Posted in WebSitePulse News, Tech
Today (Jan 21, 2014) between 07:00 and 09:00 UTC mainland China was hit by a wave of network issues. A large number of both Chinese and international domains were reporting connection timeouts and were completely inaccessible. The cause was that, for some reason, a large number of domains were resolving to a single IP address - 18.104.22.168. The problem was reported as resolved in most places around 08:50. Due to the DNS caching infrastructure, however, a lot of users will still be affected until the cached bogus records expire. Users were advised to use alternative DNS servers like Google's 22.214.171.124. If you are running a DNS caching server in China, we strongly recommend flushing it as soon as possible to avoid DNS issues.
News sources in China first blamed the incident on DNS poisoning of the root and gTLD DNS servers. This, however, was not the case, since networks outside mainland China were not affected at all. Our investigation showed DNS responses from authoritative name servers arriving with bogus data when queried from our servers in Beijing, Shanghai and Guangzhou.
For example, our first notice of the issue came when we requested the A record of static.bbci.co.uk. from ns1.thdow.bbc.co.uk (126.96.36.199), one of the authoritative DNS servers for bbc.co.uk. The response was
static.bbci.co.uk. 37621 IN A 188.8.131.52
instead of the correct record, which is
static.bbci.co.uk. 900 IN CNAME static-bbci.bbc.net.uk.
This suggests that the response packet was modified in transit, and the most likely culprit is the Golden Shield Project (also known as the Great Firewall of China). A possible reason for the mishap is that instead of blocking the 184.108.40.206 IP address, all DNS queries were redirected to this IP. Ironically, they actually succeeded in blocking the IP by creating a massive DDoS attack from all the Chinese users who were making connections to this address while trying to access different sites.
The offending IP 220.127.116.11 has an interesting story itself, but I'll just put a few pointers:
- It is owned by Sophidea, Inc., registered at the address 2710 Thomes Ave Suite 884, Cheyenne, WY, 82001, US. Reuters ran a special story about this address a few years ago (http://www.reuters.com/article/2011/06/28/us-usa-shell-companies-idUSTRE75R20Z20110628).
- While there is scant information regarding Sophidea, Inc., I can see that they are providing hosting services to a large number of companies, and the IPs from this range were frequently reported for spam.
- Hosted on the same network range is ultrasurf.us, which was created to provide a means to bypass the Great Firewall of China and provide anonymous Internet access. Ultrareach Corp, the company which owns UltraSurf, is registered at the same postal address in Wyoming. There has been some discussion of the actual value of the services provided by UltraSurf (https://blog.torproject.org/blog/ultrasurf-definitive-review), but still, their service might have something to do with the Chinese government wanting to restrict access to this netblock.
Update Jan 22, 2014
The widespread news that a DNS poisoning attack has taken place is largely false. While there was secondary DNS cache poisoning as a consequence of this problem, the initial error came from the Great Firewall of China and its regional sub-systems. The first domains affected were those with low TTLs that are frequently visited by Chinese internet users, like Weibo and Baidu, but not all sites were affected - sina.com, for example, was getting correct IPs during the whole period.
An interesting fact is that after the IP for the DNS servers was set to the bogus address 18.104.22.168, which at that moment was already unreachable, we were still getting bogus DNS responses from it. Here is an example from our DNS cache logs, rewritten for clarity:
1. Query domain.com address
2. We have cached NS records ns1.domain.com and ns2.domain.com
3. Find address for ns1.domain.com
   response from a.gtld-servers.net. (22.214.171.124) - this should not happen: the gTLD servers should return NS records (a referral), not an A record
   ns1.domain.com 19613 IN A 126.96.36.199
4. Find address for ns2.domain.com
   response from j.gtld-servers.net. (188.8.131.52) - this should not happen: the gTLD servers should return NS records (a referral), not an A record
   ns2.domain.com 34332 IN A 184.108.40.206
5. Find address for domain.com from the above DNS server addresses (both are 220.127.116.11)
   response from 18.104.22.168 - this IP was not reachable at the time; the response obviously comes from a different location pretending to be it
   domain.com 36993 IN A 22.214.171.124
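The two things that made this log suspicious can be checked mechanically: a TLD server answering with an A record where a referral is expected, and many unrelated names collapsing onto one address. The script below is an added example, not WebSitePulse code. Its one-line-per-response log format is a constructed simplification of the cache log above, and every name and address in it is constructed (192.0.2.0/24 is the documentation range); a real resolver would feed it its own query log.

```python
"""Checks for the symptoms described above, run over resolver log lines:
a gTLD server answering with an A record instead of a referral, and many
unrelated names resolving to a single IP address.

Added example, not WebSitePulse code. The line format and every address
in the sample are constructed."""
import re
from collections import defaultdict

# Constructed line format:
#   response from <server> (<source ip>): <name> <ttl> IN <type> <data>
LINE_RE = re.compile(
    r"^response from (?P<server>\S+) \((?P<src>[0-9.]+)\): "
    r"(?P<name>\S+) (?P<ttl>\d+) IN (?P<rtype>[A-Z]+) (?P<data>\S+)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ttl"] = int(rec["ttl"])
    return rec


def tld_answered_with_a(rec):
    """A gTLD server is expected to hand down NS records (a referral);
    an A record in its answer is the anomaly shown in the log above."""
    return rec["server"].endswith(".gtld-servers.net.") and rec["rtype"] == "A"


def find_sinkholes(records, min_names=3):
    """Map each IP that at least `min_names` distinct names resolve to
    onto the sorted list of those names."""
    by_ip = defaultdict(set)
    for r in records:
        if r["rtype"] == "A":
            by_ip[r["data"]].add(r["name"])
    return {ip: sorted(names) for ip, names in by_ip.items() if len(names) >= min_names}


def detect(log_text, bogus_ips=frozenset(), min_names=3):
    """Run all checks. `bogus_ips` is an optional set of addresses already
    known to be wrong, e.g. one published in an incident report."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    return {
        "tld_answered_a": [r["name"] for r in records if tld_answered_with_a(r)],
        "bogus_answers": [r["name"] for r in records
                          if r["rtype"] == "A" and r["data"] in bogus_ips],
        "sinkholes": find_sinkholes(records, min_names),
    }


# Constructed log, modelled on the cache log shown above.
SAMPLE_LOG = """\
response from a.gtld-servers.net. (192.0.2.10): ns1.domain.com. 19613 IN A 192.0.2.99
response from j.gtld-servers.net. (192.0.2.11): ns2.domain.com. 34332 IN A 192.0.2.99
response from ns1.domain.com. (192.0.2.99): domain.com. 36993 IN A 192.0.2.99
response from ns1.thdow.bbc.co.uk. (192.0.2.50): static.bbci.co.uk. 37621 IN A 192.0.2.99
response from ns1.sina.com. (192.0.2.60): sina.com. 600 IN A 192.0.2.70
"""

if __name__ == "__main__":
    for key, value in detect(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The sinkhole check is the one that would have fired first during this incident, since it needs no knowledge of which address is wrong: it only needs names that have no business sharing an address to start sharing one. The threshold is deliberately low for the five-line sample; on a busy cache it should be set well above the number of names a legitimate CDN front end normally serves.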
Another fact about the IP - it was routed via Dynamic Internet Technology Inc. (http://dit-inc.us/), which lists among its clients theepochtimes.com (banned in China) and is developing Freegate (anti-censorship software). Their network took most of the traffic, which at the time looked like a massive DDoS attack. Estimates from some Chinese providers state that more than 200 million users were affected. This raises a question about the security of the Great Firewall itself: by setting similar DNS filtering rules, a malicious attacker could direct the traffic of all China's users to any single IP in the world, effectively bringing it down in minutes. China currently has more than 600 million internet users; for comparison, the largest botnet in the world to date was estimated at around 30 million bots.
We will update this post with additional information as soon as an official statement regarding the issue is made. Please let us know if you have any thoughts on this.
DNS - Domain Name System. The global DNS infrastructure serves as the Internet's address book: it lets you find the IP address needed to connect to a domain name. For example, www.websitepulse.com currently resolves to the IP address 126.96.36.199. It also serves information about the mail servers behind an email address (MX records), the servers allowed to send email for a domain (SPF records), IPv6 addresses (AAAA records) and more. See more on DNS.
DNS spoofing - an attack that serves bogus DNS responses to trick users into connecting to a different IP address or service. Similar to DNS cache poisoning.
DNS hijacking - an attack that compromises a trusted DNS server, or the packets coming from it, to redirect users to different addresses. Also called DNS redirection.
NS records - a typical DNS record containing the domain names and/or IP addresses of the DNS servers responsible for a domain.
A records - a DNS record containing the IP address(es) corresponding to a domain name.
Golden Shield (the Great Firewall of China) - a large censorship and surveillance project run by the government of China. In addition to the capability of blocking specific domains and addresses, it is supposed to be able to do DNS filtering and redirection and man-in-the-middle attacks.
Posted in WebSitePulse News, Tech
When it comes to building your business, it is very important to have a fully functioning website, or else you are going to miss out on potential clients, resulting in a loss of revenue. Thus, you need to always make sure your website is up and running properly, as several different issues can stop your website from loading and working properly. These are easy corrections, though, all of which you can do on your own, at home, to make sure your website is available to the world.
When you attempt to visit your website and see an error page instead of your website, you are experiencing one of two problems: your website or host isn't working or there is a problem between your computer and the host server. In order to determine the problem, there is a series of easy tests you can perform to find and correct the issue.
1. Try to reach another website. If any other website loads normally, your Internet connection is working properly. If not, you know the problem is with the Internet connection and you need to contact your Internet service provider. Once you have established that the Internet connection is working properly but you still cannot reach your website, do as follows:
2. Try to visit your hosting company's website. Both your website and the host company's website use the same server, and if the company website is not working, you will know it is a server problem. If you are able to visit that website, then the issue is with your own website or the domain name.
3. Try to visit your website from a different computer, tablet or phone. This is to make sure there isn't something wrong with your ISP. If you can visit the website that way, then you need to contact your ISP. If not, the problem is still either with your site or the domain.
4. Try to ping your domain. To ping your website, click "Start", "Programs", "Accessories" and "Command Prompt". Then type in the word 'ping', then a space and finally your domain name. You should receive a series of reply messages, including the bytes used, IP address information and other data. If you receive replies, the website is working. If the website is not working, you'll receive a 'timed out' error message. Should this occur:
5. You need to run a traceroute command. This identifies the different ways your computer connects to the domain and should point out the problem. Return to the Command Prompt, type in the word 'tracert', then a space and your domain name. A series of 19 different lines appears, displaying information regarding the website. 1 is the Internet gateway; 2 is the ISP of the original computer the website connects to; 3 is the extra network; 4 is 'Request Timed Out'; 5-9 are routers on a global gateway, depending on the country the website is based out of; 15-17 are the Net Access Corporation network in the area; 18 is the router on the network of the website, and 19 is the computer the website is hosted on. In line 4 there are three stars and 'Request Timed Out' listed. If this information is displayed in any other line, then you know where the problem is. You can then find out whether you need to contact one of the Net Access Corporation points or other network sites that have the request timed out.
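Reading a tracert listing by hand is error-prone, so here is an added example (not WebSitePulse code) that parses Windows tracert output and separates the two cases a starred line can mean: a transit router that simply does not answer probes while the destination is still reached, and a path that stops answering from some hop onwards. Both traces are constructed, with addresses from the documentation ranges.

```python
"""Parse Windows tracert output and locate where a path stops answering.
Added example, not WebSitePulse code; the traces below are constructed."""
import re

RTT_RE = re.compile(r"<?\d+ ms")


def parse_tracert(text):
    """Return one dict per hop line: {'hop': n, 'rtts': [ms, ...], 'host': str or None}.
    A probe printed as '*' contributes no RTT; a hop whose probes all timed
    out has an empty 'rtts' list and host None."""
    hops = []
    for line in text.splitlines():
        m = re.match(r"^\s*(\d+)\s+(.*)$", line)
        if not m:
            continue  # banner, blank line, "Trace complete."
        rest = m.group(2)
        rtts = [int(v.lstrip("<").split()[0]) for v in RTT_RE.findall(rest)]
        host = RTT_RE.sub("", rest).replace("*", "").strip()
        if host.startswith("Request timed out"):
            host = None
        hops.append({"hop": int(m.group(1)), "rtts": rtts, "host": host})
    return hops


def diagnose(hops):
    """Tell a silent transit router apart from a path that really breaks."""
    if not hops:
        return "no hops parsed"
    if hops[-1]["rtts"]:
        silent = [h["hop"] for h in hops if not h["rtts"]]
        if silent:
            return f"destination reached; hops {silent} do not answer probes (usually harmless)"
        return "destination reached; every hop answered"
    last_ok = None  # last hop that answered before the trailing timeouts
    for h in hops:
        if h["rtts"]:
            last_ok = h
    if last_ok is None:
        return "no hop answered; check the local gateway or connection"
    return f"path breaks after hop {last_ok['hop']} ({last_ok['host']}); contact that network"


# Constructed traces: one where hop 4 is a silent router, one where the
# path goes dark after hop 3.
SAMPLE_OK = """\
Tracing route to www.example.com [192.0.2.80]
over a maximum of 30 hops:

  1     1 ms     1 ms     1 ms  192.168.1.1
  2    12 ms    11 ms    12 ms  10.0.0.1
  3    15 ms    14 ms    15 ms  198.51.100.1
  4     *        *        *     Request timed out.
  5    40 ms    41 ms    40 ms  203.0.113.9
  6    42 ms    42 ms    43 ms  192.0.2.80

Trace complete.
"""

SAMPLE_BROKEN = """\
Tracing route to www.example.com [192.0.2.80]
over a maximum of 30 hops:

  1     1 ms     1 ms     1 ms  192.168.1.1
  2    12 ms    11 ms    12 ms  10.0.0.1
  3    15 ms    14 ms    15 ms  198.51.100.1
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
"""

if __name__ == "__main__":
    print(diagnose(parse_tracert(SAMPLE_OK)))
    print(diagnose(parse_tracert(SAMPLE_BROKEN)))
```

The distinction matters for the advice in step 5: a single starred line with responding hops after it is almost always a router configured not to reply to traceroute probes, not the fault; the hop to report is the last one that answered before the timeouts run to the end of the listing.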
If the ping and traceroute pointed to a fully functioning website, you have a few other options available. Open your web design software and look up the connection information. This is called different things depending on the software you are using, but it is where you type in your domain name, host information and other client identification data to connect and upload your updated website to the Internet. Look over this information and make sure it is correct. You might find the wrong domain is typed in, or that your host ID number does not match what the domain and host provider gave you. To double-check this, log into your account on your domain provider's and server provider's websites. If anything is off, correct it and update everything.
Posted in WebSitePulse News
A client-side certificate is a certificate the client presents to establish its identity to your server. This is the best way for the server to "know" exactly who is connecting to it. It works a lot like having a username and a password on your server, but without having to interact with the user. This certificate is used when the client must be identified without having to enter a username and password.
These certificates are quite useful for the security of your network. They are created on the Internet server on your computer and can be requested by the client's computer. That way, the security of your network is a lot stronger. The client will know that all the information they have sent to your computer is secured with a digital signature provided by the host domain server.
It is very important that you know how to create the client certificate on your computer. There are several steps in this process:
1. Click on the Windows "Start" button and select "Settings". Once you are inside this menu, select "Control Panel".
2. Double-click the "Administrative Tools" icon.
3. Double-click the Internet Information Services icon.
4. Right-click on the web server virtual directory and select "Properties".
5. Click on the "Directory Security" tab.
6. Click on the "Edit" button, found in the Secure Communications section.
7. Check the box that says "Require secure channel". This enforces the security requirements when the user tries to access the directory.
8. Click on the "Require client certificates" button. You will also need to check the "Enable client certificate mapping" box.
9. Click on the "Edit" button.
10. Select the "Many-to-1" tab.
11. Click on the "Add" button. In the new window that appears, enter a name for the new rule. This rule is the one encrypted so that it is secure to use. Click on the "Next" button once you have entered the name.
12. Make sure to enter the name of the organization and click on the "OK" button.
13. Click on "Accept this certificate". This needs to be done when the mapping window appears.
14. Click on the "Finish" button.
15. Click on the "OK" button and close the window. These are the fifteen steps to creating client-side certificates in the Internet Information Services console, after which you need to test your configuration.
There are three main steps in testing out your configuration:
1. Open your Internet browser. This is how you will navigate inside your web directory, which is now very secure. Check the web address to see what it looks like. It should be similar to this: https://localhost/mySecurityDirectory/mySecurePage.aspx.
2. Make sure you receive a message that says your secure certificate was validated, as the certificate must be presented to the application. The application is then displayed to the user.
3. Close out the Internet browser.
All of these steps together are necessary to ensure your Internet browser is very secure for your clients. Thus, follow each one of these steps very carefully, as if you miss one, it will probably not work properly.
Posted in WebSitePulse News
Ping is a networking utility program, or a tool to test whether a particular host is reachable. It is a diagnostic that checks whether your computer is connected to a server. Ping, a term taken from the echolocation (sonar) of a submarine, sends a data packet to a server, and if it receives a data packet back, then you have a connection. The term "ping" can also refer to the time it takes for a data packet to travel round-trip. It means "get the attention of" or "check the presence of". In a computer network, a ping test is a way of sending messages from one computer to another. Aside from checking whether the computer is connected to a network, ping also gives indicators of the reliability and general speed of the connection.
A ping test is a method of checking whether the computer is connected to a network. It also determines the latency, or delay, between two computers. It is used to ensure that the host computer your computer tries to access is operating. A ping test is run during troubleshooting to establish connectivity as well as response time.
Microsoft (MS) Windows ships with a ping utility to run a ping test, and other ping utilities are available as free web downloads. To do a ping test, just identify the website, remote server or computer by its IP address or name. The output confirms whether the connection is successful and lists the round-trip times in milliseconds, the communication delay.
Like MS Windows, Linux and Mac OS X also provide a ping command to run from the shell of the operating system (OS). Here is how a ping test is done in MS Windows.
1. Ping by IP address:
- Open the shell prompt or MS-DOS prompt from the Start Menu
- Type: ping followed by the IP address, then press ENTER
2. Ping a website:
- C:\>ping www.about.com
For Linux, open a terminal or telnet window as the equivalent to MS Windows command prompt.
For Mac OS X, click on Applications folder, Utilities then Network Utility.
When should you run a ping test? You use it when you have connection problems. You run ping in order to detect where the problem comes from. If the ping is successful but you still cannot reach the target, then the problem is not on your side.
Your options depend on the implementation. Here are a few:
- -? Help. Displays ping usage and syntax.
- -c Count. Send count packets, then stop. Another way to stop is to type [ctrl]-C. This is best for those who check their connection's behavior from time to time.
- -f Flood. Send packets as fast as possible. This is to test network performance.
- -l Preload. Send preload packets, then go to normal mode. This is good for finding out how many packets the router can handle quickly.
- -n Numeric output. This avoids contacting a name server.
- -p Pattern. A pattern is a number of hexadecimal digits used to pad the end of a packet. This is applied when a data-dependent problem is suspected.
- -R IP Record Route option. This is to determine the route the packets take; the target host may provide the information.
- -r Skip routing tables. This applies when you think there is a routing problem and ping cannot find its way to the target host. It is only for hosts that can be reached directly, without routers.
- -s Packet size. Alter the packet size; check large packets to have them fragmented.
- -t Ping until stopped ([ctrl]-C).
- -v Verbose. Show ICMP packets with detailed information.
- -w Timeout. This is for satellite, cellular and other networks with high latency. It gives ping a longer timeout so that it identifies latency problems.
An example of the options' usage is:
ping -t www.yahoo.com
Ping Results Interpretation
The output of a ping test can look like this:
1. Reply from 192.168.0.8: bytes=32 time=
- Microsoft Windows ping outputs four values - a confirmation line, the size in bytes, the time and the Time to Live (TTL). The latter is a number from 1 to 128. It is the number of networks which the ping passed through on its way to the target. The value 128 means that the device is on the local computer, without other networks in between.
2. Request timed out.
- No connection whatsoever.
3. Ping: cannot resolve mysample.com: Unknown host
- Misspelled host name.
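The three kinds of line above are easy to classify programmatically, which is handy when ping output is collected from many machines. The script below is an added example, not WebSitePulse code: it classifies each output line, computes loss and round-trip statistics, and estimates the number of routers crossed from the TTL, assuming the usual initial TTL values of 64, 128 or 255 that operating systems start from. The ping outputs it works on are constructed.

```python
"""Classify and summarise ping output of the kinds listed above.
Added example, not WebSitePulse code; the outputs below are constructed."""
import re

REPLY_RE = re.compile(
    r"Reply from (?P<ip>[\d.]+): bytes=(?P<bytes>\d+) time[=<](?P<ms>\d+)ms TTL=(?P<ttl>\d+)"
)


def classify(line):
    """Return (kind, details) for one output line."""
    m = REPLY_RE.search(line)
    if m:
        d = m.groupdict()
        return "reply", {"ip": d["ip"], "bytes": int(d["bytes"]),
                         "ms": int(d["ms"]), "ttl": int(d["ttl"])}
    if "Request timed out" in line:
        return "timeout", None
    if "Destination host unreachable" in line:
        return "unreachable", None
    if "cannot resolve" in line or "could not find host" in line:
        return "unknown-host", None
    return "other", None  # banner, blank line, statistics block


def hops_from_ttl(ttl):
    """Estimate routers crossed: the TTL starts at an OS-dependent value
    (commonly 64, 128 or 255) and every router decrements it by one."""
    for initial in (64, 128, 255):
        if ttl <= initial:
            return initial - ttl
    return None


def summarise(output):
    """Aggregate one ping run into status, loss, RTT (min, avg, max) and TTL."""
    sent = received = 0
    rtts, ttl = [], None
    for line in output.splitlines():
        kind, info = classify(line)
        if kind == "unknown-host":
            return {"status": "unknown-host", "sent": 0, "received": 0,
                    "loss_pct": None, "rtt": None, "ttl": None, "hops": None}
        if kind == "reply":
            sent += 1
            received += 1
            rtts.append(info["ms"])
            ttl = info["ttl"]
        elif kind in ("timeout", "unreachable"):
            sent += 1
    if sent == 0:
        status = "no-probes"
    elif received == 0:
        status = "timeout"
    elif received < sent:
        status = "partial-loss"
    else:
        status = "ok"
    return {
        "status": status, "sent": sent, "received": received,
        "loss_pct": round(100 * (sent - received) / sent, 1) if sent else None,
        "rtt": (min(rtts), round(sum(rtts) / len(rtts), 1), max(rtts)) if rtts else None,
        "ttl": ttl, "hops": hops_from_ttl(ttl) if ttl is not None else None,
    }


# Constructed Windows-style outputs.
SAMPLE_PARTIAL = """\
Pinging mysample.com [192.0.2.8] with 32 bytes of data:
Reply from 192.0.2.8: bytes=32 time=24ms TTL=118
Reply from 192.0.2.8: bytes=32 time=26ms TTL=118
Request timed out.
Reply from 192.0.2.8: bytes=32 time=25ms TTL=118

Ping statistics for 192.0.2.8:
    Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
"""
SAMPLE_TIMEOUT = "Request timed out.\n" * 4
SAMPLE_UNKNOWN = "Ping request could not find host mysample.com. Please check the name and try again.\n"

if __name__ == "__main__":
    for sample in (SAMPLE_PARTIAL, SAMPLE_TIMEOUT, SAMPLE_UNKNOWN):
        print(summarise(sample))
```

A TTL of 118 in the replies means the target started at 128 and the packets crossed ten routers on the way back; the same arithmetic with 64 and 255 covers Linux and most network equipment respectively.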
Using ping to troubleshoot connection problems narrows down the causes of the problem from your computer's command prompt window. This diagnostic utility gives you an understanding of how computer connections work by getting you used to viewing the cornerstones of a regular network.
You can try a ping test against your server with one of our tools below:
Free Website Test tools by WebSitePulse
Posted in WebSitePulse News
SPF, or Sender Policy Framework, is a system that authenticates and identifies the servers that your domain can use to send mail. The aim is to ensure that unauthorized spammers and cyber criminals do not send recipients messages that supposedly come from your domain. With SPF in place, recipients can check the published records to determine whether the received emails really originated from an authorized mail server. Keep reading to learn more about the Sender Policy Framework.
SPF Versus Sender ID
Contrary to popular belief, SPF and Sender ID are quite different. The confusion stems from the fact that both use the same policy record syntax, validate e-mail sender addresses, and publish policy records in DNS. However, this is where the similarity ends. SPF validates two parts of the e-mail sender's address: the MAIL FROM address and the HELO domain. You can find this information by checking the records published by domain owners. It is important to note that both the HELO domain and the MAIL FROM address are part of the SMTP protocol. Sender ID, on the other hand, is a Microsoft protocol that validates a single field of the e-mail header; which header field is validated is decided by the Purported Responsible Address (PRA) algorithm.
How SPF works
To validate messages, the Sender Policy Framework compares the sender's mail server to the list of authorized IP addresses published in the DNS record. If the comparison does not give a positive result, the sender receives a rejection message. If the comparison is successful, the server inserts the Return-Path field in the message. The good news is that domains that use SPF are not easy to compromise. In addition, messages originating from domains that use SPF are likely to get through to recipients, because most e-mail filters do not block messages from SPF-protected domains.
SPF Best Practices
Some of the steps that you can take to follow SPF best practices include:
- Use the Latest SPF Implementations
Just like any other form of technology, it is wise to use the latest SPF implementations. For example, make sure that you are using a program that supports the RFC 4408 processing limits.
- Web-Generated e-mailers
If you use web-generated e-mailers, you run the risk of your e-mail messages appearing as spam. This is because the majority of sites that send web-generated e-mails are not on the list contained in the domain owner's SPF records. To ensure that this does not happen, set up your e-mail headers correctly. The rule of thumb is to use your domain as part of the "MAIL FROM" address. You can then add the "Reply-To" or the "Sender" header.
- Use Other E-mail Validation Technologies
Relying on a single e-mail authentication protocol or technology is not a good idea. Instead, you should use other technologies to authenticate messages as well. For example, you can use DMARC and DKIM together with SPF. This will make it harder for cyber criminals to forge your domain name and send spam messages.
Mistakes to avoid
When creating your SPF records, it is easy to make mistakes. To avoid them, start by listing all your domains if you have more than one. This prevents hackers from using domains that you have not listed in the SPF records to send spam. Secondly, only list servers that send mail to web users; there is no need to list servers that receive mail from web users. Thirdly, never list your servers more than once, because using multiple host names only complicates DNS lookups. Other mistakes to avoid include not testing a new SPF record, not using the correct DNS server to publish your SPF record, and using "mx" with your domain names.
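To make the comparison described under "How SPF works" and the mistakes listed above concrete, here is an added example, not WebSitePulse code: a minimal SPF evaluator that walks a record's mechanisms in order, follows include and mx through constructed DNS data instead of real lookups, enforces the RFC 4408 limit of ten DNS-querying mechanisms, and a small lint that flags duplicated terms, lookup overruns and a missing terminal "all". Only the ip4, ip6, a, mx, include and all mechanisms are modelled, and every domain, record and address in it is constructed.

```python
"""A minimal SPF evaluator over constructed DNS data, plus a record lint
for the mistakes listed above. Added example, not WebSitePulse code.
Only ip4, ip6, a, mx, include and all are modelled; lookups go to the
dictionaries below, never to real DNS, and every name and address is
constructed."""
import ipaddress
import re

MAX_LOOKUPS = 10  # RFC 4408 limit on DNS-querying mechanisms per check

TXT = {  # constructed: domain -> published SPF record
    "example.com": "v=spf1 mx ip4:192.0.2.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
    "loop.example": "v=spf1 include:loop.example -all",
}
MX = {"example.com": ["mx1.example.com"]}   # constructed MX hosts
A = {"mx1.example.com": ["203.0.113.25"]}   # constructed A records

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


class SpfError(Exception):
    """Raised for what RFC 4408 calls a permerror."""


def check_spf(domain, sender_ip, _state=None):
    """Return 'pass', 'fail', 'softfail', 'neutral' or 'none' for sender_ip."""
    state = _state if _state is not None else {"lookups": 0}
    record = TXT.get(domain)
    if record is None or not record.startswith("v=spf1 "):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        target = arg or domain
        if mech in ("include", "a", "mx"):  # mechanisms that cost a DNS lookup
            state["lookups"] += 1
            if state["lookups"] > MAX_LOOKUPS:
                raise SpfError("permerror: more than %d DNS lookups" % MAX_LOOKUPS)
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = any(ip == ipaddress.ip_address(x) for x in A.get(target, []))
        elif mech == "mx":
            matched = any(ip == ipaddress.ip_address(x)
                          for host in MX.get(target, []) for x in A.get(host, []))
        elif mech == "include":
            matched = check_spf(target, sender_ip, state) == "pass"
        else:
            raise SpfError("permerror: unsupported mechanism " + mech)
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and no 'all' term


def lint_record(record):
    """Flag the record-writing mistakes listed above."""
    terms = record.split()[1:]
    issues, seen = [], set()
    for t in terms:
        bare = t.lstrip("+-~?")
        if bare in seen:
            issues.append("duplicate term " + bare)
        seen.add(bare)
    lookups = sum(1 for t in terms if re.split(r"[:=]", t.lstrip("+-~?"))[0]
                  in ("include", "a", "mx", "ptr", "exists", "redirect"))
    if lookups > MAX_LOOKUPS:
        issues.append("%d DNS lookups exceed the limit of %d" % (lookups, MAX_LOOKUPS))
    if not terms or terms[-1].lstrip("+-~?") != "all":
        issues.append("record does not end with an 'all' term")
    return issues


if __name__ == "__main__":
    for ip in ("192.0.2.77", "198.51.100.10", "203.0.113.25", "203.0.113.200"):
        print(ip, check_spf("example.com", ip))
    print(lint_record("v=spf1 ip4:192.0.2.0/24 ip4:192.0.2.0/24 -all"))
```

The shared lookup counter is what turns the self-including loop.example record into a permerror instead of an endless recursion, which is the practical reason the RFC 4408 limit exists and why a receiving program that supports it is worth insisting on.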
Authenticating messages that originate from your domain names is very important. SPF ensures that hackers and spammers do not use your domains to send spam. In addition, it reduces the risk of authentic email messages ending up in the spam folder.