
Topic: Help with possible security issue


agreenfield1
Help with possible security issue
« on: February 05, 2015, 06:03:23 pm »
I had some network problems this morning, and would like to find out what happened.  I'm not sure if I have a compromised computer, or if the problem was elsewhere.  Observations:

 - This morning, most websites weren't loading on my iPad or computer
 - HTTPS sites wouldn't load, and Google Chrome showed certificate errors: they were signed by 'lolcat'
 - Did a tracert and ping to a random site.  It resolved to 195.22.26.248 (not the 'correct' IP), which a Google search suggests is a sinkhole (not clear on what this means)
 - For the tracert, the hostname for every step (except my router) was rdns.gigabell.es
 - Logged in to pfSense to check DNS settings.  I had them set to 8.8.8.8 and 4.2.2.3 (Google DNS and Level 3)
 - I checked the box to 'Allow DNS server list to be overridden by DHCP/PPP on WAN', and everything instantly started to work correctly.

If the Google DNS or Level 3 DNS servers were down/hacked I would have expected a news story or something, so I'm concerned I may have a compromised system in my network.  Any thoughts on what may have happened?  FYI, this occurred at home where I have pfSense serving as the router in a VM.
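The three symptoms in the post above (public resolvers returning a sinkhole address, and every traceroute hop reverse-resolving to one name) can be turned into a repeatable check. The script below is an added example, not code from the thread or from pfSense: it triangulates A-record answers from several resolvers against a reference answer taken from the zone's own authoritative server, flags answers that land in a known sinkhole prefix, and flags a traceroute whose hops all carry the same reverse name. All sample data is constructed from the post; the `isp-dhcp` and `authoritative` answers, the intermediate hop addresses and the router's reverse name are assumptions.

```python
"""Triangulate DNS answers and traceroute reverse names to spot a hijacked
resolver path.

Added example; not code from the original thread or from pfSense.  The
sample data is constructed from the symptoms described in the post
(195.22.26.248, rdns.gigabell.es); the "isp-dhcp" and "authoritative"
answers, the intermediate hop addresses and the reverse names other than
rdns.gigabell.es are assumptions.
"""
from collections import Counter
import ipaddress

# Constructed: A-record answers for one hostname, per resolver.  In practice
# fill this from `dig +short <name> @<resolver>`; "authoritative" is the
# answer obtained directly from one of the zone's NS servers and is the
# reference the others are compared against.
SAMPLE_ANSWERS = {
    "8.8.8.8": {"195.22.26.248"},        # Google DNS as seen over the hijacked path
    "4.2.2.3": {"195.22.26.248"},        # Level 3, same wrong answer
    "isp-dhcp": {"203.0.113.10"},        # resolver handed out by DHCP on WAN (assumed)
    "authoritative": {"203.0.113.10"},   # reference answer (assumed)
}

# Constructed traceroute hops: (hop number, address, reverse name).
SAMPLE_HOPS = [
    (1, "192.168.1.1", "pfsense.localdomain"),
    (2, "198.51.100.1", "rdns.gigabell.es"),
    (3, "198.51.100.2", "rdns.gigabell.es"),
    (4, "195.22.26.248", "rdns.gigabell.es"),
]

# Prefixes you have identified as sinkholes (here: the address from the post).
SINKHOLES = ("195.22.26.248/32",)


def disagreeing_resolvers(answers, reference="authoritative"):
    """Resolvers whose answer set differs from the reference answer."""
    ref = answers[reference]
    return sorted(r for r, ips in answers.items() if r != reference and ips != ref)


def sinkholed_answers(answers, bad_prefixes=SINKHOLES):
    """(resolver, address) pairs whose answer lies inside a known-bad prefix."""
    nets = [ipaddress.ip_network(p) for p in bad_prefixes]
    hits = []
    for resolver, ips in answers.items():
        for ip in ips:
            addr = ipaddress.ip_address(ip)
            if any(addr in net for net in nets):
                hits.append((resolver, ip))
    return sorted(hits)


def shared_rdns(hops, skip=1, threshold=3):
    """Reverse name carried by at least `threshold` hops after the first
    `skip` hops (the local router), or None.  A genuine path crosses several
    networks, so one name on every hop points at a captive or sinkholed path."""
    names = Counter(name for _, _, name in hops[skip:])
    if not names:
        return None
    name, count = names.most_common(1)[0]
    return name if count >= threshold else None


def assess(answers=SAMPLE_ANSWERS, hops=SAMPLE_HOPS):
    """Run all three checks and return a list of human-readable findings."""
    findings = []
    bad = disagreeing_resolvers(answers)
    if bad:
        findings.append(f"resolvers disagreeing with the authoritative answer: {bad}")
    sunk = sinkholed_answers(answers)
    if sunk:
        findings.append(f"answers pointing at a known sinkhole: {sunk}")
    name = shared_rdns(hops)
    if name:
        findings.append(f"every traceroute hop reverse-resolves to {name}")
    return findings


if __name__ == "__main__":
    for line in assess() or ["no anomalies found"]:
        print(line)
```

The authoritative answer is the part that matters: a public resolver agreeing with another public resolver proves nothing when both are reached over the same tampered path, which is exactly the situation the post describes.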

Derelict (Global Moderator)
Re: Help with possible security issue
« Reply #1 on: February 05, 2015, 06:26:39 pm »
A quick, general search for 'lolcat' found:

https://forum.pfsense.org/index.php?topic=87491.0

Someone's been playing games with Google and Level 3 DNS.  Not necessarily hacking the servers, but ARP spoofing, route injection, or something somewhere.

Do we know who or what this is yet?

stephenw10 (Administrator)
Re: Help with possible security issue
« Reply #2 on: February 05, 2015, 08:20:05 pm »
Yeah I really expected to see some bigger news on this. Hmm.
Chris makes some good points here:
https://www.reddit.com/r/PFSENSE/comments/2u09v4/hijack_for_people_using_google_dns/

Steve

doktornotor
Re: Help with possible security issue
« Reply #3 on: February 06, 2015, 02:20:34 am »
I'd really drop any forwarding. Unbound + DNSSEC. There's also the 0x20 draft; a patch for pfSense is available here until 2.2.1 is out.
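What the recommendation above amounts to in Unbound terms, as an added example that is not from the post or from the pfSense project: the forwarding setup the thread started with is shown commented out for contrast, followed by a resolver that iterates from the root itself, validates DNSSEC, and uses 0x20 case randomisation. On pfSense 2.2 the first two settings correspond roughly to leaving forwarding mode off and enabling DNSSEC support on the DNS Resolver page, and the `use-caps-for-id` line is the kind of thing that goes in the custom options box; the trust-anchor path is assumed.

```conf
# Weak: forward every query to third-party resolvers and accept whatever comes
# back, with no validation.  Commented out; shown only for contrast.
# forward-zone:
#     name: "."
#     forward-addr: 8.8.8.8
#     forward-addr: 4.2.2.3

server:
    # No forward-zone at all: Unbound walks the delegation chain from the
    # root hints and talks to the authoritative servers itself.

    # Load the validator so answers from signed zones are checked against the
    # root trust anchor instead of being accepted as received.
    module-config: "validator iterator"
    auto-trust-anchor-file: "/var/unbound/root.key"   # path assumed for pfSense

    # An answer that should carry signatures but arrives without them is
    # treated as bogus rather than as an unsigned zone.
    harden-dnssec-stripped: yes
    # Only trust glue records that fall within the responding server's authority.
    harden-glue: yes
    # Strip unsigned data from the additional section of validated answers.
    val-clean-additional: yes

    # 0x20 (draft-vixie-dnsext-dns0x20): randomise the case of the query name
    # and require the reply to echo it, adding entropy against forged replies.
    use-caps-for-id: yes
```

Two caveats worth keeping in mind. DNSSEC validation only catches forged answers for zones that are signed; a name in an unsigned zone resolved over a tampered path is still at the attacker's mercy, so the validator's value in an incident like this one is detection (SERVFAIL on a forged answer) rather than full protection. And 0x20 raises the bar for an off-path spoofer who has to guess the query, not for an on-path attacker who sees it and can mirror the case; in the scenario Derelict describes (ARP spoofing or route injection) it is the validation, not the case randomisation, that does the work.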