Are Patched Domain Name Servers (DNS) Behind N.A.T. Still Vulnerable To DNS Cache Poisoning?
			Aug 7, 2008
				Upon reading http://www.theregister.co.uk/2008/08...sky_black_hat/ it appears those who use network address translation may be vulnerable to DNS cache poisoning even after patching their DNS servers.
"another 15 per cent are still vulnerable to some extent because they use network address translation gear that prevents the patch from working."
Thoughts?
	
    	
    	
        Mar 19, 2008
        What tools do you use to check for DNS Cache Poisoning? Is there any way it can be prevented, and is the problem very prevalent?
  
    
	
    	
    	
        Nov 26, 2007
        What is your opinion on the subject?
How could it be done? 
  
    
	
    	
    	
        Nov 4, 2007
        I recently had a problem with a hacked dedicated server which was attacked by ARP Poisoning and a Remote Desktop man-in-the-middle attack from another dedicated server on the same subnet. Maybe unreasonably I expected controls in place to prevent this, better detection and better handling of this problem, lack of which have left me uneasy about the hosting.
I know using Remote Desktop with a cert would prevent the server being compromised, but my concern would then be HTTP traffic being hijacked and malware insertion, redirection to non HTTPS login pages, redirects to anywhere, etc. If ARP Poisoning occurs then even if my server is fully secure all the web addresses pointing to my server's IP are basically compromised by HTTP traffic redirection.
Before this happened I had assumed (bad idea) that there would be some kind of MAC-level assigning of IP addresses.
What level of protection from this type of problem should I expect from the Dedicated Server supplier on their network? The problem started after I rebooted our server: the IP was grabbed and the network adaptor was disabled due to an IP conflict, so the machine did not respond to pings. I raised a ticket and was told
"when your server came up it couldn't use its assigned IP address as for some unknown reason another device on the network is using its IP, we're tracking down the device and we'll have your server operational in few minutes."
They re-enabled the network adaptor, presumably without fully checking the situation. I assumed the situation was either an innocent misconfiguration or that the issue had been fully investigated and dealt with. I reconnected via Remote Desktop and a few minutes later the server was compromised (wiped event logs, Cain and Abel installed, etc.).
Our machine was wiped and reinstalled and no further problem arose, but they initially seemed to deny that the two issues were related, suggesting it would have been hacked externally via IIS vulnerabilities. Then 18 days later(!) they released a message advising all users with machines on the subnet that they had shut down a malicious machine (not ours) on the subnet and to change passwords, run malware scans, etc.! Whether this was the same original machine or another compromised server I don't know. However, our server was running with Cain and Abel and a whole lot more for quite a while, as I checked it before it was taken offline for reinstallation.
Is this a common occurrence? Do most dedicated hosting providers have proper measures to prevent this or are there any measures I can take to prevent this happening again?
  
    
	
    	
    	
        Jun 26, 2008
        I just migrated my server to IWeb. The server is working great and at a reasonable price, but it is giving me a funny problem. Can anyone help?
Basically, I am in Singapore. My website, which is supposed to show English content, somehow becomes a mass of question marks as below. I am sure that it's not a coding problem or an encoding problem, since it was working fine before (it happened only after I migrated the server from layeredtech to here).
But the content shows correctly if you open it from a US IP or another proxy server. I tried on many computers here, and some computers show the same error I have. So it's not a computer problem either, since many computers see the same error.
It works fine again after I download and re-upload the file, but the problem comes back after 2 weeks.
Is there anything wrong with my server, or the DNS server settings? Why does the problem show only from the Singapore, Malaysia and Indonesia side?
Some people say it is because of an error with my DNS ISP, but I don't think so, since many people in those countries see the same thing. Any idea what I should do?
  
