As reported by a number of different sources, Google’s primary web property in Vietnam (www.google.com.vn) had its DNS abused by an individual (or individuals) claiming affiliation with Lizard Squad.
Based on the DNS queries over the past 2 days, we noticed that the DNS infrastructure changed from the expected Google name servers (ns1.google.com, ns2.google.com) to CloudFlare (173.245.59.108, 173.245.58.166). This was identified using OpenDNS Investigate and corroborated by several other publicly available tools. Though only a brief redirection, visitors to the legitimate www[.]google[.]com[.]vn site were surreptitiously redirected to a DigitalOcean-hosted server with the following message:
A DigitalOcean IP served as the endpoint for the hijacked site and, according to MaxMind, was located in the Netherlands – at least until it was taken down.
What’s interesting is that the IP address in question was an IPv6 IP – 2a03:b0c0:2:d0::23a:c001. Prefix: 2a03:b0c0:2::/48 Prefix description: DigitalOcean Country code: NL Origin AS: 202018 Origin AS Name: DOAMS3 — DigitalOcean Amsterdam RPKI status: No ROA found First seen: 2014-08-13 Last seen: 2015-02-23 Seen by #peers: 170 We’re not sure if this was an attempt to “confuse” network analysts and legacy tools or if this was simply a case of “we don’t care what IP address we get as we’re mapping a domain name to it”. The hosting of the site in The Netherlands, when combined with the load balancing capabilities of employing CloudFlare’s infrastructure, does signal that at least some thought was put into managing the considerable amount of web traffic generated by Google-related requests.
We suspect that the use of IPv6 for malicious and fraudulent sites will become increasingly commonplace, especially as VPS providers stop giving customers the choice to select an IPv4 or IPv6 IP address for their server. In closing we’d also like to give kudos to CloudFlare for their diligence in coordinating the take down of this fraudulent site shortly after the redirect was detected.
By Andrew Hay, Senior Security Research Lead & Evangelist, OpenDNS
BIO: Andrew Hay is the Senior Security Research Lead & Evangelist at OpenDNS where he leads the research efforts for the company. Prior to joining OpenDNS he was the Director of Applied Security Research and Chief Evangelist at CloudPassage, Inc. Prior to that, Andrew served as a Senior Security Analyst for 451 Research’s Enterprise Security Practice (ESP) providing technology vendors, private equity firms, venture capitalists and end users with strategic advisory services – including competitive research, new product and go-to-market positioning, investment due diligence and tactical partnership, and M&A strategy. Through his work at 451 Research, Andrew was instrumental in securing tens of millions of dollars in equity investment for numerous security product vendors. Before joining The 451 Group, Andrew worked in the Information Security Office (ISO) of the University of Lethbridge, in Alberta, Canada and, prior to that, at a privately held bank in Hamilton, Bermuda; in each position, he was responsible for strategically designing, driving and executing the goals and objectives of the organization’s information security programs. Prior to that, Andrew served in various roles at Q1 Labs, including Engineering Manager, Product Manager and finally as the Program Manager responsible for the entire portfolio of third-party technology partner relationships. Andrew is frequently approached to provide expert commentary on security-industry developments, and has been featured in such publications as The Sacramento Bee, Forbes, The Washington Post, USA Today, Bloomberg Businessweek, eWeek, Ars Technica, RT, Techworm, TechTarget, Info-Security Magazine, Wired Magazine, Computer World, Dark Reading, VentureBeat, Network World, and CSO Magazine. – See more at author at opendns.
