Undetectable DoS attack with an invalid IP [closed] - security

Closed. This question is off-topic. It is not currently accepting answers.
Want to improve this question? Update the question so it's on-topic for Stack Overflow.
Closed 11 years ago.
Improve this question
in Security+ book, it has been told that DoS attack can be undetectable and an attacker can use an invalid IP address.
what did it mean by Invalid IP address? is it a zombie IP? how can we face with that?

It means spoofing. Spoofing means sending a packet with a source IP that doesn't belong to you.
It's simple, really. The attacker sends a constant stream of packets to the victim and populates ip.src with 127.0.0.1 or 74.125.39.105 or something like that. It does this to hide his identity. If he didn't, you could go to his ISP "Hey, this guy is DoS'ing me! Shut him down".
You must understand that when a packet leaves a host there are not magic rules that ensure it's correct. Most serious operating systems that support IP allow you to send whatever you want in an IP packet.

The attacker can send a packet to the target and spoof the sender IP address. This means he can use any IP address he wants. So the IP address is not really invalid, only there may not be a host connected to the IP address.

Related

How does the browser reach an IP address? [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about programming within the scope defined in the help center.
Closed last year.
This post was edited and submitted for review last year and failed to reopen the post:
Original close reason(s) were not resolved
Improve this question
When I type a domain URL in the browser (or send a ping or write code that fetches a particular IP) the browser gets the associated IP address based on DNS lookup in a distributed database system - the DNS name servers.
But once the IP is obtained - how does the browser know how to go to the particular computer that this IP represents?
import urllib.request
nf = urllib.request.urlopen("http://192.168.1.2")
The operating system will compare the target IP address with its own IP address. If both addresses are part of the same network, the OS will issue an ARP request to obtain the physical address (the MAC) of the target interface.
If both IP addresses are not part of the same network, the OS will forward the traffic to the gateway responsible for the subnet that is addressed. If it has no such a route, the OS will forward the traffic to the default gateway.
From there the game starts anew.

Why do some public hosts resolve to 127.0.0.1? [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 1 year ago.
Improve this question
I was to check this URL:
http://geotool.servehttp.com
Is this some sort of suspicious behavior? I can't understand.
My local hosts file (I am using Windows 7 - 64 bit) shows nothing about this domain.
I also made an online whois query on it and there I found 127.0.0.1 as its IP address!!!
What's the magic behind this?
Edited
When I point to this URL, using my browser, the localhost (WAMP server) homepage loads.
Whoever configured the DNS records for geotool.servehttp.com pointed that subdomain name to 127.0.0.1.
It is not usual to point a public hostname to a private IP address, but it is possible.
Here are the results from dig +trace geotool.servehttp.com A:
geotool.servehttp.com. 60 IN A 127.0.0.1
servehttp.com. 86400 IN NS nf3.no-ip.com.
servehttp.com. 86400 IN NS nf4.no-ip.com.
servehttp.com. 86400 IN NS nf2.no-ip.com.
servehttp.com. 86400 IN NS nf5.no-ip.com.
servehttp.com. 86400 IN NS nf1.no-ip.com.
;; Received 151 bytes from 83.222.240.75#53(83.222.240.75) in 153 ms
Four Years ago, I asked this question and now, I am posting an answer to it for any further reference.
DNS Information
TXT Record:
AUTHORITY
servehttp.com. IN SOA nf1.no-ip.com. hostmaster.no-ip.com.
This text record tells us that the domain geotool.servehttp.com probably belongs to no-ip.com.
Visiting internet website for http://no-ip.com (which currently redirects to https://noip.com), a simple slogan tells us everything:
Create an easy to remember hostname and never lose your connection again.
Our Dynamic DNS solution makes it easy to remote access any internet connected device.
That is, a Dynamic DNS service. It helps you reach your local hosted application or network through internet by assigning a dns name to your dynamic always changing ip address.
That's it.
The question asks 'why', so I would like to share my reason.
I wrote a proxy software called vproxy, so I bought domain vproxy.cc.
In the software it runs dns health check periodically to see if the dns server is still available (otherwise it will stop sending dns requests to that server).
The health check is enabled by default, so I have to choose a domain which simply does nothing but returning a constant A record (ipv4 address).
So here comes 127.0.0.1.special.vproxy.cc, which resolves to 127.0.0.1. The domain and address are hardcoded into the software as the default dns health check settings.
Using 127.0.0.1 is simply because it's a loopback address and if someone accidently send traffic to this domain/address, he/she would be sending to local and would not cause any trouble for other people.
And the reason I'm not choosing other 127.x.y.z ips is because they are not so well known as 127.0.0.1 do. Most people don't know that 127/8 are all loopback addresses, but people do know 127.0.0.1.
And for geotool.servehttp.com, maybe the maintainer simply want the same thing as I do? Just some const address which is choosen to be 127.0.0.1.

