[OTR-dev] OTR homepage DNS poisoned?
Nick Guenther
nguenthe at uwaterloo.ca
Tue Dec 8 19:41:36 EST 2015
From Bell Canada the link in the Location: header takes me through a
couple of steps of tracking sites and then away over to any of several
spam/attack sites:
http://www.mega-brokers.co/lp-millionaireclub-brown/?coc=156&subc=w1ATM3TVTC6OC04PG7B7IRCK&paramc=golf-axe-Tw049LVw&paramf=MS%20-%20New%20Publisher%20-%20INTL
http://alwaysnew.feelfree4update.com/?pcl=3LbSqxsHPv14PjCURUDXDEdm0CHvCe21dottyrEp5Qo.&subid=102855_4a8f8983d90d5aba83b274e59952f44e&v_id=JMns7DFxzqZv1_WCWflzXTSG2mj3zOFVuYw-XLU3wFE.
etc., which seem to rotate every few minutes.
From Wind Mobile Canada, for the landing page you're being given, I get
TCP RSTs when I try to go to it, so good on Wind I guess.
It's strange that the DNS hijacking is only for some sites. Are you
sure it's targeting otr specifically? Can you maybe write a scapy
script to test thoroughly?
The landing site doesn't seem to be doing anything funny with
routing. My traceroute to it from Bell:
[kousu at galleon ~]$ traceroute 195.22.126.213
traceroute to 195.22.126.213 (195.22.126.213), 30 hops max, 60 byte packets
1 homeportal (192.168.2.1) 5.969 ms 7.243 ms 8.035 ms
2 10.11.0.241 (10.11.0.241) 408.481 ms 408.536 ms 510.627 ms
3 10.178.206.42 (10.178.206.42) 17.837 ms 19.829 ms 21.733 ms
4 10.178.206.43 (10.178.206.43) 23.634 ms 23.901 ms 25.642 ms
5 tcore3-kitchener06_bundle-ether4.net.bell.ca (64.230.113.68) 31.503 ms tcore4-kitchener06_Bundle-ether4.net.bell.ca (64.230.113.70) 36.814 ms 33.979 ms
6 tcore4-toronto21_hun1-1-0-0.net.bell.ca (64.230.50.190) 45.551 ms 11.502 ms 24.040 ms
7 tcore4-torontoxn_HundredGigE0-12-0-0.net.bell.ca (64.230.50.19) 24.219 ms tcore3-torontoxn_HundredGigE0-12-0-0.net.bell.ca (64.230.50.11) 28.631 ms 28.861 ms
8 bx1-torontoxn_et1-0-0.net.bell.ca (64.230.97.157) 31.141 ms 32.961 ms 33.136 ms
9 ix-5-0-1-0.tcore2.TNK-Toronto.as6453.net (63.243.172.25) 62.577 ms 62.790 ms 62.937 ms
10 if-2-2.tcore1.TNK-Toronto.as6453.net (64.86.33.89) 36.800 ms 36.999 ms 38.806 ms
11 ae9.tor10.ip4.gtt.net (173.205.54.65) 38.981 ms 40.671 ms 42.366 ms
12 xe-0-1-0.waw11.ip4.gtt.net (141.136.109.10) 135.031 ms 128.720 ms xe-0-0-0.waw11.ip4.gtt.net (89.149.182.38) 132.269 ms
13 ip4.gtt.net (46.33.84.122) 138.020 ms 139.968 ms 140.194 ms
14 * * *
15 * * *
16 92-55-195-149.net.hawetelekom.pl (92.55.195.149) 159.489 ms 161.746 ms 163.115 ms
17 SDC-N003RTP01.net.hawetelekom.pl (77.242.225.94) 161.568 ms 164.712 ms 173.525 ms
18 n16h14.sprintdatacenter.net (46.29.16.14) 137.273 ms 139.551 ms 140.869 ms
19 195.22.126.213 (195.22.126.213) 141.038 ms 145.883 ms 147.956 ms
and from Wind Mobile:
[kousu at galleon ~]$ traceroute 195.22.126.213
traceroute to 195.22.126.213 (195.22.126.213), 30 hops max, 443 byte packets
1 * gateway (192.168.43.1) 9.156 ms 11.419 ms
2 * * *
3 * * *
4 199.7.156.196 (199.7.156.196) 1564.910 ms 1564.862 ms 1564.890 ms
5 199.7.156.197 (199.7.156.197) 1564.881 ms 1564.871 ms 1564.861 ms
6 199.7.158.107 (199.7.158.107) 1619.754 ms 1611.411 ms 1609.155 ms
7 199.7.158.130 (199.7.158.130) 160.965 ms 172.696 ms 181.021 ms
8 te0-0-1-2.nr12.b029131-1.yvr01.atlas.cogentco.com (38.88.6.177) 251.004 ms 253.353 ms 253.616 ms
9 te0-0-1-3.rcr12.yvr01.atlas.cogentco.com (154.24.48.217) 207.164 ms 219.989 ms 264.788 ms
10 te0-0-0-14.ccr21.sea02.atlas.cogentco.com (154.54.83.225) 161.598 ms 151.673 ms 144.550 ms
11 be2083.ccr21.sea01.atlas.cogentco.com (154.54.0.249) 163.858 ms be2084.ccr22.sea01.atlas.cogentco.com (154.54.0.253) 165.557 ms 177.474 ms
12 be2077.ccr22.sfo01.atlas.cogentco.com (154.54.0.241) 188.410 ms be2075.ccr21.sfo01.atlas.cogentco.com (154.54.0.233) 175.955 ms be2077.ccr22.sfo01.atlas.cogentco.com (154.54.0.241) 180.306 ms
13 be2165.ccr22.sjc01.atlas.cogentco.com (154.54.28.66) 188.078 ms be2164.ccr21.sjc01.atlas.cogentco.com (154.54.28.34) 195.397 ms be2165.ccr22.sjc01.atlas.cogentco.com (154.54.28.66) 194.008 ms
14 be2000.ccr21.sjc03.atlas.cogentco.com (154.54.6.106) 127.874 ms 130.911 ms 178.101 ms
15 gtt.sjc03.atlas.cogentco.com (154.54.9.14) 168.180 ms 179.834 ms 171.818 ms
16 xe-0-0-0.waw11.ip4.gtt.net (89.149.182.38) 284.123 ms 276.452 ms 279.398 ms
17 ip4.gtt.net (46.33.84.122) 307.631 ms 300.683 ms 291.059 ms
18 * * *
19 * * *
20 92-55-195-149.net.hawetelekom.pl (92.55.195.149) 293.195 ms 293.211 ms 292.000 ms
21 SDC-N003RTP01.net.hawetelekom.pl (77.242.225.94) 306.441 ms 335.056 ms 307.694 ms
22 n16h14.sprintdatacenter.net (46.29.16.14) 270.130 ms 285.611 ms 272.831 ms
23 * * *
24 195.22.126.213 (195.22.126.213) 317.531 ms 340.528 ms 364.764 ms
That landing site is in Poland:
[kousu at galleon ~]$ geoiplookup 46.29.16.14
GeoIP Country Edition: PL, Poland
GeoIP Organization Edition: Sprint Data Center Sprint S.A.
[kousu at galleon ~]$ geoiplookup 195.22.126.213
GeoIP Country Edition: PL, Poland
GeoIP Organization Edition: EuroNet s.c. Henryk Kuc, Jacek Majak
Now, ooni mentions that Greece is doing DNS hijacking to block
gambling sites: https://ooni.torproject.org/post/eeep-greek-censorship/
but this doesn't look at all like government censorship, because of the
out of country spam sites. It looks like a spammer, or like someone
*trying to look* like a spammer.
Hm. Very mysterious.
-Nick Guenther
4B Stats/CS
University of Waterloo
On Wed, 09 Dec 2015 00:57:44 +0100
Jurre van Bergen <drwhax at 2600nl.net> wrote:
> Hi,
>
> I don't see the same thing happening nor can I resolve that IP via the
> dns lookup for otr.cypherpunks.ca. Must be something weird on your
> network, might be interesting to run: ooni.torproject.org and see what
> is going on.
>
> On 12/08/2015 11:54 PM, Dionysis Zindros wrote:
> > Hello,
> >
> > The OTR homepage at http://otr.cypherpunks.ca/ seems to be
> > man-in-the-middled in certain networks. I have checked through
> > various different networks with various results.
> >
> >
> > Do you have ideas as to what could be happening?
> >
> > Thank you,
> > Dionysis Zindros.
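A way to do the thorough check Nick asks for, as an added example that is not part of the thread or the OTR project: send the same A query for otr.cypherpunks.ca straight to several resolvers over UDP/53 (so the system stub resolver and any ISP interception of it are taken out of the picture) and flag the resolvers whose answer set disagrees with the majority. The resolver addresses are whatever the reader chooses (the ISP's from /etc/resolv.conf next to a few public ones); SAMPLE_REPLY is a constructed reply, not a real capture, so the parser can be exercised offline.

```python
import os
import socket
import struct
from collections import Counter

def build_query(name, txid):  # one A/IN question, recursion desired, no EDNS
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [l.encode("ascii") for l in name.strip(".").split(".")]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def _skip_name(msg, off):  # step past a name; a compression pointer ends it
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:
            return off + 2
        off += msg[off] + 1
    return off + 1

def parse_a_records(msg, txid):  # IPv4 answers; reject a reply whose id does not match
    rid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch (spoofed or stale reply?)")
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4           # skip QTYPE + QCLASS
    ips = set()
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.add(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen                              # CNAME or other rdata: skip it
    return ips

def resolve_via(resolver, name, timeout=3.0):  # ask one resolver directly over UDP/53
    txid = int.from_bytes(os.urandom(2), "big")   # random id, as a real client uses
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (resolver, 53))
        data, _ = s.recvfrom(512)
    return parse_a_records(data, txid)

def outliers(answers):  # {resolver: set(ips)} -> resolvers disagreeing with the majority
    majority = Counter(frozenset(v) for v in answers.values()).most_common(1)[0][0]
    return sorted(r for r, v in answers.items() if frozenset(v) != majority)

# Constructed sample reply (not a real capture): id 0x4F54, flags QR|RD|RA, one A record
# for 192.0.2.1 (a documentation address); answer name is a pointer to the question name.
SAMPLE_REPLY = (struct.pack("!HHHHHH", 0x4F54, 0x8180, 1, 1, 0, 0)
                + build_query("otr.cypherpunks.ca", 0x4F54)[12:]
                + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton("192.0.2.1"))
```

For a live run, call resolve_via(r, "otr.cypherpunks.ca") for each resolver r you want to compare, collect the sets into a dict and pass it to outliers(); a resolver returning an address nobody else returns is the one to look at more closely.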