Path: csiph.com!usenet.pasdenom.info!gegeweb.org!de-l.enfer-du-nord.net!feeder1.enfer-du-nord.net!fu-berlin.de!uni-berlin.de!individual.net!not-for-mail
From: Sandman
Newsgroups: comp.os.linux.networking,comp.os.linux.security,comp.infosystems.www.servers.unix
Subject: Re: wpad.dat attack on Linux Apache server
Date: Fri, 24 May 2013 14:43:36 +0200
Lines: 96
Message-ID:
References: <87vc68ra57.fsf@araminta.anjou.terraraq.org.uk> <87ppwgr8wz.fsf@araminta.anjou.terraraq.org.uk> <87k3mor85j.fsf@araminta.anjou.terraraq.org.uk>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
X-Trace: individual.net mqsW8K/RlPfNEV1jSj0R2gSxk/fUUKziyS/VZfkYL/+uVdRp4=
X-Orig-Path: mr
Cancel-Lock: sha1:TMTQCh6NL1mGZ5WQnBqN1NBfmpI=
User-Agent: MT-NewsWatcher/3.5.2 (Intel Mac OS X)
X-Face: $@,Vfa$,)%=Qa7L]y)&oZj_\EiHc}}Af0Bei"4a_%)"c6TQ+P/:53>;PNGuWUmkqyeN-qM65foJ[;T_(k;>]&G\T4Lhm:2 ujye2_,iUJFE;NZn>y;.|-hl7g~bIOF1qG\o,

J G Miller wrote:
> On Friday, May 24th, 2013, at 12:23:54h +0200, Sandman pondered:
>
> > I thought that rejecting the TCP request in iptables blocked the request
> > from ever reaching the httpd process.
>
> You need to re-read the very first reply from R J Kettlwell.
>
> The sequence of events is, you have an open port 80, so
> some remote host connects on port 80 to your Apache server
> which then is waiting for data on what to do next.
>
> Now you have suggested a rule
>
> iptables -I INPUT -p tcp --dport 80 -m string --to 70 --algo bm \
> --string "GET /wpad.dat" -j REJECT --reject-with tcp-reset
>
> This will reject any packets containing the string "GET /wpad.dat"
> but it will not close the already opened connection to apache
> and furthermore will not block any packets from the host which do
> not contain the string "GET /wpad.dat".
>
> DON'T PANIC
>
> A quick web search reveals that other people have had
> this problem and it is probably not a malicious attack
> but most probably misbehaving Windoze 7 clients.
>
> Please read the discussion at
>
>
>
> which after three pages offers a potential solution to the problem.

Yes, I have seen this thread, and they are talking about wildcard DNS being the culprit - I have yet to understand how this applies to me? I mean - I *DO* use wildcard DNS for all domains that I have a DNS for. The DNS server is on the machine that is currently being flooded on port 80.

Ok. So the DNS is "ns1.mydomain.com" (for example). So, for my clients - whose web pages I host on this machine - I tell *them* to point their subdomains (i.e. www.client.com) to the domain name "cluster.mydomain.com" as a CNAME record. Now, when the visitor types www.client.com into the web browser, their DNS says that that resolves to cluster.mydomain.com - which in turn has an A record for an IP number. So in the end, they surf to cluster.mydomain.com asking for www.client.com. This works very well and has for more than a year.

Now, mydomain.com has a wildcard DNS, meaning that "lkjkljklj.mydomain.com" points to "cluster.mydomain.com" and then to the IP.

According to that thread, Internet Explorer and/or Windows makes assumptions about where to look for "wpad.dat", a javascript file that aims to provide the browser/the OS info about proxy servers. So, Windows/IE asks for "http://wpad.client.com:80/wpad.dat" (as far as I know) and that's where the problem is.

Now, to counter this:

1. I have removed wildcard DNS on mydomain.com; propagation may take a while though.
2. I am actively pointing wpad.mydomain.com to 127.0.0.1, also waiting for the TTL there.
3. I am trying to use iptables to block these accesses.

The open questions seem to be several, which the forum thread doesn't seem to have an answer for:

1. Why would thousands of clients per minute all over Sweden ask for a wpad.dat file on *my* machine? According to the standard, they should be asking for it on wpad.*client.com*, not wpad.mydomain.com.
2. And why the *excessive* amount of traffic? Several hundred IPs make up thousands of requests per minute, meaning that one IP often makes several requests.
3. If I block these IP numbers, would I also be blocking their normal traffic to the server? Meaning, is this flooding some form of collateral traffic from normal surfing?

Thanks for all your replies, guys. This is a huge problem for me right now...

--
Sandman[.net]
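Questions 1 to 3 above can all be answered from the Apache access log rather than from the packet filter: which Host name the clients asked for tells you which DNS name led them here, per-IP counts per minute show how hard each client is hammering, and the non-wpad requests from the same IPs show what an IP block would cost. The following is an added example written for this thread; it is not code from the original post or from Apache. It assumes a vhost-aware log format such as `LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common`, so the first field is the virtual host (the Host header) the client requested; the sample log lines are constructed, with RFC 5737 documentation addresses.

```python
"""Summarise wpad.dat requests from Apache access-log lines.

Added example, not code from the original post. Assumes the log format
  LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common
so that the first field is the virtual host (Host header) that the
client asked for.
"""
import re
from collections import Counter, defaultdict

# Constructed sample lines (not real traffic); documentation addresses only.
SAMPLE_LOG = """\
wpad.mydomain.com 192.0.2.10 - - [24/May/2013:12:23:54 +0200] "GET /wpad.dat HTTP/1.1" 404 213
wpad.mydomain.com 192.0.2.10 - - [24/May/2013:12:23:55 +0200] "GET /wpad.dat HTTP/1.1" 404 213
wpad.mydomain.com 192.0.2.10 - - [24/May/2013:12:23:57 +0200] "GET /wpad.dat HTTP/1.1" 404 213
www.client.com 192.0.2.10 - - [24/May/2013:12:24:01 +0200] "GET /index.html HTTP/1.1" 200 5120
wpad.client.com 198.51.100.7 - - [24/May/2013:12:24:02 +0200] "GET /wpad.dat HTTP/1.1" 404 213
www.client.com 203.0.113.5 - - [24/May/2013:12:24:03 +0200] "GET /about.html HTTP/1.1" 200 2048
this is not a log line
"""

# vhost ip ident user [time] "method path proto" status size
LINE_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(log_text, path="/wpad.dat"):
    """Count requests for `path` per client IP and per requested vhost,
    track the busiest minute per IP, and count each IP's *other* requests
    so the collateral cost of an IP block can be judged."""
    wpad_by_ip = Counter()
    wpad_by_vhost = Counter()
    other_by_ip = Counter()
    per_minute = defaultdict(Counter)  # ip -> minute bucket -> count
    skipped = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            skipped += 1          # unparseable line, e.g. truncated or foreign format
            continue
        if rec["path"] == path:
            wpad_by_ip[rec["ip"]] += 1
            wpad_by_vhost[rec["vhost"]] += 1
            # "24/May/2013:12:23:54 +0200" -> "24/May/2013:12:23"
            per_minute[rec["ip"]][rec["time"][:17]] += 1
        else:
            other_by_ip[rec["ip"]] += 1
    return {
        "wpad_by_ip": dict(wpad_by_ip),
        "wpad_by_vhost": dict(wpad_by_vhost),
        "wpad_peak_per_minute": {ip: max(b.values()) for ip, b in per_minute.items()},
        "other_by_ip": dict(other_by_ip),
        "skipped": skipped,
    }


def ips_with_only_wpad(summary):
    """IPs that requested wpad.dat and nothing else in this log window:
    blocking these costs no legitimate traffic seen here."""
    return sorted(ip for ip in summary["wpad_by_ip"] if ip not in summary["other_by_ip"])


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("wpad.dat requests by requested Host name:", s["wpad_by_vhost"])
    print("wpad.dat requests by client IP:", s["wpad_by_ip"])
    print("busiest minute per IP:", s["wpad_peak_per_minute"])
    print("other requests from the same IPs:", s["other_by_ip"])
    print("IPs with wpad-only traffic:", ips_with_only_wpad(s))
    print("unparsed lines:", s["skipped"])
```

Run it against the real log with `summarize(open("/var/log/apache2/access.log").read())`. A high count under a `wpad.mydomain.com` (or other wildcard) Host name confirms the wildcard DNS theory from the thread; IPs that also appear in `other_by_ip` are real visitors whose browsers are sending the extra probes, so a blanket IP block would cut off their normal traffic, whereas a 404 or empty response for `/wpad.dat` alone costs them nothing.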