    
	
    	
    	
        Mar 21, 2008
        For everyone out there who has dedicated servers with a Linux kernel: do you use a kernel patch like GrSecurity for extra security and peace of mind or not, and why?
I am using mostly VPS with huge resources for hosting sites because I didn't have the budget for Raid 5, Data Redundancy and managed servers. But now I just leased my first Dedicated running Centos (for better compatibility with CPanel) and I am concerned about the kernel's security issues.
I am using Grsecurity on a labrat (home server) for testing purposes but I don't know if it is the right option for a Production Live server.
  
    
	
    	
    	
        May 24, 2007
        I keep getting these types of accesses in a few of my servers.
 
42-1 - 0/0/18 . 0.00 512957 0 0.0 0.00 0.15 86.127.9.63 (unavailable) GET /publisher HTTP/1.0
43-1 - 0/0/13 . 0.00 512955 0 0.0 0.00 0.40 86.127.9.63 (unavailable) HEAD /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1
44-1 - 0/0/14 . 0.00 512960 0 0.0 0.00 0.17 86.127.9.63 (unavailable) GET /cgi-bin/phf HTTP/1.0
45-1 - 0/0/11 . 0.00 512954 0 0.0 0.00 0.17 86.127.9.63 (unavailable) GET /domcfg.nsf/?open HTTP/1.0
46-1 - 0/0/14 . 0.00 512951 0 0.0 0.00 0.29 86.127.9.63 (unavailable) GET /null.htw HTTP/1.0
47-1 - 0/0/12 . 0.00 512959 0 0.0 0.00 0.44 86.127.9.63 (unavailable) GET /orders/orders.txt HTTP/1.0
48-1 - 0/0/8 . 0.00 512960 0 0.0 0.00 0.17 86.127.9.63 (unavailable) GET /mall_log_files/order.log HTTP/1.0
49-1 - 0/0/5 . 0.00 512957 0 0.0 0.00 0.20 86.127.9.63 (unavailable) GET /whois_raw.cgi HTTP/1.0
50-1 - 0/0/2 . 0.00 512960 0 0.0 0.00 0.14 86.127.9.63 (unavailable) GET /cgi-bin/whois_raw.cgi HTTP/1.0
51-1 - 0/0/3 . 0.00 512954 0 0.0 0.00 0.20 86.127.9.63 (unavailable) GET /cgi-bin/ HTTP/1.0
52-1 - 0/0/3 . 0.00 512955 0 0.0 0.00 0.19 86.127.9.63 (unavailable) GET /cgi-bin/uptime HTTP/1.0
53-1 - 0/0/2 . 0.00 512955 0 0.0 0.00 0.00 86.127.9.63 (unavailable) GET /ifx/?LO=../../../etc/passwd HTTP/1.0
54-1 - 0/0/2 . 0.00 512954 0 0.0 0.00 0.01 86.127.9.63 (unavailable) GET /cgi-bin/webbbs.cgi HTTP/1.0
55-1 - 0/0/2 . 0.00 512949 0 0.0 0.00 0.02 86.127.9.63 (unavailable) GET /root HTTP/1.0
56-1 - 0/0/2 . 0.00 512949 0 0.0 0.00 0.08 86.127.9.63 (unavailable) GET /quikstore.cfg HTTP/1.0
57-1 - 0/0/3 . 0.00 512954 0 0.0 0.00 0.01 86.127.9.63 (unavailable) GET /cgi/ HTTP/1.0
 
The IP had been globally banned and I think cPanel has already come out with a patch for it so this topic is kind of a "by the way" for some admins.
  
