
how-to block ads

Mele20 Premium join:2001-06-05 Hilo, HI
DNS Man in the Middle?
I just ran ICSI Netalyzer. »netalyzr.icsi.berkeley.edu/faq.html
I first did it on a virtual machine using Level 3's public DNS server. The results had minor abnormalities, but nothing other than my computer clock being off by 50 seconds was at all serious. I then ran it on my host XP Pro machine where I use my ISP's DNS servers. I had already seen one very strange error tonight when doing an nslookup for Avira's update servers, and an error was returned that nslookup could not find any Avira servers. So this Netalyzer test gave me these results:
Noteworthy Events Major Abnormalities
We received unexpected and possibly dangerous results when looking up important names:
DNS lookups of popular domains: Warning
Man in the middle attack??? And giving my ISP's address as BOTH the IP address and the reverse lookup name for f-secure.com, irs.gov, trendmicro and visa? This is weird.
-- "The same ferocity that our founders devoted to protect the freedom and independence of the press is now appropriate for our defense of the freedom of the internet. The stakes are the same: the survival of our Republic". Al Gore, The Assault on Reason

dnsfan @akamai.com
Take googleadservices.com out of the hosts file and let DNS work as it should.

VikingBob join:2004-06-05 Ste Anne, MB
·MTS
reply to Mele20
Note the phrase, "Content Delivery Network."
»en.wikipedia.org/wiki/Content_de···_network
Depending on your location, content from various sites is hosted at a mirror. Many AV vendors do this, as you can see from the results in your test there. The reasons why are in the Wikipedia article.
Snippet: Request routing directs client requests to the content source best able to serve the request. This may involve directing a client request to the service node that is closest to the client, or to the one with the most capacity. A variety of algorithms are used to route the request. These include Global Server Load Balancing, DNS-based request routing, Dynamic metafile generation, HTML rewriting[3], and anycasting[4]. Proximity (choosing the closest service node) is estimated using a variety of techniques including reactive probing, proactive probing, and connection monitoring.
CDNs use a variety of methods of content delivery including, but not limited to, manual asset copying, active web caches, and global hardware load balancers.

Mele20 Premium join:2001-06-05 Hilo, HI
reply to dnsfan
I don't have partner.googleadservices.com in my Hosts file on any computer. This does not happen on the computer using Level 3 DNS servers. There is something wrong with my ISP's DNS servers.

nwrickert sand groper Premium,MVM join:2004-09-04 Geneva, IL
·AT&T U-Verse
·AT&T Midwest
While it may warrant some additional checks, there may not actually be any problem with your ISP's DNS.
I looked up some of the supposedly problematic names here. And they mapped to akamai sites when using my own caching DNS server, and to different akamai sites when using my ISP's server.
It's possible that your ISP is providing IPs on its own network for some of this data mirroring, and happens to have the rDNS for those IPs pointing to its own names. You might want to try manual lookups with NSLOOKUP to see if that gives more information.
The 127.0.0.1 results seem troubling, as that would block access to those sites.
When I ran netalyzer on linux, it skipped those lookups of popular domains - I'm not sure why.
-- AT&T dsl; Speedstream 5100b modem; Zyxel NBG334W router; openSuSE 11.0; firefox 3.0.11

Name Game Premium join:2002-07-07 North Myrtle Beach, SC
1 edit
reply to Mele20
It all reminds me of... I would not worry about it.
A Remote Vulnerability in Firefox Extensions
Executive Summary
A vulnerability exists in the upgrade mechanism used by a number of high profile Firefox extensions. These include Google Toolbar, Google Browser Sync, Yahoo Toolbar, Del.icio.us Extension, Facebook Toolbar, AOL Toolbar, Ask.com Toolbar, LinkedIn Browser Toolbar, Netcraft Anti-Phishing Toolbar, PhishTank SiteChecker and a number of others, mainly commercial extensions.
Users of the Google Pack suite of software are most likely vulnerable, as this includes the Google Toolbar for Firefox.
Description Of Vulnerability
The Firefox web browser includes the ability for third parties to release code, known as extensions, that will run within the user's browser. Firefox also includes an upgrade mechanism, enabling the extensions to poll an Internet server, looking for updates. If an update is available, the extension will typically ask the user if they wish to upgrade, and then will download and install the new code.
An exploitable vulnerability exists in the upgrade mechanism used by Firefox. The only real way to secure the upgrade path is for those websites hosting extensions and their updates to use SSL technology. The Mozilla team have provided a free hosting service for open source extensions, which is secure out of the box, by having the code served from »https://addons.mozilla.org
For the most part, any extension which gets updates from a website that looks like »www.example.com is insecure, while an extension that gets its updates from a website that looks like »https://www.other-example.com is secure.
The vulnerability is made possible through the use of a man in the middle attack, a fairly old computer security technique. Essentially, an attacker must somehow convince your machine that he is really the update server for one or more of your extensions, and then the Firefox browser will download and install the malicious update without alerting the user to the fact that anything is wrong. While Firefox does at least prompt the user when updates are available, some commercial extensions (including those made by Google) have disabled this, and thus silently update their extensions without giving the user any say in the matter.
A DNS based man in the middle attack will not work against a SSL enabled webserver. This is because SSL certificates certify an association between a specific domain name and an ip address. An attempted man in the middle attack against a SSL enabled Firefox update server will result in the browser rejecting the connection to the masquerading update server, as the ip address in the SSL certificate, and the ip address returned by the DNS server will not match.
»paranoia.dubfire.net/2007/05/rem···fox.html
-- Gladiator Security Forum »www.gladiator-antivirus.com/
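One check a user can make for the update path the quoted article describes: read an extension's install.rdf and see whether the em:updateURL it declares is served over https. This is an added example, not code from the article, the forum or Mozilla; the manifests are constructed with a placeholder id and .invalid hostnames, and the updateKey branch refers to the signed update manifests that Firefox 3 and later accept for non-https update URLs.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

EM = "{http://www.mozilla.org/2004/em-rdf#}"   # install.rdf's em: namespace

def manifest(update_url=None, update_key=False):
    """Build a minimal install.rdf (constructed sample: placeholder id and key)."""
    extra = ""
    if update_url:
        extra += "<em:updateURL>%s</em:updateURL>" % update_url
    if update_key:
        extra += "<em:updateKey>PLACEHOLDER-PUBLIC-KEY</em:updateKey>"
    return ('<?xml version="1.0"?>'
            '<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
            'xmlns:em="http://www.mozilla.org/2004/em-rdf#">'
            '<Description about="urn:mozilla:install-manifest">'
            '<em:id>sample-toolbar@example.invalid</em:id>'
            '<em:version>1.0</em:version>' + extra + '</Description></RDF>')

def classify(rdf_text):
    """Label the update path one install.rdf declares."""
    root = ET.fromstring(rdf_text)
    node = root.find(".//" + EM + "updateURL")
    url = (node.text or "").strip() if node is not None else ""
    if not url:
        return "default"     # no updateURL: updates come from addons.mozilla.org over https
    if urlparse(url).scheme.lower() == "https":
        return "secure"      # the https://www.other-example.com case in the article
    if root.find(".//" + EM + "updateKey") is not None:
        return "signed"      # http transport, but a signed update manifest (Firefox 3+)
    return "insecure"        # the plain www.example.com case the article warns about

if __name__ == "__main__":
    for url in (None, "http://www.example.invalid/update.rdf",
                "https://www.other-example.invalid/update.rdf"):
        print(url, "->", classify(manifest(url)))
```

To audit a real profile, point classify() at each extensions/<id>/install.rdf instead of the constructed manifests.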
Name Game Premium join:2002-07-07 North Myrtle Beach, SC
reply to Mele20
BTW you are not alone with some of the same results from other members running the "TEST"
Try these Broadband and Network Speed Tests! »mybroadband.co.za/vb/showthread.···=2881532
DNS lookups of popular domains: Warning
3 popular names have a significant anomaly. The ownership suggested by the reverse name lookup does not match our understanding of the original name. This could be caused by an error somewhere in the domain information, or it could be that your ISP's DNS Server is acting as a DNS "Man-in-the-Middle".

Name                           IP Address   Reverse Name/SOA
ad.doubleclick.net             127.0.0.1    SOA: A.ROOT-SERVERS.NET
pagead.googlesyndication.com   127.0.0.1    SOA: A.ROOT-SERVERS.NET
partner.googleadservices.com   127.0.0.1    SOA: A.ROOT-SERVERS.NET

73 of 74 popular names were resolved successfully. The most likely cause for failed forward lookups is a transient network issue. In the following table reverse lookups that failed but for which a Start Of Authority (SOA) entry indicated correct name associations are shown using an "X", followed by the SOA entry. Absence of both IP address and reverse name indicates failed forward lookups.
»Introducing the ICSI Netalyzr
Posted by Netfixer: DNS lookups of popular domains: Warning
1 popular name has a significant anomaly. The ownership suggested by the reverse name lookup does not match our understanding of the original name. This could be caused by an error somewhere in the domain information, or it could be that your ISP's DNS Server is acting as a DNS "Man-in-the-Middle".
We attempted to download HTTP content from the IP addresses that your ISP's DNS server returned to you for these names. Where the download succeeded, you can click on the IP address in the table below to download a compressed file containing an HTTP session transcript.
Note! The session content is potentially harmful to your computer when viewed in a browser, so use caution when examining it.

Name                           IP Address   Reverse Name/SOA
pagead.googlesyndication.com   0.0.0.0      SOA: A.ROOT-SERVERS.NET
Could at least some of the funding have come from Google? I mean who (other than Google) really considers that hosts file redirection for pagead.googlesyndication.com is "potentially harmful"?
posted by SSidlov:
DNS resolver port randomization: OK Your ISP's DNS resolver properly randomizes its local port number. The following graph shows DNS requests on the x-axis and the detected source ports on the y-axis.
[port sequence plot]
DNS lookups of popular domains: Warning
You appear to be using OpenDNS as your DNS resolver. One known issue with OpenDNS is that, by default, OpenDNS acts as a Man-in-the-Middle for some servers, returning the address of one of their servers that acts as an intermediary, rather than the final result. This can both slow down searches and may break other functionality. As a result, 1 lookup appears to be anomalous.

Name              IP Address       Reverse Name/SOA
www.google.com    208.67.217.231   google.navigation.opendns.com

74 of 74 popular names were resolved successfully. In the following table reverse lookups that failed but for which a Start Of Authority (SOA) entry indicated correct name associations are shown using an "X", followed by the SOA entry. Absence of both IP address and reverse name indicates failed forward lookups.
-- Gladiator Security Forum »www.gladiator-antivirus.com/
TheWiseGuy Dog And Butterfly Premium,MVM join:2002-07-04 Yonkers, NY
reply to nwrickert
said by nwrickert: I looked up some of the supposedly problematic names here. And they mapped to akamai sites when using my own caching DNS server, and to different akamai sites when using my ISP's server.
Yep, using IDserve the 24.25.230.10 IP shows up as an AkamaiGHost server. And
_________________________________
nslookup www.trendmicro.com
Non-authoritative answer:
Name:    a151.d.akamai.net
Addresses:  72.246.19.73
            72.246.19.82
Aliases:  www.trendmicro.com
          trendmicro.georedirector.akadns.net
          trendmicro.com.edgesuite.net
__________________________________
So trendmicro uses a georedirector and, as VikingBob posted and you stated, it appears to be a "Content Delivery Network", as Netalyzer conjectures.
-- Warning, If you post nonsense and use misinformation and are here to argue based on those methods, you will be put on ignore.
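As an added illustration, not part of any post in this thread, here is the triage the discussion converges on: compare the owner of the forward name with the owner of the reverse name, as Netalyzr does, but treat 127.0.0.1 / 0.0.0.0 as a hosts-file block and a known CDN reverse name (the Akamai case in the nslookup above) as a mirror, leaving only the unexplained ownership mismatch (the OpenDNS intermediary quoted earlier) flagged. The lookup data is a constructed sample modelled on the results quoted in the thread; the www.example.com entry and the CDN suffix list are assumptions.

```python
import ipaddress

# Constructed sample of forward and reverse lookups, modelled on the Netalyzr
# output and the nslookup quoted in this thread; the last entry is made up.
FORWARD = {
    "ad.doubleclick.net": "127.0.0.1",
    "pagead.googlesyndication.com": "0.0.0.0",
    "www.google.com": "208.67.217.231",
    "www.trendmicro.com": "72.246.19.73",
    "www.example.com": "192.0.2.10",
}
REVERSE = {
    "208.67.217.231": "google.navigation.opendns.com",
    "72.246.19.73": "a151.d.akamai.net",
    "192.0.2.10": "www.example.com",
}
# Reverse-name suffixes of the CDN named in the thread (an assumption, not an
# exhaustive list). A CDN name lowers suspicion; it does not prove anything.
CDN_SUFFIXES = ("akamai.net", "akamaitechnologies.com", "edgesuite.net")

def owner(name):
    """Crude 'who owns this name' label: the last two DNS labels."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def classify(name, ip, reverse_name):
    """Label one forward/reverse pair the way a defender would triage it."""
    addr = ipaddress.ip_address(ip)
    if addr.is_loopback or addr.is_unspecified:
        # 127.0.0.1 / 0.0.0.0: a local hosts-file entry blocking the name,
        # not the resolver substituting one of its own servers.
        return "local-block"
    if reverse_name is None:
        return "no-reverse"      # nothing to compare; check the SOA by hand
    if owner(reverse_name) == owner(name):
        return "ok"
    if reverse_name.lower().endswith(CDN_SUFFIXES):
        return "cdn-mirror"      # content served from a CDN node
    # Reverse name owned by someone else and not a known CDN: the case
    # Netalyzr reports as a possible DNS "Man-in-the-Middle", e.g. OpenDNS
    # returning its own intermediary for www.google.com.
    return "anomaly"

def audit(forward=FORWARD, reverse=REVERSE):
    """Return {name: label} for every forward lookup in the sample."""
    return {n: classify(n, ip, reverse.get(ip)) for n, ip in forward.items()}

if __name__ == "__main__":
    for n, label in audit().items():
        print("%-30s %-16s %s" % (n, FORWARD[n], label))
```

Running the same names through a second resolver (as Mele20 did with Level 3) and diffing the labels is the quickest way to tell a resolver-side substitution from a local hosts-file entry.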