Linkedin DNS Hijack - Update
Update
It looks like this issue stemmed from a DDoS mitigation [1] gone awry or human error depending upon what source you refer to... [2]
Orginal
LinkedIn had its DNS "hijacked". There are no details right now, but often this is the result of an attacker compromissing the account used to manage DNS servers.But so far, no details are available so this could be just a simple misconfiguration.
The issue has been resolved, but If LinkedIn is "down" for you, or if it points to a different site, then you should flush your DNS cache.
It does not appear that Linkedin uses DNSSEC (which may not have helped if the registrar account was compromissed). Your best bet to make sure you connect to the correct site is SSL. But of course, "owning" the domain may allow the attacker to create a new certificate rather quickly.
As indicated in a comment below (and some twitter messages), other sites are affected as well. Please add a comment if you find any. The fact that multiple site's NS records are affected implies that this may not be a simple compromissed registrar account.
Current, appearantly accurate, DNS replies for LinkedIn:
dig +short A linkedin.com 216.52.242.86 dig +short NS linkedin.com ns4.p43.dynect.net. ns4.linkedin.com. ns3.p43.dynect.net. ns1.p43.dynect.net. ns2.p43.dynect.net. ns1.linkedin.com. ns3.linkedin.com. ns5.linkedin.com. ns6.linkedin.com. ns2.linkedin.com.
Johannes B. Ullrich, Ph.D.
Application Security: Securing Web Apps, APIs, and Microservices | Washington | Dec 13th - Dec 18th 2024 |
Comments
Kevin
Jun 20th 2013
1 decade ago
# dig ns{1..6}.linkedin.com A +short
156.154.64.23
156.154.65.23
156.154.66.23
156.154.67.23
156.154.68.23
156.154.69.23
bill
Jun 20th 2013
1 decade ago
Nokia
Jun 20th 2013
1 decade ago
JT
Jun 20th 2013
1 decade ago
Jason
Jun 20th 2013
1 decade ago
"Note that it has already been verified that this issue was caused due to a human error and there was NO security related issue caused by the same. More details will be provided shortly."
DMFH
Jun 20th 2013
1 decade ago
Before we would be willing to accept this as a mistake, and not a "breach coverup"; I think we need to understand what kind of mistake... I don't see any way this can be explained away as a simple "fat fingering"; something is horribly designed if this can happen, outside of an incorrect list of nameserver addresses sent to the domain registrar..
What's the chance, that registrants of multiple domains made the same error?
I think this almost has to be an ISP DNS man-in-the-middle-attack-box error....
Human error downtime /is/ a kind of security issue; comparable to accidentally running a security exploit against the wrong server, or performing a Man-in-the-Middle or response rewriting against the wrong server. Loss of availability or misdirection due to mistake.
Mysid
Jun 20th 2013
1 decade ago
Indeed, apparently the domain registrar NSol (not the registrant/not an operator of Linkedin's DNS servers)
made an unkinkable major goof -- submitted an unauthorized nameserver update to the shared registry, for a minimum of several thousands of domains registered through NSol.
Mysid
Jun 22nd 2013
1 decade ago