From: Sandman
Newsgroups: comp.os.linux.networking,comp.os.linux.security,comp.infosystems.www.servers.unix
Subject: Re: wpad.dat attack on Linux Apache server
Date: Fri, 24 May 2013 16:23:13 +0200

Joe Beanfish wrote:

> >> Well, you shouldn't have done that.
> >
> > Fair enough, but I still don't know how that messed this up. I just
> > can't wrap my head around it.
>
> Wildcard DNS is asking for issues unless you fully understand all the
> ramifications. Best not to use it unless you really really need it and
> fully understand it.

Fair enough.

> You have no entry for "wpad" so your wildcard is used.

Yes, that's how wildcards work - but not only do I not understand why
thousands of hosts from all over the Swedish internet would start to
request wpad.* on my server, some of them up to thirty times per second -
per host! I am also not hosting any of their domains, so why would
they ever come to me to ask for this?

> Get people off your server by creating a wpad entry in your dns that
> points to a nonexistent host or a host you want to handle that
> discovery traffic, even if only to reject it.

I did that yesterday, didn't change a single thing... :(

-- 
Sandman[.net]
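To put numbers on the per-host request rate described in the post above, here is an added example (not part of the original thread) that tallies wpad.dat requests per client from an Apache access log, so the same count can be compared before and after a DNS change. It assumes the common/combined log format; the function names and sample lines are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Apache common/combined log prefix: client, timestamp, request line.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*"')

# Constructed sample lines (documentation IP ranges), not taken from the thread.
SAMPLE_LOG = """\
192.0.2.10 - - [24/May/2013:16:00:01 +0200] "GET /wpad.dat HTTP/1.1" 404 208
192.0.2.10 - - [24/May/2013:16:00:01 +0200] "GET /wpad.dat HTTP/1.1" 404 208
192.0.2.10 - - [24/May/2013:16:00:01 +0200] "GET /wpad.dat HTTP/1.1" 404 208
192.0.2.10 - - [24/May/2013:16:00:02 +0200] "GET /wpad.dat HTTP/1.1" 404 208
198.51.100.7 - - [24/May/2013:16:00:02 +0200] "GET /WPAD.DAT?x=1 HTTP/1.0" 404 208
203.0.113.5 - - [24/May/2013:16:00:03 +0200] "GET /index.html HTTP/1.1" 200 5120
this line is malformed and must be skipped
"""

def wpad_stats(lines):
    """Return {client: (total_wpad_requests, peak_requests_in_one_second)}."""
    per_second = defaultdict(Counter)   # client -> Counter of timestamp strings
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                    # ignore lines that are not log records
        client, stamp, _method, target = m.groups()
        path = target.split("?", 1)[0].lower()  # drop query string, fold case
        if path.endswith("/wpad.dat"):
            per_second[client][stamp] += 1  # log timestamps have 1 s resolution
    return {c: (sum(cnt.values()), max(cnt.values()))
            for c, cnt in per_second.items()}

def noisy_clients(stats, per_second_threshold):
    """Clients whose peak per-second rate reaches the threshold, busiest first."""
    hits = [(c, t, p) for c, (t, p) in stats.items() if p >= per_second_threshold]
    return sorted(hits, key=lambda h: (-h[2], -h[1], h[0]))

if __name__ == "__main__":
    stats = wpad_stats(SAMPLE_LOG.splitlines())
    for client, total, peak in noisy_clients(stats, 1):
        print(f"{client:15} total={total:<4} peak/s={peak}")
```

Resolvers and clients cache DNS answers, so counts taken shortly after a zone change can still reflect the old wildcard answer until its TTL expires.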