Beware: Your Cloud Server May Have Some IP Related Baggage

May 22, 2014 in HttpWatch, IIS

Cloud based servers are great. You can quickly fire up new instances to scale up a web site or just to make deployment easier.

However, your new cloud server may not be as clean and new as you expect. The problem is that IPv4 addresses are in short supply and your cloud server provider will maintain a pool of addresses that get recycled when a cloud server is destroyed. So when you create a new cloud server, the IP address assigned to it may have some baggage from its previous owner.

We ran into this when we deployed a major update of our site to a new server. Not long after deployment we got a Google Alert about the presence of HttpWatch related content at a site with a strange domain name – let’s say malwarecentral.com. The weird thing was that this site was an exact replica of our site:

Strange Domain

The site must have had a high page rank in Google, perhaps through dubious SEO techniques. If we searched for ‘HttpWatch’ the site appeared as one of the first search results:

Google Results

Using HttpWatch we checked the IP address used by the site and found that it was the same as our latest cloud server:

IP Address

It wasn’t a copy of our site; it was an existing DNS entry that was pointing at the same IP address as our server.

How could this have happened? The scenario may have gone something like this:

  1. A stolen credit card was used to register a domain name (e.g. malwarecentral.com) and set up an account at the cloud server provider.
  2. A DNS entry for the domain was set up for the new cloud server.
  3. The cloud server may have been used for phishing, malware distribution or some other questionable activity.
  4. The cloud server provider gets a chargeback on the credit card used to set up the account. The account is shut down and all cloud servers related to that account are destroyed.
  5. The IP address of the server is returned to the provider’s pool of IPv4 addresses. The DNS entry for malwarecentral.com may have been created at another provider and was not deleted.
  6. We happened to get this IP address when we created a new cloud server and the DNS entry for malwarecentral.com was still using this IP address.

Tip: Never Use Default Binding For Your Web Site

A simple way to avoid old DNS entries referring to your site is to remove the default binding that allows any hostname to be used. In IIS the entry looks like this:

IIS Bindings

Once it is removed, only requests containing the hostnames that you specify will be able to load pages.
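A scripted version of the tip above, as an added example that is not part of the original post: it lists every site that still has a catch-all HTTP binding and replaces the one on a chosen site with explicit host names. The site name and host names are placeholders, and HTTPS bindings are left alone because changing them also involves the certificate.

```powershell
# Added example. Run in an elevated PowerShell session on the IIS server.
# The site name and host names below are placeholders (assumptions).
Import-Module WebAdministration

$siteName  = 'Default Web Site'                   # assumed site name
$hostNames = @('www.example.com', 'example.com')  # assumed host names

# bindingInformation is "IP:port:hostname". An empty hostname field (the
# string ends with ':') means the site answers for ANY Host header.
function Get-CatchAllBinding {
    param([Parameter(Mandatory)][string]$Name)
    Get-WebBinding -Name $Name -Protocol http |
        Where-Object { $_.bindingInformation.EndsWith(':') }
}

# 1. Audit: list every site that still has a catch-all HTTP binding.
foreach ($site in Get-Website) {
    Get-CatchAllBinding -Name $site.Name | ForEach-Object {
        '{0}: catch-all binding {1}' -f $site.Name, $_.bindingInformation
    }
}

# 2. Fix one site: add explicit host names first, then drop the catch-all,
#    so the site is never left without a working binding.
foreach ($b in @(Get-CatchAllBinding -Name $siteName)) {
    $ipPort = $b.bindingInformation.TrimEnd(':')   # e.g. "*:80"
    $cut    = $ipPort.LastIndexOf(':')
    $ip     = $ipPort.Substring(0, $cut)
    $port   = [int]$ipPort.Substring($cut + 1)

    foreach ($h in $hostNames) {
        $wanted = '{0}:{1}:{2}' -f $ip, $port, $h
        $exists = Get-WebBinding -Name $siteName -Protocol http |
            Where-Object { $_.bindingInformation -eq $wanted }
        if (-not $exists) {
            New-WebBinding -Name $siteName -Protocol http -IPAddress $ip -Port $port -HostHeader $h
        }
    }

    # Remove exactly this element from the site's <bindings> collection.
    Remove-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
        -Filter "system.applicationHost/sites/site[@name='$siteName']/bindings" `
        -Name '.' -AtElement @{ protocol = 'http'; bindingInformation = $b.bindingInformation }
}
```

Running the audit loop again afterwards should print nothing for the fixed site.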

Conclusion

There may be other consequences to reusing an IP address on your cloud server. It may have been blacklisted by email systems if it was sending spam, and it could be blocked from other web sites or services if it was engaged in Denial of Service (DoS) attacks or hacking attempts.

This problem doesn’t exist with IPv6 because it has such a large address space that the cloud server provider could create a new address for every server instance without ever having to reuse addresses from deleted servers. However, in today’s world where IPv4 dominates it’s worth remembering that your cloud server’s IP address may come with some baggage.

 

HttpWatch Goes 64-bit and Supports EPM on Windows 8

April 3, 2014 in HttpWatch, Internet Explorer

The latest update to HttpWatch is available for download and adds the features listed below:

Full 64-bit and Enhanced Protected Mode Support

HttpWatch can now be used in 64-bit versions of IE and fully supports Enhanced Protected Mode (EPM) on Windows 8 and 8.1:

HttpWatch Supports 64-bit IE

Improved Performance on Windows 64-bit

The automation interface is now available in 64-bit, as well as 32-bit, providing improved performance in 64-bit automation clients.

HttpWatch also includes a 64-bit version of the HttpWatch Studio log file viewer that can load larger files and filter data more quickly.

Property Pane Displays User Name, Browser Mode and Windows Architecture

The Properties pane now displays the browser mode (e.g. EPM), user name and Windows architecture (e.g. x86 or x64):

New Values on Properties Pane

New Fields for CSV Output

New Page ID, Device Name and User Name fields are available in the CSV output:

New CSV Fields

HttpWatch 9.2: SSL handshake and Protocol Information in Firefox

February 14, 2014 in Firefox, HTTPS, HttpWatch, SSL

HttpWatch 9.2 is now available for download and brings the level of SSL reporting in Firefox up to the same level as the plugin for IE and the iOS app.

SSL handshake timings are now displayed in Firefox:

SSL Handshake Timing

and in-depth information about the SSL protocol used by each connection:

SSL Information

We’ve also made some other SSL related improvements that are available in the Firefox/IE plugins and the HttpWatch Studio log file viewer. The first is that SSL information can now be added as columns in the main request grid:

SSL Columns


There’s also a new warning that can be used to highlight HTTPS connections that have potential vulnerabilities:

SSL Warning

You can check your SSL/TLS configuration with our new SSL test tool, SSLRobot. It will also look for potential issues with the certificates, ciphers and protocols used by your site. Try it now for free!

 
