Slashdot Mirror


User: johnsn0w

johnsn0w's activity in the archive.

Stories: 0 · Comments: 2

Comments · 2

  1. They also run a man-in-the-middle attack on Ethiopia Criminalizes VoIP Services · Score: 1

    If you ask Google's DNS servers the IP address of www.google.com you get this:

    bast4rd@winterfell ~% dig www.google.com @8.8.4.4

    ANSWER SECTION:
    www.google.com. 86399 IN CNAME www.l.google.com.
    www.l.google.com. 299 IN A 173.194.75.105
    www.l.google.com. 299 IN A 173.194.75.99
    www.l.google.com. 299 IN A 173.194.75.103
    www.l.google.com. 299 IN A 173.194.75.147
    www.l.google.com. 299 IN A 173.194.75.106
    www.l.google.com. 299 IN A 173.194.75.104

    Ethiotelecom has exactly 2 DNS servers to serve all its customers. If you ask one of them to resolve the same address you get:

    bast4rd@winterfell ~% dig www.google.com @213.55.96.148

    www.google.com. 400465 IN CNAME www.l.google.com.
    www.l.google.com. 115 IN A 213.55.98.242

    Query AfriNIC who owns that IP block and you get:

    bast4rd@winterfell ~% whois -f 213.55.98.242
    inetnum: 213.55.98.0 - 213.55.98.255
    netname: Ethiotelecom
    descr: Leased by Corporate Customers
    country: ET
    admin-c: ET4-AFRINIC
    tech-c: ET4-AFRINIC
    status: ASSIGNED PA
    mnt-by: AFRINIC-HM-MNT
    source: AFRINIC
    parent: 213.55.64.0 - 213.55.127.255

    What I find interesting about this is not necessarily that they are handing out poisoned DNS records, but that the IP address of the server presumably acting as the man-in-the-middle sits in a net-block they have designated as being: "Leased by Corporate Customers." To me this implies that Ethiotelecom isn't necessarily the one that is running this attack, but rather one of their "Corporate Customers," which begs the question: "What kind of a corporate customer would have the clout to make Ethiotelecom hand out poisoned DNS records?" My guess is that it's probably one of the intelligence services. Of course, for anyone who knows the very poor standards to which the country's IT workers are trained, this doesn't necessarily mean that they can, or that they are able, to do anything with this.
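
Added example, not part of the comment above: the same resolver comparison written as a Python check that follows the CNAME chain in each answer and tests whether the returned address falls inside the range from the whois output. The function names are hypothetical; the answer sections and the address range are copied from the dig and whois output quoted in the comment.

```python
import ipaddress

# Answer sections copied from the dig output quoted in the comment above.
REFERENCE = """www.google.com. 86399 IN CNAME www.l.google.com.
www.l.google.com. 299 IN A 173.194.75.105
www.l.google.com. 299 IN A 173.194.75.99
www.l.google.com. 299 IN A 173.194.75.103
www.l.google.com. 299 IN A 173.194.75.147
www.l.google.com. 299 IN A 173.194.75.106
www.l.google.com. 299 IN A 173.194.75.104"""
SUSPECT = """www.google.com. 400465 IN CNAME www.l.google.com.
www.l.google.com. 115 IN A 213.55.98.242"""
ISP_RANGE = ("213.55.64.0", "213.55.127.255")  # whois 'parent:' line above

def a_records(answer, qname):
    """Follow CNAMEs from qname through dig answer lines; return the A set."""
    rows = [l.split() for l in answer.splitlines() if len(l.split()) == 5]
    name, seen = qname.lower(), set()
    while name not in seen:  # 'seen' guards against a CNAME loop
        seen.add(name)
        target = [r[4].lower() for r in rows
                  if r[0].lower() == name and r[3] == "CNAME"]
        if not target:
            break
        name = target[0]
    return {ipaddress.ip_address(r[4]) for r in rows
            if r[0].lower() == name and r[3] == "A"}

def compare(reference, suspect, qname, isp_range):
    """Compare a resolver's answer with a reference resolver's answer."""
    ref, sus = a_records(reference, qname), a_records(suspect, qname)
    first, last = (ipaddress.ip_address(a) for a in isp_range)
    nets = list(ipaddress.summarize_address_range(first, last))
    inside = sorted(str(ip) for ip in sus if any(ip in n for n in nets))
    disjoint = bool(ref and sus) and ref.isdisjoint(sus)
    # Disjoint answers alone can be ordinary geo-DNS load balancing; an answer
    # that also lands inside the resolver operator's own allocation is the
    # combination worth investigating.
    return {"disjoint": disjoint, "in_isp_range": inside,
            "suspicious": disjoint and bool(inside)}

if __name__ == "__main__":
    print(compare(REFERENCE, SUSPECT, "www.google.com.", ISP_RANGE))
```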

  2. Re:WTF? on Ethiopia Criminalizes VoIP Services · Score: 1

    Nothing new in this. There's like 8 layers of NATing before you can get out of this place. Not to mention a transparent proxy...