Where In The World Is Twitter's DNS?
Twitter lost control of its DNS records on Dec. 17 for about an hour, but the effects lasted somewhat longer because of DNS caching. Neither Twitter nor its registrar, DynDNS, is saying much beyond confirming that the records were changed at around 10 p.m. PST, but there has been ample speculation that the perpetrators obtained administrative credentials for twitter.com.
December 18, 2009
According to Rod Rasmussen, president and CTO of Internet Identity, a start-up developing a DNS monitoring service, the attackers appeared to be using a fast-flux style technique, rapidly changing the 'A' records that map domain names to IP addresses. For www.twitter.com and twitter.com, Internet Identity observed the first change at 10:01 p.m. PST, to an address owned by Internap. Thirteen minutes later, at 10:13 p.m., the A record changed to an address hosted at Carolina Internet, and at 10:24 p.m. it moved again to an address hosted at Bluehost. All three companies offer colocation and hosting services. By 11:11 p.m. PST, Twitter's A records had been corrected. The attackers did not alter name server (NS) records or make other changes, but they did change the A records of a number of other hosts, among them help.twitter.com, dev.twitter.com, blog.twitter.com and apiwiki.twitter.com, to the first address, the one hosted at Internap. Further hostnames under twitter.com were changed as well.
Internet Identity, which also monitors DNS information in caching name servers, found that the takeover of twitter.com's DNS started affecting Internet users at around 9:57 p.m. PST and lasted until just after midnight, indicating that the records carried short time-to-live (TTL) values. Most likely the attackers did not set TTLs of their own but simply left Twitter's existing short TTLs in place. At least one of the hosts that twitter.com and www.twitter.com were pointed at, Bluehost.com, is a virtual hosting provider that places many customer sites on a single server. It is unlikely that investigators will be able to determine whether any of the sites on that server were compromised, whose credentials were stolen, or how the attackers hosted the defacement page.
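The two paragraphs above describe exactly what a DNS monitoring service has to do: watch the A records that resolvers return for a list of hostnames, raise an alert the moment an answer falls outside the address space the organisation actually serves from, record each transition, and use the TTL to estimate how long caches will keep handing out the bad answer after the authoritative records are fixed. The script below is an added example that is not code from the article or from Internet Identity. It works over a constructed log of observations shaped like the timeline in the article (first bad answer at 10:01 p.m., two further changes, records restored at 11:11 p.m.); the allowlist, the RFC 5737 documentation addresses standing in for the real ones, and the flat 3600-second TTL are all assumptions made for the example.

```python
"""Detect hijacked A records from a log of resolver observations.

Added example (not the article's or Internet Identity's code). The
observations, the allowlisted netblock and the TTLs are constructed;
192.0.2.0/24 and 198.51.100.0/24 are RFC 5737 documentation ranges.
"""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Hypothetical allowlist: the netblock this zone is legitimately served from.
EXPECTED_NETS = [ip_network("198.51.100.0/24")]


def _t(hour, minute):
    """Timestamp on the evening of 2009-12-17 (local time, constructed)."""
    return datetime(2009, 12, 17, hour, minute)


# Constructed observations: (hostname, A-record answer, TTL seconds, time seen).
OBSERVATIONS = [
    ("www.twitter.com",  "198.51.100.5", 3600, _t(21, 30)),  # normal baseline
    ("twitter.com",      "198.51.100.5", 3600, _t(21, 30)),
    ("help.twitter.com", "198.51.100.7", 3600, _t(21, 30)),
    ("www.twitter.com",  "192.0.2.10",   3600, _t(22, 1)),   # first hijacked answer
    ("twitter.com",      "192.0.2.10",   3600, _t(22, 1)),
    ("help.twitter.com", "192.0.2.10",   3600, _t(22, 1)),
    ("www.twitter.com",  "192.0.2.20",   3600, _t(22, 13)),  # fast-flux style change
    ("www.twitter.com",  "192.0.2.30",   3600, _t(22, 24)),  # and another
    ("www.twitter.com",  "192.0.2.30",   3600, _t(23, 0)),   # still bad, no change
    ("www.twitter.com",  "198.51.100.5", 3600, _t(23, 11)),  # records restored
    ("twitter.com",      "198.51.100.5", 3600, _t(23, 11)),
    ("help.twitter.com", "198.51.100.7", 3600, _t(23, 11)),
]


def is_expected(answer, expected_nets=EXPECTED_NETS):
    """True if the answer lies inside one of the allowlisted netblocks."""
    addr = ip_address(answer)
    return any(addr in net for net in expected_nets)


def find_transitions(observations, expected_nets=EXPECTED_NETS):
    """Return one event per change of answer for a host, in time order.

    status is 'unexpected' for an answer outside the allowlist, 'restored'
    when an allowlisted answer replaces an unexpected one, else 'baseline'.
    """
    events = []
    last_answer = {}
    for host, answer, ttl, seen in sorted(observations, key=lambda o: o[3]):
        prev = last_answer.get(host)
        if prev == answer:
            continue  # same answer as last poll: nothing to report
        last_answer[host] = answer
        if not is_expected(answer, expected_nets):
            status = "unexpected"
        elif prev is not None and not is_expected(prev, expected_nets):
            status = "restored"
        else:
            status = "baseline"
        events.append({"host": host, "answer": answer, "ttl": ttl,
                       "seen": seen, "status": status})
    return events


def stale_until(observations, expected_nets=EXPECTED_NETS):
    """Per host, the latest moment a cache could still serve a bad answer.

    A resolver that cached an unexpected answer at time `seen` may keep
    returning it until `seen + ttl`, regardless of when the zone is fixed.
    """
    latest = {}
    for host, answer, ttl, seen in observations:
        if is_expected(answer, expected_nets):
            continue
        expiry = seen + timedelta(seconds=ttl)
        if host not in latest or expiry > latest[host]:
            latest[host] = expiry
    return latest


if __name__ == "__main__":
    for e in find_transitions(OBSERVATIONS):
        print(f"{e['seen']:%H:%M} {e['status']:<10} {e['host']:<17} -> {e['answer']}")
    for host, until in sorted(stale_until(OBSERVATIONS).items()):
        print(f"{host}: caches may serve hijacked answers until {until:%H:%M}")
```

In a real deployment the observations would come from polling both the authoritative servers and a spread of public caching resolvers, since the two can disagree for as long as the TTL allows; the point of `stale_until` is that fixing the zone at 11:11 p.m. does not end the incident, the last cache to have picked up the bad answer does.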
The lesson is that DNS is simultaneously fragile and resilient. DNS is vital to a company's presence on the Internet, yet the system as a whole, from registrars such as DynDNS, GoDaddy and Network Solutions down to name servers of every stripe, is very fragile. There are many ways to subvert DNS; the saving grace is that when a well-known domain is taken over, it is not long before someone notices and takes action. Of course, it would be better if the domain could not be hijacked in the first place. If the speculation about stolen credentials is right, the weak point was the account at the registrar or DNS provider, and a registrar lock does not help there: it blocks unauthorised transfers, not record changes made with a valid login. The practical defences are tightly held provider credentials and independent monitoring of what resolvers actually return for the domain.