| From | Sandman <mr@sandman.net> |
|---|---|
| Newsgroups | comp.os.linux.networking, comp.os.linux.security, comp.infosystems.www.servers.unix |
| Subject | Re: wpad.dat attack on Linux Apache server |
| Date | 2013-05-24 19:02 +0200 |
| Message-ID | <mr-6FFDCD.19021324052013@News.Individual.NET> |
| References | (9 earlier) <519f6593$0$15954$e4fe514c@news2.news.xs4all.nl> <mr-D7D3D2.15141924052013@News.Individual.NET> <8761y8qxcr.fsf@araminta.anjou.terraraq.org.uk> <mr-870DFD.16265624052013@News.Individual.NET> <87d2sgl4e2.fsf@araminta.anjou.terraraq.org.uk> |
Cross-posted to 3 groups.
In article <87d2sgl4e2.fsf@araminta.anjou.terraraq.org.uk>, Richard Kettlewell <rjk@greenend.org.uk> wrote:

> > Even so, the requests I get look largely like this:
> >
> > 94.254.41.78 cluster.atlascms.se - [24/May/2013:16:25:24 +0200] "GET /wpad.dat HTTP/1.1" 200 70 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Win32; Trident/6.0)"
> >
> > I.e. a request to that domain name, not to a wpad subdomain. So the wildcard DNS thing doesn't seem to even apply... Or am I mistaken?
>
> I agree; I think the wildcard was probably a red herring, and the longer it gets since you removed it, the more certain that is (although it's worth remembering that not all DNS clients honor TTLs correctly).

Indeed.

> The request doesn't seem consistent with the way that wpad searching is described as working, but of course it may be that there's more to the implementation than the various descriptions online imply.

Or this seemingly benign request is used to stage a flood attack against me or my clients. Since Google can't find any more serious attacks, especially not a current one (there is that one forum post), I am starting to wonder why this is.

> Do you have any idea how many distinct addresses are involved?

I now have a cronjob that reads the access_log file for wpad.dat requests and then adds them to a blacklist and to iptables. It has been in effect for maybe two hours and the list is 4000 IPs long. 4000 seemingly normal Swedish IPs from normal Swedish ISPs. All bombarding me with millions of wpad.dat requests. Some IPs send 30-40 requests per second in a burst. With 4000 in two hours, I'm guessing that tomorrow morning it will be over 10000, and then using iptables becomes increasingly stupid.

> Are they in fact _all_ Swedish IP addresses or are any of them from further afield?

I have made samples now and then - all have been Swedish IPs according to various online ip -> location functions.

> Can you tell whether any are associated with any of your customers (e.g. if you keep logs of where they upload from, do any of the oddly behaving clients appear there)?

Even so, I don't have anywhere near 4000 customers, so this can't be due to one of my clients' faulty network either. This seems like a targeted attack.

> Have you recently annoyed anyone who might have sufficiently poor judgement to launch a DDoS attack?

I can think of only one person (from here on usenet) but he's from America and I doubt he has the ability to muster a botnet of Swedish-only clients. He has tried to flood me before, but only from a single IP. So no, I have to answer that I know of no one that could do this specifically against *me*. Maybe against one of my clients? Because, if they were targeting me, they would target my homepage (sandman.net) or some other; these attacks seem to either target the IP or my cluster domain name - and the cluster domain is not something used for anything but DNS redirection.

-- 
Sandman[.net]
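A defender-side version of the log scan the poster describes, as an added example that is not the poster's cronjob: it parses lines in the log format quoted in the post, collects /wpad.dat requests per client address, and flags addresses that exceed a per-second burst or an overall total. The thresholds, the 192.0.2.x addresses and the sample log itself are constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the format quoted in the thread:
# client vhost user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<vhost>\S+) \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def parse_line(line):
    """Return (ip, vhost, path, datetime), or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), m.group("vhost"), m.group("path"), ts

def wpad_hits(log_text):
    """Map each client IP to the timestamps of its /wpad.dat requests."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[2].split("?", 1)[0] == "/wpad.dat":
            hits[parsed[0]].append(parsed[3])
    return hits

def peak_per_second(times):
    """Largest number of requests that fall in the same wall-clock second."""
    per_sec = defaultdict(int)
    for t in times:
        per_sec[t.replace(microsecond=0)] += 1
    return max(per_sec.values(), default=0)

def offenders(log_text, burst=5, total=20):
    """IPs whose wpad.dat traffic exceeds a per-second burst or an overall total.

    Thresholds are assumptions for this example; the thread reports bursts
    of 30-40 requests per second from single addresses.
    """
    return sorted(ip for ip, times in wpad_hits(log_text).items()
                  if peak_per_second(times) >= burst or len(times) >= total)

# Constructed sample: one address bursting six times in one second, one
# legitimate single fetch, one request for another path, and a line that
# does not parse and is skipped.
_BURST = ['94.254.41.78 cluster.atlascms.se - [24/May/2013:16:25:24 +0200] '
          '"GET /wpad.dat HTTP/1.1" 200 70 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Win32; Trident/6.0)"'] * 6
SAMPLE_LOG = "\n".join(_BURST + [
    '192.0.2.10 cluster.atlascms.se - [24/May/2013:16:25:25 +0200] "GET /wpad.dat HTTP/1.1" 200 70 "-" "-"',
    '192.0.2.11 cluster.atlascms.se - [24/May/2013:16:25:26 +0200] "GET /index.html HTTP/1.1" 200 512 "-" "-"',
    'garbage line that does not parse',
])

if __name__ == "__main__":
    print(offenders(SAMPLE_LOG))
```

Feeding the flagged addresses into an ipset set rather than one iptables rule per address keeps the firewall lookup cheap as the list grows into the thousands.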