Wednesday, January 19, 2011

How do you avoid/detect DNS hijacking? (aka latest twitter hack)

It is all over the news today that Twitter was hacked by a DNS redirection/hijacking.

My question is, what tools or techniques do you guys use to monitor your DNS/whois and detect this kind of attack?

  • I run the Sucuri monitor (free) and it alerts me whenever the DNS/Whois is changed.

    I have been monitoring twitter, facebook and other big sites for a while and that's the alert I got:

    Sucuri nbim: twitter.com DNS modified

    Modifications: 3a4
    < twitter.com has address 128.121.146.100
    < twitter.com has address 168.143.162.52
    > twitter.com has address 66.147.242.88

    --- This alert was generated by the Sucuri Network Integrity Monitor. Log in to your dashboard at http://sucuri.net.

    But this is just a first line of defense/visibility to react faster. If you host your own DNS, you could use a FIM (file integrity monitor) to detect changes on it...

    *Posting what I do here, so as not to affect other answers. Plus, for the sake of full disclosure, I wrote the Sucuri monitor :)

    Jeff Atwood: while asking and answering your own question is explicitly allowed, I think you should have waited a day or two for actual responses in this case.
    From sucuri
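A minimal version of the baseline-vs-current check that the monitor above performs, added here as an example (it is not Sucuri's code). It takes an optional resolver callable so the check runs offline against a stub built from the addresses in the alert; without one it falls back to a live `socket.gethostbyname_ex` lookup.

```python
import socket


def resolve_a_records(hostname, resolver=None):
    """Return the sorted, de-duplicated IPv4 addresses hostname resolves to.

    resolver is an optional callable(hostname) -> list of addresses, so the
    check can be driven by a stub (as below) instead of a live lookup.
    """
    if resolver is None:
        resolver = lambda h: socket.gethostbyname_ex(h)[2]
    return sorted(set(resolver(hostname)))


def diff_records(baseline, current):
    """Return (removed, added) address lists; both empty means no change."""
    removed = sorted(set(baseline) - set(current))
    added = sorted(set(current) - set(baseline))
    return removed, added


def format_alert(hostname, removed, added):
    """Render the change in the same '<' (old) / '>' (new) style as the alert above."""
    lines = [f"{hostname} DNS modified"]
    lines += [f"< {hostname} has address {ip}" for ip in removed]
    lines += [f"> {hostname} has address {ip}" for ip in added]
    return "\n".join(lines)


def check_host(hostname, baseline, resolver=None):
    """Compare a stored baseline with a fresh resolution.

    Returns (alert_text_or_None, current_records). The caller decides whether
    to promote the new records to the baseline, which it should only do after
    confirming the change was a legitimate migration and not a hijack.
    """
    current = resolve_a_records(hostname, resolver)
    removed, added = diff_records(baseline, current)
    if not removed and not added:
        return None, current
    return format_alert(hostname, removed, added), current


# Constructed sample: the baseline and the "new" answer are the addresses
# quoted in the alert above; the stub stands in for a live lookup.
SAMPLE_BASELINE = ["128.121.146.100", "168.143.162.52"]


def _stub_resolver(hostname):
    return ["66.147.242.88"]


if __name__ == "__main__":
    alert, now = check_host("twitter.com", SAMPLE_BASELINE, resolver=_stub_resolver)
    print(alert or "no change")
```

Run it from cron against a baseline stored on disk and send the alert text wherever your paging goes; pair it with a whois/NS-record check, since a registrar-level hijack changes the nameservers before the A records move.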
