DNS (?) misbehaving

infinite_
Bat Country
Posts: 1353
Joined: Fri Jun 04, 2004 7:19 pm
Location: Australia

DNS (?) misbehaving

Post by infinite_ » Tue Nov 03, 2009 12:38 pm

Sup.

So for the last week or so my internet browsing has been painfully interrupted by random misbehaviour of what I assumed was my ISP's DNS servers. I have since changed my modem to point to another ISP's DNS servers, but websites are still sometimes being resolved incorrectly.

Examples:
  • http://www.google.com.au was resolving to a page showing the default Apache welcome page -- you know, the one you see after first installing Apache? It says "Great Success! Apache is working on your cPanel and WHM server".
  • http://www.totallynsfw.com won't show me any boobies. Sometimes it resolves to Google "English", sometimes it returns a nicely done 503 error page, and sometimes it just sits there, loading and loading and loading and loading and....
  • http://www.lifehacker.com.au resolved as http://www.theregister.co.uk/music_media/ this morning.
  • http://www.neowin.net resolved as "Allure Media" web site.
  • I wanted to log a support ticket with my ISP, but their website doesn't display in Firefox. It resolves in the address bar, but that's it.
  • http://www.google.com.au just resolved to a blank white page with "hmm" plain text.
  • Was perusing http://www.codinghorror.com and random links kept coming up with a 404; refresh a few times and they would load.
    404 Error: File not found :-(

    Through the magic of digital telecommunications, your wrong credential is now winging its way to the maintainer of 18.

    I thank you. I love you too.
    Apache (Linux) Server
DNS spoofing did cross my mind, but I'm on a wired network in my own house. Settings in my modem/router are fine, and just to be sure I restored from a backed up config. Anyone got any ideas what else could be going on?
My effort to help you will never exceed your effort to explain the problem.

19bab79
Hacker in Training
Posts: 81
Joined: Wed Jan 21, 2009 2:13 pm

Re: DNS (?) misbehaving

Post by 19bab79 » Tue Nov 03, 2009 8:03 pm

Do you have a virus? If it has made a bad hosts file, you could be getting redirects. I was just looking at a computer that was having a redirect problem. When I browsed to the hosts file, it was fine, but when I used the Run box to open it with Notepad, it had a bunch of nasty entries in it. Could this be your problem?

narada
Hacker in Training
Posts: 92
Joined: Sat Apr 25, 2009 10:05 am

Re: DNS (?) misbehaving

Post by narada » Wed Nov 04, 2009 10:43 am

Try 4.2.2.2

infinite_
Bat Country
Posts: 1353
Joined: Fri Jun 04, 2004 7:19 pm
Location: Australia

Re: DNS (?) misbehaving

Post by infinite_ » Wed Nov 04, 2009 4:36 pm

19bab79 wrote: Do you have a virus? If it has made a bad hosts file, you could be getting redirects. I was just looking at a computer that was having a redirect problem. When I browsed to the hosts file, it was fine, but when I used the Run box to open it with Notepad, it had a bunch of nasty entries in it. Could this be your problem?
Good idea, I didn't even think of checking my hosts file.

Code:

v0ide@hackedpackard:~$ cat /etc/hosts
127.0.0.1	localhost
127.0.1.1	hackedpackard

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
It looks OK to me, but in saying that, http://www.wired.com is resolving to "Fairfax Media Advertising" at the moment; refreshed a few times and it's now going to Wired's site. I Googled "Fairfax Media Advertising" and the URL is http://www.adcentre.com.au/.

Is it possible for my modem/router to be compromised with *ware? There is a filesystem on it, so I guess it could be done...?
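The hosts-file check suggested above, as an added example that is not code from the thread. It parses a hosts file and flags any public host name pinned to a routable address, and (more quietly) names blackholed to loopback or 0.0.0.0. CLEAN_HOSTS reproduces the /etc/hosts shown in the post; TAMPERED_HOSTS is a constructed variant with the kind of entries a hosts hijack adds, hidden behind a run of blank lines (203.0.113.7 is a documentation address, not a real attacker host). Read the file from the path the resolver actually uses (/etc/hosts on Linux, %SystemRoot%\System32\drivers\etc\hosts on Windows), not from whatever a file browser happens to show.

```python
"""Audit a hosts file for entries that redirect public host names.

Added example, not code from the thread.  CLEAN_HOSTS is the /etc/hosts
from the post; TAMPERED_HOSTS is a constructed tampered version.
"""
import ipaddress

CLEAN_HOSTS = """\
127.0.0.1\tlocalhost
127.0.1.1\thackedpackard

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
"""

# Constructed: the same file after a hijack.  The extra entries sit below
# 40 blank lines so a casual look at the top of the file shows nothing.
TAMPERED_HOSTS = CLEAN_HOSTS + "\n" * 40 + """\
203.0.113.7\twww.google.com.au google.com.au
0.0.0.0\tads.example.net
"""

# Names a stock hosts file legitimately carries.
EXPECTED_NAMES = {
    "localhost", "localhost.localdomain", "broadcasthost",
    "ip6-localhost", "ip6-loopback", "ip6-localnet", "ip6-mcastprefix",
    "ip6-allnodes", "ip6-allrouters", "ip6-allhosts",
}


def parse_hosts(text):
    """Yield (lineno, address_string, [names]) for every non-comment entry."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        yield lineno, fields[0], fields[1:]


def audit_hosts(text, local_hostnames=()):
    """Return a list of (lineno, address, name, reason) findings.

    local_hostnames: names of this machine that are allowed to map to
    loopback (e.g. the '127.0.1.1 hackedpackard' line Debian/Ubuntu adds).
    """
    findings = []
    local = {n.lower() for n in local_hostnames}
    for lineno, addr_s, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(addr_s)
        except ValueError:
            findings.append((lineno, addr_s, " ".join(names), "unparseable address"))
            continue
        for name in names:
            n = name.lower()
            if n in EXPECTED_NAMES or n in local:
                continue
            if addr.is_loopback or addr.is_unspecified:
                # Blackholing a name is a legitimate ad-blocking trick, but
                # it is also how malware silences update/AV servers: report it.
                findings.append((lineno, addr_s, name, "name blackholed"))
            elif addr.is_link_local or addr.is_multicast:
                continue
            else:
                findings.append((lineno, addr_s, name,
                                 "public name pinned to routable address"))
    return findings


if __name__ == "__main__":
    for lineno, addr, name, reason in audit_hosts(TAMPERED_HOSTS, ["hackedpackard"]):
        print(f"line {lineno}: {addr} {name}: {reason}")
```

On the clean file from the post the audit returns nothing; on the tampered variant it reports the two Google names pinned to 203.0.113.7 and the blackholed ad host.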

19bab79
Hacker in Training
Posts: 81
Joined: Wed Jan 21, 2009 2:13 pm

Re: DNS (?) misbehaving

Post by 19bab79 » Thu Nov 05, 2009 3:06 am

If you're using a laptop, you could try using the internet somewhere else and see if you get the same thing.

infinite_
Bat Country
Posts: 1353
Joined: Fri Jun 04, 2004 7:19 pm
Location: Australia

Re: DNS (?) misbehaving

Post by infinite_ » Thu Nov 05, 2009 6:59 am

Unfortunately it's a desktop.

In other news, I tried connecting to my bank's website today and Firefox popped up a warning that the SSL certificate has changed. The new certificate is valid for a248.e.akamai.net, which is not the bank. A quick Google shows that akamai.net is an "internet content delivery service" that many companies use (such as MS, Apple, etc).
It appears that by omitting www from the URL, I get the wrong sites; plug in www to the URL and the sites resolve correctly. For the sake of it, I pinged http://vodafone.com.au and http://www.vodafone.com.au, and both show the same IP. Put the IP into Firefox and it resolves to the Vodafone website.

Wtf....
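The check behind the Firefox warning in the post above, as an added example rather than anything from the thread: does the certificate presented by the server actually name the host the user typed? Only the a248.e.akamai.net common name and the GTE CyberTrust issuer come from the thread; the bank host name and the SAN lists below are constructed. The rules are the RFC 6125 ones browsers apply: compare against the dNSName SANs when any are present (the subject CN counts only when there are none), case-insensitively, and treat '*' as matching exactly one whole leftmost label with at least two labels after it. Production code additionally checks the Public Suffix List so that, say, '*.com.au' is refused; that list is omitted here.

```python
"""Decide whether a server certificate names the host the user typed.

Added example, not from the thread.  Only a248.e.akamai.net and the GTE
CyberTrust issuer come from the post; everything else is constructed.
"""


def _name_matches(pattern, host):
    """Match one certificate dNSName (maybe with a leading '*') against host."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in p or "" in h:
        return False
    # '*' is only legal as the entire leftmost label; 'a*.example' is not.
    if any("*" in label for label in p[1:]) or ("*" in p[0] and p[0] != "*"):
        return False
    if p[0] == "*":
        # At least two labels must follow the wildcard so '*.com' never matches.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def hostname_matches(host, san_dns_names=(), subject_cn=None):
    """True if host is covered by the SAN dNSNames, or by the CN when no SANs exist."""
    names = list(san_dns_names) or ([subject_cn] if subject_cn else [])
    return any(_name_matches(n, host) for n in names)


def describe(host, cert):
    """One-line verdict for a parsed certificate (dict with subject_cn, san, issuer)."""
    ok = hostname_matches(host, cert.get("san", ()), cert.get("subject_cn"))
    names = ", ".join(cert.get("san") or [cert.get("subject_cn", "?")])
    return (f"{host}: {'OK' if ok else 'MISMATCH'} "
            f"(cert names: {names}; issuer: {cert['issuer']})")


# The certificate the post describes: CN from the Nessus output, no SANs listed.
AKAMAI_CERT = {
    "subject_cn": "a248.e.akamai.net",
    "san": [],
    "issuer": "GTE CyberTrust Global Root",
}

# Constructed bank host name; the thread does not name the bank.
BANK_HOST = "www.examplebank.com.au"

if __name__ == "__main__":
    print(describe(BANK_HOST, AKAMAI_CERT))
    print(describe("a248.e.akamai.net", AKAMAI_CERT))
```

A certificate that is perfectly valid for a248.e.akamai.net is still a mismatch for the bank's host name, which is exactly the condition that makes the browser interrupt: the TLS connection terminated at a host that holds a certificate for some other name.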

infinite_
Bat Country
Posts: 1353
Joined: Fri Jun 04, 2004 7:19 pm
Location: Australia

Re: DNS (?) misbehaving

Post by infinite_ » Sun Nov 08, 2009 7:01 am

Some more on this:

http://www.slashdot.org and http://www.hackerthreads.org were returning an "Invalid URL. The requested URL "/", is invalid." error. Again, this is odd behaviour: two separate websites giving the same bullshit error?
So I closed all running network apps and opened wireshark. I then refreshed http://www.hackerthreads.org to capture the traffic in wireshark, and this is what I got:

Code:

91	121.310596	192.168.3.84	144.135.8.169	TCP	57166 > http [SYN] Seq=0 Win=5840 Len=0 MSS=1460 TSV=25571630 TSER=0 WS=6
92	121.327908	144.135.8.169	192.168.3.84	TCP	http > 57166 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1360 TSV=2164566342 TSER=25571630 WS=1
93	121.327949	192.168.3.84	144.135.8.169	TCP	57166 > http [ACK] Seq=1 Ack=1 Win=5888 Len=0 TSV=25571634 TSER=2164566342
94	121.390786	192.168.3.84	144.135.8.169	HTTP	GET / HTTP/1.1 
95	121.429168	144.135.8.169	192.168.3.84	TCP	http > 57166 [ACK] Seq=1 Ack=647 Win=6460 Len=0 TSV=2164566443 TSER=25571650
96	121.432114	144.135.8.169	192.168.3.84	HTTP	HTTP/1.0 400 Bad Request  (text/html)
97	121.432129	192.168.3.84	144.135.8.169	TCP	57166 > http [ACK] Seq=647 Ack=405 Win=6912 Len=0 TSV=25571660 TSER=2164566443
After a few minutes and a couple of refreshes in Firefox, http://www.hackerthreads.org loaded properly. I pinged http://www.hackerthreads.org and verified that the IP address doesn't match what's been captured in wireshark. So, who the F*** is 144.135.8.169? Wireshark says "Server: AkamaiGhost", but I wanted more info.

I did a traceroute of 144.135.8.169:

Code:

v0ide@hackedpackard:~$ traceroute 144.135.8.169
traceroute to 144.135.8.169 (144.135.8.169), 30 hops max, 60 byte packets
 1  mygateway1.ar7
 2  * * *
 3  10.0.1.33 (10.0.1.33)
 4  46.2.233.220.static.exetel.com.au (220.233.2.46)
 5  37.2.233.220.static.exetel.com.au (220.233.2.37)
 6  119.225.5.245 (119.225.5.245)
 7  10.251.24.2 (10.251.24.2)
 8  GigabitEthernet1-4.ken12.Sydney.telstra.net (139.130.65.145)
 9  TenGigE0-1-0-2.chw-core2.Sydney.telstra.net (203.50.19.129)
10  TenGigabitEthernet8-1.pic2.Sydney.telstra.net (203.50.20.185)
11  akamai1.lnk.telstra.net (203.45.29.78)
12  144.135.8.169 (144.135.8.169)
Is it coincidence that this "akamai" pops up again?
Just for the sake of it, I port scanned 144.135.8.169:

Code:

Host 144.135.8.169 is up (0.016s latency).
Interesting ports on 144.135.8.169:
Not shown: 992 closed ports
PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
443/tcp  open     https
500/tcp  open     isakmp
1720/tcp filtered H.323/Q.931
9000/tcp open     cslistener
9001/tcp open     tor-orport
9050/tcp open     tor-socks
And for the sake of it, I SSH'd to it:

Code:

v0ide@hackedpackard:~$ ssh 144.135.8.169
Permission denied (publickey).
And just because I wanted to try it, I installed Nessus 4 and ran a scan on 144.135.8.169. The only interesting info was about the https certificate:

Code:

Country: US
Organization: Akamai Technologies, Inc.
Common Name: a248.e.akamai.net

Issuer Name: 

Country: US
Organization: GTE Corporation
Organization Unit: GTE CyberTrust Solutions, Inc.
Common Name: GTE CyberTrust Global Root
Notice the Common Name is one I mentioned in a previous post when trying to connect to a completely separate website from HTd0rg or /.


So back to my main problem: why was http://www.hackerthreads.org redirected to 144.135.8.169? Is this a DNS attack? If so, why is it apparently random which sites are affected, when they're affected, and for how long they're affected? If it's not DNS, then what is it?
I'm happy to hand over the saved wireshark capture if anyone wants to look at it.
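The comparison the post above does by hand (ping says one address, Wireshark shows the connection going to another, and that other host answers 400 Bad Request), as an added example that is not part of the thread. It parses a Wireshark summary export in the tab-separated column layout the post shows (No., Time, Source, Destination, Protocol, Info), collects every server the client opened a port-80 connection to, and compares that set against the addresses DNS returned. The capture lines are frames 91-97 from the post; RESOLVED_IPS is constructed, because the post says the pinged address did not match 144.135.8.169 but never gives it, so a documentation address stands in.

```python
"""From a Wireshark summary export, work out whether HTTP requests reached
the server DNS named or some other host.

Added example, not from the thread.  CAPTURE is the post's frames 91-97;
RESOLVED_IPS is a constructed stand-in for the pinged address.
"""
import re
from collections import namedtuple

Frame = namedtuple("Frame", "no time src dst proto info")

CAPTURE = """\
91\t121.310596\t192.168.3.84\t144.135.8.169\tTCP\t57166 > http [SYN] Seq=0 Win=5840 Len=0 MSS=1460 TSV=25571630 TSER=0 WS=6
92\t121.327908\t144.135.8.169\t192.168.3.84\tTCP\thttp > 57166 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1360 TSV=2164566342 TSER=25571630 WS=1
93\t121.327949\t192.168.3.84\t144.135.8.169\tTCP\t57166 > http [ACK] Seq=1 Ack=1 Win=5888 Len=0 TSV=25571634 TSER=2164566342
94\t121.390786\t192.168.3.84\t144.135.8.169\tHTTP\tGET / HTTP/1.1 
95\t121.429168\t144.135.8.169\t192.168.3.84\tTCP\thttp > 57166 [ACK] Seq=1 Ack=647 Win=6460 Len=0 TSV=2164566443 TSER=25571650
96\t121.432114\t144.135.8.169\t192.168.3.84\tHTTP\tHTTP/1.0 400 Bad Request  (text/html)
97\t121.432129\t192.168.3.84\t144.135.8.169\tTCP\t57166 > http [ACK] Seq=647 Ack=405 Win=6912 Len=0 TSV=25571660 TSER=2164566443
"""

CLIENT_IP = "192.168.3.84"
# Constructed: what 'ping www.hackerthreads.org' returned is not in the post.
RESOLVED_IPS = {"198.51.100.20"}

SYN_TO_HTTP = re.compile(r"^\d+ > http \[SYN\]")
HTTP_STATUS = re.compile(r"^HTTP/\d\.\d (\d{3}) ([^(]*)")


def parse_summary(text):
    """Parse tab-separated summary lines into Frame tuples; skip malformed rows."""
    frames = []
    for raw in text.strip().splitlines():
        cols = raw.split("\t")
        if len(cols) < 6:
            continue
        frames.append(Frame(int(cols[0]), float(cols[1]), cols[2], cols[3],
                            cols[4], cols[5].strip()))
    return frames


def analyse(frames, client_ip, resolved_ips):
    """Compare where port-80 SYNs went with what DNS said, and note error replies."""
    servers, responses = set(), []
    for f in frames:
        if f.proto == "TCP" and f.src == client_ip and SYN_TO_HTTP.match(f.info):
            servers.add(f.dst)                       # server we actually connected to
        elif f.proto == "HTTP" and f.dst == client_ip:
            m = HTTP_STATUS.match(f.info)
            if m:
                responses.append((f.src, int(m.group(1)), m.group(2).strip()))
    unexpected = servers - set(resolved_ips)
    errors = [r for r in responses if r[1] >= 400 and r[0] in unexpected]
    if not unexpected:
        verdict = "port-80 connections went to the resolved address(es); DNS and path agree"
    elif errors:
        verdict = (f"TCP connected to {', '.join(sorted(unexpected))}, not to any resolved "
                   f"address, and that host answered {', '.join(f'{c} {r}' for _, c, r in errors)}: "
                   "something in the path is answering connections DNS pointed elsewhere")
    else:
        verdict = (f"TCP connected to {', '.join(sorted(unexpected))}, "
                   "which DNS did not return")
    return {"servers": servers, "unexpected": unexpected,
            "responses": responses, "verdict": verdict}


if __name__ == "__main__":
    print(analyse(parse_summary(CAPTURE), CLIENT_IP, RESOLVED_IPS)["verdict"])
```

If the destination of the SYN does not appear among the resolved addresses, the problem is not the answer DNS gave but what happened to the packets afterwards, which is the distinction the post is circling. A quick live version of the same test is curl -v --resolve www.hackerthreads.org:80:<resolved-ip> http://www.hackerthreads.org/ and then checking in a capture which address the SYN actually left for.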

Tech_Junkie
Your Senior
Posts: 871
Joined: Wed Apr 14, 2004 8:07 pm

Re: DNS (?) misbehaving

Post by Tech_Junkie » Mon Nov 09, 2009 9:03 am

I sometimes use Currports to monitor my network traffic.

For at least the last 6 months more than half of my browsing traffic seems to go through IPs resolved to akamaitechnologies.com. I have had problems recently with pages loading and have had some luck using Currports to close hanging "CLOSE_WAIT" and "LAST_ACK" ports.

My instant messaging and online game traffic don't appear to be affected.

I believe it is my ISP's cache or proxy server to "speed up" or watch and log internet traffic. When I said something to the local cable installer during a recent move he wouldn't confirm or deny it.

Tech_Junkie
Your Senior
Posts: 871
Joined: Wed Apr 14, 2004 8:07 pm

Re: DNS (?) misbehaving

Post by Tech_Junkie » Tue Nov 10, 2009 7:34 am

I did a little research on akamai. They provide web content for legitimate companies as well as some not so reputable ones.

I did come across this http://www.akamai.com/html/technology/p ... d_dns.html.

First sentence
Akamai Enhanced DNS is an outsourced secondary Domain Name Service that dependably directs users to your Web sites.
I'm guessing they have a different definition of "dependably" than you and I.

infinite_
Bat Country
Posts: 1353
Joined: Fri Jun 04, 2004 7:19 pm
Location: Australia

Re: DNS (?) misbehaving

Post by infinite_ » Thu Nov 12, 2009 8:53 pm

Akamai appear to have their fingers in everyone's pie.

I've read a few threads at http://whirlpool.net.au where users are having similar troubles with several ISPs here. I logged a support ticket with my ISP and supplied all the info, so hopefully they sort their shit out.

I'll update when I have news.

infinite_
Bat Country
Posts: 1353
Joined: Fri Jun 04, 2004 7:19 pm
Location: Australia

Re: DNS (?) misbehaving

Post by infinite_ » Thu Nov 12, 2009 8:58 pm

Actually, I just thought I'd check the status of my support ticket and -- hang on, where is it? Oh here it is, under the "Closed Tickets" section :\ Nice of them to let me know it's been resolved... except that it hasn't, because I'm still having these problems today! Jackasses.

Anyway, the support response is laughable, and can hardly be considered a resolution since I haven't verified the supplied solution works:
Dear Sir / Madam,

Thank you for your email.

Can you ping those websites ?

Could you please change the MTU to either 1410, 1400 or 1300 and then check. Also it's better to assign the DNS as xxx.xxx.xxx.xxx manually and check.

Regards
Clearly he didn't read my support ticket, which clearly states that I pinged the websites prior to running wireshark :S