DNS Spoofing/poisoning Attack Defense

Nov 8, 2007

I'm concerned about dns spoofing

As explained here:
w w w. securesphere(dot)net/download/papers/dnsspoof.htm
I note the recommendations:

- To limit the cache and check that it's not keeping additional records.
- Not to make security systems to use/rely on DNS.
- Use cryptography like SSL, even if the problem remains the same, it increase difficulty level for the attacker (See article on Man in the Middle)

I did not on another site that the latest version of BIND for DNS should be installed.
I'm quite sure I'm being attacked in this way by a guy on the same network as my numerous commercial websites.
I'm setting a new server. I'm getting my own name server.

What steps should I take to best protect my self and my business against these attacks please?

(firewall? tips etc beside the above?) Please let me know as I want to set up and have a better than even bet I have shaken the guy.

View 2 Replies


ADVERTISEMENT

DNS Cache Poisoning

Mar 19, 2008

What tools do you use to check for DNS Cache Poisoning ? Is there any way it can be prevented and is the problem very prevalent?

View 1 Replies View Related

DNS Poisoning - Is Your Bind Up To Date

Jul 9, 2008

Vendors form alliance to fix DNS poisoning flaw

An alliance of software makers and network-hardware vendors announced on Tuesday that they had banded together to fix a fundamental flaw in the design of the internet's address system.

The vulnerability in the domain name system (DNS) - the distributed database that matches a host and domain name with the numerical address of a computer server - could give an attacker the ability to replace the addresses of popular websites with that of a malicious server, said Dan Kaminsky, director of penetration testing for security firm IOActive. Kaminsky found the flaw when he was doing non-security research on the domain name system (DNS) more than six months ago.

"It is a fundamental issue affecting the design," Kaminsky said. "Because the system is behaving exactly like it is supposed to behave, the same bug will show up in vendor after vendor after vendor. This one bug affected not just Microsoft ... not just Cisco, but everyone."

On Tuesday, a number of software and network-hardware vendors released patches for their products. On its regularly scheduled patch day, Microsoft released updates for Windows 2000, Windows XP and Windows Server 2003 to mitigate the issue, which the company ranked an important vulnerability, its second highest grade of severity. Internet Software Consortium, the group responsible for the development of the popular Berkeley Internet Name Domain (BIND) server, also released a patch, confirming that its software contained the vulnerability. Both Cisco and Juniper also acknowledged flawed systems.

Vendors have also provided the fix to certain large clients. Yahoo will be upgrading its name servers from BIND 8 to the latest version of BIND 9, the Internet Software Consortium stated during the conference call. Internet service provider Comcast has already patched its servers for the issue, according to internet infrastructure firm Nominum. Finally, the Computer Emergency Response Team (CERT) Coordination Center has contacted some other nation's response groups to inform them of the problem.

For the most part, however, internet service providers and companies each received the fix on Tuesday, said Sandy Wilbourn, vice president of engineering at Nominum. The goal: To have every major service provider and company apply their software patches in 30 days.

For that reason, don't expect immediate action, Wilbourn said.

"For key customers on our network, we have made a special effort to get them an early release to help solve this problem, and a number of them have finished deployment," he said. "But the nature of this patch is that we wanted to get the vendor side covered and then have deployment over the next 30 days. Anyone that is not patched by today or tomorrow is not doing anything wrong."

The domain-name system (DNS) has been a popular way to attack the internet in the past - it's an ill-kept secret that the DNS system is insecure. The way that many software applications, such as browsers, handle DNS requests has opened up users to attack. Microsoft has fixed a few vulnerabilities in the way Windows handles domain names - issues that could have lead to easier eavesdropping or simpler phishing attacks.

More here:[url]

View 6 Replies View Related

A Few Words About DNS Cache Poisoning

Nov 26, 2007

What is your opinioun on the subject?

How could it be done?

View 1 Replies View Related

Dedicated Server And ARP Poisoning

Nov 4, 2007

I recently had a problem with a hacked dedicated server which was attacked by ARP Poisoning and a Remote Desktop man-in-the-middle attack from another dedicated server on the same subnet. Maybe unreasonably I expected controls in place to prevent this, better detection and better handling of this problem, lack of which have left me uneasy about the hosting.

I know using Remote Desktop with a cert would prevent the server being compromised, but my concern would then be HTTP traffic being hijacked and malware insertion, redirection to non HTTPS login pages, redirects to anywhere, etc. If ARP Poisoning occurs then even if my server is fully secure all the web addresses pointing to my server's IP are basically compromised by HTTP traffic redirection.

