For my upcoming talk at DefCon next Friday, I was testing a server that happens not to be open on a port you’d expect it to be. That same server also load balances via DNS, so it has a ton of different IP space that it points to. So I wanted to check whether that port was open on any of the servers behind it. I used wget to do this. It looked something like this:
$ wget --server-response --timeout=3 https://somesite.com/
--2009-07-21 13:58:32--  https://somesite.com/
Resolving somesite.com... 1.1.1.1, 2.2.2.2, 3.3.3.3, ...
Connecting to somesite.com|1.1.1.1|:443... failed: Connection timed out.
Connecting to somesite.com|2.2.2.2|:443... failed: Connection timed out.
Connecting to somesite.com|3.3.3.3|:443... failed: Connection timed out.
Connecting to somesite.com|4.4.4.4|:443... failed: Connection timed out.
Connecting to somesite.com|5.5.5.5|:443... failed: Connection timed out.
Connecting to somesite.com|6.6.6.6|:443... failed: Connection timed out.
Connecting to somesite.com|7.7.7.7|:443... failed: Connection timed out.
Connecting to somesite.com|8.8.8.8|:443... failed: Connection timed out.
Connecting to somesite.com|9.9.9.9|:443... failed: Connection timed out.
Connecting to somesite.com|10.10.10.10|:443... failed: Connection timed out.
Connecting to somesite.com|11.11.11.11|:443... failed: Connection timed out.
Retrying.
So you can see that if it can’t connect to the first IP address in the list your DNS returns, it’ll try the second; if that’s also unreachable it’ll try the third, and so on. This means that if you can detect that someone is using wget against you, you can essentially rebind their connection to another IP address, assuming the address you want to rebind them to is also listed in your DNS. So you can rebind them to Google or something and have them spin forever trying to download the Internet, or something else just as dumb. Or you can point them at their own internal IPs…
That means there is a second, and much weaker, attack there as well. Let’s say I had a list of DNS entries like 1.1.1.1, 192.168.0.1, 1.1.1.1, 192.168.1.1, 1.1.1.1, 10.0.0.1, 1.1.1.1, … that alternated back and forth between my domain’s address (1.1.1.1) and internal RFC1918 address space. If the first one fails, it’ll try the second. If the port is closed there, it’ll miss that one and try the third (my IP again), and so on. I don’t have an open port, but that doesn’t mean I can’t see the SYN packet coming in. In this way you can create a very weak intranet port scan, one that stops as soon as it hits the very first internal IP address that accepts the connection. So it’s almost useless as an attack. But still - really? Why does wget of all things need to be vulnerable? What’s next? Heap spraying in lynx?!
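As an added example (not from the post), here is the check a defender would bolt on to anything that walks A records the way wget does above: it replays a wget transcript to recover which addresses were actually tried and flags the non-public ones, and it vets a hostname’s record set before fetching so a list that mixes public addresses with RFC1918 space is refused. The transcript is constructed, and vet_records only resolves live when no record list is passed in.

```python
import ipaddress
import re
import socket

# One wget connect line per address it falls through to, e.g.
# "Connecting to somesite.com|10.0.0.1|:443... failed: Connection timed out."
CONNECT_RE = re.compile(r"Connecting to (?P<host>[^\s|]+)\|(?P<ip>[^|]+)\|:(?P<port>\d+)\.\.\.\s*(?P<result>.*)$")

def is_public(addr):
    """True only for globally routable unicast; RFC1918, loopback, link-local all fail."""
    ip = ipaddress.ip_address(addr)
    return ip.is_global and not ip.is_multicast

def audit_wget_transcript(lines):
    """Replay a wget --server-response transcript and recover the address chain wget
    walked. Returns (attempts, flagged): each (ip, port, result) tried, and the
    non-public addresses among them."""
    attempts, flagged = [], []
    for line in lines:
        m = CONNECT_RE.search(line)
        if not m:
            continue
        ip, port = m.group("ip").rstrip("."), int(m.group("port"))
        attempts.append((ip, port, m.group("result")))
        if not is_public(ip):
            flagged.append(ip)
    return attempts, flagged

def vet_records(hostname, records=None):
    """Pre-flight check: resolve the name (or take a supplied record list) and refuse
    to fetch when any record is non-public, since wget would fall through to it
    as soon as the public addresses time out."""
    if records is None:
        records = sorted({ai[4][0] for ai in socket.getaddrinfo(hostname, None)})
    bad = [r for r in records if not is_public(r)]
    return {"records": records, "non_public": bad, "safe_to_fetch": not bad}

# Constructed transcript modelled on the one in the post; not real wget output.
SAMPLE = """--2009-07-21 13:58:32--  https://somesite.com/
Resolving somesite.com... 1.1.1.1, 192.168.0.1, 1.1.1.1, 10.0.0.1
Connecting to somesite.com|1.1.1.1|:443... failed: Connection timed out.
Connecting to somesite.com|192.168.0.1|:443... failed: Connection refused.
Connecting to somesite.com|1.1.1.1|:443... failed: Connection timed out.
Connecting to somesite.com|10.0.0.1|:443... connected.
""".splitlines()

if __name__ == "__main__":
    attempts, flagged = audit_wget_transcript(SAMPLE)
    print(f"{len(attempts)} connect attempts; non-public targets: {flagged}")
    print(vet_records("somesite.com", ["1.1.1.1", "192.168.0.1", "10.0.0.1"]))
```

The same audit works on a fetcher’s saved stderr after the fact, which is how you would notice a download tool quietly walking into your own address space.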