Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]
Groups > comp.os.linux.networking > #2159
| From | Sandman <mr@sandman.net> |
|---|---|
| Newsgroups | comp.os.linux.networking, comp.os.linux.security, comp.infosystems.www.servers.unix |
| Subject | Re: wpad.dat attack on Linux Apache server |
| Date | 2013-05-24 21:20 +0200 |
| Message-ID | <mr-F2952F.21202924052013@News.Individual.NET> (permalink) |
| References | (11 earlier) <8761y8qxcr.fsf@araminta.anjou.terraraq.org.uk> <mr-870DFD.16265624052013@News.Individual.NET> <519f999f$0$15903$e4fe514c@news2.news.xs4all.nl> <mr-C61E2B.18533924052013@News.Individual.NET> <kno77s$78m$2@dont-email.me> |
Cross-posted to 3 groups.
In article <kno77s$78m$2@dont-email.me>, J G Miller <miller@yoyo.ORG> wrote: > > No, that's the thing - "stadsnat.se" is not a domain I am > > administering. It's one of my clients domains. They wouldn't wildcard > > DNS and send ALL requests to me - only web requests (so www would > > point to me). > > Did you read this article? > > <https://nodpi.ORG/2013/05/09/wpad-the-internet-explorer-security-flaw-that-ex > poses-all-microsoft-users-in-the-uk/> Not that one specifically, but I have read about the point he is making. > According to that article all Microsoft Internet Explorer users in > the UKofGB&NI are being directed by default towards a site run by a > Brazilian, which obviously is not their DNS provider. Which is due to UK citizens usually having a two part top level domain name. WPAD see's the domain "domain.co.uk" and thinks (correctly, one might add) that "domain" is a subdomain to "co" which is the local domain to the top level "uk". Which means that "wpad.co.uk" is a logical assumption for this function. This is not relevant to atlascms.se or any of swedish domains, really (we did have the pp.se domain thing for private person, but that was a decade ago). > QUOTE > > Sadly WPAD has some serious flaws. In particular, if DHCP discovery > fails… WPAD reverts to a crude search for a source of configuration > using DNS. > > In Windows, this search appears to be governed by the > > *DNS suffixes used to resolve unqualified domain names* > > (see the Advanced TCP/IP Settings dialog, right). > > > UNQUOTE > > Perhaps you appearing as wpad.yourdomain.se because of the above (and maybe > repeated combinations thereof because of your wild card setup) and so every > MSIE from your clients tries that in its crude attempts to find > the wpad proxy info? The only one of my clients that have wildcard:ed their domain to me is opennet.se, I'll have a talk to them. As far as I know, they don't have almost 5000 users on their LAN though. because even if what you postulate is a possible scenario, it would under no circumstances generate hundreds of thousands of requests - sometimes 30-40 per second from one single host. That's where the entire "misconfigured DNS" idea falls slightly apart, don't you agree? I mean, if I came here wondering about these wpad.dat requests I see now and then, then that would be a logical question. But I get about 20-30 requests per second, every second. That just can't be due to a misconfigured wildcard DNS. Or do you think I am jumping to conclusions? -- Sandman[.net]
Back to comp.os.linux.networking | Previous | Next — Previous in thread | Next in thread | Find similar
wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-24 11:22 +0200
Re: wpad.dat attack on Linux Apache server Richard Kettlewell <rjk@greenend.org.uk> - 2013-05-24 10:37 +0100
Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-24 11:44 +0200
Re: wpad.dat attack on Linux Apache server Richard Kettlewell <rjk@greenend.org.uk> - 2013-05-24 11:04 +0100
Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-24 12:13 +0200
Re: wpad.dat attack on Linux Apache server Richard Kettlewell <rjk@greenend.org.uk> - 2013-05-24 11:20 +0100
Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-24 12:23 +0200
Re: wpad.dat attack on Linux Apache server J G Miller <miller@yoyo.ORG> - 2013-05-24 11:07 +0000
Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-24 14:43 +0200
Re: wpad.dat attack on Linux Apache server Casper H.S. Dik <Casper.Dik@OrSPaMcle.COM> - 2013-05-24 13:05 +0000
Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-24 15:14 +0200
Re: wpad.dat attack on Linux Apache server Joe Beanfish <joebeanfish@nospam.duh> - 2013-05-24 13:39 +0000
Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-24 16:23 +0200
Re: wpad.dat attack on Linux Apache server Richard Kettlewell <rjk@greenend.org.uk> - 2013-05-24 15:13 +0100
Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-24 16:26 +0200
Re: wpad.dat attack on Linux Apache server Richard Kettlewell <rjk@greenend.org.uk> - 2013-05-24 17:38 +0100
Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-24 19:02 +0200
Re: wpad.dat attack on Linux Apache server Richard Kettlewell <rjk@greenend.org.uk> - 2013-05-24 18:45 +0100
Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-24 21:12 +0200
Re: wpad.dat attack on Linux Apache server Casper H.S. Dik <Casper.Dik@OrSPaMcle.COM> - 2013-05-24 16:47 +0000
Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-24 18:53 +0200
Re: wpad.dat attack on Linux Apache server J G Miller <miller@yoyo.ORG> - 2013-05-24 17:15 +0000
Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-24 21:20 +0200
Re: wpad.dat attack on Linux Apache server Richard Kettlewell <rjk@greenend.org.uk> - 2013-05-25 08:45 +0100
Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-25 09:54 +0200
Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-25 10:04 +0200
Re: wpad.dat attack on Linux Apache server Casper H.S. Dik <Casper.Dik@OrSPaMcle.COM> - 2013-05-26 10:12 +0000
Re: wpad.dat attack on Linux Apache server "David W. Hodgins" <dwhodgins@nomail.afraid.org> - 2013-05-24 13:50 -0400
Re: wpad.dat attack on Linux Apache server Richard Kettlewell <rjk@greenend.org.uk> - 2013-05-24 19:10 +0100
Re: wpad.dat attack on Linux Apache server Richard Kettlewell <rjk@greenend.org.uk> - 2013-05-24 19:15 +0100
Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-24 21:33 +0200
Re: wpad.dat attack on Linux Apache server Richard Kettlewell <rjk@greenend.org.uk> - 2013-05-25 08:38 +0100
Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-24 21:25 +0200
Re: wpad.dat attack on Linux Apache server Whiskers <catwheezel@operamail.com> - 2013-05-25 15:52 +0100
Re: wpad.dat attack on Linux Apache server Roger <invalid@invalid.invalid> - 2013-05-25 17:19 +0100
Re: wpad.dat attack on Linux Apache server J G Miller <miller@yoyo.ORG> - 2013-05-25 17:22 +0000
Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-25 19:41 +0200
Re: wpad.dat attack on Linux Apache server Chris Davies <chris-usenet@roaima.co.uk> - 2013-05-24 12:31 +0100
Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-24 14:29 +0200
Re: wpad.dat attack on Linux Apache server Chris Davies <chris-usenet@roaima.co.uk> - 2013-05-24 23:45 +0100
Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-24 14:49 +0200
Re: wpad.dat attack on Linux Apache server jcharth@gmail.com - 2013-05-28 12:45 -0700
csiph-web