Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]
Groups > comp.os.linux.security > #314
| Path | csiph.com!usenet.pasdenom.info!weretis.net!feeder4.news.weretis.net!newsfeed.fsmpi.rwth-aachen.de!news-1.dfn.de!news.dfn.de!fu-berlin.de!uni-berlin.de!individual.net!not-for-mail |
|---|---|
| From | Sandman <mr@sandman.net> |
| Newsgroups | comp.os.linux.networking, comp.os.linux.security, comp.infosystems.www.servers.unix |
| Subject | Re: wpad.dat attack on Linux Apache server |
| Date | Fri, 24 May 2013 21:20:29 +0200 |
| Lines | 70 |
| Message-ID | <mr-F2952F.21202924052013@News.Individual.NET> (permalink) |
| References | <mr-983E88.11221424052013@News.Individual.NET> <87vc68ra57.fsf@araminta.anjou.terraraq.org.uk> <mr-05E7DC.11442724052013@News.Individual.NET> <87ppwgr8wz.fsf@araminta.anjou.terraraq.org.uk> <mr-794073.12134024052013@News.Individual.NET> <87k3mor85j.fsf@araminta.anjou.terraraq.org.uk> <mr-17CDE1.12235424052013@News.Individual.NET> <knnhma$50u$4@dont-email.me> <mr-011092.14433624052013@News.Individual.NET> <519f6593$0$15954$e4fe514c@news2.news.xs4all.nl> <mr-D7D3D2.15141924052013@News.Individual.NET> <8761y8qxcr.fsf@araminta.anjou.terraraq.org.uk> <mr-870DFD.16265624052013@News.Individual.NET> <519f999f$0$15903$e4fe514c@news2.news.xs4all.nl> <mr-C61E2B.18533924052013@News.Individual.NET> <kno77s$78m$2@dont-email.me> |
| Mime-Version | 1.0 |
| Content-Type | text/plain; charset=UTF-8 |
| Content-Transfer-Encoding | 8bit |
| X-Trace | individual.net gwS+ku7x7HK/RDc9S77I7AztKmMPlKAadszvfdAkgpWxcktu0= |
| X-Orig-Path | mr |
| Cancel-Lock | sha1:xmxgUfvKXH/1Bgt6kcRkc3MNaeM= |
| User-Agent | MT-NewsWatcher/3.5.2 (Intel Mac OS X) |
| X-Face | $@,Vfa$,)%=Qa7L]y)&oZj_\EiHc}}A<Y3TvbI2&|e"bE9zc[o<ThMgB4%*L$b1YsNl!/ <lHO$>f0Bei"4a_%)"c6TQ+P/:53>;PNGuWUmkqyeN-qM65foJ[;T_(k;>]&G\T4Lhm:2 ujye2_,iUJFE;NZn>y;.|-hl7g~bIOF1qG\o<?]4mXkW*mT3]{Bn&VwP7(M0uYnGA!V!? {"y?BkBDW6e-.=I5 |
| X-Killfiled | yttrx, gallopinginsanity.com, Mark Kent, Maverick, Nasht.n, NRen2, MuahMan, weedhopper, PC Guy, Brian, nospam@nospam.com, Oxford, Jim Lee Jr., Mocassin Joe, zara, Chance Furlong, Robert Whelan, jt2002a@hotmail.com |
| Xref | csiph.com comp.os.linux.networking:2159 comp.os.linux.security:314 comp.infosystems.www.servers.unix:196 |
Cross-posted to 3 groups.
