
DNS and hiding a web server

s.

New Member
Joined
Feb 25, 2011
Messages
32 (0.01/day)
Hello everybody,
I want to say that I have read so much about hiding the server and I still have a problem; can anyone help me, please?
To show that I have read enough, I will tell you some of what I can imagine, hoping that you can tell me something that helps me to continue (the network design has three stages: 1) public server, 2) access node, 3) protected server, where it is said that the public server does not store any content and can be offered as a service by the ISP (does the public server work as a proxy???)).
What I understand is as follows:
The client connects, let's say, to www.amazon.com, so that URL goes to the DNS to lead the client to the IP address (not the true IP of Amazon, is that right? If yes, how does the DNS work, because it must lead him to the public server, and the public server checks him and requests a port number and returns that port number plus the IP of the access node to the client in a redirection message, then closes the connection with the client). Here the client now thinks that the access node is the true server, and then the connection with the server is done through the access node.

Please, my problem is: what is stored in the DNS???
And how does it lead the client to the public server at first????
Note that there are many public servers and many access nodes; I think this is to continue even if one of them is under a flood attack, so how does the DNS know where to lead the client when there is an attack, or does the DNS not take that into account?
And for multiple public servers, are their IPs different?? I think yes.

That may help a little:
It is recommended having more than one public server with different service providers. DNS should be offloaded to a third-party service that offers round robin load balancing with active failover functionality.
Thank you in advance for any help; be sure I did my best in searching, but without enough information to help me, and I really need to know all that.
Doing anything for me is very kind of you.
Best regards
 

Kreij

Senior Monkey Moderator
Joined
Feb 6, 2007
Messages
13,817 (2.21/day)
Location
Cheeseland (Wisconsin, USA)
Hi s.
No offense, but you may want to consider taking classes in intranet and internet security.
It seems to me after keeping up on your threads that you are eyeballs deep into security issues and do not have a real grasp of what you are trying to accomplish.
TPU is great to get answers to questions, but it sounds to me like you are looking for a security design based on your topological and integration needs.
We have no idea what those needs really are, and it would not be a good idea to get advice from an internet forum to develop a security protocol for potentially sensitive content.
 

s.

Sorry if my questions are bothering you.
I don't know what you mean by TPU.

Anyway, thanks for what that site let me know, and sorry again about all the posts that I have made until now.
Best regards
 

Kreij

Your posts do not bother us, s.
TPU = TechPowerUp = This forum.

I'm just trying to help you.
You may want to hire a professional security consultant to go over your needs, if that is possible.
You never said what is on your web site(s), so I assume you are looking for high-level security and attack prevention. That is not a trivial thing.
 

s.

I have some subjects that I must understand carefully, so I ask for help from you, because I know that you have good experience, not to
"develop a security protocol for potentially sensitive content."
From here,
I just want to have a more accurate picture.
I am really sorry if that is not something that you accept, but I really like the forum here.
Best regards
Thanks for all
 

Kreij

Okay. Then I suggest you ask one question at a time, and keep all of your questions in a single thread, that way you will have all of your answers in one place.

So let's use this thread.
What is the public server used for?
e-Commerce? Non-private customer access? General non-sensitive company information?
We need to know what you want to let the "world" see, before we can determine how it is best to hide the rest.
 

s.

The protected server is something that must be protected from DDoS; it may be an e-commerce server, for example.
So there is an idea, which I sent here in that post, that hides the IP address of that server; the exact purpose of the public server I don't know, but it is said that it can be offered as a service by the ISP.
Do you want me to send you the PDF of that method?
 

Kreij

So you want the "protected" server to still be accessible world-wide on the internet, but you want to try to mitigate the effects of a DDOS attack on it because it needs to remain a high-availability server for those who access it?
 

Kreij

If your server is targeted for a DDOS attack you can't stop the incoming packet flood.
What you can do is on your hardware firewall set a threshold of incoming packet frequency (something based upon what you would consider normal usage).
When the threshold is exceeded, the packets are simply dropped. This will be for all users (both legitimate and not), but it will prevent your servers from overloading in the event of a DDOS attack.
Your legitimate users will not be able to access the site at that time.
If the DDOS attack is coming from a manageable number of locations, you can drop those packets and allow other incoming traffic, but if it is an attack from thousands of zombie machines all over the world, your site will be down until you can re-establish a new IP for the server that gets propagated through the DNS tables on the internet.

A DNS entry is nothing more than a table that links a web address (www.whatever.com) to an IP address.
 
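The threshold-and-drop behaviour described in the post above, as an added Python illustration that is neither Kreij's code nor any firewall product's: a per-source limit covers the "manageable number of locations" case, while a global limit models the blanket drop that hits legitimate users too under a distributed flood. The window size, both limits and the packet samples are constructed assumptions.

```python
# Added illustration of the "set a threshold and drop" approach in the post above;
# not Kreij's code or any firewall's. Window, limits and packet samples are assumptions.
from collections import defaultdict, deque

def filter_packets(packets, window=1.0, per_source_limit=10, global_limit=100):
    """packets: (timestamp_seconds, source_ip) tuples in arrival order.
    Returns (timestamp, source_ip, verdict) with verdict 'accept' or 'drop'."""
    recent_all = deque()                  # timestamps of every packet in the window
    recent_by_src = defaultdict(deque)    # same, per source address
    verdicts = []
    for ts, src in packets:
        # Slide the window: forget packets older than `window` seconds.
        while recent_all and ts - recent_all[0] >= window:
            recent_all.popleft()
        q = recent_by_src[src]
        while q and ts - q[0] >= window:
            q.popleft()
        recent_all.append(ts)
        q.append(ts)
        if len(q) > per_source_limit:
            verdict = "drop"      # few noisy locations: drop them, others keep flowing
        elif len(recent_all) > global_limit:
            verdict = "drop"      # distributed flood: blanket drop hits legitimate users too
        else:
            verdict = "accept"
        verdicts.append((ts, src, verdict))
    return verdicts

def accepted_by_source(verdicts):
    """Count accepted packets per source address."""
    counts = defaultdict(int)
    for _, src, verdict in verdicts:
        if verdict == "accept":
            counts[src] += 1
    return dict(counts)

def few_sources_flood():
    """Constructed: three hosts send 30 packets each within a second; a legitimate client sends 5."""
    pkts = [(i / 30, a) for i in range(30)
            for a in ("203.0.113.1", "203.0.113.2", "203.0.113.3")]
    pkts += [(i / 5 + 0.001, "198.51.100.7") for i in range(5)]
    return accepted_by_source(filter_packets(sorted(pkts)))

def many_sources_flood():
    """Constructed: 200 distinct hosts send one packet each within a second; the same client sends 5."""
    pkts = [(i / 200, f"192.0.2.{i}") for i in range(200)]
    pkts += [(i / 5 + 0.001, "198.51.100.7") for i in range(5)]
    return accepted_by_source(filter_packets(sorted(pkts)))
```

In the few-sources case the legitimate client keeps all five packets; in the many-sources case the global limit drops two of its five along with the zombies' traffic, which is the trade-off the post describes.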

s.

That is very kind of you to send all that to me, but I read about a method that uses an overlay network and I have a hard time imagining the procedure that hides the IP exactly; I read about DNS so much and I read that it can contain a CNAME,
and I am still confused about how that method works.
Why does the client not know the true IP?
If he does not know the true IP, how can he reach the public server -> access node?
 

Kreij

Let me add a little here.

You have a server that you want to protect, so you put up a validation server to eliminate access to the protected server (hidden) from access or a flood attack.

I can still SYN flood your validation server so that no one can validate, if I have the resources to overload the validation server.

You can't stop my flood attack; you can only protect yourself while you ride it out and try to make my attacks impotent by making their target no longer valid by changing where your server resides in the internet's DNS tables.
 

s.

By validation server you mean a public server, OK, so what is the purpose of the access nodes then?
And will the DNS table contain the IP of the access node or the public server?
Can the DNS tables contain the two?
"It is recommended having more than one public server with different service providers. DNS should be offloaded to a third-party service that offers round robin load balancing with active failover functionality."
 

s.

If the defense is switched ON; Stage 1: clients C1 and C2 ask the DNS about the IP address of server X (and server Y), respectively, not aware of the defense implementation. The DNS return the public IP address IPXp and IPYp, for the public servers Xp and Yp, respectively. Stage 2: After establishing TCP connection, clients C1 and C2 ask servers Xp and Yp, respectively, for some resource. Stage 3: both Xp and Yp happened to select the access-node AN2 at the same time not aware of each other's choice, and then inform AN2 about IPc and IPs, of Xs and Ys, respectively. This coincidence of selecting the same AN is to demonstrate the AN ability of differentiating between client-server pairs. Stage 4: AN2 replies to Xp and Yp with two distinctive port numbers to be able to differentiate between the two clients' connections originating at the same time from the same IP address (IPc), without having to open the application messages. Stage 5: Xp and Yp relay, back to the clients, the address for the selected access-node plus the corresponding port for that connection(s) (i.e. client) in a standard HTTP redirection message. The TCP connection to the client is then closed by the public server. Stage 7: Every client is expected to establish a TCP connection to AN2 using the ephemerally assigned destination port. After the TCP connection is established, the clients now ask their requested resources from the new location, while the assigned port can be reassigned by the AN to be reused with another client-server pair. Stage 8: AN2 connects to the corresponding servers and communication is carried on. The sequence is the same for the connection stages for every newly appearing client.

Those are the steps in general,
where Xp and Yp are the public servers, AN is the access node, IPc is the IP of the client and IPs is the IP of the protected server.
 

Kreij

If you want anyone, anywhere to access your site you must have a public IP address in the DNS namespace of the internet that is tied to the URL address of the site if they are using a standard browser to access the site.
Are the people accessing the site using a browser (IE, FireFox, etc.) or will they be using a custom application to connect?
 

s.

they are using a standard browser like (IE, FireFox, etc.)
 

Kreij

"AN2 replies to Xp and Yp with two distinctive port numbers to be able to differentiate between the two clients' connections originating at the same time from the same IP address"

If a single location is generating an attack it should be pretty obvious.
If 100,000 zombie processes are attacking from different IP addresses this does not apply.
 

s.

Sorry, but that means the AN can distinguish the multithreading; I think it is not the main idea,
but I don't understand how the public server knows the IP of the protected server:
"and then inform AN2 about IPc and IPs"
Does he mean the URL, or what?
 

s.

Access node's DNS record should have CNAME entries equal to the number of protected websites' domain names. The entry format should have the access-node ID as a sub-domain for each protected website domain name, i.e., "ANnumber.domainP.com", this is to guarantee compatibility with SSL, where wildcard certificates must be used by the protected web servers. Access-node health information must be sent to the trusted public servers periodically, or on the event of an abnormal event (i.e., access-node under sudden attack). Public servers must accept the first TCP connections from clients. Initial request from a client should be replied by a redirection message pointing to the selected access-node and ephemeral port as the new location for the resource. The most suitable access-node should be selected by the public server according to its available access-nodes' information. Communication with the selected access-node must be performed for the client to be registered in the white list there. Clients' requested resource should be replied with an HTTP redirection message to the address "https://AN###.domainP.com:portRand/RequestedResource/". Response should be only to TCP traffic, other traffic types must be filtered out utilizing ISP-based protection; many ISPs offer this type of protection as a service. ISP protection should filter out any non-TCP traffic from reaching the public server. SYN cookies MUST be implemented as a countermeasure to TCP SYN flooding attacks at the public server. It is recommended having more than one public server with different service providers. DNS should be offloaded to a third-party service that offers round robin load balancing with active failover functionality. The HTTP response status code 302 Found should be used to indicate that the new location is not permanent. Also special care should be lent to the Cache-Control header field of the redirection message to avoid its retention by caching mechanisms, (ex. Cache-Control: max-age=0, no-store, no-cache).
 
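As an added example that is not part of the thread or of the paper being quoted, here is a Python sketch of the public-server side of the stages quoted earlier in the thread (Stages 3 to 5) combined with the rules in this post: access-node selection from health information, one distinct port per client-server pair recorded in the access node's white list, and the 302 redirect to "AN<id>.domainP.com:port" carrying the Cache-Control header. The class and function names, the health table, the load-based selection policy and the port pool are assumptions.

```python
# Added illustration of the public server / access-node handshake from the quoted design;
# not the paper's code. AN health table, port pool and all names are assumptions.

# Constructed access-node health table: AN id -> (reachable, current load 0..1).
AN_HEALTH = {1: (True, 0.7), 2: (True, 0.2), 3: (False, 0.0)}

class AccessNode:
    """Holds the white list of (IPc, IPs) pairs keyed by the port assigned to each."""

    def __init__(self, an_id, port_pool=range(20000, 20010)):
        self.an_id = an_id
        self.free_ports = list(port_pool)
        self.whitelist = {}   # port -> (client_ip, protected_server_ip)

    def register(self, client_ip, server_ip):
        """Stages 3-4: public server sends IPc/IPs, AN answers with a distinct port.
        Two clients behind the same IPc get different ports, so no payload inspection."""
        if not self.free_ports:
            raise RuntimeError(f"AN{self.an_id}: port pool exhausted")
        port = self.free_ports.pop(0)
        self.whitelist[port] = (client_ip, server_ip)
        return port

    def release(self, port):
        """Once the client's TCP connection is up the port can serve another pair."""
        del self.whitelist[port]
        self.free_ports.append(port)

def select_access_node(health):
    """'Most suitable' node: the paper leaves the policy open; lowest load is used here."""
    healthy = [(load, an_id) for an_id, (ok, load) in health.items() if ok]
    if not healthy:
        raise RuntimeError("no healthy access node available")
    return min(healthy)[1]

def redirect_response(an_id, port, domain_p, resource):
    """Stage 5: 302 (not permanent) plus Cache-Control so the ephemeral location is not cached."""
    location = f"https://AN{an_id}.{domain_p}:{port}/{resource}"
    return {"status": 302,
            "headers": {"Location": location,
                        "Cache-Control": "max-age=0, no-store, no-cache"}}

def handle_initial_request(nodes, health, client_ip, server_ip, domain_p, resource):
    """Public server: accept the first TCP connection, pick an AN, register the pair, redirect."""
    an_id = select_access_node(health)
    port = nodes[an_id].register(client_ip, server_ip)
    return redirect_response(an_id, port, domain_p, resource)
```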

s.

I sent that to make it clearer; are the functions of the access node and the public server clear now?
What do you deduce: which one hides the protected server, is it the access node?
So why do we put the public server there?
 

Kreij

Can you post a link to the information you are posting?

SYN cookies MUST be implemented as a countermeasure to TCP SYN flooding attacks at the public server.

This helps, but won't stop a flood.
Why are you so worried about a flood attack? They are sort of old school and only used to stop access to large access sites when people feel their rights have been somehow denied them (for instance the Ubisoft "always-on" DRM).

I'd be more worried about an internal access breach that exposed sensitive data (think Sony).
 
Joined
Dec 13, 2007
Messages
2,758 (0.46/day)
Can you post a link to the information you are posting?

This helps, but won't stop a flood.
Why are you so worried about a flood attack? They are sort of old school and only used to stop access to large access sites when people feel their rights have been somehow denied them (for instance the Ubisoft "always-on" DRM).

I'd be more worried about an internal access breach that exposed sensitive data (think Sony).

+1

I wouldn't be so worried about a flood attack, like Kreij said. That's an old school method, mostly just to piss you off. I would worry more about internal attacks.

"How can I attach a PDF?"
When you go to post, click "Go to Advance"; down below you will see "Manage Attachments"; click it and upload.
 

s.

Hello,
I am so shy :eek: to ask you again, but please, did you see the link? The idea is in chapter 3, from page 14 to page 23.

If you have any idea about that, please discuss it with me, if you are not annoyed by that.

Best regards
 