 James_d
join:2005-08-27 uk
Whee, screwups all around.
Well, if anyone is a hosting provider and is using godaddy as their sole nameserver domain registrar, the message is clear: fix that ASAP. If you're a customer of a hosting provider, time to check that you have nameserver addresses from two different providers and tell your provider their business if they aren't providing you with them. And remember that you are supposed to make sure you have two nameservice providers as well - losing your provider's nameserver(s) shouldn't take you out.
Nectartech seems to have been poorly configured, not an encouraging sign. Their customers should probably reconsider their positions, since this was an avoidable outage apparently caused by a design flaw in the Nectartech system (dependence on a single name service provider, a known bad practice).
Also time to rethink use of godaddy for name service, since it seems to have abused its position. Rationale:
1. Abuse emails which must be responded to were apparently sent to the domain which was shut down, making it unlikely that they would be received.
2. A godaddy rep asserted that they were aware that they had shut down a hosting data center because of the actions of a customer of the hosting center after the hosting location had dealt with their own customer.
3. Godaddy acted against the host rather than the compromised domain. Godaddy doesn't seem to have much reason to be involved in this.
4. In a subsequent call a godaddy rep stated that there was nobody from abuse around and that without someone in abuse the problem couldn't be fixed. 24/7 turn off without 24/7 turn on isn't adequate.
5. Hacked boxes in hosting locations are inevitable and it seems that godaddy is willing to kill the hosting business when that happens.
6. Godaddy apparently sent customer-specific email to an address given by someone who had previously claimed not to be its customer. That appears to be a potential vulnerability to social engineering attacks. But I don't know if this opening could have been extended beyond this particular abuse incident or not.
7. A complete failure of proportionality. A single phishing or spamming box, even if still active, is not sufficient reason to take down a hosting provider and refuse temporary service restoration.
8. Godaddy not accepting temporary verbal contract term agreements in an emergency after claiming that the calls would be recorded. Not that it mattered in this case, because the person calling wasn't able to enter into agreements with them because it wasn't their customer.
The customer screwed up pretty majorly in several ways but this is just based on the godaddy rep claims and actions. Two of the customer screwups:
A. All nameservers depending on a single provider, godaddy. Godaddy shouldn't have been given the power to take both nameservers out. The data center customers should have been supplied with at least two nameservers in different domains so godaddy couldn't compromise them all.
B. Godaddy's customer wasn't the one calling godaddy. The wrong person was calling them.
Observations:
i. Godaddy had locked the domain so it wasn't possible to transfer it to get out of the mess, as some suggested.
 Necronomikro
join:2005-09-01
said by James_d:
Well, if anyone is a hosting provider and is using godaddy as their sole nameserver domain registrar, the message is clear: fix that ASAP. If you're a customer of a hosting provider, time to check that you have nameserver addresses from two different providers and tell your provider their business if they aren't providing you with them. And remember that you are supposed to make sure you have two nameservice providers as well - losing your provider's nameserver(s) shouldn't take you out.
...
That's nice and all, but, godaddy, the registrar, changed their NS entries to 'NS1.SUSPENDED-FOR.SPAM-AND-ABUSE.COM' or something like that.
  Die Daddy Die
@sonnet.com
Yep, Go Daddy needs to die NOW. What they did should sign their death warrant. Even if they don't die, it is going to cost them a LOT of business, because all other hosting companies out there are going to take stuff to a registrar who knows how to operate in their customers' interests.
To any one who is clueless out there, this is NOT Nectartech's fault AT ALL.
HOWEVER, it might be good practice from now on to have your secondary DNS be a domain that is hosted at a different registrar. It MIGHT prevent things like this from having the serious effect they did:
NS1.NECTARTECH.COM (registered at Die Crappy)
NS2.NECTARTECH.NET (registered at Network Solutions)
Die Crappy might not have been able to take out the NS2 under that scenario.
 James_d
join:2005-08-27 uk
reply to Necronomikro
And that's one of the things two domains with different registrars protect you from.
  Die Daddy Die
@sonnet.com
said by James_d: And that's one of the things two domains with different registrars protect you from.
There are almost zero protections from registrars; you may remember when panix.com had their domain stolen from them by a registrar that wasn't even theirs. You can't have a single domain with more than one registrar, so there is no way to protect from it.
Likewise, it is not clear whether having each of your nameservers be on a separate domain at separate registrars would protect you from Die Daddy. If they modify the ROOT server records for both/all of your nameservers regardless of where their domain is registered, you're still dead. Which is what Die Daddy should be as well.
  owebtw
@edu.tw
reply to James_d
said by James_d: 3. Godaddy acted against the host rather than the compromised domain. Godaddy doesn't seem to have much reason to be involved in this.
The host WAS the compromised domain. The URL was: 69.50.229.44.ip.nectartech.com/f···ndex.php The phishing website WAS on the domain "nectartech.com". GoDaddy maintains that the phishing site was NOT removed.
The reason all the other domains in the data center went offline was due to the fact that nectartech set the nameservers of all their customers' domains to ns1.nectartech.com and ns2.nectartech.com. The entire datacenter is relying on the single domain "nectartech.com". Any failure of that SINGLE domain would render the ENTIRE datacenter and ALL other domains in the datacenter USELESS.
That's pretty stupid of them, IMHO.
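The failure mode this thread keeps returning to (James_d's advice to take nameservers from two providers, Necronomikro's note that the registrar re-delegated nectartech.com to placeholder nameservers, Die Daddy Die's NS1.NECTARTECH.COM / NS2.NECTARTECH.NET suggestion, and owebtw's observation that every customer zone in the data center pointed at ns1/ns2.nectartech.com) can be modelled directly. The following is an added example, not code from the thread or from any company named in it. The registry table, the customer-a/customer-b.example zones, the nectartech.net nameservers, the in-bailiwick nameservers for climaxglobal.com, the registrar assignments and the suspension placeholder name are all constructed for illustration; only the climaxmanila.com delegation is taken from the whois output quoted later in the thread.

```python
"""Toy model of DNS delegation and a registrar suspension.

Added example, not from the thread. REGISTRY, REGISTRAR_OF and SUSPENSION_NS
are constructed for illustration (see the comments on each entry).
"""

# Placeholder delegation a registrar might point a suspended zone at.
# Illustrative name modelled on the thread's description, not a real record.
SUSPENSION_NS = ["ns1.suspended.example", "ns2.suspended.example"]

# zone -> nameserver hostnames the registry delegates it to.
REGISTRY = {
    "nectartech.com": ["ns1.nectartech.com", "ns2.nectartech.com"],
    "nectartech.net": ["ns1.nectartech.net", "ns2.nectartech.net"],        # constructed
    "climaxglobal.com": ["ns1.climaxglobal.com", "ns2.climaxglobal.com"],  # assumed
    "climaxmanila.com": ["ns1.climaxglobal.com", "ns2.climaxglobal.com"],  # per quoted whois
    "customer-a.example": ["ns1.nectartech.com", "ns2.nectartech.com"],    # constructed: one NS domain
    "customer-b.example": ["ns1.nectartech.com", "ns2.nectartech.net"],    # constructed: two NS domains
}

# registrable domain -> sponsoring registrar (assumed for illustration).
REGISTRAR_OF = {
    "nectartech.com": "GoDaddy",
    "nectartech.net": "Network Solutions",
    "climaxglobal.com": "GoDaddy",
}


def registrable_domain(hostname):
    """Last two labels of a hostname. Right for .com/.net style TLDs; a real
    tool would consult the Public Suffix List to handle e.g. example.co.uk."""
    labels = hostname.rstrip(".").lower().split(".")
    if len(labels) < 2:
        raise ValueError("not a fully qualified hostname: %r" % hostname)
    return ".".join(labels[-2:])


def resolvable(registry, zone, _seen=frozenset()):
    """Can a resolver follow this zone's delegation to a reachable nameserver?

    An in-bailiwick nameserver (ns1.foo.com for foo.com) is reachable through
    the registry's glue as long as the zone is still delegated to it. An
    out-of-bailiwick nameserver is reachable only if the zone it lives in is
    itself resolvable. TLDs are assumed always live.
    """
    if zone in _seen:
        return False  # delegation loop with no glue to break it
    for ns in registry.get(zone, []):
        parent = registrable_domain(ns)
        if parent == zone:
            return True
        if resolvable(registry, parent, _seen | {zone}):
            return True
    return False


def suspend(registry, zone):
    """Copy of the registry with `zone` re-delegated to placeholder
    nameservers, as the thread says the registrar did to nectartech.com."""
    patched = dict(registry)
    patched[zone] = list(SUSPENSION_NS)
    return patched


def blast_radius(registry, zone):
    """Zones resolvable before `zone` is suspended and unresolvable after."""
    after = suspend(registry, zone)
    return sorted(z for z in registry
                  if resolvable(registry, z) and not resolvable(after, z))


def single_points_of_failure(registry, registrar_of):
    """Per zone, flag delegations resting on one NS domain or one registrar."""
    findings = {}
    for zone, nss in registry.items():
        domains = {registrable_domain(ns) for ns in nss}
        registrars = {registrar_of.get(d, "unknown:" + d) for d in domains}
        problems = []
        if len(domains) == 1:
            problems.append("all nameservers under " + next(iter(domains)))
        elif len(registrars) == 1:
            problems.append("all nameserver domains at " + next(iter(registrars)))
        if problems:
            findings[zone] = problems
    return findings


if __name__ == "__main__":
    for z in blast_radius(REGISTRY, "nectartech.com"):
        print("goes dark with nectartech.com:", z)
    for z, why in single_points_of_failure(REGISTRY, REGISTRAR_OF).items():
        print("%s: %s" % (z, "; ".join(why)))
```

Suspending nectartech.com takes customer-a.example down with it, while customer-b.example stays up because ns2.nectartech.net sits in a zone the suspending registrar did not touch. Two caveats the thread itself raises: the check also flags zones served by their own in-bailiwick nameservers, and for your own domain that dependency cannot be designed away, since whichever registrar sponsors the domain can always re-delegate it (the panix.com point); and a real tool would take the NS set from `dig NS` and the registrar from whois rather than from a hand-written table.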
 James_d
join:2005-08-27 uk
I _hope_ godaddy abuse knows the difference between the generic names assigned to servers at a hosting company and the real domain at the site, which today is reported as www.Climaxmanila.com by www.whois.sc:
1 domains found on 69.50.229.44 Showing all 1.
Website www.Climaxmanila.com
I also hope that abuse standards at godaddy do require acting against the offending domain, not its hosting company just because the address happens to be within the range the hosting company has and assigns to its hosted customers.
If this was the case at the time of the problem, godaddy could instead have chosen to act against its own customer which controlled the box, because Climaxmanila.com uses godaddy for its own domain name registration and godaddy could have shut that down instead. Interestingly:
Registrant: The Plan C Group
Registered through: GoDaddy.com
Domain Name: CLIMAXMANILA.COM
Domain servers in listed order:
NS1.CLIMAXGLOBAL.COM
NS2.CLIMAXGLOBAL.COM
For complete domain details go to: who.godaddy.com/whoischeck.aspx
Climaxglobal.com is also registered with godaddy, so if godaddy wanted to shut down a nameserver, it also had an option there.
So, if these were the facts at the time, a little basic research would have told godaddy abuse who it should have been shutting down, if anyone. And that someone is not nectartech.
My apologies to climaxmanila, climaxglobal and godaddy if these were not the facts at the time of the incident.
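James_d's point above is that a hostname like 69.50.229.44.ip.nectartech.com is the hosting provider's generic per-address name, and that the party to act against is whoever is actually serving that address. An abuse desk can make that distinction mechanically before touching anything. The following is an added example, not code from the thread; the reverse-lookup table is constructed (it reproduces the one pairing James_d quotes from whois.sc and adds a hypothetical second address with two tenants), and the address-in-hostname pattern is an assumption about how this provider names its addresses.

```python
"""Tell a hosting provider's generic per-address hostname apart from a
customer's own domain before acting on an abuse report.

Added example, not from the thread. SITES_ON_IP is a constructed stand-in
for a reverse-IP lookup; the hostname pattern is an assumption.
"""
import re
from ipaddress import ip_address

# An IPv4 address written into the hostname with '.' or '-' separators,
# e.g. 69.50.229.44.ip.nectartech.com or 69-50-229-44.ip.nectartech.com.
_EMBEDDED_IP = re.compile(
    r"^(?P<ip>\d{1,3}[.-]\d{1,3}[.-]\d{1,3}[.-]\d{1,3})[.-](?P<rest>.+)$")

# Constructed reverse-IP table: address -> web sites served from it.
SITES_ON_IP = {
    "69.50.229.44": ["www.climaxmanila.com"],             # as quoted in the thread
    "69.50.229.45": ["shop.hypothetical-tenant.example",  # constructed: shared hosting
                     "www.other-tenant.example"],
}


def registrable_domain(hostname):
    """Last two labels (fine for .com/.net; use the Public Suffix List for co.uk etc.)."""
    return ".".join(hostname.rstrip(".").lower().split(".")[-2:])


def embedded_ip(hostname):
    """IPv4 address spelled out at the front of a generic hostname, else None."""
    m = _EMBEDDED_IP.match(hostname.lower())
    if not m:
        return None
    try:
        return str(ip_address(m.group("ip").replace("-", ".")))
    except ValueError:  # e.g. 999.1.1.1: shaped like an address, is not one
        return None


def host_ip(url_host):
    """Address a URL host designates: a literal IP, an IP embedded in the
    provider's generic name, or None for an ordinary domain name."""
    try:
        return str(ip_address(url_host))
    except ValueError:
        return embedded_ip(url_host)


def abuse_target(url_host, sites_on_ip):
    """What an abuse desk should look at for the host part of a reported URL.

    ("domain", [d])           the host is someone's own domain name
    ("customer-domains", ds)  generic/literal address; these sites are served
                              from it, so act on them, not on the provider
    ("ip-only", [ip])         generic/literal address with nothing known
                              about it; the provider's abuse desk is the contact
    """
    ip = host_ip(url_host)
    if ip is None:
        return ("domain", [registrable_domain(url_host)])
    domains = sorted({registrable_domain(s) for s in sites_on_ip.get(ip, [])})
    if domains:
        return ("customer-domains", domains)
    return ("ip-only", [ip])


if __name__ == "__main__":
    for h in ("69.50.229.44.ip.nectartech.com", "69.50.229.45",
              "69.50.229.46.ip.nectartech.com", "www.nectartech.com"):
        print(h, "->", abuse_target(h, SITES_ON_IP))
```

On the URL from the thread this returns climaxmanila.com, not nectartech.com, which is the distinction James_d is asking the abuse desk to make. When several tenants share an address the function returns all of them, because the address alone cannot single one out; a real desk would then look at the path or the virtual host in the report rather than act against the whole address.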
 James_d
join:2005-08-27 uk
reply to Die Daddy Die
Yes, I remember the Panix mess. If godaddy went in and modified the root record for a customer not its own the inappropriateness should be completely obvious, as would be the corrective action and appropriateness of great urgency on godaddy's part in taking that action.
In that case, it might be a crime, since I assume it does not have authorised access to the records of those not its customers, who have no agreement with it.