Re: [gnso-thickwhoispdp-wg] DNS attack and our topic
- To: Don Blumenthal <dblumenthal@xxxxxxx>, Thick Thin PDP <gnso-thickwhoispdp-wg@xxxxxxxxx>
- Subject: Re: [gnso-thickwhoispdp-wg] DNS attack and our topic
- From: Susan Kawaguchi <susank@xxxxxx>
- Date: Thu, 20 Jun 2013 22:15:40 +0000
Hi Don,

It will be interesting to hear what really happened. I read the article
and do not understand how dealing with a denial of service attack could
result in changing servers on specific domain name records. In my
experience, it just wouldn't happen that way. It may be that there was a
DDOS attack and a hacking or social engineering event at the same time.
Obviously, someone made a major mistake.

In 2008 when I was at eBay and managing PayPal domain names we sent in a
phishing report to Network Solutions and instead of removing the servers
off of the offending domain name they removed them from PayPal.com.
Stupid human error which we are all capable of without good processes in
place. The registry lock came out of this event which would prevent any
unauthorized modifications to the thin whois record.

I cannot imagine this scenario would have been different with a thick
whois or thin whois registry. The registrar in both cases interacts with
the registry to make modifications and if there is no double check or a
security protocol in place to prevent automatic updates then the
registrant will always run the chance of this happening.

Susan Kawaguchi
Domain Name Manager
Facebook Legal Dept.
Phone - 650 485-6064

On 6/20/13 2:28 PM, "Don Blumenthal" <dblumenthal@xxxxxxx> wrote:
>
>There has been a lot of chatter on anti abuse and security lists today
>about a major DNS hijack at Network Solutions yesterday that affected
>some significant brands. LinkedIn, USPS, CarMax, and Mazda are among
>them. This article is the first good description that I have seen.
>http://blogs.cisco.com/security/hijacking-of-dns-records-from-network-solutions/
>
>If it had to occur, I wish that it had come before we finished drafting.
>One post on the hack, from someone that I respect very much, said that it
>could not have happened if .com were thick. I urged him to submit a
>comment when our document goes up.
>
>FWIW,
>
>Don
>