From: Sandman
Newsgroups: comp.os.linux.networking,comp.os.linux.security,comp.infosystems.www.servers.unix
Subject: Re: wpad.dat attack on Linux Apache server
Date: Fri, 24 May 2013 14:29:32 +0200

Chris Davies wrote:

> > I thought that rejecting the TCP request in iptables blocked the request
> > from ever reaching the httpd process. Obviously it isn't blocked from
> > the *machine*, and I apologize if you thought that was what I meant.
>
> The TCP sequence goes like this:
>
> 1. Remote sends SYN to Webserver
> 2. Webserver sends SYN/ACK to Remote
> 3. Remote sends ACK to Webserver
> --connection now established--
> 4. Remote sends "GET / HTTP/1.0 [..etc..]" to Webserver
> 5. Webserver sends ACK to Remote
> 6. Webserver sends the HTTP response to Remote
> 7. Remote sends ACK
> 8. Connection gets reused (from #4) or closed (FIN - FIN/ACK)
>
> Often #3 and #4 are merged, and potentially #5 and #6 could be, too. Item
> #6 might be spread across several packets, in which case the Remote will
> send an ACK (#7) for each packet.
>
> Your iptables rule matches #4, but by this stage the Webserver has already
> got a connection established from the Remote, and possibly even an Apache
> child ready to serve it.
Ok, thank you for the explanation, I had that backwards. So, where would I
start to find out who has made a /wpad.dat request, and then add them to a
firewall IP block list? Maybe that's the best route to go?

-- 
Sandman[.net]
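One way to do what the post above asks for, as an added example that is not part of the original thread: pull the client addresses out of Apache's access log for every request whose path is exactly /wpad.dat, de-duplicate them, and turn the list into firewall commands. The log lines, the ipset name `wpad_abusers` and the log path comments are assumptions for the demonstration; the log lines are constructed, and the firewall commands are printed rather than executed so the script is safe to run anywhere.

```shell
#!/bin/sh
# Added example (not from the original thread): list every client that has
# requested /wpad.dat from an Apache "combined" format access log and emit
# the iptables/ipset commands that would block them.  On Debian/Ubuntu the
# real file is usually /var/log/apache2/access.log, on RHEL derivatives
# /var/log/httpd/access_log; pass the path as an argument to wpad_clients.

# Constructed sample log: three /wpad.dat requests from two clients, plus
# ordinary traffic and a look-alike path that must NOT be matched.
sample_log() {
    cat <<'EOF'
203.0.113.7 - - [24/May/2013:12:01:05 +0200] "GET /wpad.dat HTTP/1.1" 404 312 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
198.51.100.3 - - [24/May/2013:12:01:09 +0200] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [24/May/2013:12:02:17 +0200] "GET /wpad.dat HTTP/1.0" 404 312 "-" "WinHttp-Autoproxy-Service/5.1"
198.51.100.3 - - [24/May/2013:12:03:00 +0200] "GET /notwpad.dat HTTP/1.1" 404 312 "-" "curl/7.29"
203.0.113.7 - - [24/May/2013:12:05:41 +0200] "GET /wpad.dat?x=1 HTTP/1.1" 404 312 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
EOF
}

# Print one client address per line (de-duplicated) for every request whose
# path is exactly /wpad.dat, with or without a query string, any method.
# The combined format puts the client address in the first space-separated
# field and the request line in the first double-quoted field, so we split on
# the quote character and inspect the path itself instead of grepping the
# whole line: a referer or user-agent string mentioning wpad.dat, or a path
# such as /notwpad.dat, must not count.  Reads the files given, else stdin.
wpad_clients() {
    awk -F'"' '{
        split($2, req, " ")            # req[1]=method req[2]=path req[3]=proto
        path = req[2]
        sub(/\?.*/, "", path)          # drop any query string
        if (tolower(path) == "/wpad.dat") {
            split($1, pre, " ")        # pre[1] is the client address
            print pre[1]
        }
    }' "$@" | sort -u
}

# Turn a list of addresses (stdin, one per line) into firewall commands.
# An ipset (hash of addresses) is used so the block list can grow without
# adding one iptables rule per client; the single DROP rule is only inserted
# if it is not already present (-C checks, -I inserts).  Commands are printed,
# not run: pipe the output into sh as root once you have reviewed it.
block_rules() {
    echo "ipset create wpad_abusers hash:ip -exist"
    echo "iptables -C INPUT -p tcp --dport 80 -m set --match-set wpad_abusers src -j DROP 2>/dev/null || \\"
    echo "    iptables -I INPUT -p tcp --dport 80 -m set --match-set wpad_abusers src -j DROP"
    while read -r ip; do
        echo "ipset add wpad_abusers $ip -exist"
    done
}

# Stand-alone run: show who asked for /wpad.dat, then the rules to block them.
main() {
    echo "# clients that requested /wpad.dat:"
    sample_log | wpad_clients
    echo "# firewall commands:"
    sample_log | wpad_clients | block_rules
}

main
```

Two caveats follow from the TCP explanation quoted above. A log-driven block is reactive: each offending client's first request still completes the handshake and reaches an Apache child before it appears in the log, so this only stops repeat offenders. And because the addresses come from the log, run it periodically (or let fail2ban, which automates exactly this log-regex-to-iptables loop, do it) rather than once.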