The popular business-focused social network LinkedIn was unavailable for several hours over the 19th and 20th of June because of a DNS redirection incident which led to users of the service being directed to IPs in the range managed by Confluence Networks, an Internet services company registered in the British Virgin Islands. It’s unclear at the time of writing whether the incident is due to a malicious attack on LinkedIn’s DNS servers or a misconfiguration on the part of LinkedIn’s DNS providers.

The DNS redirection, also known as DNS hijacking, puts users of LinkedIn at risk of having private data made available to third parties. In the normal course of events, LinkedIn users would connect to the service using SSL encryption, which makes it very difficult for a third party to intercept the data in any meaningful form. However, because the Confluence Networks servers don’t implement SSL, and LinkedIn’s session cookies are not set to reject non-encrypted connections, it’s possible that connections made during the outage sent session cookie data in the clear to those servers. That data may have included login credentials and passwords if users logged in during the attack.

While Confluence Networks does appear to be a legitimate provider of various network services, including co-location, they are listed on Jart Armin’s HostExploit service as one of the Top 10 Bad Hosts, having hosted phishing servers and spam servers.

Users of LinkedIn should change their login credentials immediately to be confident that their accounts are not accessible by malicious third parties.

DNS redirection or hijacking has three major causes. First, malicious third parties can compromise DNS servers and cause them to return incorrect address information to applications, often pointing to malicious servers which then infect the client machines, or to phishing sites that aim to collect login credentials. Second, many ISPs hijack DNS requests that don’t match records in their database, directing users to sites that display advertising. The third cause, which appears to have been the case in this incident, is a mistake on the part of the network technicians at LinkedIn’s registrar or DNS services which allowed incorrect DNS records to be put in place. More details about this incident should be released in the coming weeks.

This security incident follows shortly after the recent breach in which millions of LinkedIn’s unsalted and weakly hashed passwords were leaked, forcing an across-the-board password reset. These incidents are particularly embarrassing because LinkedIn has always marketed itself as a secure network, an essential feature for many business users who share sensitive information.

The redirection was first reported by co-founder Ben Berg.

LinkedIn have released a short statement via Twitter:

Our site is now recovering for some members. We determined it was a DNS issue, we’re continuing to work on it. Thanks for your patience.

— LinkedIn (@LinkedIn) June 20, 2013

Until more evidence is available as to the cause of the DNS hijacking, it’s not fair to point fingers. However, a properly managed registrar and DNS-hosting provider should have procedures in place to prevent incidents like this from occurring. At DNS Made Easy we are currently developing tools that will identify the correct individuals as soon as a registrar makes a mistake or as soon as DNS services are moved away from approved IP addresses.
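The kind of check described above, comparing what a domain currently resolves to against an approved set, can be sketched as follows. This is an added example, not DNS Made Easy's tooling or code from the original article; the host names, name servers and address ranges are constructed placeholders taken from documentation ranges.

```python
import ipaddress
import socket

# Assumed allowlist (constructed documentation ranges, not any real site's addresses).
APPROVED_NETWORKS = [ipaddress.ip_network(n)
                     for n in ("192.0.2.0/24", "2001:db8:10::/48")]
APPROVED_NAMESERVERS = {"ns1.example-dns.test.", "ns2.example-dns.test."}


def normalize(name):
    """Lower-case a host name and make it fully qualified for comparison."""
    return name.strip().lower().rstrip(".") + "."


def check_records(hostname, addresses, nameservers):
    """Return alert strings for records that fall outside the approved sets."""
    alerts = []
    if not addresses:
        alerts.append(f"{hostname}: no address records returned")
    for addr in addresses:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            alerts.append(f"{hostname}: unparseable address {addr!r}")
            continue
        # Membership is False when the IP versions differ, so v4 and v6 can mix.
        if not any(ip in net for net in APPROVED_NETWORKS):
            alerts.append(f"{hostname}: address {ip} is outside approved ranges")
    unapproved = {normalize(n) for n in nameservers} - APPROVED_NAMESERVERS
    for ns in sorted(unapproved):
        alerts.append(f"{hostname}: delegation to unapproved name server {ns}")
    return alerts


def resolve_addresses(hostname):
    """Live lookup through the system resolver (not used by the offline samples)."""
    infos = socket.getaddrinfo(hostname, 443, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


# Constructed observations: one healthy poll, one after a delegation change.
HEALTHY = ("www.example.test", ["192.0.2.10", "2001:db8:10::5"],
           ["NS1.example-dns.test", "ns2.example-dns.test."])
HIJACKED = ("www.example.test", ["203.0.113.77"], ["ns1.parking.test."])

if __name__ == "__main__":
    for sample in (HEALTHY, HIJACKED):
        for line in check_records(*sample) or [f"{sample[0]}: OK"]:
            print(line)
```

Run on a schedule from several vantage points, a check like this turns a silent delegation or address change into an alert within one polling interval.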


Also published on Medium.