Before this happened I had assumed (bad idea) that there would be some kind of mac level assigning of IP addresses.

What level of protection from this type of problem should I expect from the Dedicated Server supplier on their network? Problem started after I rebooted our server, IP was grabbed and the network adaptor was disabled due to IP conflict, so machine didn't not respond to pings. I raised a ticket and was told

"when your server came up it couldn't use it's assigned IP address as for some unknown reason another device on the network is using it's IP, we're tracking down the device and we'll have your server operational in few minutes."

They re-enabled the network adaptor presumably without fully checking the situation. I assumed the situation was either an innocent misconfiguration or that the issue had been fully investigated and dealt with, I reconnected via remote desktop and a few minutes later the server was compromised (wiped event logs, Cain and Abel installed etc).

Our machine was wiped, reinstalled and no further problem arose, but they initially seemed to deny that the two issues were related. Suggesting it would have been hacked externally via IIS vulnerabilities. Then 18 days later(!) they released a message advising all users with machines on the subnet that they had shutdown a malicious machine (not ours) on the subnet and to change passwords, run malware scans etc! Whether this was the same original machine or another server compromised I don't know. However our server was running with Cain and Abel and a whole lot more for quite a while as I checked it before it was taken off line for reinstallation.

Is this a common occurrence? Do most dedicated hosting providers have proper measures to prevent this or are there any measures I can take to prevent this happening again?

View 4 Replies View Related

DNS & Email Spoofing

Aug 4, 2008

I got an email "failure delivery notification" but i did not sent that email. It had my email address though.

So I contacted host and got a very quick reply:

Quote:

The is caused due to the email spoofing. Someone was spoofing your email account and sending mails by adding the mail header so that the appears to have originated from the actual source. By setting SPF record correctly in the DNS zone of the domain, we can almost prevent this.

Here The SPF record was not setup correctly. Now we have made some changes in the SPF record in the DNS zone file "/var/named/domainname.com.db".

------------
v=spf1 a mx ip4:67.21.1.226 ?all -----> v=spf1 a mx ip4:67.21.1.226 ~all
------------

Now I can understand that they have quickly fixed the problem. BUT I need to learn more on what is going on here.

I can understand that email spoofing is that spammer is sending email with header that shows it is my email address (which it is not).

But I dont understand the second part that a DNS record fix it.

What does that DNS line mean,

DNS stuff is really complicated and am lost when it comes to it.

View 8 Replies View Related

When Did Email Spoofing Become Legal

Apr 16, 2008

I got a bounced back message that I never sent. I was profoundly shocked to discover (through the header info) that the message originated from dotworlds.net; a site that ostensibly is a spoof email service provider.

Should such sites be allowed to exist?

View 2 Replies View Related

Defend Against Browser Spoofing

Aug 10, 2008

How do you defend against browser spoofing? From the tutorials shown at [url]. it seems really easy to spoof a firefox useragent.

View 5 Replies View Related

Are Patched Domain Name Server (DNS) Behind N.A.T. Still Vunlerable To DNS Cache Poisoning?

Aug 7, 2008

Upon reading http://www.theregister.co.uk/2008/08...sky_black_hat/ it appears those who use network address translation may be vulnerable to DNS cache poisoning even after patching their DNS servers.

"another 15 per cent are still vulnerable to some extent because they use network address translation gear that prevents the patch from working."

Thoughts?

View 2 Replies View Related

How To Prevent Spoofing From Postfix/local Part

Apr 29, 2009

I have similar problem that explained [url]

The detail of my problem is below:

Some people sent spoofing mails from our mail users sent to our user from Postfix/local that is listed in maillog like below:

Apr 29 16:57:02 ns1 postfix/local[3075]: EC2153565E3: to=<user-mydomain.com@ns1.mydns.com>, orig_to=<user@mydomain.com>, relay=local, delay=486, status=sent (delivered to command: /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME)

Bu i do not know how to prevent this people not to use my Postfix/local delivery part. How can i prevent this attack?

When i connect to my mail server to sent or receive my mail it look like
Apr 29 17:25:28 ns1 dovecot: pop3-login: Login: user=<user@mydomain.com>, method=PLAIN, rip=***.***.***.***, lip=***.***.***.***
....
Apr 29 17:25:55 ns1 dovecot: POP3(user@mydomain.com): Disconnected: Logged out top=0/0, retr=0/0, del=0/0, size=0....

But the attackers connect directly like below:

Apr 29 17:29:59 ns1 postfix/local[2456]: 3192E357FD9: to=<user-mydomain.com@ns1.mydns.com>, orig_to=<user@mydomain.com>, relay=local, delay=261, status=sent (delivered to command: /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME)
....
Apr 29 17:29:59 ns1 postfix/qmgr[2218]: 3192E357FD9: removed

How can the spammer connect to Postfix/local part? My mail server not open relay. i test it from internet.

