Constantly Under attack, inquiring discovered huge URSS dns poison

Well, it turned out that the reason for the unusual, considerable amount of traffic on one of my IP addresses was a mobile application, "Classmates", produced and distributed for free by mail.ru.

what?

In this and this article I described the unusual 404 traffic I started receiving right after adding a new IP address to my server. I went through the log files and got information on both the referer and the requested files, and I discovered that the referer was always some subdomain of mail.ru.

Then I picked some of the destination URLs and started searching; at this point (I can't recall precisely how I did it) I discovered it was a mobile app called "Classmates" that was trying to get data from my server the usual way mobile apps do: web services + XML. These requests were, suspiciously, made without using a specific hostname, just the IP address.
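The two signals described above (which referer the 404s carry, and whether the client addressed the server by a bare IP instead of a hostname) are easy to pull out of the access log automatically. The script below is an added example, not code from the original post: it assumes an Apache LogFormat equal to the combined format with the client's Host header appended as a last quoted field, and it runs over a few constructed log lines (TEST-NET addresses and `.example` hostnames, not the real traffic the post describes).

```python
import re
import ipaddress
from collections import Counter
from urllib.parse import urlparse

# Assumed LogFormat (not from the original post):
#   "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{Host}i\""
# i.e. Apache "combined" with the request's Host header appended as a last field.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)" "(?P<host>[^"]*)"$'
)

# Constructed sample lines: three 404s from a mobile client that addresses the
# server by IP literal, plus ordinary browser traffic to the real hostname.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2012:13:55:36 +0200] "GET /api/getProfile.xml?id=1 HTTP/1.1" 404 209 "http://m.social-app.example/start" "Dalvik/1.6.0 (Linux; U; Android 4.0.4)" "198.51.100.7"
203.0.113.11 - - [10/Oct/2012:13:55:37 +0200] "POST /api/sendMessage HTTP/1.1" 404 209 "http://m.social-app.example/chat" "Dalvik/1.6.0 (Linux; U; Android 2.3.6)" "198.51.100.7"
203.0.113.12 - - [10/Oct/2012:13:55:39 +0200] "GET /api/getProfile.xml?id=2 HTTP/1.1" 404 209 "http://m.social-app.example/start" "Dalvik/1.6.0 (Linux; U; Android 4.0.4)" "198.51.100.7:80"
203.0.113.13 - - [10/Oct/2012:13:56:01 +0200] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0" "www.myblog.example"
203.0.113.14 - - [10/Oct/2012:13:56:05 +0200] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0" "www.myblog.example"
"""


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_bare_ip(host):
    """True when the Host header is an IP literal (optionally with :port), not a name."""
    h = host.strip()
    if h.startswith("["):                     # [IPv6]:port form
        h = h[1:h.find("]")]
    elif h.count(":") == 1:                   # IPv4:port form
        h = h.rsplit(":", 1)[0]
    try:
        ipaddress.ip_address(h)
        return True
    except ValueError:
        return False


def referer_host(referer):
    """Hostname part of the Referer header, or a label when it is absent."""
    if referer in ("", "-"):
        return "(none)"
    return urlparse(referer).hostname or "(unparseable)"


def summarize_404s(lines):
    """Aggregate 404 responses by referer host and requested path, and count
    how many of them were addressed to the server by bare IP."""
    total = not_found = ip_host_404 = 0
    by_referer, by_path = Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        total += 1
        if rec["status"] != 404:
            continue
        not_found += 1
        by_referer[referer_host(rec["referer"])] += 1
        by_path[rec["path"].split("?", 1)[0]] += 1   # drop the query string
        if is_bare_ip(rec["host"]):
            ip_host_404 += 1
    return {
        "total": total,
        "not_found": not_found,
        "ip_host_404": ip_host_404,
        "by_referer": by_referer,
        "by_path": by_path,
    }


if __name__ == "__main__":
    report = summarize_404s(SAMPLE_LOG.splitlines())
    print(f"{report['not_found']} of {report['total']} requests were 404s; "
          f"{report['ip_host_404']} of those used a bare IP as Host")
    print("404s by referer host:", report["by_referer"].most_common())
    print("404s by path:", report["by_path"].most_common())
```

On a real server you would feed it `open("/var/log/apache2/access.log")` instead of the sample text. A high share of 404s whose Host header is an IP literal, all carrying the same third-party referer host and hitting API-looking paths you never served, is exactly the pattern the post describes: a client population that resolved some other name to your address.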

Unusual, isn't it?

Why would developers hardcode the web service server's IP address, and why would they use an IP address for this in place of an easy-to-manage hostname?

The answer is the simplest: they didn't.

So what?

Obvious: since the traffic was big but not huge, I think that just one or a few Russian DNS servers have been attacked and poisoned. Now, why my IP? I think it's a typo made by the attacker, as I gathered information about this very IP address from my provider and they told me that the address has belonged to them for a considerable (in these terms) long time. That's why the only possibility is a DNS poisoning still going on while I'm writing. Still going on because I already sent a couple of emails to them, but I think they didn't even take them into consideration 🙂 … the Russian antispam maybe doesn't want gmail… 😀 Anyway, I solved it on my side with my provider, who promptly changed my address to another one.

I hope this will be ok…

Ciao! 


Author: Giuseppe Urso

Giuseppe lives in Haarlem now with his shiny dog, Filippa. In 1982 he received his first home computer, a Commodore 64, followed by a Datasette and a 1541 Floppy Disk Drive. In 1999 he installed his first Linux distro (LRH6). In 2006 he switched to Debian as his favourite OS. Giuseppe Urso actively supports the Free Software Foundation and its founder Richard Matthew Stallman; he speaks to people trying to convince them to join the fight now, and about how important it is to use Free Software only. He has a job as Infra Specialist at Hippo Enterprise Java CMS, an Open Source enterprise-class Content Management System and one of the coolest companies ever, in Amsterdam. He's always ready to install Debian on other people's computers for free.
