DNS Rebind Attack, DNS Records Altered, Well Hacked I Am.
-
Re: Dns rebind attack - Encrypted DNS?
I was having a battle last evening adding rules to my Netgate SG-5100 pfSense firewall in my office for every new address that “the hacker” would use to run a dictionary attack on my mail server. I finally blocked all his addresses or he gave up, but immediately after that I lost my internet connection. I discovered that something had happened to my firewall that it would no longer NAT out or in. Using my phone I discovered that trying to reach one of my web sites from the internet side resulted in a message from my pfSense firewall that “Potential DNS Rebind attack detected.”
I have about 12 domain names assigned to my web and mail server here in my office. The DNS records are hosted at Domains Priced Right and I checked them to find that all the redirects I had set up were changed on every domain to:
A https 15.197.142.173 600 seconds
A https 3.33.152.147 600 seconds
And the A record to my site IP was gone. I was curious about how someone could so quickly pollute all my records from outside as I checked, and the techs at DPR confirmed, that no one had entered my account. I am still not able to create new “clean” redirects on my DNS record either – every time I set up a redirect to change http to https, those two addresses end up in the A records again.
“They” may have poisoned the DNS somehow as well.
Point is, these are both AWS IPs with suspicious certificates “Internet Widgits Pty Ltd” and even more suspect because one of the records indicates “AWS RPKI Management POC”.
Now.. Something is really screwed in all of this. No traffic is going through the router either way. I can log on to the firewall from WAN or LAN, I can use the ping and traceroute and that works. But even my Windows 2019 IIS10 server won't serve up anything on the internal network. My network is working fine peer to peer on file sharing but there's no way out to the internet. I've been at everything I can think of to identify what the problem is before messing too much with anything but I'm stumped. Any suggestion how to find whatever it is that's doing this?
I am not anywhere near as conversant technically as many of you pros here are but I am persistent.
-
Like I said... I'm persistent. Started going through the various services and options, menu by menu turning things on and off. Finally got to pfBlockerNG, turned it off and presto... back on-line.
Turned it back on and continued to be online.
Wha... ???
Totally wanting to push my luck I updated it and no problem.
There's an unexpected, off the wall solution for you all.
-
Seriously... I don't think you know what you are doing.
This is all nonsense to users knowing how to configure pfsense.
-
So helpful. And how competent does one need to be and why wouldn't someone like you ask a few decent questions to help someone like me get to the bottom of this? I must admit it's quite a bit more of a challenge than pfSense 1.1 which is when I started using it.
How would an expert explain turning pfBlockerNG off to solve unblocking outbound traffic and then turning it back on and continuing to be able to go outbound?
Have you ever had anyone attack and redirect 12 domains that you own without violating your account? How would you do that?
-
@stemapps said in DNS Rebind Attack, DNS Records Altered, Well Hacked I Am.:
Using my phone I discovered that trying to reach one of my web sites from the internet side resulted in a message from my pfSense firewall that “Potential DNS Rebind attack detected.”
Are you visiting or using the WAN IP while you are connected to a local AP?
Just don't.
Access your site using the same 'domain.tld' is ok, but make a host override for it, and give it the server's local 'LAN' IP.

@stemapps said in DNS Rebind Attack, DNS Records Altered, Well Hacked I Am.:
dictionary attack on my mail server.
Rate limiting connections on a mail server will handle these kind of attacks just fine.
You'll be seeing a lot of mail logs, that's all.
On the mail server - and web server, use fail2ban, so you can enforce situations like: "if more than 3 failures on (mail) login occur, firewall (the local server firewall) the IP for xx hours / days".

edit : Oh sh*t, you're using M#soft servers..... don't know anything about these.
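The rebind protection and host-override behaviour described in this reply, modelled as an added Python example (this is not pfSense's or Unbound's code; the private-range list, the override table and the hostnames are constructed assumptions). Note that this check only strips private addresses from upstream answers, so records rewritten to public IPs, like the two AWS addresses in the first post, pass straight through it.

```python
import ipaddress
from typing import Dict, List, Tuple

# Address ranges a public name should never resolve to from upstream.
# Assumption: mirrors the RFC 1918 / loopback / link-local ranges that a
# rebind-protected resolver such as pfSense's Unbound treats as suspect.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]

# Host overrides (pfSense > Services > DNS Resolver): name -> LAN IP.
# Constructed values; the thread does not give the poster's own overrides.
HOST_OVERRIDES: Dict[str, str] = {"www.example.test": "192.168.1.20"}


def is_private(ip: str) -> bool:
    """True if ip falls inside one of the protected private ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def resolve(name: str, upstream_answers: List[str]) -> Tuple[List[str], str]:
    """Return (answers, reason) as a rebind-protected resolver would for a LAN client.

    A host override is answered locally and never goes upstream, so the LAN IP
    is legitimate there. Any other name gets its upstream answer filtered: private
    addresses are dropped, so an external record pointing at 192.168.x.x cannot
    steer a LAN browser onto internal hosts.
    """
    name = name.lower().rstrip(".")
    if name in HOST_OVERRIDES:
        return [HOST_OVERRIDES[name]], "host-override"
    kept = [ip for ip in upstream_answers if not is_private(ip)]
    dropped = [ip for ip in upstream_answers if is_private(ip)]
    return kept, ("rebind-filtered" if dropped else "upstream")


if __name__ == "__main__":
    # Constructed sample lookups: an overridden local name, the two public
    # AWS addresses quoted in the thread, and an upstream answer carrying a
    # private address that the filter strips.
    print(resolve("www.example.test", ["192.168.1.20"]))
    print(resolve("mail.example.test", ["15.197.142.173", "3.33.152.147"]))
    print(resolve("lookalike.example.test", ["192.168.1.1", "203.0.113.9"]))
```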
-
Thanks for the reply. I turned off my wireless and was on cellular accessing the web site from outside by TLD not IP.
My mail server is running on Windows 10. It's a third party server. Gives me a real time interface which I like plus logs.
-
Check here DNS Rebind.
-
Thank you for your help again. It's back to running quite well and blocking properly.
I do believe that because only my domain names' A records were deleted and replaced that it was the built in anti DNS Rebind feature that saved everything inside my network from further attack.