Connection Timeout on aws when Telnet on Port 25 [closed]

Closed. This question is off-topic. It is not currently accepting answers.
Want to improve this question? Update the question so it's on-topic for Stack Overflow.
Closed 9 years ago.
Improve this question
Thanks you for your time.
I have just set up a Postfix mail server which is running as MTA in one of my aws instances. I can successfully connect to the localhost through 'telnet localhost 25', and I can send emails to both external and internal email accounts when connected on localhost, however whenever I try to connect through 'telnet zwitch.it 25' or 'telnet mail.zwitch.it 25' I get a connection timeout.
I have set up all my records, including the MX record and the SPF record with the values "v=spf1 include:amazonses.com include:zwitch.it -all" and "spf2.0/pra include:amazonses.com include:zwitch.it ~all".
I really cannot find what is the problem here, if there is a firewall, or if the port is blocked, or maybe something is wrong with my postfix configuration... I would really appreciate if you could help me.
To set up my postfix mail server I followed the instructions at http://flurdy.com/docs/postfix/ where it mentions the installation of a simple postfix server.
I thank you in advance for the help.
EDIT:
Thanks to the answer below the problem was fixed. I only had to go on my aws security groups and add SMTP to the list!
It's one of three things:
1.) You need to edit your security group in AWS to allow port 25 from all external IP addresses.
2.) Your DNS entries for mail.zwitch.it do not point to the external IP address of the AWS instance.
3.) You don't have a static IP (elastic) address configured for the instance.

linux route specific machine traffic throw specific output interface [closed]

Closed. This question is off-topic. It is not currently accepting answers.
Want to improve this question? Update the question so it's on-topic for Stack Overflow.
Closed 10 years ago.
Improve this question
I have a linux machine Iam using as a router with multible interfaces and multible internet connection
say eth0--isp1
eth1--isp2
eth2--isp3
the gateway is eth0 throw isp1
and eth3--local1 10.0.0.x
eth4--local2 192.168.1.x
i need local1 ip 192.168.1.10 to go throw isp3, eth2
thanks
You need to use policy routing for this. You create a new routing table and use it when the source IP is 192.168.1.10.
ip route add ... table $TABLENUM # your usual routes, for the new table
...
ip route add default via $ISP3 table $TABLENUM # gateway for the new table
ip rule add from 192.168.1.10/32 lookup $TABLENUM # use the new table for this IP
ip rule add to 192.168.1.10/32 lookup $TABLENUM # make it symmetric, for clarity
Try route add 192.168.1.0 netmask 255.255.255.0 dev eth4--local, on the assumption these are locally-connected networks. If not, you will need to specify a gateway machine to route the packets through also. Truthfully your question is malformed (and probably belongs on serverfault). If you already have addresses on those networks, these routes should already exist. If you do not, your problem is likely more complicated than you think it is.

ARP Spoofing/DNS Spoofing - difference [closed]

Closed. This question is off-topic. It is not currently accepting answers.
Want to improve this question? Update the question so it's on-topic for Stack Overflow.
Closed 11 years ago.
Improve this question
Is there a difference between ARP Spoofing and DNS Spoofing, or they are one and the same thing?
ARP (Address Resolution Protocol) Spoofing is when an attacker sends out fake replies to an ARP Request. This is done usually to impersonate a router so that an attacker can intercept traffic.
DNS (Domain Name Service) Spoofing is when an attacker replies to DNS Requests (sent to resolve the IP address of a hostname) with false IP information. This is typically used to redirect users to false websites.
ARP spoofing is when the attacker is sending out ARP messages from a non-authoritative DHCP server in order to change the IP/Gateway, or in that case the DNS servers of the victim.
Once the DNS server of the victim has been changed then the attacker can start the DNS-spoofing attack, which means that the victim's DNS requests are now redirected to a non-authoritative DNS server which may lie about the IP address of a bank.
By doing so the attack can get the victim to surf to http://www.yourbank.com, using a valid SSL-cert from the bank, but the IP of the server will be another one. That way the attacker can get access to your bank information and pretty much empty your account. WEB browsers will not complaint about wrong URL in the SSL-certificate.
Basically both methods try the same (redirecting or forwarding traffic to malicious hosts), but they work at a different level, ARP spoofing only within a LAN up to the next router. See http://en.wikipedia.org/wiki/ARP_spoofing and http://en.wikipedia.org/wiki/DNS_Spoofing

Resources