Windows Server 2008 DNS Block Feature

Windows Server 2008 (2008 R2) introduces a DNS block feature that may affect the ISA Server automatic discovery mechanism when implementing WPAD using a Windows Server 2008 DNS Server.

The block feature provides a global query block list to reduce the risk associated with dynamic DNS updates. Dynamic update makes it possible for DNS client computers to register and dynamically update their resource records with a DNS server whenever a client changes its network address or host name. This reduces the need for manual administration of zone records, especially for clients that frequently move or change locations and use DHCP to obtain an IP address. This convenience comes at a cost, however, because any authorized client can register any unused host name, even a host name that has special significance for certain applications. This allows a malicious user to “hijack” such a name and divert certain types of network traffic to that user’s computer. WPAD is a commonly deployed protocol vulnerable to this type of hijacking, and by default WPAD lookup is disabled by the blocking mechanism.

If you want to use WPAD with a Windows Server 2008 DNS, note the following behavior:

– If WPAD entries are configured in DNS before the DNS server is upgraded to Windows Server 2008, no action is required.

DoS Attack Mitigation

Here is a command line to run on your server if you think your server is under attack. It prints out a list of the remote addresses currently connected to your server, sorted by the number of connections from each.

CentOS: netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

BSD: netstat -na | awk '{print $5}' | cut -d "." -f1,2,3,4 | sort | uniq -c | sort -n

You can also check for connections by running the following command.

netstat -plan | grep :80 | awk '{print $4}' | sort -n | uniq -c | sort -n

These are a few steps to take when you suspect the server is under attack:

Step 1: Check the load using the command “w”.
Step 2: Check which service is utilizing maximum CPU by “nice top”.
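The pipelines above run directly against live netstat output. As an added example (not part of the original page), the following POSIX shell script wraps the same counting logic in functions and adds a threshold check so that a peer opening an unusually large number of connections can be flagged automatically. The netstat lines embedded in it are constructed sample data, not captured from a real host; the function names, the threshold value and the use of sed to strip the port (which, unlike cut -d:, also works for IPv6 peers) are choices made here, not taken from the page.

```shell
#!/bin/sh
# Constructed sample of `netstat -ntu` output (two header lines, then one
# connection per line). Column 5 is the remote "Foreign Address".
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             203.0.113.10:51234      ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.10:51235      ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.10:51236      SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.7:44000      ESTABLISHED
tcp        0      0 10.0.0.5:53             198.51.100.7:5353       ESTABLISHED
tcp        0      0 10.0.0.5:443            192.0.2.9:60000         TIME_WAIT'

# count_by_peer: read netstat output on stdin and print "count ip" for every
# remote IP, lowest count first. Header lines are skipped by matching only
# tcp/udp (and tcp6/udp6) rows; the trailing ":port" is stripped with sed so
# that IPv6 peers such as "2001:db8::1:443" are not cut in the middle.
count_by_peer() {
    awk '/^(tcp|udp)/ {print $5}' \
        | sed 's/:[0-9]*$//' \
        | sort | uniq -c | sort -n \
        | awk '{print $1, $2}'
}

# peers_over THRESHOLD: print only the remote IPs whose connection count is at
# or above THRESHOLD (hypothetical cut-off chosen by the operator).
peers_over() {
    count_by_peer | awk -v t="$1" '$1 >= t {print $2}'
}

# Demonstration on the constructed sample: report peers with 3+ connections.
printf '%s\n' "$SAMPLE_NETSTAT" | count_by_peer
printf '%s\n' "$SAMPLE_NETSTAT" | peers_over 3
```

On a live system replace the sample with real output, for example `netstat -ntu | peers_over 50`, and tune the threshold to what is normal for your service; a single address holding many half-open (SYN_RECV) connections is the pattern to look for.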

SMBs, individuals being targeted by telephone DoS

If your phone starts ringing off the hook, there is a chance cybercriminals are draining your bank or online trading account at that exact moment, the FBI warned Monday.

Online vandals increasingly are leveraging telephone-based denial-of-service (DoS) attacks to tie up the phone lines of unsuspecting individuals as they simultaneously plunder bank accounts, the FBI said in an advisory. The perpetrators use automated dialing programs to deliver constant phone calls to a target’s number.

“Turns out the calls are simply a diversionary tactic: While the lines are tied up, the criminals — masquerading as the victims themselves — are raiding the victims’ bank accounts or other money management accounts,” the FBI said.

The victims are individuals and small businesses that handed over their account usernames and passwords to criminals weeks or months earlier, the FBI said. In some cases, they unknowingly responded to a phishing email or their machines became infected with malware, which allowed criminals to obtain the credentials.

The theft happens while the phone calls are coming in, according to the FBI. The criminals bombard victims with telephone calls so that their financial institution cannot reach them to verify the transactions. When the victims answer, they may hear an advertisement, in some cases promoting telephone sex, or simply dead air.