View 2 Replies View Related

Stop Spammers From Spoofing My Email Domain

May 4, 2007

Is there any way to stop spammers from spoofing my address? I've had issues ever since I started this server with getting bounced spam where the "From:" field was (jibberish)@mydomain.com which was annoying but not that constant.

I came online this morning to check my mail and had over 1200 e-mails and all of them have "online@wellsfargo.com" as the "From:" address, but the message-ID has my domain name in it..

Quote:

------ This is a copy of the message, including all the headers. ------

Return-path: <nobody@host.mydomain.com>
Received: from nobody by host.mydomain.com with local (Exim 4.63)
(envelope-from <nobody@host.mydomain.com>)
id 1Hju9b-0002y3-TH
for lwilder1999@yahoo.com; Fri, 04 May 2007 05:32:43 -0400
To: lwilder1999@yahoo.com
Subject: Update Your Account Records
From: Wells Fargo Online <online@wellsfargo.com>
Reply-To:
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 8bit

Message-Id: <E1Hju9b-0002y3-TH@host.mydomain.com>
Date: Fri, 04 May 2007 05:32:43 -0400

There's gotta be some way (make that 1204.. just got 4 more bounces) to block spammers from doing this. Could someone help a newbie out?

View 6 Replies View Related

Is This A DOS Attack?

Mar 11, 2008

Quote:




Mar 10 20:17:55 host kernel: printk: 102 messages suppressed.
Mar 10 20:17:56 host kernel: printk: 3 messages suppressed.
Mar 10 20:18:01 host kernel: printk: 98 messages suppressed.
Mar 10 20:18:35 host kernel: printk: 34 messages suppressed.
Mar 10 20:18:51 host kernel: printk: 189 messages suppressed.
Mar 10 20:18:56 host kernel: printk: 195 messages suppressed.
Mar 10 20:19:02 host kernel: printk: 249 messages suppressed.
Mar 10 20:19:06 host kernel: printk: 36 messages suppressed.
Mar 10 20:19:21 host kernel: printk: 3 messages suppressed.
Mar 10 20:19:26 host kernel: printk: 342 messages suppressed.
Mar 10 20:19:31 host kernel: printk: 509 messages suppressed.
Mar 10 20:19:47 host kernel: printk: 54 messages suppressed.
Mar 10 20:19:51 host kernel: printk: 421 messages suppressed.
Mar 10 20:19:56 host kernel: printk: 542 messages suppressed.
Mar 10 20:20:01 host kernel: printk: 785 messages suppressed.
Mar 10 20:20:16 host kernel: printk: 340 messages suppressed.
Mar 10 20:20:21 host kernel: printk: 337 messages suppressed.
Mar 10 20:20:26 host kernel: printk: 430 messages suppressed.




Or is this something else? It's been going on for about 40 minutes. I seen my load jump to 20, to 100 and back and fourth

View 6 Replies View Related

Under Attack

May 24, 2009

I'm sure that i have Trojans and Viruses on my Server but every time i contacted My Company they ask me to pay money and then they will check and scan my server

so is it any Free application which can scan and remove all bad files on my Server? i'm looking for free applications to scan the whole server

View 5 Replies View Related

SSH Attack

Jul 18, 2009

My server stop responding, I couldn't access via webmin or ssh, and DNS were not responding, so I have to ask for a reboot and now everything is fine.

Looking at the logs I found this:

Code:
Jul 18 19:23:12 server sshd[18484]: Failed password for root from 61.145.196.117 port 56817 ssh2
Jul 18 19:23:12 server sshd[18485]: Failed password for root from 61.145.196.117 port 60227 ssh2
Jul 18 19:23:13 server sshd[18488]: Failed password for root from 61.145.196.117 port 38038 ssh2
Jul 18 19:23:15 server sshd[18493]: Failed password for root from 61.145.196.117 port 49884 ssh2
Jul 18 19:24:30 server sshd[18497]: Failed password for root from 61.145.196.117 port 37929 ssh2
Jul 18 19:25:06 server sshd[18521]: Did not receive identification string from 61.145.196.117
Jul 18 19:25:09 server sshd[18508]: Did not receive identification string from 61.145.196.117
Jul 18 19:25:14 server sshd[18505]: fatal: Timeout before authentication for UNKNOWN
Jul 18 19:26:00 server sshd[18509]: Did not receive identification string from 61.145.196.117
And searching that IP on google I found it here: http://www.tcc.edu.tw/netbase/net/in...?fun=240&prd=3

And is flagged as a SSH Attack.

