| Next revision | Previous revision |
| opennic:report_compromised_servers [2017-07-08T15:35:47Z] – created fusl | opennic:report_compromised_servers [2017-07-08T22:30:55Z] (current) – fusl |
|---|
| ====== How to report a compromised OpenNIC service ====== | ====== How to report a compromised OpenNIC service ====== |
| It happens to the best of us: SSH root authentication is not disabled and an insecure password is set; BIND9 or PowerDNS hasn't been updated in time to prevent the latest exploits; etc... and the next thing you know is that you landed on a very obscure website when you actually tried to visit another one. How did that possibly happen? | It happens to the best of us: SSH root authentication is not disabled and an insecure password is set; BIND9 or PowerDNS hasn't been updated in time to prevent the latest exploits; ninja hackers have otherwise exploited any of the services running on the same server; etc... and the next thing you know is that you landed on a very obscure website when you actually tried to visit another one. How did that possibly happen? |
| |
| |
| |
| It does not always happen but also the best server administrators never make any mistakes. Tier 2 server administrators can make mistakes, especially because OpenNIC is not a multi-million $$$ company but a non-profit project and none of the server administrators are actually getting paid for their time they invest in keeping up the infrastructure. At this point, it is not very far from making just a slight mistake (be it an open SSH server, a non-updated service, an incorrectly configured service, an explitable script, etc.) and it will happen faster than expected: The server is completely exploited, a backdoor is installed and sooner or later, DNS requests are being redirected to third party websites. | It does not always happen but also the best server administrators sometimes make mistakes. Tier 2 server administrators can make mistakes, especially because OpenNIC is not a multi-million $$$ company but a non-profit project and none of the server administrators are actually getting paid for their time they invest in keeping up the infrastructure. At this point, it is not very far from making just a slight mistake (be it an open SSH server, a non-updated service, an incorrectly configured service, an explitable script, etc.) and it will happen faster than expected: The server is completely exploited, a backdoor is installed and sooner or later, DNS requests are being redirected to third party websites. |
| |
| |
| |
| But hold on! This does not mean that OpenNIC Tier 2 servers are (more) insecure than other companies DNS resolvers. Let's take Google's Public DNS Resolver (8.8.8.8 and 8.8.4.4) as an example: Random companies around the world have (not only accidentally) done MITM attacks against 8.8.8.8 and 8.8.4.4 and your DNS request to the Google servers ended up faster on a non-Google network than you could have even noticed. In fact, larger, reputable companies are a magnet for such attacks, because there are countries that try to block people in those countries from accessing 8.8.8.8 and 8.8.4.4, and they make mistakes as well and accidentally export a BGP route that should only be announced to the local country, to the entire internet instead, causing headache not only for Google server administrators but also for home users. | But hold on! This does not mean that OpenNIC Tier 2 servers are (more) insecure than other companies DNS resolvers. Let's take Google's Public DNS Resolver (''8.8.8.8'' and ''8.8.4.4'') as an example: Random companies around the world have (not only accidentally) done MITM attacks against ''8.8.8.8'' and ''8.8.4.4'' and your DNS request to the Google servers ended up faster on a non-Google network than you could have even noticed. In fact, larger, reputable companies are a magnet for such attacks, because there are countries that try to block people in those countries from accessing ''8.8.8.8'' and ''8.8.4.4'', and they make mistakes as well and accidentally export a BGP route that should only be announced to the local country, to the entire internet instead, causing headache not only for Google server administrators but also for home users. |
| |
| OpenNIC is because of exactly this and other reasons considered to be more secure than large companies: | OpenNIC is because of exactly this and other reasons considered to be more secure than large companies: |
| * What domain have you tried to visit? | * What domain have you tried to visit? |
| * At what website did you instead end up? | * At what website did you instead end up? |
| | |
| | ===== Malware hosted on OpenNIC servers ==== |
| | I noticed that someone has reported that a malware is being hosted on an OpenNIC or Tier 2 server. Does this mean OpenNIC/the Tier 2 has been compromised? |
| | |
| | This usually means that a random malware has decided to use OpenNIC Tier 2 DNS resolvers as a hardcoded DNS resolver to reach their botnet controller and other things. This is not different than using for example ''8.8.8.8'', but malware detection systems have decided to whitelist ''8.8.8.8'' and ''8.8.4.4'' because Google is a large company and marking those Google Public DNS Resolvers as "malware" would probably end up in a lawsuit being filed by Google. |
| | |
| | Because we resolve a specific domain for malware software doesn't necessarily mean that the Tier 2 in question is infected with malware, it just means that a specific person has decided to hardcode the DNS resolver into their software. |
| | |
| | The most simple rule to this is: If you can't reproduce a bad behavior on a Tier 2 server, it's likely that this server is not compromised or infected with malware. |