Re: [cobalt-users] Crashed my ISP's DNS servers Ops (Please help)
- Subject: Re: [cobalt-users] Crashed my ISP's DNS servers Ops (Please help)
- From: "E.B. Dreger" <eddy+public+spam@xxxxxxxxxxxxxxxxx>
- Date: Sat Jan 26 02:11:56 2002
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
> Date: Fri, 25 Jan 2002 21:58:25 -0800
> From: Nicolae <nicolaep@xxxxxxxxxxxxxxxxxx>
> It is a very long story and I will make it as short as possible.
> I just got a new RAQ 4r few days ago. I hosted with others
> and decided to get my own. I got it from serverrack.net
>
> When I setup my server on www.serverrack.net they setup the
> domain www.enigmabiz.com as the default site.
>
> 1. enigmanetworks.com <--- main site that sits on liquidweb.com
> hosting company
>
> 2. enigmabiz.com <-- is parked on mydns.com being forwarded to
> enigmanetworks.com.
> This became my main site due to short url.
>
> 3. I got a RAQ 4 at serverrack.net and got the following IPs from him:
> 65.170.79.187 and 188
>
> 4. I moved enigmabiz.com to a new registrar and edited the dnses to
> ns1.serverrack.net and n2s.
So far so good...
> Cobalt Settings
> Control Panel --> Network
> General Settings
> Host Name: enigma-networks
> Domain Name: enigmabiz.com
> Primary DNS: 65.170.79.2
> Second DNS: 65.170.79.3
> Default Gateway: 65.170.79.1
Hmmmm.... single-homed to Sprint. Tsk tsk. More upstreams for
redundancy = good thing. One upstream = bad thing.
> Interface Settings:
> IP Address: 65.170.79.187
> SubNet Mask: 255.255.255.0
Yikes! This signals a clueless host. Sorry, but if you have
only two IP addresses in a /24... somebody probably ain't running
VLANs.
Wanna have some fun? Run a sniffer on your Cobalt. See what
traffic is going to your ISP. There's no separation between you,
them, and other "colo" customers.
Just wait until a box gets cracked and someone runs a sniffer on
the whole freaking network. I've seen it happen too many times.
> Under Site Management I have:
> As a Virtual Site:
> enigma-networks.enigmabiz.com 65.170.79.187
>
>
> I read an article on Interliant.com and added the following to
> above Site Management:
>
> ns1.enigmabiz.com 65.170.79.2
> ns2.enigmabiz.com 65.170.79.3
> Now I am not sure if I did that correctly but I did follow step by step
> info based on: http://teamcobalt.interliant.com/pg_faq_setupdns.shtml
>
> Now that ns1.enigmabiz.com I just did above. I did not know what it
> would cause! 2 hours later I got a call from the providers asking
> me what happened and why? I had no clue. I never set up a RaQ before.
Sounds like _they_ lack clue. Networking 102: NEVER share
ethernet between customers, counting their network as a
"customer" (or two or more depending on security needs).
> I found out that I accidentally re-routed all traffic from their dnses
> or Ns1 and ns2 from serverrack.net to my site www.enigmabiz.com which
> was parked on ns1.mydomain.com and ns2.mydomain.com which is the same
> as www.mydns.com and enigmabiz.com is forwarding the url to
> enigmanetworks.com
So you added ...2 and ...3 to your RaQ?
> For awhile I thought and asked the guy isn't that a security hole and
> should not be able to do that (me) crash their systems without even
> knowing. They removed the settings I added:
Yes, you made a config mistake if you bound ...2 and ...3 to your
machine. But you're correct... a well-run ISP would NOT have
been affected by that. Yes, they have a huge security hole.
They need to be thwacked with a very large clue bat.
Wanna have even more fun? Change your MAC address to match that
of their router. You'll lose access to your box, but you can
take down their entire network with that one.
And, no, I'm not seriously suggesting such mischief. But it's
trivial. What's to say that it won't happen?
> ns1.enigmabiz.com
> ns2.enigmabiz.com
>
> This is another url that I asked for help and descriptions:
> http://www.webhostingtalk.com/showthread.php?s=&threadid=33180
>
> I removed enigmabiz.com entirely because of not being switched over.
> I removed everything that had to do with *.enigmabiz.com and replaced
> it with *.blly.com
>
> This domain is on ns1.serverrack.net, ns2.serverrack.net and even
> had ns3.mydomain.com and ns4.mydomain.com as backup. I eventually
> removed ns3 and ns4 and left serverrack.net only.
>
> I am reading forums, I am right now reading the DNS and BIND book I got this
> morning and also reading PDFs from the Red Hat Linux 7.2 manual.
Good job. :-)
> I hate asking for help on serverrack.net again because I got a good
> price cut for setup and now asking them to set up the domains is too much.
>
> I crashed their server and accidentally rerouted traffic to my site; they
> probably hate me by now.
Tell them to buy an 802.1q-enabled switch and learn how to use
the blasted thing. There are those of us who know what we're
doing and don't have that problem.
Example:
Let's say you need two IP addresses. Let's say that I dish out
IP space from 192.168.0.0/16.
I give you an ethernet port, and create a new, separate VLAN for
your hosting service. Call it VLAN #42. No other ports are in
the same VLAN, save for my router, which is in each and every
VLAN.
Traffic on the switch must stay in the same VLAN. Result? You
must send traffic to my router, and cannot communicate directly
with anything else.
To make it all work, I use 802.1q tagging. Traffic from your
ethernet segment gets stamped with the number "42" before being
sent to my router... hence I can tell it apart from my other colo
customers.
Now I create ethernet subinterfaces on my router. For
simplicity's sake, let's say that I use fastethernet0/0 on my
border router... I create fastethernet0/0.42 as a subinterface,
with the IP address of 192.168.123.65/29. You use 192.168.123.65
as your default gateway, 192.168.123.66 through 192.168.123.70 as
hosts, and 255.255.255.248 as your subnet mask.
You may only talk with my router. Because I run a proper ACL for
each customer, I filter traffic from you that claims to be from
outside your range. You can't impersonate other systems.
Now let's say that you accidentally bind 216.89.137.11 or
216.89.137.1 (a couple of our DNS servers) to your RaQ. You can
answer ARP replies for those all day long, and it won't hurt me a
bit. My router knows that they're on a different VLAN, and you
never even see an ARP request for those IPs.
Networking 102. This isn't meant as a sales pitch, but I suggest
that you consider a provider that knows what they're doing. ;-)
> I took a movie capture of everything I have in the admin section and it's
> located at: http://www.enigmanetworks.com/temp/ I have RAM files (10mb),
> I have an *.avi file of 2mb (Camtasia codec) and a readme.txt.
Hmmmm.... I must take a look.
> I also wondered if anyone can help by going in the admin area there and
> seeing if the settings are all correct and make sure it's not me and might
> be serverrack.net and I am pulling my hair out for nothing. Right now if you
> go to blly.com or www.blly.com you get a 500 error.
Doesn't resolve at all from here.
ns4.mydomain.com
ns1.serverrack.net
ns2.serverrack.net
ns3.mydomain.com
are listed as authoritative when I dig. Either those must answer
with correct zone info, or you must reconfigure which NSen to
use.
> I've been working on this matter for about 3 days now, at least 3-5 hours
> a day.
>
> I also went and changed SOA records, TTL from 86400 seconds to 180 seconds
> and back to default to make dns changes take effect faster etc...
Good for short-term use, but I hope that you change it back after
done. I don't want to start a flamewar (heck, people can't even
agree on NANOG where big names like Avi Freedman, Sean Donelan,
Randy Bush, Sean Doran, Paul Vixie, etc. hang out), but I'll make
my opinion known. :-)
> Any help is highly appreciated and maybe I/we can do something in return.
I'll have to reread your message and analyze what's what. I got
a bit worked up over your provider's total lack of security, and
must now go back and reread where you were headed. ;-)
> ---------------------------------------
> -- Enigma Networks & Design
> -- 888-668-8758 ext. 100
> -- nicolaep@xxxxxxxxxxxxxxxxxx
> ---------------------------------------
Eddy
Brotsman & Dreger, Inc. - EverQuick Internet Division
Phone: +1 (316) 794-8922 Wichita/(Inter)national
Phone: +1 (785) 865-5885 Lawrence
--
Date: Mon, 21 May 2001 11:23:58 +0000 (GMT)
From: A Trap <blacklist@xxxxxxxxx>
To: blacklist@xxxxxxxxx
Subject: Please ignore this portion of my mail signature.
These last few lines are a trap for address-harvesting spambots. Do NOT
send mail to <blacklist@xxxxxxxxx>, or you are likely to be blocked.
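The per-customer VLAN layout Eddy describes (one access port per customer in its own 802.1q VLAN, a router trunk present in every VLAN, a router subinterface per VLAN, and an ingress ACL that only passes the customer's assigned prefix) can be modelled in a few dozen lines. The block below is an added Python example and is not code from this thread or from any of the parties in it; it is a toy forwarding model, not a real switch or router. It reuses addresses that appear in the thread (65.170.79.0/24 and its .1/.2 from Nicolae's settings, 192.168.123.64/29 and 216.89.137.1/.11 from Eddy's example); the second customer's 192.168.123.72/29, the VLAN numbers other than 42, and the port names are constructed for the demonstration. It contrasts the flat network from the thread, where a bogus ARP reply for the ISP's DNS address reaches every port and the router, with the VLAN layout, where the same frame only reaches the customer's own subinterface and is irrelevant there.

```python
"""Toy model of colo isolation: 802.1q VLAN per customer, router trunk in
every VLAN, anti-spoof ACL per subinterface.  Constructed example only."""

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    src_port: str      # switch port the frame arrives on
    kind: str          # "arp-reply" or "ip"
    claimed_ip: str    # ARP: address being claimed; IP: source address
    vlan: int = 0      # 802.1q tag, stamped by the switch on ingress


class Switch:
    """Access ports belong to exactly one VLAN; the trunk port (to the
    router) carries every VLAN.  Forwarding never crosses a VLAN boundary."""

    def __init__(self, port_vlan, trunk_port):
        self.port_vlan = port_vlan      # access port name -> VLAN id
        self.trunk_port = trunk_port

    def forward(self, frame):
        vlan = self.port_vlan[frame.src_port]
        tagged = Frame(frame.src_port, frame.kind, frame.claimed_ip, vlan)
        # Only ports in the same VLAN ever see the frame (plus the trunk).
        receivers = sorted(p for p, v in self.port_vlan.items()
                           if v == vlan and p != frame.src_port)
        return tagged, receivers + [self.trunk_port]


class Router:
    """One subinterface per VLAN: (gateway interface address, ACL prefix).
    The ACL permits only the customer's own assigned range as a source."""

    def __init__(self, subinterfaces):
        self.subinterfaces = subinterfaces

    def ingress(self, tagged):
        gateway, allowed = self.subinterfaces[tagged.vlan]
        addr = ipaddress.ip_address(tagged.claimed_ip)
        if tagged.kind == "arp-reply":
            # A subinterface keeps ARP state only for its own subnet; a claim
            # for an address that lives in another VLAN is simply irrelevant.
            return "learned" if addr in gateway.network else "ignored"
        if addr not in allowed:
            return "dropped by anti-spoof ACL"
        return "forwarded"


def flat_network():
    """The setup from the thread: customers and the ISP's own servers share
    one broadcast domain (VLAN 1) and the router applies no source filter."""
    ports = {"cust-raq": 1, "cust-other": 1, "isp-dns": 1}
    router = Router({1: (ipaddress.ip_interface("65.170.79.1/24"),
                         ipaddress.ip_network("0.0.0.0/0"))})
    return Switch(ports, trunk_port="router"), router


def vlan_network():
    """Eddy's layout: VLAN 42 for the customer (a /29), the ISP's DNS hosts
    in their own VLAN.  VLAN 43/10 and 192.168.123.72/29 are constructed."""
    ports = {"cust-raq": 42, "cust-other": 43, "isp-dns": 10}
    router = Router({
        42: (ipaddress.ip_interface("192.168.123.65/29"),
             ipaddress.ip_network("192.168.123.64/29")),
        43: (ipaddress.ip_interface("192.168.123.73/29"),
             ipaddress.ip_network("192.168.123.72/29")),
        10: (ipaddress.ip_interface("216.89.137.1/24"),
             ipaddress.ip_network("216.89.137.0/24")),
    })
    return Switch(ports, trunk_port="router"), router


def deliver(network, frame):
    """Return (ports that see the frame, what the router does with it)."""
    switch, router = network
    tagged, receivers = switch.forward(frame)
    return receivers, router.ingress(tagged)


if __name__ == "__main__":
    # Customer box accidentally answers ARP for the ISP's DNS address.
    print("flat:", deliver(flat_network(),
                           Frame("cust-raq", "arp-reply", "65.170.79.2")))
    print("vlan:", deliver(vlan_network(),
                           Frame("cust-raq", "arp-reply", "216.89.137.11")))
    # Customer box sends IP traffic with a source outside its /29.
    print("flat:", deliver(flat_network(),
                           Frame("cust-raq", "ip", "216.89.137.11")))
    print("vlan:", deliver(vlan_network(),
                           Frame("cust-raq", "ip", "216.89.137.11")))
```

In the flat case the stray ARP reply reaches `cust-other`, `isp-dns` and the router, and the router's VLAN 1 subinterface accepts it because 65.170.79.2 is on its own subnet, which is the rerouting the thread describes. In the VLAN case the only receiver is the router trunk, the VLAN 42 subinterface ignores a claim for 216.89.137.11 because that address is not in 192.168.123.64/29, and an IP packet with that spoofed source is dropped by the ACL while 192.168.123.66 passes.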