Any ideas why my server stopped working? and how to prevent it?

Im using CentOS 5.0

View 12 Replies View Related

SYN Attack

Jun 11, 2009

i found my site load slowly, the cpu load is good. I run this command
[root@host ~]# netstat -nap |grep SYN |wc -l
526

It's seem my server is having problem with SYN attack. Is there anyway to protect it ?

I'm running apache 2.

View 14 Replies View Related

Under Attack

May 12, 2009

My site currently in prolong HTTP flood attack since 2 weeks ago. The attack was never stop and for this moment i could only mitigate the attack using my own firewall (hardware).

Since my ISP is not interested to help from upstream, even provide any mitigation services, i could only doing mitigation on my own source or using proxy services alternatively as well, but i've chose to tried on my own. I've tried once on one of well-known mitigation services out there but it seems not fully satisfied me since most of legitimate traffic is blocked from their source.

What i could do now is keep staying alive as well as will not going down on whatever situation becomes worst (but if the attack change to udp attack, i couldn't help myself coz there must be high incoming bandwidth into my network). My network is totaling 10MB last time but since this attack i've been forced to subscribe for 30MB in order to keep balance on the attack.

I've blocked all access except for my country and some other neighbours. If i change policy to allow all countries, the load of firewall will become max and after that hang will hang in less than a minute. I've done load balancing of 4 servers (8GB memory each one) and it seems the condition is getting under control with slight problem of server hang (memory shortage) and very limited keep alive connection.

Now what am i thinking is to buy a router objectively to null route incoming specific IP of countries so i can change my firewall policy to allow all connections as well as to help the firewall itself release its burden halting blocked IP that currently keep hitting itself that could might impact its performance.

Which brands of router is possible doing this thing?

Do you have some other suggestions instead of buying router?

View 8 Replies View Related

SYN Attack

Apr 12, 2008

i am just having one issue in one of my highly visited website hangibar.com, its being hosted in softlayer, we are facing synattack too much in this website.

the solution which microsoft given in their website related with tcp/ip registry entry but thing is same , some where and some connections become increases too much over tcp/ip. due to that reason website become very sticky and it stop functioning the execution of sql process, during this issue i have to restart the server to establish a fresh connection.

View 3 Replies View Related

Syn Attack

Dec 9, 2008

im getting a syn attack and my vps getting overloaded what im doing is banning ip's that gets most connections

after banning server get normal but if there anyway to stop this post method

View 11 Replies View Related

DOS Attack And APF

Oct 30, 2008

My server is under dos attack (http) , I have installed APF firewall and ddos deflate. I configure them to work together.

now if any IP with more than 100 connections is black listed by dos deflate, I can see it in apf's deny_hosts.rules file.

everything seems correct, but my server still very slow.

the ip which is causing that has more than 1000 request and is blacklisted.

View 11 Replies View Related

I Am Under Attack

May 15, 2007

There are lot of perl process with 100% usage on server. When i tried to view error_log it shows following:

[root@local ~]# tail -f /var/log/httpd/error_log
=> `Lnx.txt'
Resolving gihkus.com... 208.98.48.116
Connecting to gihkus.com|208.98.48.116|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 16,577 (16K) [text/plain]

0K .......... ...... 100% 316.78 KB/s

05:26:03 (316.78 KB/s) - `Lnx.txt' saved [16577/16577]

When i tried to view this http://gihkus.com/Lnx.txt it seems to be attack on my server. http://gihkus.com/Lnx.txt is not hosted by us. I have disabled perl support on all domains hosted on our server but still we are under attack. There is nothing special in /tmp.

View 6 Replies View Related

Possible Attack

Jan 4, 2007

Over the past day one of my servers has seen a huge rise in incomming traffic (from normal web requests to a constant 4Mbit/s, peaking upto 80Mbit/s). My outgoing traffic has remained at its normal profile, so I am pretty sure that these are not web requests, and it does not seem to be having an adverse effect on the server (the site still runs perfectly well and quick and load is still less than 1).

However, I am unsure as to how to identify what this traffic is? Are there any easy ways to tell on a FreeBSD server what the source and type of incomming traffic is? I have tried playing with netstat, but an not getting anything useful - I would like to see which ports are involved.