    
	
    	
    	
        Jul 9, 2008
        Vendors form alliance to fix DNS poisoning flaw
An alliance of software makers and network-hardware vendors announced on Tuesday that they had banded together to fix a fundamental flaw in the design of the internet's address system.
The vulnerability in the domain name system (DNS) - the distributed database that matches a host and domain name with the numerical address of a computer server - could give an attacker the ability to replace the addresses of popular websites with that of a malicious server, said Dan Kaminsky, director of penetration testing for security firm IOActive. Kaminsky found the flaw when he was doing non-security research on the domain name system (DNS) more than six months ago.
"It is a fundamental issue affecting the design," Kaminsky said. "Because the system is behaving exactly like it is supposed to behave, the same bug will show up in vendor after vendor after vendor. This one bug affected not just Microsoft ... not just Cisco, but everyone."
On Tuesday, a number of software and network-hardware vendors released patches for their products. On its regularly scheduled patch day, Microsoft released updates for Windows 2000, Windows XP and Windows Server 2003 to mitigate the issue, which the company ranked an important vulnerability, its second highest grade of severity. Internet Software Consortium, the group responsible for the development of the popular Berkeley Internet Name Domain (BIND) server, also released a patch, confirming that its software contained the vulnerability. Both Cisco and Juniper also acknowledged flawed systems.
Vendors have also provided the fix to certain large clients. Yahoo will be upgrading its name servers from BIND 8 to the latest version of BIND 9, the Internet Software Consortium stated during the conference call. Internet service provider Comcast has already patched its servers for the issue, according to internet infrastructure firm Nominum. Finally, the Computer Emergency Response Team (CERT) Coordination Center has contacted some other nations' response groups to inform them of the problem.
For the most part, however, internet service providers and companies each received the fix on Tuesday, said Sandy Wilbourn, vice president of engineering at Nominum. The goal: To have every major service provider and company apply their software patches in 30 days.
For that reason, don't expect immediate action, Wilbourn said.
"For key customers on our network, we have made a special effort to get them an early release to help solve this problem, and a number of them have finished deployment," he said. "But the nature of this patch is that we wanted to get the vendor side covered and then have deployment over the next 30 days. Anyone that is not patched by today or tomorrow is not doing anything wrong."
The domain-name system (DNS) has been a popular way to attack the internet in the past - it's an ill-kept secret that the DNS system is insecure. The way that many software applications, such as browsers, handle DNS requests has opened up users to attack. Microsoft has fixed a few vulnerabilities in the way Windows handles domain names - issues that could have led to easier eavesdropping or simpler phishing attacks.
More here:[url]
  
    
	
    	
    	
        Apr 24, 2013
        I use Apache with CentOS VPS hosting for my blog. I only host one blog in this VPS account. I have 1.5GB RAM and I have 7,500 page previews per day. My page loading time is 2-3 seconds (according to the pingdom tool).
I want to know what is the best performance (faster web page loading) W3 Total cache option for VPS hosting blog. Currently I use Disk to enhance for page cache and database cache for disk.
  
    
	
    	
    	
        Nov 8, 2007
        I'm concerned about dns spoofing
As explained here:
w w w. securesphere(dot)net/download/papers/dnsspoof.htm
I note the recommendations:
- To limit the cache and check that it's not keeping additional records.
- Not to make security systems to use/rely on DNS.
- Use cryptography like SSL; even if the problem remains the same, it increases the difficulty level for the attacker (See article on Man in the Middle)
I did note on another site that the latest version of BIND for DNS should be installed.
I'm quite sure I'm being attacked in this way by a guy on the same network as my numerous commercial websites.
I'm setting a new server. I'm getting my own name server.
 
What steps should I take to best protect myself and my business against these attacks please?
(firewall? tips etc beside the above?) Please let me know as I want to set up and have a better than even bet I have shaken the guy.
  
    
	
    	
    	
        Oct 1, 2009
        I have a reseller account from a small web service company.
They are great and better than the famous companies.
But I have one problem. I have a personal blog; sometimes I don't see the new comments, and my visitors see only the comments from before 4 days ago.
There is also a vB forum; sometimes new members can't log in and you only see the old topics, and sometimes you see everything OK and up to date.
My visitors and I all have the same problem, and it can't be from the internet service provider because they are from several countries.
I had such a problem 4 years ago and it was because of the server cache.
I didn't name the company because they are great and I don't want to blame them before I know for certain what causes the problem.
  
