From: Sandman
Newsgroups: comp.os.linux.networking,comp.os.linux.security,comp.infosystems.www.servers.unix
Subject: Re: wpad.dat attack on Linux Apache server
Date: Fri, 24 May 2013 15:14:19 +0200

Casper H.S. Dik wrote:

> >Yes, I have seen this thread, and they are talking about wildcard DNS
> >being the culprit - I have yet to understand how this applies to me?
>
> All systems shipped these days are configured to search for an
> automatic proxy configuration from "http://wpad/wpad.dat"

All? I thought it was a Windows thing.

> Because of your use of wildcard DNS *everyone* who starts their
> web browser will find wpad.their.domain then look for it on
> your webserver.

Why? I mean - when they go to wpad.their.domain, why would they end up
with the IP of my server, or the CNAME of cluster.mydomain.com? That's
the part I just can't understand.

> Your ip filtering rules block your customers; it also makes their
> web experience interesting (it will take some time before the system
> figures out that there is no wpad.dat and will then connect to
> the internet directly)

But the people surfing to my web server wouldn't be asking my server, any
more than microsoft.com, for information about their own network's proxy
settings, surely?

> >I mean - I *DO* use wildcard DNS for all domains that I have a DNS for.
> >The DNS server is on the machine that is currently being flooded on port
> >80. Ok. So the DNS is "ns1.mydomain.com" (for example).
>
> Well, you shouldn't have done that.

Fair enough, but I still don't know how that messed this up. I just can't
wrap my head around it.

> > 1. Why would thousands of clients per minute all over Sweden ask for
> > a wpad.dat file on *my* machine? According to the standard, they
> > should be asking for it on wpad.*client.com*, not wpad.mydomain.com
>
> But you're serving their domains too, right?

No. Only my own domains. Their IT managers have set up their subdomains
(i.e. www.) to point to cluster.mydomain.com which points to my IP

-- 
Sandman[.net]
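The mechanism the two of them are arguing about, as an added illustration that is not code from the thread: WPAD clients do DNS "devolution" (try wpad.<client's domain>, then strip a label and try again), and a wildcard record answers every name under the zone that does not already exist. The toy resolver below implements the RFC 4592 wildcard rules (exact name first, otherwise the wildcard at the closest enclosing name, blocked if an existing name sits in between) against a constructed mydomain.com zone in the shape Sandman describes. The zone contents, the client host names and the addresses 198.51.100.10 and 192.0.2.5 are all hypothetical; the example does not claim to explain why customer.se clients in particular reach his server, only which lookups the wildcard does and does not catch.

```python
# Added example (not from the thread): simulate WPAD DNS discovery against
# a zone that carries a wildcard record.  Every name and address here is
# constructed for the illustration.

# Toy zone for mydomain.com in the shape the post describes: a wildcard
# that CNAMEs everything to cluster.mydomain.com.  198.51.100.10 is a
# made-up address for the web cluster.  The dict stands in for all of DNS,
# so anything not in it is treated as NXDOMAIN.
WILDCARD_ZONE = {
    "mydomain.com": {"A": "198.51.100.10"},
    "cluster.mydomain.com": {"A": "198.51.100.10"},
    "*.mydomain.com": {"CNAME": "cluster.mydomain.com"},
}

# Same zone with an explicit wpad record (192.0.2.5 is a hypothetical host
# that would serve a harmless PAC or a fast 404).  Used below to show what
# an explicit record does and does not shadow.
FIXED_ZONE = {**WILDCARD_ZONE, "wpad.mydomain.com": {"A": "192.0.2.5"}}


def name_exists(name, zone):
    """A name exists in DNS if it owns records or has descendants
    (an empty non-terminal).  Wildcard owner names are ignored here."""
    return any(k == name or k.endswith("." + name)
               for k in zone if not k.startswith("*."))


def resolve(name, zone, _depth=0):
    """Resolve name to an A record using RFC 4592 wildcard rules:
    exact match first; otherwise the wildcard under the closest enclosing
    name that exists, but only if no existing name lies in between.
    Follows CNAME chains.  Returns None for NXDOMAIN."""
    if _depth > 8:                      # CNAME loop guard
        return None
    rrset = zone.get(name)
    if rrset is None:
        labels = name.split(".")
        for i in range(1, len(labels)):
            ancestor = ".".join(labels[i:])
            if name_exists(ancestor, zone):
                # closest encloser found: only its own wildcard may answer
                rrset = zone.get("*." + ancestor)
                break
    if rrset is None:
        return None
    if "CNAME" in rrset:
        return resolve(rrset["CNAME"], zone, _depth + 1)
    return rrset.get("A")


def wpad_candidates(client_fqdn):
    """Names a WPAD client tries, in order: drop the host label, prepend
    'wpad', then keep dropping the leftmost label until only the
    second-level domain is left (Windows-style devolution)."""
    labels = client_fqdn.rstrip(".").split(".")
    return ["wpad." + ".".join(labels[i:]) for i in range(1, len(labels) - 1)]


def wpad_target(client_fqdn, zone):
    """Where a client on host client_fqdn would fetch /wpad.dat from:
    (name, ip, url) for the first candidate that resolves, else None."""
    for cand in wpad_candidates(client_fqdn):
        ip = resolve(cand, zone)
        if ip is not None:
            return cand, ip, "http://%s/wpad.dat" % cand
    return None


if __name__ == "__main__":
    for host in ("laptop.stockholm.mydomain.com", "pc.mydomain.com",
                 "pc7.branch.customer.se"):
        print("%-32s wildcard zone: %s" % (host, wpad_target(host, WILDCARD_ZONE)))
        print("%-32s with wpad rr:  %s" % (host, wpad_target(host, FIXED_ZONE)))
```

Two things worth noticing when running it. A client whose search domain is under mydomain.com (any label, even one that has never been defined) resolves wpad.<label>.mydomain.com through the wildcard and goes straight to the cluster for /wpad.dat; a client under customer.se gets NXDOMAIN from this zone and never arrives. And adding an explicit wpad.mydomain.com record only shadows the wildcard for that exact name: wpad.<anything>.mydomain.com still hits the wildcard unless <anything>.mydomain.com itself exists, so an explicit record is not a substitute for removing the wildcard.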