As reported by a number of different sources, Google’s primary web property in Vietnam (www.google.com.vn) had its DNS abused by an individual (or individuals) claiming affiliation with Lizard Squad.
Based on the DNS queries over the past 2 days, we noticed that the DNS infrastructure changed from the expected Google name servers (ns1.google.com, ns2.google.com) to CloudFlare (188.8.131.52, 184.108.40.206). This was identified using OpenDNS Investigate and corroborated by several other publicly available tools. Though only a brief redirection, visitors to the legitimate www[.]google[.]com[.]vn site were surreptitiously redirected to a DigitalOcean-hosted server with the following message:
A DigitalOcean IP served as the endpoint for the hijacked site and, according to MaxMind, was located in the Netherlands – at least until it was taken down.
What’s interesting is that the IP address in question was an IPv6 IP – 2a03:b0c0:2:d0::23a:c001.
Prefix description: DigitalOcean
Country code: NL
Origin AS: 202018
Origin AS Name: DOAMS3 — DigitalOcean Amsterdam
RPKI status: No ROA found
First seen: 2014-08-13
Last seen: 2015-02-23
Seen by #peers: 170
We’re not sure if this was an attempt to “confuse” network analysts and legacy tools or if this was simply a case of “we don’t care what IP address we get as we’re mapping a domain name to it”.
The hosting of the site in The Netherlands, when combined with the load balancing capabilities of employing CloudFlare’s infrastructure, does signal that at least some thought was put into managing the considerable amount of web traffic generated by Google-related requests.
We suspect that the use of IPv6 for malicious and fraudulent sites will become increasingly commonplace, especially as VPS providers stop giving customers the choice to select an IPv4 or IPv6 IP address for their server. In close we’d also like to give kudos to CloudFlare for their diligence in coordinated the taken down of this fraudulent site shortly after the redirect was detected.