Show key headers only | View raw
In article <kno77s$78m$2@dont-email.me>, J G Miller <miller@yoyo.ORG> wrote: > > No, that's the thing - "stadsnat.se" is not a domain I am > > administering. It's one of my clients domains. They wouldn't wildcard > > DNS and send ALL requests to me - only web requests (so www would > > point to me). > > Did you read this article? > > <https://nodpi.ORG/2013/05/09/wpad-the-internet-explorer-security-flaw-that-ex > poses-all-microsoft-users-in-the-uk/> Not that one specifically, but I have read about the point he is making. > According to that article all Microsoft Internet Explorer users in > the UKofGB&NI are being directed by default towards a site run by a > Brazilian, which obviously is not their DNS provider. Which is due to UK citizens usually having a two part top level domain name. WPAD see's the domain "domain.co.uk" and thinks (correctly, one might add) that "domain" is a subdomain to "co" which is the local domain to the top level "uk". Which means that "wpad.co.uk" is a logical assumption for this function. This is not relevant to atlascms.se or any of swedish domains, really (we did have the pp.se domain thing for private person, but that was a decade ago). > QUOTE > > Sadly WPAD has some serious flaws. In particular, if DHCP discovery > fails… WPAD reverts to a crude search for a source of configuration > using DNS. > > In Windows, this search appears to be governed by the > > *DNS suffixes used to resolve unqualified domain names* > > (see the Advanced TCP/IP Settings dialog, right). > > > UNQUOTE > > Perhaps you appearing as wpad.yourdomain.se because of the above (and maybe > repeated combinations thereof because of your wild card setup) and so every > MSIE from your clients tries that in its crude attempts to find > the wpad proxy info? The only one of my clients that have wildcard:ed their domain to me is opennet.se, I'll have a talk to them. As far as I know, they don't have almost 5000 users on their LAN though. because even if what you postulate is a possible scenario, it would under no circumstances generate hundreds of thousands of requests - sometimes 30-40 per second from one single host. That's where the entire "misconfigured DNS" idea falls slightly apart, don't you agree? I mean, if I came here wondering about these wpad.dat requests I see now and then, then that would be a logical question. But I get about 20-30 requests per second, every second. That just can't be due to a misconfigured wildcard DNS. Or do you think I am jumping to conclusions? -- Sandman[.net]
Back to comp.os.linux.security | Previous | Next — Previous in thread | Next in thread | Find similar
wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-24 11:22 +0200
Re: wpad.dat attack on Linux Apache server Richard Kettlewell <rjk@greenend.org.uk> - 2013-05-24 10:37 +0100
Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-24 11:44 +0200
Re: wpad.dat attack on Linux Apache server Richard Kettlewell <rjk@greenend.org.uk> - 2013-05-24 11:04 +0100
Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-24 12:13 +0200
Re: wpad.dat attack on Linux Apache server Richard Kettlewell <rjk@greenend.org.uk> - 2013-05-24 11:20 +0100
Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-24 12:23 +0200
Re: wpad.dat attack on Linux Apache server J G Miller <miller@yoyo.ORG> - 2013-05-24 11:07 +0000
Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-24 14:43 +0200
Re: wpad.dat attack on Linux Apache server Casper H.S. Dik <Casper.Dik@OrSPaMcle.COM> - 2013-05-24 13:05 +0000
Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-24 15:14 +0200
Re: wpad.dat attack on Linux Apache server Joe Beanfish <joebeanfish@nospam.duh> - 2013-05-24 13:39 +0000
Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-24 16:23 +0200
Re: wpad.dat attack on Linux Apache server Richard Kettlewell <rjk@greenend.org.uk> - 2013-05-24 15:13 +0100
Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-24 16:26 +0200
Re: wpad.dat attack on Linux Apache server Richard Kettlewell <rjk@greenend.org.uk> - 2013-05-24 17:38 +0100
Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-24 19:02 +0200
Re: wpad.dat attack on Linux Apache server Richard Kettlewell <rjk@greenend.org.uk> - 2013-05-24 18:45 +0100
Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-24 21:12 +0200
Re: wpad.dat attack on Linux Apache server Casper H.S. Dik <Casper.Dik@OrSPaMcle.COM> - 2013-05-24 16:47 +0000
Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-24 18:53 +0200
Re: wpad.dat attack on Linux Apache server J G Miller <miller@yoyo.ORG> - 2013-05-24 17:15 +0000
Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-24 21:20 +0200
Re: wpad.dat attack on Linux Apache server Richard Kettlewell <rjk@greenend.org.uk> - 2013-05-25 08:45 +0100
Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-25 09:54 +0200
Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-25 10:04 +0200
Re: wpad.dat attack on Linux Apache server Casper H.S. Dik <Casper.Dik@OrSPaMcle.COM> - 2013-05-26 10:12 +0000
Re: wpad.dat attack on Linux Apache server "David W. Hodgins" <dwhodgins@nomail.afraid.org> - 2013-05-24 13:50 -0400
Re: wpad.dat attack on Linux Apache server Richard Kettlewell <rjk@greenend.org.uk> - 2013-05-24 19:10 +0100
Re: wpad.dat attack on Linux Apache server Richard Kettlewell <rjk@greenend.org.uk> - 2013-05-24 19:15 +0100
Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-24 21:33 +0200
Re: wpad.dat attack on Linux Apache server Richard Kettlewell <rjk@greenend.org.uk> - 2013-05-25 08:38 +0100
Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-24 21:25 +0200
Re: wpad.dat attack on Linux Apache server Whiskers <catwheezel@operamail.com> - 2013-05-25 15:52 +0100
Re: wpad.dat attack on Linux Apache server Roger <invalid@invalid.invalid> - 2013-05-25 17:19 +0100
Re: wpad.dat attack on Linux Apache server J G Miller <miller@yoyo.ORG> - 2013-05-25 17:22 +0000
Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-25 19:41 +0200
Re: wpad.dat attack on Linux Apache server Chris Davies <chris-usenet@roaima.co.uk> - 2013-05-24 12:31 +0100
Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-24 14:29 +0200
Re: wpad.dat attack on Linux Apache server Chris Davies <chris-usenet@roaima.co.uk> - 2013-05-24 23:45 +0100
Re: wpad.dat attack on Linux Apache server Sandman <mr@sandman.net> - 2013-05-24 14:49 +0200
csiph-web