Internet vulnerability: surviving a DNS attack.

[EYES WIDE OPEN]

Mod-edit:

The following thread was split off from this post and this post of the Mitchell Coombes: Does he really have access to insider info? thread.

This thread discusses a possible denial of service attack on the Internet's root name (DNS) servers, which would make the web pretty much useless for most ordinary purposes, while the attack was occurring, unless you found a way to adapt.

My personal hunches: using an alternative DNS provider is the best defense, but perhaps more importantly:

this smells to me like another possible false flag operation (with Internet hackers blamed, instead of terrorists), intended to open the door for more visible suppression of Internet freedoms.

Beware.

-- Paul.

===

Posted by Quantum Logic (here)

...

The forces at work here are moving on multiple fronts now, and when this begins, most if not all of you will be overwhelmed by it all. So here are some more clues as to the great many fronts that are being advanced at this very moment-

http://news.yahoo.com/fbi-could-down...ortBy%3Dlatest

Also look at the date of publication of this report on the original incident-

http://www.fbi.gov/news/stories/2011...malware_110911

11/9/11? Sound strange? Hold that thought for a moment...

Here is the PDF technical paper from the working group assembled to attempt to fix this issue. Please read it carefully to understand what the real situation is-

Attachment 13928

I suggest you follow ALL of the links contained while tracking the article back to the source. In a nutshell, very soon DNS will no longer function properly, which means if you do not know the numerical IP address for any site you wish to visit- you may find yourself without the internet. This will be made worse if this next planned event succeeds-

http://pastebin.com/NKbnh8q8

It is open source instructions for causing a self-initiated Blackhole loop that will take all of the DNS servers down. Once the net is down, communication will be greatly stifled, and far more destructive events will ensue since our ability to track them will be gone.

...

Is there an easy way of finding the IP Address of a website in case this happens?

[Bryn ap Gwilym]

Posted by EYES WIDE OPEN (here)
Is there an easy way of finding the IP Address of a website in case this happens?

Hi,
Yes there is by using the nslookup command.
Example
nslookup projectavalon.net
# will give you the address you are looking for. The below address is for this site. #
67.212.160.12

Linux and Unix nslookup command
http://www.computerhope.com/unix/unslooku.htm

Using NSlookup.exe
http://support.microsoft.com/kb/200525

Or just surf the internet with GNU Emacs

The web is just a small portion of the Internet & is not the Internet.

[hohoemi]

hi,

in regard to nslookup: from what i understand it's just another way to query a DNS (domain name server) to get the IP address.
this won't solve the problem of the global blackout since the DNS will be down.

see wikipedia:

nslookup is a network administration command-line tool available for many computer operating systems for querying the Domain Name System (DNS) to obtain domain name or IP address mapping or for any other specific DNS record.

however, if you are talking about circumverting the DNSChanger problem, it could work

[Alan]

Posted by hohoemi (here)
hi,

in regard to nslookup: from what i understand it's just another way to query a DNS (domain name server) to get the IP address.
this won't solve the problem of the global blackout since the DNS will be down.

see wikipedia:

nslookup is a network administration command-line tool available for many computer operating systems for querying the Domain Name System (DNS) to obtain domain name or IP address mapping or for any other specific DNS record.

however, if you are talking about circumverting the DNSChanger problem, it could work

I think the idea is, use nslookup NOW to get the IP addresses and save them off somewhere. This way if/when the DNS servers go down you can use the IP address instead of the domain name.

[Bryn ap Gwilym]

Posted by hohoemi (here)
hi,

in regard to nslookup: from what i understand it's just another way to query a DNS (domain name server) to get the IP address.
this won't solve the problem of the global blackout since the DNS will be down.

see wikipedia:

nslookup is a network administration command-line tool available for many computer operating systems for querying the Domain Name System (DNS) to obtain domain name or IP address mapping or for any other specific DNS record.

however, if you are talking about circumverting the DNSChanger problem, it could work

Hi,
Ie I know.
I was answering the question which was asked nothing more or nothing less..

Is there an easy way of finding the IP Address of a website in case this happens?

[Quantum Logic]

Alamojo and Bryn are correct. Get the numerical IP's NOW while you can. Otherwise you may be out of luck. Especially the March 31 Anon attack- they are using a reflective approach that will grow faster than we will be able to react. I hope someone finds a way to stop this, but since the DCWG can't even do it, it looks to be widespread.