View 6 Replies View Related

Dos Attack

Jul 15, 2007

Am Really suffering here for ddos attack ( apache - pop3 ) every week my server under attack am using APF but now am really wanna get red from it am looking for a powerfull firewall I do not know if CSF Could stop this attack like limiting receiving SYN from an ip or any other policy another thing . i have get this rules from forums but am really weak at iptables rules so can any one help my if these rules useful or not . against Dos attack:

iptables -t nat -N syn-flood
iptables -t nat -A syn-flood -m limit --limit 12/s --limit-burst 24 -j RETURN
iptables -t nat -A syn-flood -j DROP
iptables -t nat -A PREROUTING -i eth0 -d (dest ip) -p tcp --syn -j syn-flood

View 7 Replies View Related

DDOS Attack

May 29, 2009

My server is using too many httpd process..I think iam under DDOs attack..I executed the following command..

netstat -an | grep :80 | sort
and the result is this

tcp 0 1491 ::ffff:95.211.10.169:80 ::ffff:213.215.100.110:2263 LAST_ACK
tcp 0 1493 ::ffff:95.211.10.169:80 ::ffff:85.207.126.231:52694 LAST_ACK
tcp ....

View 14 Replies View Related

Is This A DDoS Attack?

Aug 4, 2009

I have a windows server, and today it has a large inbound traffic, so I tried to disable all web service, and after that, the result of netstat -an shows no connection at all, but the server still has large inbound traffic,

Do you have any idea about this?

What should I do now?

View 8 Replies View Related

DDOS Attack Help

Mar 19, 2008

Our server is in attack since 4 days. Http port busy all the time.

When I type :

netstat -na | grep ":80" | awk '{print $5}' | cut -d. -f1-4 | cut -d: -f1 | sort -n| uniq -c | sort -n | tail -5

It shows :

[root@ ~]# netstat -na | grep ":80" | awk '{print $5}' | cut -d. -f1-4 | cut
-d: -f1 | sort -n| uniq -c | sort -n | tail -5
2 65.19.130.24
2 83.149.120.9
4 204.15.73.243
35 222.254.103.142
5128
[root@ ~]#

I wonder the hidden IP of 5128 ??? How to know it?

View 8 Replies View Related

Am I Under DDOS Attack?

Jun 21, 2007

The server getting slow with high I/O diskwait then normal, although load is not high.

here is the output of: netstat -anp |grep 'tcp|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n .................

View 6 Replies View Related

Ddos Attack On VPS

Apr 12, 2009

i had installed anti ddos or firewall,but those are useless.His attacks are such great that The server and all the vps are down now. One told me that I should check the ips and receive ips. The attacker is so skillful .describe the best method to defeat him. Be sides the attacker use diffirenet ips in each attack,I block him by iptables but no use…. His attack occupy all the ram and I have to resetart the server… Now this time his attack lead to shutting all the vps down

View 10 Replies View Related

Under Ddos Attack

Jan 6, 2009

My website is under ddos attack from some competitors. I don't know yet how big is the attack. The ips of the ddos attack come from all the world.

I have contacted a few hosting companies specialised in ddos proof hosting, unfortunatly the price is so expensive that i cannot afford it.

So i try to find another solution : my website is only aimed to the french people, so maybe is it possible to install a kind of firewall or proxy located before the server to block all the incoming IP adress not from france ? Do you know some websites who can do this and the price ?

I already try do deny the non-french ip in one htaccess file but the ddos attack saturate the server anyway.

View 11 Replies View Related

SYN Flood Attack

Jul 28, 2009

We are currently experiencing an SYN Flood attack on our primary production server and are looking for some help in resolving the issue.

Running:
Novell SUSE Linux Enterprise Server 10.2-64
SuperMicro X7DBR-E Intel Xeon QuadCore DualProc SATA [2Proc]
Processor Intel Xeon-Clovertown 5320L-QuadCore [1.86GHz]
8GB Memory
@ Softlayer DC in Texas.

Need help within the next hour or two. Please ask any necessary follow up questions and how you might go about resolving the issue (i.e. SYN Cookies, etc.)

View 5 Replies View Related

SYN Flood Attack

May 3, 2009

someone decided to attack my webserver and I can't figure out how to block it.

tcp 0 0 localhost:80 207.44.129.88:2138 SYN_RECV
tcp 0 0 localhost:80 207.44.129.88:2243 SYN_RECV
tcp 0 0 localhost:80 213.66.121.211:63372 SYN_RECV

It's literally thousands of those requests overloading apache. The server is fine, the load average is like .8. But none of the website are loading.

We're hosting with ThePlanet, and they're doing a great job at blocking a huge portion of the attack. But we're still getting hit pretty hard. I've got APF installed, and 3 or 4 anti-dos scripts.

Every once in a while a page will load for the websites, I think we've got just under 50 legit connections.

View 14 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved