Jun 11

debian.org domainsquatted ? (1)

Category: debian
Obey Arthur Liu @ 4:56 pm

debian.org domain squatted

I was like “wtf?!”. debian.org replaced by a link farm?

debian.org actually being domain-squatted is highly unlikely, so I started looking into how this could happen.

First, a little explanation of the setup:

  • I’m on a bullet train with my laptop, running up-to-date Debian Lenny with a 2.6.24 kernel
  • My laptop is connected to a 3G+ (HSDPA in the US) PDA phone with a USB cable
  • The phone appears to the computer as a network interface thanks to the usb-rndis-lite kernel module
  • The phone does NAT routing between my computer (192.168.0.100), itself (192.168.0.1) and a restricted network run by my phone operator
  • The only host visible on this restricted network is an HTTP-only proxy server that checks the User-Agent (Nokia is OK, Firefox means GO AWAY)
  • I connect through this proxy to a dedicated host over an OpenVPN tunnel masquerading as HTTP, with a Nokia User-Agent
  • The dedicated host on the other side has special iptables rules that redirect requests arriving on port 80 from my mobile phone operator’s netblock to the regular OpenVPN port
  • The dedicated host does NAT for my computer to the real Internet
  • The total latency varies from 120 ms to 30 s and the bandwidth from 2 Mbps to 8 kbps, depending on coverage
  • The only DNS server in my laptop’s resolv.conf is 192.168.5.1, the remote OpenVPN endpoint, i.e. the dedicated server
  • The dedicated server runs BIND and provides recursive resolution

Now there are some peculiarities to the situation:

  • It happens exactly once a week, on the train from my home in Paris to the campus in Grenoble
  • It doesn’t happen the other way around, or at any other time for that matter

Some hints:

  • My hostname at home is aeris.home.eu
  • My hostname on campus is aeris.liuo.res.rhb
  • I almost never shut down my computer, only hibernate
  • Jonathan Roes

Now for the challenge: how could this happen?

11 Responses to “debian.org domainsquatted ? (1)”

  1. aeth says:

    isp MITM/injected ads most likely

  2. Marius Gedminas says:

    DNS cache poisoning?

    No idea, but it would be interesting to see what http://www.debian.org resolves to when you see this. The real one is 194.109.137.218.

  3. Obey Arthur Liu says:

    to aeth:
    Can’t be, the whole path from my computer to the gateway on a dedicated server is under my control and encrypted. :)

    to Marius Gedminas:
    The result on my laptop was 216.8.177.23 and of course it stayed due to caching. Now how did that happen? There was no attack involved.

  4. toupeira says:

    home.eu and every subdomain below that resolves to 216.8.177.23, with NS records pointing to fastpark.net. the TTL seems to count down every second. connecting to that IP with the host header set to “www.debian.org” gives that page you found.

    Hmm… I still don’t get it ;)

  5. Obey Arthur Liu says:

    to toupeira:
    That’s right :) but there’s no explanation yet of how it factors in.

  6. cstamas says:

    See this:

    % dnsqr any debian.org.aeris.home.eu
    255 debian.org.aeris.home.eu:
    138 bytes, 1+1+2+2 records, response, noerror
    query: 255 debian.org.aeris.home.eu
    answer: debian.org.aeris.home.eu 3591 A 216.8.177.23
    authority: home.eu 19963 NS ns2.fastpark.net
    authority: home.eu 19963 NS ns1.fastpark.net
    additional: ns1.fastpark.net 125233 A 206.130.11.197
    additional: ns2.fastpark.net 125233 A 216.8.177.29

    remove the “search” statements from your resolv.conf

  7. Riku Voipio says:

    For some reason the lookup for debian.org fails, so the resolver falls back to trying “debian.org.home.eu”. This is because the default “search” rule for resolv.conf(5) is to pick up the domain part of hostname, which is “aeris.home.eu”.
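The two comments above describe the whole mechanism: the resolver’s search list is derived from the hostname, and a parked zone with a wildcard A record turns every failed lookup into an answer. The following is an added example (not code from the post or from any commenter) that models that behaviour offline. It parses a resolv.conf the way resolv.conf(5) describes, builds the candidate query list the way a glibc-style stub resolver does (a trailing dot disables search; a name with at least `ndots` dots is tried as-is first, then with each suffix), and runs it against a constructed fake upstream that stalls the first query, the way a 30 s tunnel stall would. The hostname `aeris.home.eu`, the parked zone `home.eu`, and the two addresses are taken from the post and the comments; the upstream, the `stalled_queries` knob and the simplified fall-through logic are assumptions for the simulation, not glibc itself.

```python
"""Model of stub-resolver search-list fallback: why "debian.org" became
"debian.org.home.eu" and resolved to a parking page. Added example; the
upstream server here is a constructed stand-in, not BIND."""

DEFAULT_NDOTS = 1

# Constructed data for the simulation (addresses as quoted in the comments).
REAL_RECORDS = {"debian.org.": "194.109.137.218",
                "www.debian.org.": "194.109.137.218"}
PARKED_ZONE = "home.eu."        # parked domain with a wildcard A record
PARKED_ADDRESS = "216.8.177.23"


def parse_resolv_conf(text, hostname=None):
    """Return (nameservers, search_list, ndots).

    As in resolv.conf(5): an explicit 'search' or 'domain' line wins (the
    last one seen), otherwise the search list defaults to the domain part
    of the hostname, which is how 'aeris.home.eu' yields 'home.eu'."""
    nameservers, search, ndots = [], None, DEFAULT_NDOTS
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        key, *args = line.split()
        if key == "nameserver" and args:
            nameservers.append(args[0])
        elif key in ("search", "domain"):
            search = list(args)
        elif key == "options":
            for opt in args:
                if opt.startswith("ndots:"):
                    try:
                        ndots = min(int(opt[6:]), 15)
                    except ValueError:
                        pass
    if search is None:
        search = [hostname.split(".", 1)[1]] if hostname and "." in hostname else []
    return nameservers, search, ndots


def candidate_names(name, search, ndots=DEFAULT_NDOTS):
    """Order in which a glibc-style resolver queries a name."""
    if name.endswith("."):
        return [name]                       # absolute: never searched
    as_is = name + "."
    suffixed = [f"{name}.{s.rstrip('.')}." for s in search]
    if name.count(".") >= ndots:
        return [as_is] + suffixed
    return suffixed + [as_is]               # few dots: suffixes first


class Timeout(Exception):
    pass


class FlakyUpstream:
    """Stand-in for the recursive server over a stalling tunnel (assumption):
    the first `stalled_queries` queries time out, later ones are answered."""

    def __init__(self, stalled_queries=0):
        self.stalled_queries = stalled_queries
        self.log = []

    def query(self, qname):
        self.log.append(qname)
        if self.stalled_queries > 0:
            self.stalled_queries -= 1
            raise Timeout(qname)
        if qname == PARKED_ZONE or qname.endswith("." + PARKED_ZONE):
            return PARKED_ADDRESS           # wildcard: anything under home.eu
        return REAL_RECORDS.get(qname)      # None stands for NXDOMAIN


def lookup(name, search, upstream, ndots=DEFAULT_NDOTS):
    """Walk the candidates. A failed as-is attempt (NXDOMAIN or timeout)
    still falls through to the search suffixes; a timeout while already
    walking the suffixes gives up. Simplified model of res_nsearch."""
    as_is_first = not name.endswith(".") and name.count(".") >= ndots
    for qname in candidate_names(name, search, ndots):
        try:
            addr = upstream.query(qname)
        except Timeout:
            if as_is_first and qname == name + ".":
                continue
            return None
        if addr is not None:
            return addr
    return None


if __name__ == "__main__":
    ns, search, ndots = parse_resolv_conf("nameserver 192.168.5.1\n",
                                          hostname="aeris.home.eu")
    print("search list derived from hostname:", search)
    up = FlakyUpstream(stalled_queries=1)
    print("debian.org ->", lookup("debian.org", search, up), "via", up.log)
    print("with empty search list ->", lookup("debian.org", [], FlakyUpstream(1)))
    print("absolute name ->", lookup("debian.org.", search, FlakyUpstream(1)))
```

Two things the simulation makes visible that the comments only state: with `options ndots:2`, `debian.org` has too few dots and the suffixed form is tried *first*, so the parking page wins even when the link is healthy; and an NXDOMAIN for a bare name falls through to the wildcard just as a timeout does, so a mistyped domain resolves too. Removing the search list (or using absolute names with a trailing dot in scripts) turns these into honest failures.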

  8. Jean says:

    Offtopic:

    so you come down to Grenoble? Drop me a mail so we can have a beer at the O’Callaghan (or wherever) someday, or if you ever want to go climbing :) (you have access to the private ‘e-mail’ field of this post, right?)

    Offtopic bis: Do you intend to check out the Hacker Space Fest near Paris next week? http://www.hackerspace.net/

  9. Jonathan Roes says:

    Seriously? What do I have to do with any of this?

  10. Obey Arthur Liu says:

    To Jonathan Roes:
    Hopefully the new netconf will realize that I’m not at home and drop the .home.eu suffix search :)

  11. cstamas says:

    lol :)