[hohoemi]

@ bryn ap gwilym
i probably misunderstood the question because of something i was wondering myself:
how do you get an ip adress once the DNS is down?
in any case, thanks for the nslookup command! it's a good thing to know

@ alamojo:
yes, that would be an idea, however i don't think it would work for dynamic pages such as this forum - you could save the IP address of the main page or any currently existing post, but how do you follow the link to the next page of a thread etc.?

also, nslookup can't find projectavalon.net/forum4 or the IP of a specific thread... what's up with that?
and some of the IP addresses it finds don't seem to work, such as 80.87.129.146 for the david icke homepage (re-resolving it makes it mail . davidicke . com , while i looked up www . davidicke . com)
i hope it's just my bad influence on computers

[mountain_jim]

searching for domain IP lists now might save some time...

Besides nslookup, running ping <domain name> from command prompt returns the IP

ping projectavalon.net
returns 67.212.160.12

This one is related to SOPA, but does have some useful ones (more there but I was having trouble copying them)

https://docs.google.com/document/d/1...1E/edit?pli=1#

# SOPA emergency list (a.k.a sites that got free advertisement from sopa)

# Social media
reddit.com 72.247.244.88
digg.com 64.191.203.30
imgur.com 173.231.140.219
hotmail.com 65.55.72.135
theonion.com 97.107.137.164
hush.com 65.39.178.43
gamespot.com 216.239.113.172
ign.com 69.10.25.46
cracked.com 98.124.248.77
sidereel.com 144.198.29.112
stackoverflow.com 64.34.119.12

# Social networking
facebook.com 69.171.224.11
twitter.com 199.59.149.230
tumblr.com 174.121.194.34


# Search engine / Link sites:

google.com 74.125.157.99
yahoo.com 98.137.149.56
bing.com 65.55.175.254
torrentz.eu 46.19.137.189
torrentbutler.eu 209.44.99.122
filestube.com 149.13.65.52


# Streaming sites

youtube.com 74.125.65.91

# Shopping
amazon.com 72.21.211.176
newegg.com 216.52.208.187
frys.com 209.31.22.39

[EYES WIDE OPEN]

Thanks for this. Is there one for Macs?

[EYES WIDE OPEN]

Perhaps we can start a list of I P addresses for our fav websites?

[mountain_jim]

The IP / domain name association is true for all platforms, as it is in the design of the internet protocols.

I assume the apple OS also allows nslookups and pings from its os, or you can use the nslookup web-sites to perform the same function.

I think a new thread to list everybody's favorite sites IPs would be a good idea, so as not to derail this one any further.

I wonder whether my ISP DSL connection will even work properly if domain name resolution is down, however.

[EYES WIDE OPEN]

Which forum would be the best place for the new thread?

[ThePythonicCow]

Posted by hohoemi (here)
i probably misunderstood the question because of something i was wondering myself:
how do you get an ip adress once the DNS is down?

Yes, the earlier question, how to get an IP address, was ambiguous.

If you're asking how to get an IP address now, while DNS servers are working, then the answer is to use such commands as nslookup, dig, host, or ping (these are the Linux names; I do not know which one of these you can find on Windows or Mac), or to use such web service sites as whois.net or www.networksolutions.com/whois.

If you're asking how to get an IP address when your DNS service (and perhaps most DNS on the web) is broken, then the answer is to have a backup plan (see below) for DNS service.

yes, that would be an idea, however i don't think it would work for dynamic pages such as this forum - you could save the IP address of the main page or any currently existing post, but how do you follow the link to the next page of a thread etc.?

also, nslookup can't find projectavalon.net/forum4 or the IP of a specific thread... what's up with that?:

It is NOT the case that each web page on the Internet has its own IP address. There are only 4 billion or so IP addresses available (in the current IP4 protocol). barely enough for all the network attached computers, smart phones and other web attached devices.

Rather each web site has a single IP address. The IP address for davidicke.com is 80.87.129.146, and the IP address for projectavalon.net is 67.212.160.12. Then David Icke owns a web server answering to the address 80.87.129.146 that handles all webpage requests for that address, and Bill Ryan owns a web server answering to the address 67.212.160.12 that handles all webpage requests for that address (Paul and Ilie administer that last web server .)

Looking at a full web URL, such as http://projectavalon.net/forum4/showthread.php?36083-Mitchell-Coombes-Does-he-really-have-access-to-insider-info. the dot-connected portion "projectavalon.net" after the "http://" and before the next slash "/" is the portion that gets its own IP address.

=======

Here's what I would suggest for a DNS backup plan. Having the IP address of one or a few of your favorite websites won't get you very far on the web ... you would be amazed how many different IP addresses even some simple web browsing will traverse.

Rather I would have the web address of a few sites that list alternative DNS servers and provide Windows, Mac and Linux instructions for changing which DNS server you're using.

Then, if your local Internet Service Provider (ISP) can't handle a major DNS attack, perhaps one of the major alternative DNS providers is in better shape, and you can switch to them.

The Operation Global Blackout attack on the root DNS servers that Quantum Logic's post mentioned above should not, I would hope, cripple all the alternative DNS providers. They should be able to fall back to issuing whatever (increasingly stale) top level domain IP addresses they had, before the root servers were taken down by any such attack. I'd also expect that any such attack would have a higher risk of being used to justify Internet clamp downs by the thugs working under the badge of legal authority, than it would have a risk of seriously disabling the Internet for very long.

Personally, I always use an alternative DNS provider, not my ISP's DNS. Some of the alternative's are bigger, faster and more reliable.

Perhaps the two best list of alternatives, with instructions for changing which DNS service your PC uses are:

• http://theos.in/windows-xp/free-fast-public-dns-server-list/
• http://wikileaks.org/wiki/Alternative_DNS

If your DNS service is not working, you can get to these two web pages at:

• http://75.126.153.211/windows-xp/free-fast-public-dns-server-list/
• http://88.80.2.31/wiki/Alternative_DNS

If your web geek skills are medium, you might want to print out one of these pages, to have on hand if all your web pages start coming up Not Found (the usual sign of a broken DNS, or of your internet connection being down, or of your cable modem being unplugged by the cat, or of ...).

If your web geek skills are high, you don't need these pages ... you already know enough of it .

If your web geek skills are low ... become a friend with a geek, or don't use the web when it's not working.

My favorite two alternative DNS services are OpenDNS (208.67.222.222) and Level 3 (4.2.2.1). OpenDNS has more features and specializes in DNS services, but Level 3 (a major Internet backbone player) is usually the fastest (in the places I've lived) and has an IP address that I've long since memorized (4.2.2.1).

My personal DNS backup plan is actually more elaborate. I run my own DNS server, and have a cron job dump it's entire mapping every 20 minutes (before anything expires). My elaborate backup system then keeps all copies of that map, and I am prepared to fall back to to any earlier version of my DNS map as need be. My backup maps keep getting bigger, as I visit more sites. Currently it has 58126 IP addresses, being all the websites I've visited (or some page I loaded used) in the last year or two.

¤=[Post Update]=¤

Posted by mountain_jim (here)
I think a new thread to list everybody's favorite sites IPs would be a good idea, so as not to derail this one any further.

Oops - looks like I just derailed this thread further. Sorry.

[EYES WIDE OPEN]

So back on topic, what would be the best place for the IP thread? I think it needs to be fairly high profile as it could prove important. Might as well decide now so that a mod does not have to move it at a latter date. Current events maybe? Once its started, maybe the mods can move all this info into the new thread and delete these posts from here?

[ThePythonicCow]

Posted by EYES WIDE OPEN (here)
Perhaps we can start a list of I P addresses for our fav websites?

As I noted just now, when I added the Mod-edit to the opening post of this thread, my hunch is that this "threat" of a major takedown of the web by a denial of service attack on the Internet's root DNS servers is a potential false flag operation, to open the door to further denials of freedom on the web.

That doesn't mean it won't happen ... just that we won't know who did it .

As I said in a round about way in my big post earlier in this thread, the best way to get through such an outage (if you want to continue using the web) is to use a good alternative DNS provider. See the following sites for lists of good DNS alternatives:

• http://theos.in/windows-xp/free-fast...s-server-list/
• http://wikileaks.org/wiki/Alternative_DNS

If you are moderately tech savvy, I recommend permanently changing to OpenDNS (208.67.222.222) or Level 3 (4.2.2.1), rather than using your local ISP's DNS. Then, print out a list, from one of the above two links, of other alternative DNS providers, in case you need to switch to a different one during some such attack.

The most important thing you could do, if this did happen and actually was a false flag, would be to calm your friends, family and neighbors, and alert them to being wary of official reactions to "protect" us from such future attacks, by taking away our Internet freedoms.

Having a list of the IP addresses of a few of your favorite websites won't get you far, if this did happen, and won't help deal with the real threat (tyrannical bastards in power further extending their grip) if this is a false flag.

[mountain_jim]

Thanks Paul. I also point to the OPEN DNS servers on my Netgear router.

Thanks for the tip on Level 3 DNS, as it makes sense to spread out the risk over both major players.

Something weird in last 2 days, twice my wireless internet connection has been lost when using google search links for nslookup and looking for an 'archived list of domain name IP associations', and I had to re-establish the connection. It appeared the wireless node (but not my router or DSL modem I think) was taken out by something in the character stream of those requests.

[ThePythonicCow]

Posted by mountain_jim (here)
It appeared the wireless node (but not my router or DSL modem I think) was taken out by something in the character stream of those requests.

My wild guess, without knowing anything, would be that something caused some interference in the electromagnetic spectrum used by your wireless, somewhere near you. I would not expect the data contents going over a wireless connection to affect it, except in some pretty far out scenarios.

That something might include microwave ovens, cordless phones, Bluetooth devices, wireless video cameras, outdoor microwave links, wireless game controllers, Zigbee devices, fluorescent lights, WiMAX, or so on (list quoted ver batim from 20 Myths of Wi-Fi Interference.)

[Operator]

Hi All,

I have 2 remarks regarding name 2 IP resolving:

1. Most websites cannot (!) be reached by IP alone !!
A domain name will resolve to a valid IP as translated by DNS. However it resolves to an IP of a server that hosts several hundred websites.
Once you are on the right server the server looks at the domain name again and directs you to the corresponding files of the website.
The only websites that can work with IP only are the ones that have a UNIQUE IP address. Typically the websites that also use https
(encrypted (secured) protocol) need an unique IP to let the encryption certificate do its work.

My next point is related but perhaps not exactly on topic ...
2. What if the blackout is planned at the same time when major attacks, trying to start WWIII, are performed.
By now they know that they cannot rely on the MSM. Real independent info will spread like wildfire if they don't
suppress it. Just a wild hunch for the moment.

[ThePythonicCow]

Posted by Operator (here)
I have 2 remarks regarding name 2 IP resolving:

1. Most websites cannot (!) be reached by IP alone !!
...
2. What if the blackout is planned at the same time when major attacks, trying to start WWIII, are performed.

Two excellent points, Operator.

It is been my experience that even when a server hosts many websites, more often than not each of those websites will still have its own unique IP.

But let me provide some real numbers. From my logs of my own DNS server, through which all my web surfing has been passing for a couple of years now, I have visited (or at least had some page I visited pull a bit of content from) 58126 sites (by unique domain name), but only accessed 45455 unique IP addresses. Some 38407 domain names I visited each had their own unique IP address, and the other 19719 domain names I visited were shared, having two or more names (that I know about, because I visited them too!) per IP address. The sites I visited which shared the most domain names per IP address (one or two hundred each that I know of) were GoDaddy.com, TypePad.com, and sourceforge.com.

So, from that sample of one, 38407 / 58126 == 66 % (two thirds) of the web sites (by name) that I visited had their own unique IP address (so far as I know.)

However your observation is one more good reason to look for alternative DNS servers, rather than trying to manually visit sites using explicit IP numbers. Doing so lets you visit all sites, not just two thirds, and lets you load their entire page correctly, including the parts that pick up bits of other sites by named links that depend on that name.

I run three websites myself (itsy bitsy teeny weeny ones) all on one webserver, and as you describe, they share a single IP address, resolving requests by the domain name. On my server, if you come in with a request using the server's IP number, instead of a domain name I'm expecting, you will always get a particular one of the three websites, and the other two might as well not exist.

As to your second point - yes - as we can see from the Arab Spring revolts recently, the time the bastards in power are most likely to openly and blatantly mess with cell phone calls, twitter, facebook, or whatever other means of communication concerns them is right when communication between people would be most useful, that being when some nasty operation is going down.

Just guessing here (hopefully I don't think like those bastards and certainly I have no inside information) but it would not surprise me if they took this in a couple of steps:

1. First another "network hacker" attack or two, to get more tyrannical control over the web, and
2. then more seriously nasty operations, during which communication between us peons occurs only at the pleasure of the bastards in charge.

However they may be running out of time and maneuvering room for such delicacies.

[Quantum Logic]

If you really want to find out the path to where you want to go, do a full trace to find out exactly how it's routed. Thanks Paul for making this into it's own thread. But I will tell you, if you look at how the Blackhole Toolkit and subsequent scripts work that Anon is going to use, alternative DNS will eventually fail due to the reflective approach they are using. I think the Anon attack is going to use already infected systems from the original Estonian operation that ended Nov. 9,2011. You are correct- I smell a false flag as well. Think of what they could do with global net communication down, not to mention those of us who monitor HAARP and infrasound emissions will not be able to tell if the sonic signature is present. I will be posting a list of monitoring links for various sciences in the near future, resolved to true IP's with subsections.

QL