

Groups > comp.os.linux.security > #293

Re: wpad.dat attack on Linux Apache server

From Sandman <mr@sandman.net>
Newsgroups comp.os.linux.networking, comp.os.linux.security, comp.infosystems.www.servers.unix
Subject Re: wpad.dat attack on Linux Apache server
Date 2013-05-24 14:43 +0200
Message-ID <mr-011092.14433624052013@News.Individual.NET>
References <87ppwgr8wz.fsf@araminta.anjou.terraraq.org.uk> <mr-794073.12134024052013@News.Individual.NET> <87k3mor85j.fsf@araminta.anjou.terraraq.org.uk> <mr-17CDE1.12235424052013@News.Individual.NET> <knnhma$50u$4@dont-email.me>



In article <knnhma$50u$4@dont-email.me>, J G Miller <miller@yoyo.ORG> 
wrote:

> On Friday, May 24th, 2013, at 12:23:54h +0200, Sandman pondered:
> 
> > I thought that rejecting the TCP request in iptables blocked the request 
> > from ever reaching the httpd process. 
> 
> You need to re-read the very first reply from R J Kettlwell.
> 
> The sequence of events is, you have an open port 80, so
> some remote host connects on port 80 to your Apache server
> which then is waiting for data on what to do next.
> 
> Now you have suggested a rule
> 
>    iptables -I INPUT -p tcp --dport 80 -m string --to 70 --algo bm \
>       --string "GET /wpad.dat" -j REJECT --reject-with tcp-reset
> 
> This will reject any packets containing the string "GET /wpad.dat"
> but it will not close the already opened connection to apache
> and furthermore will not block any packets from the host which do
>  not contain the string "GET /wpad.dat".
> 
>               DON'T PANIC
> 
> A quick web search reveals that other people have had
> this problem and it is probably not a malicious attack
> but most probably misbehaving Windoze 7 clients.
> 
> Please read the discussion at
> 
>    <http://forums.freebsd.ORG/showthread.php?t=27668>
> 
> which after three pages offers a potential solution to the problem.

Yes, I have seen this thread, and they are talking about wildcard DNS 
being the culprit - I have yet to understand how this applies to me?

I mean - I *DO* use wildcard DNS for all domains that I have a DNS for. 
The DNS server is on the machine that is currently being flooded on port 
80. Ok. So the DNS is "ns1.mydomain.com" (for example).

So, for my clients - whose web pages I host on this machine, I tell 
*them* to point their subdomains (i.e. www.client.com) to the domain name 
"cluster.mydomain.com" as a CNAME record.

Now, when the visitor types in www.client.com into the web browser, 
their DNS says that that resolves to cluster.mydomain.com - which in turn 
has an A record for an IP number. So in the end, they surf to 
cluster.mydomain.com asking for www.client.com.

This works very well and has for more than a year.

Now, mydomain.com has a wildcard DNS, meaning that 
"lkjkljklj.mydomain.com" points to "cluster.mydomain.com" and then to 
the IP.

According to that thread, Internet Explorer and/or Windows makes 
assumptions about where to look for "wpad.dat", a javascript file that 
aims to provide the browser/the OS info about proxy servers.

So, Windows/IE asks for "http://wpad.client.com:80/wpad.dat" (as far as 
I know) and that's where the problem is.

Now, to counter this:

 1. I have removed wildcard DNS on mydomain.com;
    propagation may take a while though.

 2. I am actively pointing wpad.mydomain.com to
    127.0.0.1, also waiting for the TTL there.

 3. I am trying to use iptables to block these accesses

The open questions seem to be several, which the forum thread doesn't 
seem to have an answer for:

 1. Why would thousands of clients per minute all over Sweden ask for 
    a wpad.dat file on *my* machine? According to the standard, they
    should be asking for it on wpad.*client.com*, not wpad.mydomain.com

 2. And why the *excessive* amount of traffic? Several hundred IPs 
    make up thousands of requests per minute, meaning that one IP often
    makes several requests.

 3. Blocking these IP numbers, would I also be blocking their normal 
    traffic to the server? Meaning, is this flooding some form of
    collateral traffic from normal surfing?

Thanks for all your replies, guys. This is a huge problem for me right 
now...


-- 
Sandman[.net]
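The three open questions above can be answered from the Apache access log before touching iptables: which Host names the wpad.dat probes are sent to (question 1), how many probes each client IP makes (question 2), and whether the probing IPs also fetch normal pages, in which case blocking them at the firewall would cut off real visitors (question 3). The following script is an added example and is not code from the thread or from any of its participants. It assumes a hypothetical Apache LogFormat that prefixes the standard combined format with the request's Host header (`%{Host}i`), because the default combined format does not record which name the client asked for; the log lines embedded below are constructed, using documentation IP ranges, purely to exercise the parser.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed (hypothetical) Apache LogFormat, not something the thread specifies:
#   LogFormat "%{Host}i %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" hostlog
LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log: one IP hammering wpad.dat, one IP that probes once
# and then browses a hosted site, one ordinary visitor, and one junk line.
SAMPLE_LOG = """\
wpad.mydomain.com 192.0.2.10 - - [24/May/2013:14:40:01 +0200] "GET /wpad.dat HTTP/1.1" 404 503 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"
wpad.mydomain.com 192.0.2.10 - - [24/May/2013:14:40:03 +0200] "GET /wpad.dat HTTP/1.1" 404 503 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"
wpad.mydomain.com 192.0.2.10 - - [24/May/2013:14:40:06 +0200] "GET /wpad.dat HTTP/1.1" 404 503 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"
wpad.mydomain.com 198.51.100.7 - - [24/May/2013:14:40:07 +0200] "GET /wpad.dat HTTP/1.1" 404 503 "-" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
www.client.com 198.51.100.7 - - [24/May/2013:14:40:09 +0200] "GET /index.html HTTP/1.1" 200 8123 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/21.0"
www.client.com 203.0.113.5 - - [24/May/2013:14:40:12 +0200] "GET /images/logo.png HTTP/1.1" 200 2211 "http://www.client.com/" "Mozilla/5.0 (Windows NT 6.1) Firefox/21.0"
this is not a log line
"""


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    parts = rec["request"].split()
    # A WPAD probe is a request whose path (ignoring any query string) is /wpad.dat.
    rec["is_wpad"] = len(parts) >= 2 and parts[1].split("?")[0] == "/wpad.dat"
    return rec


def summarize(lines):
    """Per-IP counts of wpad.dat probes vs. all other requests, plus the
    Host names the probes were addressed to."""
    per_ip = defaultdict(lambda: {"wpad": 0, "other": 0, "hosts": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines instead of aborting the whole run
        stats = per_ip[rec["ip"]]
        if rec["is_wpad"]:
            stats["wpad"] += 1
            stats["hosts"].add(rec["host"])
        else:
            stats["other"] += 1
    return per_ip


def wpad_hosts(per_ip):
    """Host header values the probes were sent to (question 1)."""
    names = set()
    for stats in per_ip.values():
        names |= stats["hosts"]
    return sorted(names)


def repeat_probers(per_ip, min_hits=2):
    """IPs that asked for wpad.dat at least min_hits times (question 2)."""
    return sorted(ip for ip, s in per_ip.items() if s["wpad"] >= min_hits)


def wpad_only_ips(per_ip):
    """IPs whose only traffic is wpad.dat probes: blocking them costs no real visitor."""
    return sorted(ip for ip, s in per_ip.items() if s["wpad"] and not s["other"])


def mixed_ips(per_ip):
    """IPs that probe wpad.dat *and* fetch normal pages: a firewall block on
    these is collateral damage (question 3)."""
    return sorted(ip for ip, s in per_ip.items() if s["wpad"] and s["other"])


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG.splitlines())
    print("Host names probed for wpad.dat:", wpad_hosts(stats))
    print("Repeat probers (>= 2 hits):     ", repeat_probers(stats))
    print("Safe to block (wpad-only):      ", wpad_only_ips(stats))
    print("Would also cut real visitors:   ", mixed_ips(stats))
```

Run it against a real log with `summarize(open("/var/log/apache2/access.log"))` once the Host-aware format is in place. The split between wpad-only and mixed IPs is the number that decides whether a per-IP firewall rule is acceptable; if most probing IPs also appear in the "mixed" list, an Apache-level answer (a vhost for the wpad name returning a tiny static response) loses less than a REJECT on port 80.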



Thread

wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-24 11:22 +0200
  Re: wpad.dat attack on Linux Apache server Richard Kettlewell <rjk@greenend.org.uk> - 2013-05-24 10:37 +0100
    Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-24 11:44 +0200
      Re: wpad.dat attack on Linux Apache server Richard Kettlewell <rjk@greenend.org.uk> - 2013-05-24 11:04 +0100
        Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-24 12:13 +0200
          Re: wpad.dat attack on Linux Apache server Richard Kettlewell <rjk@greenend.org.uk> - 2013-05-24 11:20 +0100
            Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-24 12:23 +0200
              Re: wpad.dat attack on Linux Apache server J G Miller <miller@yoyo.ORG> - 2013-05-24 11:07 +0000
                Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-24 14:43 +0200
                Re: wpad.dat attack on Linux Apache server Casper H.S. Dik <Casper.Dik@OrSPaMcle.COM> - 2013-05-24 13:05 +0000
                Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-24 15:14 +0200
                Re: wpad.dat attack on Linux Apache server Joe Beanfish <joebeanfish@nospam.duh> - 2013-05-24 13:39 +0000
                Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-24 16:23 +0200
                Re: wpad.dat attack on Linux Apache server Richard Kettlewell <rjk@greenend.org.uk> - 2013-05-24 15:13 +0100
                Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-24 16:26 +0200
                Re: wpad.dat attack on Linux Apache server Richard Kettlewell <rjk@greenend.org.uk> - 2013-05-24 17:38 +0100
                Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-24 19:02 +0200
                Re: wpad.dat attack on Linux Apache server Richard Kettlewell <rjk@greenend.org.uk> - 2013-05-24 18:45 +0100
                Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-24 21:12 +0200
                Re: wpad.dat attack on Linux Apache server Casper H.S. Dik <Casper.Dik@OrSPaMcle.COM> - 2013-05-24 16:47 +0000
                Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-24 18:53 +0200
                Re: wpad.dat attack on Linux Apache server J G Miller <miller@yoyo.ORG> - 2013-05-24 17:15 +0000
                Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-24 21:20 +0200
                Re: wpad.dat attack on Linux Apache server Richard Kettlewell <rjk@greenend.org.uk> - 2013-05-25 08:45 +0100
                Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-25 09:54 +0200
                Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-25 10:04 +0200
                Re: wpad.dat attack on Linux Apache server Casper H.S. Dik <Casper.Dik@OrSPaMcle.COM> - 2013-05-26 10:12 +0000
                Re: wpad.dat attack on Linux Apache server "David W. Hodgins" <dwhodgins@nomail.afraid.org> - 2013-05-24 13:50 -0400
                Re: wpad.dat attack on Linux Apache server Richard Kettlewell <rjk@greenend.org.uk> - 2013-05-24 19:10 +0100
                Re: wpad.dat attack on Linux Apache server Richard Kettlewell <rjk@greenend.org.uk> - 2013-05-24 19:15 +0100
                Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-24 21:33 +0200
                Re: wpad.dat attack on Linux Apache server Richard Kettlewell <rjk@greenend.org.uk> - 2013-05-25 08:38 +0100
                Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-24 21:25 +0200
                Re: wpad.dat attack on Linux Apache server Whiskers <catwheezel@operamail.com> - 2013-05-25 15:52 +0100
                Re: wpad.dat attack on Linux Apache server Roger <invalid@invalid.invalid> - 2013-05-25 17:19 +0100
                Re: wpad.dat attack on Linux Apache server J G Miller <miller@yoyo.ORG> - 2013-05-25 17:22 +0000
                Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-25 19:41 +0200
              Re: wpad.dat attack on Linux Apache server Chris Davies <chris-usenet@roaima.co.uk> - 2013-05-24 12:31 +0100
                Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-24 14:29 +0200
                Re: wpad.dat attack on Linux Apache server Chris Davies <chris-usenet@roaima.co.uk> - 2013-05-24 23:45 +0100
  Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-24 14:49 +0200
