[SLUG] Verisign Annoyance?

From: Paul M Foster (paulf@quillandmouse.com)
Date: Thu Sep 25 2003 - 22:52:00 EDT


I've been casually reading about this hijacking that Verisign's been
doing on the DNS front (redirecting to their SiteFinder site). I decided
to see if I could do something about blocking this at my network. So I
inserted a rule in my iptables to block incoming traffic from their
sitefinder IP address. In other words, if you misspelled a domain name
(what they're counting on), you'd get a packet burst back from their
sitefinder IP, which would get dropped at the firewall.

At the browser, this produces an almost immediate timeout. I started
looking at the log entries (I had a log target before this). I noticed
that I was getting several ACK/SYN packets back from them that were
getting dropped. This got me to thinking. I don't know much about TCP/IP
session negotiation, but as I recall, when you attempt to start a TCP
session, you send a syn packet with a sequence number, and then there's
a syn/ack response with their sequence number. Something like that.

So what happens if you start a session with Verisign's sitefinder
(because of a misspelled web address) and they send a response that
drops at the firewall? Seems like I've heard this is the basis for some
DOS attacks. The server holds the connection open, waiting for a
response, which ties up its TCP/IP stack, right?

Is this the way this would work? I'm not advocating DOS attacks against
Verisign, but if this tactic innocently produces a similar effect, I
wouldn't be disappointed.

Paul

P.S. The IP for sitefinder (until they change it) is: 64.94.110.11.
-----------------------------------------------------------------------
This list is provided as an unmoderated internet service by Networked
Knowledge Systems (NKS). Views and opinions expressed in messages
posted are those of the author and do not necessarily reflect the
official policy or position of NKS or any of its employees.
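
Added example, not part of the original post: a Python sketch that tallies, per local connection attempt, the dropped SYN/ACK packets the post describes seeing in the firewall log. The log lines are constructed in the kernel's iptables LOG format; the `SF-DROP: ` prefix, the hostname `gw`, the local address, the second remote address and all ports are assumptions.

```python
import re
from collections import defaultdict

SITEFINDER_IP = "64.94.110.11"  # address given in the post's P.S.

# Constructed sample input (not real traffic), one dropped packet per line.
SAMPLE_LOG = """\
Sep 25 22:39:58 gw kernel: eth0: link up
Sep 25 22:40:01 gw kernel: SF-DROP: IN=eth0 OUT= SRC=64.94.110.11 DST=192.0.2.10 LEN=44 TTL=52 ID=0 DF PROTO=TCP SPT=80 DPT=32810 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Sep 25 22:40:04 gw kernel: SF-DROP: IN=eth0 OUT= SRC=64.94.110.11 DST=192.0.2.10 LEN=44 TTL=52 ID=0 DF PROTO=TCP SPT=80 DPT=32810 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Sep 25 22:40:05 gw kernel: SF-DROP: IN=eth0 OUT= SRC=64.94.110.11 DST=192.0.2.10 LEN=44 TTL=52 ID=0 DF PROTO=TCP SPT=80 DPT=32811 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Sep 25 22:40:07 gw kernel: SF-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TTL=48 ID=4411 DF PROTO=TCP SPT=40112 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 25 22:40:10 gw kernel: SF-DROP: IN=eth0 OUT= SRC=64.94.110.11 DST=192.0.2.10 LEN=44 TTL=52 ID=0 DF PROTO=TCP SPT=80 DPT=32810 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Sep 25 22:40:11 gw kernel: SF-DROP: IN=eth0 OUT= SRC=64.94.110.11 DST=192.0.2.10 LEN=44 TTL=52 ID=0 DF PROTO=TCP SPT=80 DPT=32811 WINDOW=5840 RES=0x00 ACK SYN URGP=0
"""

FIELD = re.compile(r"\b([A-Z]+)=(\S*)")               # KEY=value pairs
FLAGS = re.compile(r"RES=\S+ ((?:[A-Z]+ )+)URGP=")    # TCP flags sit between RES= and URGP=


def parse_line(line):
    """Return the packet fields of one LOG line, or None if it is not one."""
    fields = dict(FIELD.findall(line))
    flags = FLAGS.search(line)
    if "SRC" not in fields or flags is None:
        return None
    fields["FLAGS"] = frozenset(flags.group(1).split())
    return fields


def dropped_synacks(log_text, src_ip=SITEFINDER_IP):
    """Count dropped SYN/ACKs from src_ip, keyed by (local address, local port)."""
    flows = defaultdict(int)
    for line in log_text.splitlines():
        pkt = parse_line(line)
        if pkt is None or pkt["SRC"] != src_ip or pkt.get("PROTO") != "TCP":
            continue
        if pkt["FLAGS"] == {"ACK", "SYN"}:  # exactly SYN+ACK: the handshake's second step
            flows[(pkt["DST"], int(pkt["DPT"]))] += 1
    return dict(flows)


if __name__ == "__main__":
    for (dst, port), count in sorted(dropped_synacks(SAMPLE_LOG).items()):
        print(f"{dst}:{port} dropped SYN/ACKs: {count}")
```

Repeat SYN/ACKs for the same local port belong to a single connection attempt whose handshake never completed, since the local host never saw a reply to acknowledge.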


