
DNS and hiding a web server

Discussion in 'Networking & Security' started by s., Jun 8, 2011.

  1. s. New Member

    Joined:
    Feb 25, 2011
    Messages:
    32 (0.03/day)
    Thanks Received:
    0
    Hello everybody,
    I want to say that I read so much about hiding the server and I still have a problem; can anyone help me please?
    To be sure that I read enough, I will tell you some of what I can imagine, hoping that you can tell me something that helps me to continue. (The design of the network is of three stages: 1) public server, 2) access node, 3) protected server, where it is said that the public server does not store any content and can be offered as a service by the ISP. Does the public server work as a proxy?)
    What I understand is as follows:
    The client connects, let's say, to (www.amazon.com), so that URL goes to the DNS to lead the client to the IP address (not the true IP of Amazon, is that right? If yes, how does the DNS work? Because it must lead him to the public server, and the public server checks him and requests a port number and returns that port number + the IP of the access node to the client in a redirection message, then closes the connection with the client). Here the client now thinks that the access node is the true server, and then the connection with the server is done through the access node.

    Please, I have a problem: what is stored in the DNS?
    And how does it lead him to the public server at first?
    Note that there are many public servers and many access nodes; I think to continue even if one of them has a flood attack, so how does the DNS know where to lead the client when there is an attack, or does the DNS not regard that?
    And for multiple public servers, are their IPs varied? I think yes.

    That may help a little:
    It is recommended having more than one public server with different service providers. DNS should be offloaded to a third-party service that offers round robin load balancing with active failover functionality.
    Thank you in advance for any help; be sure I do my best in searching, with not enough information to help me, and I indeed need to know all that.
    Doing anything for me is very kind of you.
    Best regards
  2. Kreij

    Kreij Senior Monkey Moderator Staff Member

    Joined:
    Feb 6, 2007
    Messages:
    13,881 (5.12/day)
    Thanks Received:
    5,615
    Location:
    Cheeseland (Wisconsin, USA)
    Hi s.
    No offense, but you may want to consider taking classes in intranet and internet security.
    It seems to me after keeping up on your threads that you are eyeballs deep into security issues and do not have a real grasp of what you are trying to accomplish.
    TPU is great to get answers to questions, but it sounds to me like you are looking for a security design based on your topological and integration needs.
    We have no idea what those needs really are, and it would not be a good idea to get advice from an internet forum to develop a security protocol for potentially sensitive content.
  3. s. New Member
    Sorry if my questions are bothering you.
    I don't know what you mean by TPU.

    Anyway, thanks for what that site let me know, and sorry again about all the posts that I make now and so far.
    Best regards
  4. Kreij
    Your posts do not bother us, s.
    TPU = TechPowerUp = This forum.

    I'm just trying to help you.
    You may want to hire a professional security consultant to go over your needs, if that is possible.
    You never said what is on your web site(s), so I assume you are looking for high-level security and attack prevention. That is not a trivial thing.
  5. s. New Member
    I have some subjects that I must understand carefully, so I ask for help from you, because I know that you have good experience, not to
    from here
    I just want to have a more accurate imagination.
    I am really sorry if that is not something that you accept, but I really like the forum here.
    Best regards
    Thanks for all
  6. Kreij
    Okay. Then I suggest you ask one question at a time, and keep all of your questions in a single thread, that way you will have all of your answers in one place.

    So let's use this thread.
    What is the public server used for?
    e-Commerce? Non-private customer access? General non-sensitive company information?
    We need to know what you want to let the "world" see, before we can determine how it is best to hide the rest.
  7. s. New Member
    The protected server is something that must be protected from (DDoS); it may be an e-commerce site, for example.
    So there is an idea, which I sent here in that post, that hides the IP address of that server. The exact purpose of the public server I don't know, but it is said that it can be offered as a service by the ISP.
    Do you want me to send you the PDF of that method?
  8. Kreij
    So you want the "protected" server to still be accessible world-wide on the internet, but you want to try to mitigate the effects of a DDOS attack on it because it needs to remain a high-availability server for those who access it?
  9. s. New Member
    Yes, that's right.
  10. Kreij
    If your server is targeted for a DDOS attack you can't stop the incoming packet flood.
    What you can do is on your hardware firewall set a threshold of incoming packet frequency (something based upon what you would consider normal usage).
    When the threshold is exceeded, the packets are simply dropped. This will be for all users (both legitimate and not), but it will prevent your servers from overloading in the event of a DDOS attack.
    Your legitimate users will not be able to access the site at that time.
    If the DDOS attack is coming from a manageable number of locations, you can drop those packets and allow other incoming traffic, but if it is an attack from thousands of zombie machines all over the world, your site will be down until you can re-establish a new IP for the server that gets propagated through the DNS tables on the internet.

    A DNS entry is nothing more than a table that links a web address (www.whatever.com) to an IP address.
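An added example, not from the post, of the threshold idea described above: a sliding-window filter with a per-source limit (for a flood from a manageable number of addresses) and a global limit (everything dropped once the server would overload), run over constructed traffic. Class and function names, the limits and the addresses are assumptions.

```python
from collections import defaultdict, deque

# Constructed model (names and limits are assumptions) of two packet-rate thresholds:
# a per-source limit, which isolates a flood from a manageable number of addresses,
# and a global limit, which drops everything once the server would otherwise overload.
class ThresholdFilter:
    def __init__(self, window, per_source_limit, global_limit):
        self.window = window                    # seconds of history kept per counter
        self.per_source_limit = per_source_limit
        self.global_limit = global_limit
        self.per_source = defaultdict(deque)    # src -> timestamps of accepted packets
        self.total = deque()                    # timestamps of all accepted packets

    def _trim(self, q, now):
        while q and now - q[0] >= self.window:
            q.popleft()

    def decide(self, src, now):
        """Classify one packet: 'allow', 'drop-source' or 'drop-global'."""
        q = self.per_source[src]
        self._trim(q, now)
        self._trim(self.total, now)
        if len(q) >= self.per_source_limit:
            return "drop-source"   # only this address is cut off; others still get through
        if len(self.total) >= self.global_limit:
            return "drop-global"   # server survives, but legitimate users are dropped too
        q.append(now)
        self.total.append(now)
        return "allow"


def run(packets, per_source_limit=5, global_limit=20, window=1.0):
    """Feed (timestamp, source) pairs in time order and count each outcome."""
    f = ThresholdFilter(window, per_source_limit, global_limit)
    counts = defaultdict(int)
    for t, src in sorted(packets):
        counts[f.decide(src, t)] += 1
    return dict(counts)


# Constructed traffic. Ten ordinary clients send one packet each in both cases.
CLIENTS = [(0.5 + i * 0.01, f"198.51.100.{i}") for i in range(10)]
# Case 1: a single attacker sends 50 packets within one second.
SINGLE_SOURCE = [(i * 0.02, "203.0.113.9") for i in range(50)] + CLIENTS
# Case 2: 60 distinct zombies send one packet each, so no per-source limit is hit.
DISTRIBUTED = [(i * 0.01, f"192.0.2.{i}") for i in range(60)] + CLIENTS

if __name__ == "__main__":
    print(run(SINGLE_SOURCE))   # attacker throttled, every client still allowed
    print(run(DISTRIBUTED))     # global cap reached, clients dropped along with zombies
```

The second case is the point of the post: once the flood is spread over enough addresses, the only threshold left to trip is the global one, and it takes legitimate users down with the attackers.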
  11. s. New Member
    That is very kind of you to send all that to me, but I read a method that uses an overlay network, and I have a hard time imagining the procedure that hides the IP exactly. I read about DNS so much; I read that it can contain a CNAME,
    and I am still confused about how that method works.
    Why does the client not know the true IP?
    If he does not know the true IP, how can he reach the public server -> access node?
  12. Kreij
    Let me add a little here.

    You have a server that you want to protect, so you put up a validation server to eliminate access to the protected server (hidden) from access or a flood attack.

    I can still SYN flood your validation server so that no one can validate if I have the resources to overload the validation server.

    You can't stop my flood attack, you can only protect yourself while you ride it out and try to make my attacks impotent by making their target no longer valid by changing where your server resides in the internet's DNS tables.
  13. s. New Member
    By validation server you mean a public server? OK, so what is the purpose of the access nodes then?
    And will the DNS table contain the IP of the access node or of the public server?
    Can the DNS tables contain the two?
    It is recommended having more than one public server with different service providers. DNS should be offloaded to a third-party service that offers round robin load balancing with active failover functionality.
    Last edited: Jun 8, 2011
  14. s. New Member
    If the defense is switched ON; Stage 1: clients C1 and C2 ask the DNS about the IP address of server X (and server Y), respectively, not aware of the defense implementation. The DNS returns the public IP addresses IPXp and IPYp, for the public servers Xp and Yp, respectively. Stage 2: After establishing a TCP connection, clients C1 and C2 ask servers Xp and Yp, respectively, for some resource. Stage 3: both Xp and Yp happened to select the access-node AN2 at the same time, not aware of each other's choice, and then inform AN2 about IPc and IPs, of Xs and Ys, respectively. This coincidence of selecting the same AN is to demonstrate the AN's ability of differentiating between client-server pairs. Stage 4: AN2 replies to Xp and Yp with two distinctive port numbers to be able to differentiate between the two clients' connections originating at the same time from the same IP address (IPc), without having to open the application messages. Stage 5: Xp and Yp relay, back to the clients, the address of the selected access-node plus the corresponding port for that connection(s) (i.e. client) in a standard HTTP redirection message. The TCP connection to the client is then closed by the public server. Stage 7: Every client is expected to establish a TCP connection to AN2 using the ephemerally assigned destination port. After the TCP connection is established, the clients now ask for their requested resources from the new location, while the assigned port can be reassigned by the AN to be reused with another client-server pair. Stage 8: AN2 connects to the corresponding servers and communication is carried on. The sequence is the same for the connection stages for every newly appearing client.

    Those are the steps in general,
    where Xp and Yp are the public servers, AN is the access node, IPc is the IP of the client, and IPs is the IP of the protected server.
  15. Kreij
    If you want anyone, anywhere to access your site you must have a public IP address in the DNS namespace of the internet that is tied to the URL address of the site if they are using a standard browser to access the site.
    Are the people accessing the site using a browser (IE, FireFox, etc.) or will they be using a custom application to connect?
  16. s. New Member
    They are using a standard browser like (IE, FireFox, etc.).
  17. Kreij
    If a single location is generating an attack it should be pretty obvious.
    If 100,000 zombie processes are attacking from different IP addresses this does not apply.
  18. s. New Member
    Sorry, but it means that the AN can distinguish the multithreading; I think it is not the main idea,
    but I don't understand how the public server knows the IP of the protected server.
    Does he mean the URL or what?
  19. s. New Member
    Access node's DNS record should have CNAME entries equal to the number of protected websites' domain names. The entry format should have the access-node ID as a sub-domain for each protected website domain name, i.e., "ANnumber.domainP.com"; this is to guarantee compatibility with SSL, where wildcard certificates must be used by the protected web servers. Access-node health information must be sent to the trusted public servers periodically, or on the event of an abnormal event (i.e., access-node under sudden attack). Public servers must accept the first TCP connections from clients. The initial request from a client should be replied to by a redirection message pointing to the selected access-node and ephemeral port as the new location for the resource. The most suitable access-node should be selected by the public server according to its available access-nodes' information. Communication with the selected access-node must be performed for the client to be registered in the white list there. Clients' requested resource should be replied to with an HTTP redirection message to the address "https://AN###.domainP.com:portRand/RequestedResource/". Response should be only to TCP traffic; other traffic types must be filtered out utilizing ISP-based protection; many ISPs offer this type of protection as a service. ISP protection should filter out any non-TCP traffic from reaching the public server. SYN cookies MUST be implemented as a countermeasure to TCP SYN flooding attacks at the public server. It is recommended having more than one public server with different service providers. DNS should be offloaded to a third-party service that offers round robin load balancing with active failover functionality. The HTTP response status code 302 Found should be used to indicate that the new location is not permanent. Also special care should be lent to the Cache-Control header field of the redirection message to avoid its retention by caching mechanisms (e.g. Cache-Control: max-age=0, no-store, no-cache).
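An added illustration, not the paper's or the thread's own code, of the stages quoted in posts 14 and 19: a small Python model of what the public server does once a client's first request arrives, including the access node handing out distinct ephemeral ports to two clients behind the same IPc and the 302 Found with the Cache-Control header. The AccessNode and redirect_response names, the port range starting at 40000 and the health/whitelist bookkeeping are assumptions.

```python
import itertools
from dataclasses import dataclass, field

# Constructed model of the redirection stages; class and function names, the
# port range and the health/whitelist bookkeeping are assumptions, not the paper's.
@dataclass
class AccessNode:
    number: int                                    # the "ANnumber" in ANnumber.domainP.com
    healthy: bool = True                           # from the periodic health reports
    whitelist: dict = field(default_factory=dict)  # port -> (IPc, IPs) registered pair
    free_ports: list = field(default_factory=list) # ports released for reuse
    next_port: itertools.count = field(default_factory=lambda: itertools.count(40000))

    def register(self, client_ip, protected_ip):
        """Stages 3-4: the public server hands over (IPc, IPs); the AN answers with a
        distinct ephemeral port, so two connections from one IPc are told apart."""
        port = self.free_ports.pop() if self.free_ports else next(self.next_port)
        self.whitelist[port] = (client_ip, protected_ip)
        return port

    def release(self, port):
        """Stage 7: after the client has connected, the port can be reassigned."""
        del self.whitelist[port]
        self.free_ports.append(port)


def select_access_node(nodes):
    """Stage 3: the public server picks the least-loaded AN it knows to be healthy."""
    healthy = [n for n in nodes if n.healthy]
    if not healthy:
        raise RuntimeError("no healthy access node available")
    return min(healthy, key=lambda n: len(n.whitelist))


def redirect_response(nodes, domain, resource, client_ip, protected_ip):
    """Stage 5: the 302 Found the public server sends before closing the TCP
    connection; Cache-Control keeps proxies from retaining the temporary Location."""
    an = select_access_node(nodes)
    port = an.register(client_ip, protected_ip)
    path = resource.strip("/")
    location = f"https://AN{an.number}.{domain}:{port}/" + (path + "/" if path else "")
    headers = [
        "HTTP/1.1 302 Found",
        f"Location: {location}",
        "Cache-Control: max-age=0, no-store, no-cache",
        "Connection: close",
    ]
    return "\r\n".join(headers) + "\r\n\r\n", an.number, port
```

Note that the client never learns IPs: the only addresses it ever resolves or connects to are the public server's and the access node's, which is the whole point of the overlay.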
  20. s. New Member
    I sent that to make it more clear. Are the functions of the access node and the public server clear now?
    What do you deduce: who hides the protected server, is it the access node?
    So why do we put the public server?
    Last edited: Jun 8, 2011
  21. Kreij
    Can you post a link to the information you are posting?

    This helps, but won't stop a flood.
    Why are you so worried about a flood attack? They are sort of old school and only used to stop access to large access sites when people feel their rights have been somehow denied them (for instance the Ubisoft "always-on" DRM).

    I'd be more worried about an internal access breach that exposed sensitive data (think Sony).
  22. s. New Member
    How can I attach a PDF?
  23. CrackerJack

    CrackerJack

    Joined:
    Dec 13, 2007
    Messages:
    2,702 (1.12/day)
    Thanks Received:
    447
    Location:
    East TN
    +1

    I wouldn't be so worried about a flood attack, like Kreij said. That's an old school method, but mostly just to piss you off. I would worry more about internal attacks.

    When you go to post, click "Go to Advance", down below you will see "Manage Attachments" click and upload
  24. s. New Member
  25. s. New Member
    Hello,
    I am so shy :eek: to ask you again, but please, did you see the link? The idea is in chapter 3, from page 14 to page 23.

    If you have any imagination about that, please discuss it with me, if you are not annoyed by that.

    Best regards
