Closed. This question is off-topic. It is not currently accepting answers.
Want to improve this question? Update the question so it's on-topic for Stack Overflow.
Closed 11 years ago.
Improve this question
Is there a difference between ARP Spoofing and DNS Spoofing, or they are one and the same thing?
ARP (Address Resolution Protocol) Spoofing is when an attacker sends out fake replies to an ARP Request. This is done usually to impersonate a router so that an attacker can intercept traffic.
DNS (Domain Name Service) Spoofing is when an attacker replies to DNS Requests (sent to resolve the IP address of a hostname) with false IP information. This is typically used to redirect users to false websites.
ARP spoofing is when the attacker is sending out ARP messages from a non-authoritative DHCP server in order to change the IP/Gateway, or in that case the DNS servers of the victim.
Once the DNS server of the victim has been changed then the attacker can start the DNS-spoofing attack, which means that the victim's DNS requests are now redirected to a non-authoritative DNS server which may lie about the IP address of a bank.
By doing so the attack can get the victim to surf to http://www.yourbank.com, using a valid SSL-cert from the bank, but the IP of the server will be another one. That way the attacker can get access to your bank information and pretty much empty your account. WEB browsers will not complaint about wrong URL in the SSL-certificate.
Basically both methods try the same (redirecting or forwarding traffic to malicious hosts), but they work at a different level, ARP spoofing only within a LAN up to the next router. See http://en.wikipedia.org/wiki/ARP_spoofing and http://en.wikipedia.org/wiki/DNS_Spoofing
Related
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about programming within the scope defined in the help center.
Closed last year.
This post was edited and submitted for review last year and failed to reopen the post:
Original close reason(s) were not resolved
Improve this question
When I type a domain URL in the browser (or send a ping or write code that fetches a particular IP) the browser gets the associated IP address based on DNS lookup in a distributed database system - the DNS name servers.
But once the IP is obtained - how does the browser know how to go to the particular computer that this IP represents?
import urllib.request
nf = urllib.request.urlopen("http://192.168.1.2")
The operating system will compare the target IP address with its own IP address. If both addresses are part of the same network, the OS will issue an ARP request to obtain the physical address (the MAC) of the target interface.
If both IP addresses are not part of the same network, the OS will forward the traffic to the gateway responsible for the subnet that is addressed. If it has no such a route, the OS will forward the traffic to the default gateway.
From there the game starts anew.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 5 years ago.
Improve this question
I want to set up a reverse proxy in my home network. The idea is to route traffic to correct port number based on subdomain in the request URL.
Example: I'm setting two subdomain A records on my domain: nas.mydomain.tld and wiki.mydomain.tld. Both A records point to my dedicated IP address at home. I want a reverse proxy that routes:
nas.mydomain.tld => 192.168.2.2:5001
wiki.mydomain.tld => 192.168.2.2:8090
Can this be done in e.g. my ASUS RT-AC55U router, or can I route all traffic to my file server and have a reverse proxy there route the traffic to correct IP addresses and ports?
From what I found out, the problem lies in that the functionality I want (multiple types of content retrieved from the same IP and port) cannot be done without some kind of middle-man; a reverse proxy server that fetches the content based on the URL and relays it.
Asus router: My ASUS RT-AC55U router doesn't have a reverse proxy server, at least not with standard firmware. I haven't researched if some unofficial kind of firmware contains a reverse proxy server for doing this. So the only option is to use a NAT record to route port 80 to a specific port. The downside is that it only supports one web service on the IP address.
Web hotel: Creating a rewrite in a .htaccess file on the web hotel of a registrar, but it will only redirect and not rewrite/mask URL. Otherwise, the registrar would need a reverse-proxy server to fetch the content from the web services to relay it. I don't think my current registrar supports this, and I can understand if they don't want to do it from a security standpoint.
Apache reverse proxy server: Apache supports this using the mod_proxy module and an entry in the conf file. More info on it here: https://httpd.apache.org/docs/2.4/vhosts/examples.html#proxy
CCProxy: CCProxy is definitely the easiest solution that I've found so far. It's a simple GUI application where you can add URL's, host names/IP addresses and ports, and the application takes care of the rest. Also has a very nice graphical representation of usage/bandwidth, and a graphical log of ongoing sessions. More info here: http://www.youngzsoft.net/ccproxy/
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 1 year ago.
Improve this question
I was to check this URL:
http://geotool.servehttp.com
Is this some sort of suspicious behavior? I can't understand.
My local hosts file (I am using Windows 7 - 64 bit) shows nothing about this domain.
I also made an online whois query on it and there I found 127.0.0.1 as its IP address!!!
What's the magic behind this?
Edited
When I point to this URL, using my browser, the localhost (WAMP server) homepage loads.
Whoever configured the DNS records for geotool.servehttp.com pointed that subdomain name to 127.0.0.1.
It is not usual to point a public hostname to a private IP address, but it is possible.
Here are the results from dig +trace geotool.servehttp.com A:
geotool.servehttp.com. 60 IN A 127.0.0.1
servehttp.com. 86400 IN NS nf3.no-ip.com.
servehttp.com. 86400 IN NS nf4.no-ip.com.
servehttp.com. 86400 IN NS nf2.no-ip.com.
servehttp.com. 86400 IN NS nf5.no-ip.com.
servehttp.com. 86400 IN NS nf1.no-ip.com.
;; Received 151 bytes from 83.222.240.75#53(83.222.240.75) in 153 ms
Four Years ago, I asked this question and now, I am posting an answer to it for any further reference.
