So I have configured DDNS and everything seems to be working fine, except that I noticed in my OpenDNS logs that my network has been trying to resolve a couple of domains blocked under the category of Proxy/Anonymizer. The first of these 2 domains shows up as malicious per McAfee's and Norton's link checkers:
Domain          Requests
cmyip.com       16    <----- Contains drive-by download per Norton's report: http://safeweb.norton.com/report/show?url=cmyip.com
checkmyip.com   10
This seemed weird to me because it didn't seem like that should be happening on my small home network. I checked further and found that OpenDNS logged an abundance of websites that check your IP address, though it didn't block them:
http://www.ip-address.org     10
whatismyip.org                10
http://www.tracemyip.org      17
my-ip-address.com             17
checkip.org                   16
myip.dk                       16
http://www.ip-1.com           19
automation.whatismyip.com     18
Then it hit me: this must be the DDNS service going out to check my IP address in such a way that it doesn't query my DDNS provider. In the web GUI it puts it like this:
"The check interval specifies how often the router will check whether your current IP matches the one currently associated with your domain name. This check is performed without connecting to your dynamic DNS service provider, which means that this will not cause problems with providers that ban users who connect too frequently (e.g. dyndns.com). However, a network connection is established to perform this check, so this value should not be too low. A check interval between 10 and 20 minutes is usually appropriate."
Does that sound like a correct explanation for the beaconing to all these IP address checker sites? If so, why would Gargoyle talk to this potentially malicious domain? Is it a false-positive? Did the developers just not know that one of the sites they use for checking my IP is kinda iffy?
Please help shed some light on this. Thanks!!
James
DDNS beaconing to malware site?
Re: DDNS beaconing to malware site?
Sorry it took me some time to see your post, but you are correct, this is the ddns service checking your current IP.
I've removed cmyip.com from the list, because this report seems especially severe. However, there really isn't much danger of malware getting on your router, even from cmyip.com, because the sites aren't loaded as with a traditional browser, but by a program so simple that any malware aimed at a typical browser will not work. No JavaScript/Flash/remote links or even CSS are downloaded, only the main HTML page, which is plain text. Then, this text is scanned for the first set of numbers that looks like an IP address. That's it. The worst that can happen is that the page will give you a wrong IP address.
There's a reason why some slightly sketchy sites may be included on that list. The problem is that it needs to be a long list. DNS sites don't like it if you check whether there is an IP mismatch very often, but in order to update sooner in response to a new IP address, a more frequent check is better for you, the user. So, there is a long list of sites that provide this service that are sequentially checked so that you won't check any single one too many times, too quickly and get banned. This also accounts for the possibility that one of the sites goes down -- there will then be a lot more to choose from.
A lot of sites provide this service to lure in people who want to check their IP address, but have a lot of advertisements/tracking garbage there too. However, if you're only checking the site with a browser that's too simple/stupid to look at anything other than the plain-text HTML, that malware isn't going to do anything, but you still get what you were after: the IP address. In a way, you're scamming the scammers, since you use their bandwidth and their service without viewing their ads.
If you really want to specify the source of the IP addresses, you can log in via ssh and set the ip_url parameter in the uci ddns_gargoyle section. This should be a space (not comma) separated list of URLs to check for IP addresses, and you will need to set the variable in each ddns section, e.g. uci set ddns_gargoyle.ddns_1.ip_url="[URL_1] [URL_2] [URL_3]"
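The check loop the reply describes, as an added example (my own script, not Gargoyle's ddns_updater.c): fetch one page as plain text, take the first number that is a valid public IPv4 address, rotate through a list of sites so no single one is hit every interval, and emit the uci lines that pin ip_url in /etc/config/ddns_gargoyle. The checker-*.example hostnames, the sample pages they return, the private-range guard and the use of wget on the router are all assumptions of this example; nothing here contacts a real site.

```shell
#!/bin/sh
# Added example, not Gargoyle's code: the "dumb fetch, grab the first
# IP-looking number" check the reply describes, plus the uci pinning step.
# Network access is replaced by constructed sample pages so it runs offline;
# on a router you would swap fetch_page for e.g. wget -qO- with a timeout.

# First candidate on stdin that is a valid, public dotted-quad IPv4 address.
# Octets over 255 and version strings ("3.4.5") are not addresses; private,
# loopback and 0/8 ranges are skipped because no public checker should
# report them (guard added in this example, not in the original program).
first_public_ipv4() {
    grep -oE '[0-9]{1,3}(\.[0-9]{1,3}){3}' |
    awk -F. '
        $1>255 || $2>255 || $3>255 || $4>255 { next }   # not an address
        $1==10 || $1==127 || $1==0            { next }   # private / loopback
        $1==172 && $2>=16 && $2<=31           { next }   # 172.16/12
        $1==192 && $2==168                    { next }   # 192.168/16
        { print; found=1; exit }
        END { exit !found }'
}

# Constructed stand-ins for the checker sites (no real hosts are contacted).
fetch_page() {
    case "$1" in
        http://checker-a.example/) printf '%s\n' \
            '<html><body>Your IP is 203.0.113.7 <script src="//ads.example/x.js"></script></body></html>' ;;
        http://checker-b.example/) printf '%s\n' \
            '<html><body>served by edge 198.51.100.9 -- client 203.0.113.7</body></html>' ;;
        http://checker-c.example/) printf '%s\n' \
            '<html><body>build 3.4.5, node 999.1.2.3 / 10.0.0.5, client 203.0.113.7</body></html>' ;;
        *) return 1 ;;   # site down
    esac
}

# Next URL from a space-separated list; the rotation pointer lives in a
# state file so successive checks spread over the sites instead of hitting
# one site every interval.
next_url() {
    list="$1"; state="$2"
    n=$(printf '%s\n' $list | wc -l | tr -d ' ')
    [ "$n" -gt 0 ] || return 1
    i=$(cat "$state" 2>/dev/null || echo 0)
    printf '%s\n' $list | sed -n "$((i % n + 1))p"
    echo $(( (i + 1) % n )) > "$state"
}

# One check: walk the rotation until a site answers with an address.
# Fails only if every site is down or returns nothing usable.
detect_ip() {
    list="$1"; state="$2"
    n=$(printf '%s\n' $list | wc -l | tr -d ' ')
    k=0
    while [ "$k" -lt "$n" ]; do
        url=$(next_url "$list" "$state") || return 1
        if ip=$(fetch_page "$url" | first_public_ipv4); then
            printf '%s\n' "$ip"
            return 0
        fi
        k=$((k + 1))
    done
    return 1
}

# Update only when the detected address differs from what DNS holds
# ($2 would come from a DNS lookup of your hostname on the router).
needs_update() {
    [ -n "$1" ] && [ "$1" != "$2" ]
}

# Emit the uci commands that pin ip_url in /etc/config/ddns_gargoyle to a
# space-separated list of sites you trust.  Printed rather than executed so
# this runs anywhere; on the router, pipe the output to sh.  The section
# name is whatever your ddns section is called (ddns_1 in the reply).
uci_pin_ip_urls() {
    section="$1"; shift
    list=""
    for u in "$@"; do
        case "$u" in
            http://*|https://*) ;;
            *) printf 'refusing non-http url: %s\n' "$u" >&2; return 1 ;;
        esac
        list="${list:+$list }$u"
    done
    printf 'uci set ddns_gargoyle.%s.ip_url="%s"\n' "$section" "$list"
    printf 'uci commit ddns_gargoyle\n'
}

SITES='http://checker-a.example/ http://checker-b.example/ http://checker-c.example/ http://checker-down.example/'
STATE="${TMPDIR:-/tmp}/ipcheck.$$"
rm -f "$STATE"
for round in 1 2 3 4; do
    ip=$(detect_ip "$SITES" "$STATE") || ip='(none)'
    printf 'check %s: %s\n' "$round" "$ip"
done
rm -f "$STATE"
uci_pin_ip_urls ddns_1 http://checker-a.example/ http://checker-c.example/
```

Running it shows the two points made above: check 2 comes back with 198.51.100.9, the edge-node address checker-b prints before the client's, which is exactly the "wrong IP" case a plain-text scrape cannot tell apart from the real answer; check 4 skips the dead site and rotates on to the next one. The private-range guard catches the 10.0.0.5 on checker-c but cannot catch a wrong public address, so the only real defence is choosing the sites yourself. Because the default list is compiled into the binary, ip_url replaces it rather than adding to it; after the emitted uci commands are applied and committed, restart the DDNS service (how depends on your Gargoyle build and is not shown here).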
Re: DDNS beaconing to malware site?
Thanks much! What is the file path to the config file containing the URLs?
Re: DDNS beaconing to malware site?
The default URLs are built into the binary. The uci config file where you can put the ip_url variable is /etc/config/ddns_gargoyle.
If you build from source, the URL list is near the top of this file: [gargoyle_root]/package/ddns-gargoyle/src/ddns_updater.c