viruses on this computer had fooled McAfee Antivirus into thinking that everything was fine, when in fact it was months out of date and was infected from head to toe.

A DNS server is like a phone book: look up a person’s name, and find their phone number. With DNS, you look up an Internet domain (such as “russbellew.com”) and receive the domain’s IP address (such as 207.46.222.11).

This Windows PC’s DNS configuration has been hijacked.

On most home computers, the addresses of the DNS servers are supplied automatically by the ISP (Internet Service Provider) through DHCP, usually relayed by the home router. On this infected PC, malware had replaced those addresses with the addresses of two DNS servers located in Ukraine: 93.188.163.67 and 93.188.166.6. Here’s the whois data:

inetnum: 93.188.163.0 – 93.188.164.255

netname: PROMNET-NET
descr: Promnet Ltd.
country: UA
admin-c: OV527-RIPE
tech-c: OV527-RIPE
status: ASSIGNED PA
mnt-by: PROMNET-MNT
person: Ondrej Voloshin
address: Ekaterininskaya str., 41, 65000, Odessa, Ukraine
e-mail:
phone: +380504414402
nic-hdl: OV527-RIPE
mnt-by: PROMNET-MNT


The DNS addresses had been changed by a piece of malware that rewrote the NameServer value under each of these registry keys:

  • HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters (value NameServer)
  • HKLM\SYSTEM\ControlSet002\Services\Tcpip\Parameters (value NameServer)
  • HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters (value NameServer)

CurrentControlSet is a link to whichever numbered control set Windows booted from, so the same value shows up there as well. When cleaning up, also check the per-adapter copies under Parameters\Interfaces\{adapter GUID}: Windows honors a static NameServer set there too, and malware that swaps resolvers commonly writes those. The DhcpNameServer value beside each one records what the ISP actually handed out, which makes the substitution easy to spot.
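As an added example, not code from this post, here is a Python audit of exactly these settings; it serves the DNSChanger post above as well as this one. It reads a registry export of the Tcpip\Parameters key in the format `reg export` writes (so it can run offline against a file pulled from an infected machine, or against the constructed sample embedded below), collects the NameServer and DhcpNameServer values from the top-level key and each per-adapter Interfaces\{GUID} subkey, and flags any resolver inside the six address ranges the FBI later published for the DNSChanger rogue servers. Those ranges come from the FBI’s DNSChanger notice rather than from this post; both Ukrainian addresses above fall inside one of them, 93.188.160.0/21. The sample export and its adapter GUIDs are made up for the example.

```python
import ipaddress
import re

# The six address ranges the FBI published for DNSChanger's rogue resolvers.
# These come from the FBI's DNSChanger notice, not from this post.
DNSCHANGER_RANGES = [
    ipaddress.ip_network(cidr)
    for cidr in (
        "85.255.112.0/20",   # 85.255.112.0  - 85.255.127.255
        "67.210.0.0/20",     # 67.210.0.0    - 67.210.15.255
        "93.188.160.0/21",   # 93.188.160.0  - 93.188.167.255
        "77.67.83.0/24",     # 77.67.83.0    - 77.67.83.255
        "213.109.64.0/20",   # 213.109.64.0  - 213.109.79.255
        "64.28.176.0/20",    # 64.28.176.0   - 64.28.191.255
    )
]

# Constructed sample in the format 'reg export' writes.  The first two keys
# carry the two Ukrainian resolvers from this post as a static NameServer;
# the third adapter is left on DHCP.  The adapter GUIDs are made up.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"NameServer"="93.188.163.67,93.188.166.6"
"DhcpNameServer"="192.168.1.1"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1B2C3D4E-0000-4000-8000-000000000001}]
"NameServer"="93.188.163.67 93.188.166.6"
"DhcpNameServer"="192.168.1.1"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1B2C3D4E-0000-4000-8000-000000000002}]
"NameServer"=""
"DhcpNameServer"="192.168.1.1"
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>[^"]*)"$')


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for the string values in a .reg export."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group("name")] = m.group("data")
    return keys


def split_nameservers(data):
    """Windows accepts comma- or space-separated address lists in NameServer."""
    return [tok for tok in re.split(r"[,\s]+", data) if tok]


def rogue_range_for(addr):
    """The DNSChanger range containing addr (as CIDR text), or None."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:   # garbage in the value is worth a look, but is not a match
        return None
    for net in DNSCHANGER_RANGES:
        if ip in net:
            return str(net)
    return None


def audit_resolvers(reg_text):
    """Return (key, value, reason) findings for every Tcpip Parameters key in the export."""
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        if r"\services\tcpip\parameters" not in key.lower():
            continue
        static = split_nameservers(values.get("NameServer", ""))
        dhcp = split_nameservers(values.get("DhcpNameServer", ""))
        for addr in static:
            net = rogue_range_for(addr)
            if net:
                findings.append((key, addr, f"inside DNSChanger range {net}"))
        # A static NameServer silently wins over what DHCP handed out; that
        # override is exactly the change the malware made on this PC.
        if static and dhcp and set(static) != set(dhcp):
            findings.append((key, ",".join(static),
                             "static NameServer overrides DHCP-supplied resolvers"))
    return findings


if __name__ == "__main__":
    for key, value, reason in audit_resolvers(SAMPLE_REG_EXPORT):
        print(f"{reason}: {value}\n    {key}")
```

On a live machine, `reg export HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters tcpip.reg` produces the input; `reg export` writes the file as UTF-16, so read it with that encoding before handing the text to `audit_resolvers`. A resolver outside the rogue ranges but different from the DHCP-supplied one still deserves a look: the ranges catch this particular gang, the override check catches the technique.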

The implications of a DNS hi-jack are profound. The hi-jacker can answer a lookup for http://www.bankofamerica.com with the address of his own server and put up a look-alike login page there, capturing account numbers and passwords. Another ploy is to run a relay on that server: it forwards each request to the genuine http://www.bankofamerica.com and hands the genuine response back, so the pages look right while every credential that passes through is logged. (Simply embedding the real site in an iframe wouldn’t do; traffic that goes straight to the genuine site never passes through the hi-jacker’s hands, so a relay is what makes capture possible.) HTTPS is the obstacle: a relayed or forged site can’t present a certificate the browser trusts for the bank’s name, so the victim sees a certificate warning unless the hi-jacker manages to keep him on plain http. And, of course, the hi-jacker can prevent the targeted user from visiting any sites he wishes to exclude, which is exactly what kept this PC away from Windows Update and the anti-virus publishers.

If you missed it, read “See how easy it is to launch your own infection,” or just watch Symantec’s video that shows how easily a botnet master may control his or her botnet-infected computers . . . across the globe.


First non-Latin domain names approved by ICANN

Photo by Marco Bellucci
Egypt goes live with Arabic domain names.

Last fall, the Internet Corporation for Assigned Names and Numbers (ICANN) authorized top-level domain names that use non-Latin characters, and the first Arabic-character domain names went live this week. Read about it in ICANN’s blog, where a good video clip explains the importance of IDNs (Internationalized Domain Names) to billions of people.

This won’t affect most of us who are already Internet users, but it will open the Internet to masses of people who read and write only in Arabic, Farsi, and other languages with non-Latin characters. Now they’ll be able to use keyboards with local characters to access the Internet.

My guess is that some of these domains will point to existing Latin character domains.

Yes, Arabic domain names read from right to left. If you want to view them on a US English Windows computer, you’ll need to install an Arabic font and Windows’ complex-script support. (These files are available on your Windows CD-ROM or DVD.)
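As an added illustration, not part of the post, here is the mechanism that lets existing DNS servers carry an Arabic name: each non-ASCII label is converted to an ASCII “A-label” beginning with xn-- (Punycode applied under the IDNA rules), and the resolver only ever sees that ASCII form. The code uses Python’s built-in idna codec, which implements the older IDNA 2003 rules. The name below is Egypt’s Arabic ccTLD, مصر, whose wire form xn--wgbh1c is a matter of public record; the Latin label in front of it is made up for the example.

```python
import unicodedata

# Egypt's Arabic ccTLD (a real TLD); the "example" label in front of it is made up.
EGYPT_TLD = "مصر"
SAMPLE_NAME = "example." + EGYPT_TLD


def to_alabel(label):
    """ASCII form (A-label, xn--...) of one label via the idna codec; ASCII passes through."""
    return label.encode("idna").decode("ascii")


def to_ulabel(alabel):
    """Unicode form of one label; labels without the xn-- prefix come back unchanged."""
    return alabel.encode("ascii").decode("idna")


def wire_form(name):
    """What the resolver actually transmits: every label converted, ASCII labels untouched."""
    return ".".join(to_alabel(label) for label in name.split("."))


def display_form(name):
    """The reverse: the form a browser shows the user."""
    return ".".join(to_ulabel(label) for label in name.split("."))


def is_right_to_left(label):
    """True when the label's first strong character is right-to-left (Arabic or Hebrew letter).
    This is how a bidi-aware renderer decides the direction of the run; DNS itself has no notion of it."""
    for ch in label:
        cls = unicodedata.bidirectional(ch)
        if cls in ("R", "AL"):
            return True
        if cls == "L":
            return False
    return False


if __name__ == "__main__":
    wire = wire_form(SAMPLE_NAME)
    print(f"display: {SAMPLE_NAME}")
    print(f"wire:    {wire}")
    print(f"round trip ok: {display_form(wire) == SAMPLE_NAME}")
    print(f"TLD renders right-to-left: {is_right_to_left(EGYPT_TLD)}")
```

Because the wire form is plain ASCII, nothing in the resolver path has to change, which is why the remark above that this won’t affect existing Internet users holds. The idna codec applies nameprep before Punycode (lowercasing and Unicode normalization), so a round trip is not always byte-identical to what was typed, and a label that mixes Arabic and Latin letters is rejected by that step rather than encoded.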