DNS Information
TXT Record:
AUTHORITY
servehttp.com. IN SOA nf1.no-ip.com. hostmaster.no-ip.com.
This text record tells us that the domain geotool.servehttp.com probably belongs to no-ip.com.
Visiting internet website for http://no-ip.com (which currently redirects to https://noip.com), a simple slogan tells us everything:
Create an easy to remember hostname and never lose your connection again.
Our Dynamic DNS solution makes it easy to remote access any internet connected device.
That is, a Dynamic DNS service. It helps you reach your local hosted application or network through internet by assigning a dns name to your dynamic always changing ip address.
That's it.
The question asks 'why', so I would like to share my reason.
I wrote a proxy software called vproxy, so I bought domain vproxy.cc.
In the software it runs dns health check periodically to see if the dns server is still available (otherwise it will stop sending dns requests to that server).
The health check is enabled by default, so I have to choose a domain which simply does nothing but returning a constant A record (ipv4 address).
So here comes 127.0.0.1.special.vproxy.cc, which resolves to 127.0.0.1. The domain and address are hardcoded into the software as the default dns health check settings.
Using 127.0.0.1 is simply because it's a loopback address and if someone accidently send traffic to this domain/address, he/she would be sending to local and would not cause any trouble for other people.
And the reason I'm not choosing other 127.x.y.z ips is because they are not so well known as 127.0.0.1 do. Most people don't know that 127/8 are all loopback addresses, but people do know 127.0.0.1.
And for geotool.servehttp.com, maybe the maintainer simply want the same thing as I do? Just some const address which is choosen to be 127.0.0.1.
Closed. This question is off-topic. It is not currently accepting answers.
Want to improve this question? Update the question so it's on-topic for Stack Overflow.
Closed 11 years ago.
Improve this question
in Security+ book, it has been told that DoS attack can be undetectable and an attacker can use an invalid IP address.
what did it mean by Invalid IP address? is it a zombie IP? how can we face with that?
It means spoofing. Spoofing means sending a packet with a source IP that doesn't belong to you.
It's simple, really. The attacker sends a constant stream of packets to the victim and populates ip.src with 127.0.0.1 or 74.125.39.105 or something like that. It does this to hide his identity. If he didn't, you could go to his ISP "Hey, this guy is DoS'ing me! Shut him down".
You must understand that when a packet leaves a host there are not magic rules that ensure it's correct. Most serious operating systems that support IP allow you to send whatever you want in an IP packet.
The attacker can send a packet to the target and spoof the sender IP address. This means he can use any IP address he wants. So the IP address is not really invalid, only there may not be a host connected to the IP address.
Closed. This question is off-topic. It is not currently accepting answers.
Want to improve this question? Update the question so it's on-topic for Stack Overflow.
Closed 9 years ago.
Improve this question
I currently need to have 2 subdomains under the same domain under SSL.
Both subdomains (www and affiliate) are on the same IIS server, under the same IP, and each one has specified a host header value (www.mydomain.com and affiliate.mydomain.com)
The first subdomain (www), which is the default, works great, with and without SSL.
The second subdomain works perfect under HTTP.
The problem is that I just purchased and installed the SSL certificate for the affiliate subdomain, and when you go to https://affiliate.mydomain.com, you get redirected to http://www.mydomain.com
I'm guessing the problem lies in the fact that I can't specify a host header value for SSL? (the dialog where I normally set the host header value doesn't have that option in the bottom part, dedicated to SSL).
What can I do about this?
Should I have each subdomain in a separate IP?
Is this not doable at all?
Thanks!
Daniel
"I'm guessing the problem lies in the
fact that I can't specify a host
header value for SSL"
You guessed right. You will need two IP addresses.
The problem is fundamental to the way HTTPS works.
Virtual hosting relies on the "Host" header introduced in HTTP/1.1. That's part of the HTTP protocol, but from the standpoint of the SSL protocol, the HTTP layer is "application data", and can't be transmitted until the SSL handshake has been completed.
However, the server certificate is presented during the handshake. The HTTP server hasn't seen the "Host" header yet, so it wouldn't know which certificate to send. Using a distinct IP address works, because that's visible at the IP layer below SSL.
Update: There's a new TLS extension that allows clients to indicate the server they intend to use during the handshake. See dlongley's answer for more information.
I am not sure what web server you are running, but in IIS 6 on windows server 2003, you can use host headers for SSL sites, thus allowing them to be on the same IP Address.
http:// www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/596b9108-b1a7-494d-885d-f8941b07554c.mspx?mfr=true
EDIT: This will only work if the certificate is a wildcard certificate. Otherwise, subdomain "affiliate" will try to use the same certificate as subdomain "www", and visitors will get a warning.
This probably won't help you, but hopefully it's informative.
There's an extension to the TLS protocol that some TLS clients use called Server Name Indication (SNI). This extension allows TLS clients to specify the hostname of the server they are trying to contact. So when the client connects and sends a ClientHello message within the TLS protocol, the server can decide which certificate to respond with. This makes virtual SSL/TLS servers possible on a single IP.
OpenSSL provides callback functions to allow you to read what hostname the client sent and handle fetching the appropriate certificate, but unfortunately I have no idea if this is possible with IIS.
In the particular situation you are where you need 2 subdomains of the same domain a WildCard certificate has to work... I use a wildcard cert since 3 years for dozens of sites, and no customer has reported errors
If you have something telling the cert is for "www", then your cert is not a true wildcard cert, or you are experiencing some kind of browser caching issues or you are using 2 copies of the cert and you updatet only one of them, or you forgot restarting the server, or .. I donno :)