Re: DNS poisoning block list?
From: Bit Twister (BitTwister_at_mouse-potato.com)
Date: 04/06/05
- Next message: Darko Gavrilovic: "Re: Nessus vs. Retina"
- Previous message: Jack Masters: "Re: How does one go about setting up linux to 'listen' on port 3306 for MyODBC driver traffic coming from my windoze box?"
- In reply to: Newsbox: "Re: DNS poisoning block list?"
- Next in thread: Newsbox: "Re: DNS poisoning block list?"
- Reply: Newsbox: "Re: DNS poisoning block list?"
- Reply: Newsbox: "Re: DNS poisoning block list?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 06 Apr 2005 03:31:07 -0500
On Wed, 06 Apr 2005 01:51:29 -0400, Newsbox wrote:
>
> So we have multiple Zero days, but my thought is to make their Zero days
> shorter.
But you were hinting it came from someone's list. They will not show up
on the list until it is too late. Even the sans report indicated
several of the poisoned .coms would not allow their name to be mentioned.
And it was a week before the site ip showed up because they did not
want the blackhat to know they were on to them.
> I don't want them to snatch my snatch at all, but if it is 3
> minutes (might be more than enough for them), and if I can wait 4 minutes
> for some magic to work, then I can beat them. That's all that I need.
Guess you type your login/id kinda slow if you need a 4 minute window
at some web site. :-)
> Please tell more about your script (MUCH more!) And thanks.
You can snatch a copy of ckip.pl at
http://double_null_bucket.home.comcast.net/ I munged it up to run on
windows for friends, so you will have to change the first line to
suit your system.
> I noticed the yahoo.com anomaly myself, but didn't know how to react. It
> all came back into line after a while. Was this due to DNS poisoning, do
> you think? Was there harm done? What is your view, please?
I was guessing they were in the midst of server shuffle because it has
been solid since, with the new/current values. I had seen other bank
login server ip move in and out depending on time of day.
I guessed a server ip toggled when the login load was high.
When my browser would not launch I would keep running the script to
see what was going on and was doing reverse lookups to see if they
were matching. I still waited until the value settled down before
logging into the site.
> What, please, are the underlying poison-unpoison mechanisms that need to
> be corrected to get out of all this? Asking from a single user's
> background.
Not much us end users can do about it. Hopefully ipv6 will keep this
from happening in the future.
> And is there any expectation in your view that a blocklist, already
> established or new, could be useful in preventing requests to mal-sites?
You have seen my zero day view on lists. You load a bunch of ip
addresses into your iptables and it is going to get dead dog slow.
I hate ad and ad tracking sites. My solution to that is to add them
to my /etc/hosts file to block them. Very small snippet follows:
127.0.0.2 aboutwebservices.com
127.0.0.2 abroadsoftware.com
127.0.0.2 absoluagency.com
127.0.0.2 acc.adintelligence.net
Host file additions will not require an iptables or network reboot to
take effect.
You need to think about your automagic system change very carefully.
The yahoo.com is a good example.
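The forward/reverse lookup comparison and "wait until the value settles" routine described in the message, as an added example in Python; this is not Bit Twister's ckip.pl, and the zone-matching heuristic, the function names and the sample bank/PTR names are constructed for illustration.

```python
import socket
from typing import Callable, Dict, List, Sequence

# Added example, not the ckip.pl script from the post. Resolver functions are
# injectable, so the same check runs against the system resolver (defaults)
# or against the constructed sample answers at the bottom.

def _sys_forward(host: str) -> List[str]:
    return socket.gethostbyname_ex(host)[2]      # all A records

def _sys_reverse(ip: str) -> str:
    return socket.gethostbyaddr(ip)[0]           # PTR name

def same_zone(name: str, host: str) -> bool:
    """Heuristic assumed here: the PTR name shares the host's last two labels."""
    tail = ".".join(host.lower().rstrip(".").split(".")[-2:])
    n = name.lower().rstrip(".")
    return n == tail or n.endswith("." + tail)

def check_host(host: str, forward: Callable[[str], List[str]] = _sys_forward,
               reverse: Callable[[str], str] = _sys_reverse) -> Dict[str, bool]:
    """Resolve host, reverse-resolve each answer, flag PTRs outside the zone."""
    verdict: Dict[str, bool] = {}
    for ip in forward(host):
        try:
            verdict[ip] = same_zone(reverse(ip), host)
        except OSError:                          # no PTR or lookup failure
            verdict[ip] = False
    return verdict

def settled(samples: Sequence[Sequence[str]], rounds: int = 3) -> bool:
    """True when the last `rounds` answer sets are identical (address stopped moving)."""
    if len(samples) < rounds:
        return False
    recent = [frozenset(s) for s in samples[-rounds:]]
    return all(s == recent[0] for s in recent)

# Constructed sample answers: one address that reverses into the bank's
# zone and one that reverses to an unrelated name, as a bogus answer might.
SAMPLE_FORWARD = {"login.example-bank.test": ["192.0.2.10", "198.51.100.7"]}
SAMPLE_REVERSE = {"192.0.2.10": "web1.example-bank.test",
                  "198.51.100.7": "host7.unrelated.invalid"}

def sample_check() -> Dict[str, bool]:
    return check_host("login.example-bank.test",
                      forward=SAMPLE_FORWARD.__getitem__,
                      reverse=SAMPLE_REVERSE.__getitem__)
```

Calling `check_host("login.example-bank.test")` with no resolver arguments runs the same check through the system resolver; a False entry marks an address whose reverse name does not point back into the expected zone.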