    
	
    	
    	
        Dec 3, 2007
        My RAM is 2G.
The cache memory of my server is being eaten. After 2 weeks, the cache memory is below 1G, then the server crashes.
After I reboot the machine, the cache memory goes back to normal. But it starts being eaten again.
I have attached the graph.
I am using lighttpd, php, mysql
  
    
	
    	
    	
        Jun 22, 2009
        It took me one year to develop this disk cache tool, which can dramatically boost your host and save your hard disk. It is like supercache, but cheaper and faster.
Check the picture to see what it can do.
I will offer a free download to test the tool to the first 10 people. If you host a huge-traffic website, do not hesitate to try it. I have already tested it for half a year. It is time to publish it. PM me or post here to get the free download.
I am open to any opinion about the tool.
  
    
	
    	
    	
        Nov 16, 2014
        When I hit my server's domain it redirects me to one of the hosted sites' domain with a 302 redirect. It used to return the default plesk server page. How can I cancel the redirect?
  
    
	
    	
    	
        Apr 17, 2009
        I moved my domain out of hostgator about a month ago.
[url]
The whois shows my new nameservers and IP.
Why is my page being redirected to the hostgator suspended page?
My domain is not even registered with them.
The domain is nuzil.com.
Any reviews about that?
  
    
	
    	
    	
        Apr 28, 2008
        The NOCONA and IRWINDALE are old CPUs.
I find the main difference between them is L2 cache (1M vs. 2M).
I want to ask what services need more L2 cache?
For example: a lot of DB usage? Or httpd? Or?
  
    
	
    	
    	
        Nov 5, 2008
        We have a lot of unused domains that we'd like to setup domain parking for.
To keep it simple, we'd like to just change the nameservers to ns1.domainparking.com and ns2.domainparking.com (not real nameservers!) and the domains would then automatically show a simple web page.
We use cpanel servers and are wondering how easy this is to do? I've seen mention of wildcard DNS. Is that the answer?
  
    
	
    	
    	
        Aug 3, 2007
        I have about 8 different domains I'd like to point to a nameserver (ns1./ns2.mydomain.com) on a Win2k3 server, but I can't get them resolved through my nameserver without creating a manual forward lookup entry for each *parked* domain separately.
Does anyone know how to resolve "parked" domains automatically on Win2k3 DNS?
I just can't find any answer for this; everything I've found required manual creation of lookup entries.
Anyone?
  
    
	
    	
    	
        Jul 6, 2007
        I have a VPS with dedicated IPs for my domain names.
I read that in order for mail coming from my server not to be picked up as spam, I need to add reverse IP entries.
Now I have already added the glue nameserver records on my godaddy control panel,
ns1.mydomain.com -> 10.20.30.40
ns2.mydomain.com -> 10.20.30.41
But do I need to speak to the datacenter to add the reverse DNS entries for my domain on their nameservers? What if I host my nameservers offsite, but then have my webserver/mailserver etc. inside the datacenter? Would I need to request the datacenter where the nameservers are hosted to add the reverse IP entries for the domain, and then request the same from the datacenter for my web/mail servers to add the reverse entries?
Is it really required?
  
    
	
    	
    	
        Aug 14, 2008
        I've been having some DNS problems with one of my domains for quite some time now. The domain does not always resolve - some go days without being able to access the site.
I ran a simple BASH script to show what I mean. I replaced my domain with "mysite.net" and the IP with "xx.xx.xxx.xxx".
# for i in `seq 1 15`; do host mysite.net; done
mysite.net has address xx.xx.xxx.xxx
mysite.net mail is handled by 0 mysite.net.
Host mysite.net not found: 2(SERVFAIL)
mysite.net has address xx.xx.xxx.xxx
Host mysite.net not found: 2(SERVFAIL)
mysite.net has address xx.xx.xxx.xxx
Host mysite.net not found: 2(SERVFAIL)
mysite.net has address xx.xx.xxx.xxx
Host mysite.net not found: 2(SERVFAIL)
mysite.net mail is handled by 0 mysite.net.
mysite.net has address xx.xx.xxx.xxx
Host mysite.net not found: 2(SERVFAIL)
Host mysite.net not found: 2(SERVFAIL)
mysite.net has address xx.xx.xxx.xxx
Host mysite.net not found: 2(SERVFAIL)
mysite.net mail is handled by 0 mysite.net.
mysite.net has address xx.xx.xxx.xxx
mysite.net mail is handled by 0 mysite.net.
mysite.net has address xx.xx.xxx.xxx
mysite.net mail is handled by 0 mysite.net.
mysite.net has address xx.xx.xxx.xxx
mysite.net mail is handled by 0 mysite.net.
mysite.net has address xx.xx.xxx.xxx
Host mysite.net not found: 2(SERVFAIL)
mysite.net has address xx.xx.xxx.xxx
mysite.net mail is handled by 0 mysite.net.
mysite.net has address xx.xx.xxx.xxx
mysite.net mail is handled by 0 mysite.net.
mysite.net has address xx.xx.xxx.xxx
mysite.net mail is handled by 0 mysite.net.
mysite.net has address xx.xx.xxx.xxx
mysite.net mail is handled by 0 mysite.net.
Has anyone experienced a similar problem? I have gone over the DNS records countless times and see no problems. The site is hosted on my own dedicated server.
  
    
	
    	
    	
        May 17, 2009
        I guess I have finally seen the adverse effects of raising the conntrack table max too high. 
May 15 09:13:52 cp4 kernel: [6430723.486626] dst cache overflow
May 15 09:13:52 cp4 kernel: [6430723.622616] dst cache overflow
May 15 09:13:56 cp4 kernel: [6430727.562862] dst cache overflow
May 15 09:13:56 cp4 kernel: [6430727.698868] dst cache overflow
May 15 09:13:56 cp4 kernel: [6430727.844221] dst cache overflow
May 15 09:13:56 cp4 kernel: [6430727.991276] dst cache overflow
May 15 09:13:56 cp4 kernel: [6430728.131962] dst cache overflow
I got tons of these during an attack today. I have googled around for a lil while and have not been able to find any useful info on raising this cache level up. Would anyone here know how to do this?
I see no sysctl settings or anything of that nature for it.
  
    
	
    	
    	
        Jul 25, 2009
        I'm running shared hosting and would like to keep the amount kept in cache down so that there is always more memory free... How would I go about doing that?
Are these values good?
echo 20 > /proc/sys/vm/dirty_background_ratio
echo 60 > /proc/sys/vm/dirty_ratio
  
    
	
    	
    	
        Jan 27, 2008
        I seem to have the opposite problem of what most people complain about... I'm using some custom-built PHP scripts, the output of which is not getting cached. I want the output cached, because it doesn't change often.
If it's relevant, I'm using ob_start() to serve up a GZIP-compressed page.
I start off with a header("Cache-Control: maxage=3600, must-revalidate"). Yes, it's first, and yes, it's showing up properly in the browser.
However, requesting the page again returns an HTTP 200, not the 304 I'm expecting. It's pulling down the whole page again. It's not changing in between requests, and I'm simply visiting the URL again, not hitting Refresh. (Although it really shouldn't matter.)
  
    
	
    	
    	
        Apr 22, 2007
        [url]
has an article on mysql query cache.
It notes that in the mysql config file, having
query-cache-type = 1
sets the mysql query cache.
In mysql I note that
SHOW VARIABLES LIKE '%query_cache%';
outputs 
+-------------------+---------+
| Variable_name     | Value   |
+-------------------+---------+
| have_query_cache  | YES     |
which indicates that cache is set, but...
find . -name "my.cnf"
./usr/local/cpanel/whostmgr/my.cnf
./etc/my.cnf
shows only these
set-variable = max_connections=500
safe-show-database
So where has query cache been set? 
At the server level? 
If so, am I able to set the query_cache_size and if so, which path?
Anyone have any comments on their mysql optimization on a VPS?
  
    
	
    	
    	
        Jul 15, 2007
        I made changes in httpd.conf to redirect a website to another website; after 15 min I removed the redirect, but even now when clients request the website they are redirected.
I'm sure I removed the redirect.
We are located in the UAE. The UAE has a transparent proxy for all Internet connections, so I think the problem is in the proxy cache. How can I confirm it? And can I avoid it?
Also, when I put a dot "." at the end of the site link it works without the redirect; otherwise it doesn't work.
  
    
	
    	
    	
        Jun 29, 2009
        What does this mean? It's been flooding /var/log/messages
Jun 28 08:12:50 host named[7649]: client 209.86.63.238#9427: query (cache) 'root.domain.tld/A/IN' denied
Jun 28 08:12:50 host named[7649]: client 209.86.63.230#42462: query (cache) 'root.domain.tld/A/IN' denied
Jun 28 08:12:50 host named[7649]: client 200.23.242.203#37863: query (cache) 'root.domain.tld/A/IN' denied
Jun 28 08:12:50 host named[7649]: client 212.93.151.237#8080: query (cache) 'root.domain.tld/A/IN' denied
Jun 28 08:12:50 host named[7649]: client 212.202.215.18#35119: query (cache) 'root.domain.tld/A/IN' denied
Jun 28 08:12:50 host named[7649]: client 212.93.151.237#40106: query (cache) 'root.domain.tld/A/IN' denied
Jun 28 08:12:50 host named[7649]: client 209.86.63.231#51272: query (cache) 'root.domain.tld/A/IN' denied
  
    
	
    	
    	
        Oct 7, 2009
        I'm assuming a corporate proxy cache is what they have set up. I have a client and every time I send them changes to a temporary page I'm hosting for review they can't see it. 
They can hit refresh over and over but never see the new updates unless I change the name of the folder it's in.
This is very annoying and it only happens with them and one other corporate client I have. They check on multiple computers and it will never refresh and load the new changes. I think this is their network cache that their IT dept. set up.
How can I get around this? I tried an htaccess trick I looked up for expiring files but it didn't work.
These files are on a shared hosting of mine on an Apache server.
  
    
	
    	
    	
        Jul 5, 2009
        root@host# free
             total       used       free     shared    buffers     cached
Mem:       4016936    2598976    1417960          0     138424    1558652
-/+ buffers/cache:     901900    3115036
Swap:      5275640          0    5275640
Eventually, the cache reaches 2600000 and I would like to keep the cache smaller so that the free RAM is always steady around 500k for when a lot of traffic comes through.
Is there a way to clear the old cache out faster?
  
    
	
    	
    	
        Jul 9, 2009
        How do I setup a RamDisk or a tmpfs mount? I want to setup cache_dir in memory.
My current settings:
extension="eaccelerator.so"
eaccelerator.shm_size="128"
eaccelerator.cache_dir="/tmp/eac"
eaccelerator.enable="1"
eaccelerator.optimizer="1"
eaccelerator.check_mtime="1"
eaccelerator.debug="0"
eaccelerator.filter=""
eaccelerator.shm_max="0"
eaccelerator.shm_ttl="7200"
eaccelerator.shm_prune_period="3600"
eaccelerator.shm_only="1"
eaccelerator.compress="1"
eaccelerator.compress_level="9"
eaccelerator.keys="shm_only"
eaccelerator.sessions="shm_only"
eaccelerator.content="shm_only"
  
    
	
    	
    	
        Apr 20, 2008
        Which would you choose:
Core2Duo E2180, 1MB Cache
P4 3.0GHz, 2MB Cache