/alleycat/ - Alleycat BBS (cat scratch fever)

I first began reporting on DNS issues in early March when Vanwanet was doing some sort of maintenance work (I'm guessing) and the subdomain "sys.8kun.top" fell out of the DNS. This did not affect reading the site but it blocked posting. The solution was to patch the "hosts" file or to work through TOR. The situation cleared up in early April.

The current snafu is a different issue which does not involve Vanwanet. The top-level DNS server for domains under the control of Vanwanet is "ns1.vanwanet.com" which, strangely enough, has the same IP address as "sys.8kun.top" (185.165.190.88). I have tested this DNS server and have found no issues so the problem does not originate from there.

The next post is my updated report which I first issued at the end of April. Board owners are invited to copy my posts to their own boards so that more anons will become aware of this. Whoever is behind this DNS fuckery might decide to not spring the trap if everybody knows about it.

DNS fuckery is still in progress

This report was last posted on May 2. This is an updated version.

This is serious. The situation is stable right now but there is clearly a plan to open a can of worms on the anons here. DNS servers worldwide are being seeded with invalid IP addresses for all of the 8kun subdomains. Apparently, this is being done through an exploit and many (possibly all) servers are affected to some degree. You can use the links below to monitor the situation. Note that "8kun.top", "media.8kun.top", "nerv.8kun.top" and "softserve.8kun.top" all share the same IP addresses so they do not need to be tested separately.

https://dnspropagation.net/A/8kun.top

https://dnspropagation.net/A/sys.8kun.top

Refresh the page a few times and look through it to see if some servers are showing a wrong IP address for the subdomain. For "8kun.top", there should be a set of 7 IP addresses. The bad DNS lookups occur randomly. This is happening with my own ISP and also with Google and OpenDNS. I am still trying to determine if Cloudflare is vulnerable. Although I have spotted an issue with Google and OpenDNS on just two occasions each, the fact that this has happened even once indicates that they are vulnerable.

Now, the key to this is what is called the TTL which means "Time To Live". It is normally 60 seconds for this site. This means that, if your DNS server gets seeded with an invalid IP address then you need to wait till the TTL runs out for your DNS cache to refresh and get a new address. I have observed that the TTL for the bad IP addresses exceeds 60 seconds (up to 300 seconds, it seems). Note that this TTL is not necessarily adhered to. Some DNS servers (meaning the one supplied by your ISP) may ignore this value. That is, it may take a longer period of time for the bad IP address to get flushed out of the cache. I don't know this but you should keep it in mind if the site seems to go down for a long period.

There are three critical subdomains involved: "8kun.top", "media.8kun.top" and "sys.8kun.top". If "8kun.top" fails, auto-updates will fail and the catalog will fail (the site will become inaccessible). If "media.8kun.top" fails, images and other media will not load. The two will almost never fail at the same time. This is another reason why it may look like just a temporary glitch. If "sys.8kun.top" fails, posting and captchas will not work. Board administration also runs through this subdomain.

I have seen very few problem reports so it is impossible to gauge just how many people are affected. Most of the time, a bad IP address will be unresponsive and your access to 8kun will fail silently. It is possible that you may get an error message from your web browser about an invalid security certificate. Some of the IP addresses belong to Facebook and a few anons have reported getting what appears to be an error message from Facebook. When you see an error message, just close it and try again in a minute or few.

There could be hundreds of bad IP addresses being circulated. I am no expert on DNS or Internet security so I have no conclusion to make about the distribution. I will note that a cursory examination suggests to me that the addresses are all under the control of possibly just one Internet authority. Look here:

https://en.wikipedia.org/wiki/List_of_assigned_/8_IPv4_address_blocks

Next post: what might be coming and some hints on how to prepare.

DNS fuckery: what is to come and how to prepare

If you perform the DNS Propagation Test as suggested in the previous post, you will notice that some servers exhibit the problem regularly but others seem to be unaffected. The DNS attacks may not be totally random. There may be a purposeful pattern which targets some more than others. If the frequency of attack on a particular server is very low then you may never spot it. I have seen two instances of a bad IP address from Google but separated by days. OpenDNS gave me two in the same day but that was after weeks of testing. On the other hand, my ISP will feed me a bad IP address several times a day. This is all very circumstantial but I'm not inclined to write a bot to hit the DNS servers in order to gather statistics.

There are thousands of DNS servers spread around the globe, each serving a specific market. If the ultimate target of the attack is YOU then only certain upstream servers feeding the local ISP market would need to be targeted. I don't have any idea what upstream server my ISP uses but I can say that it is not Google or Cloudflare or OpenDNS. Since most people accept whatever default DNS server is assigned by their ISP then the targeting makes sense. Switching away from your default DNS is a good idea but you shouldn't expect that to keep you safe if the black hats decide to put on a full-scale assault. All DNS servers should be considered suspect until proven otherwise.

Here is what we need to be prepared for:

The exploit which is being used to seed bad IP addresses can clearly be used to modify the TTL (Time To Live). Simply extending the TTL to an hour or so could take down the site or at least reduce the traffic considerably. The site operators and Vanwanet would not even know what happened. This would work like a valve. Open the valve to let the traffic through and then close it for any desired period of time. This could be controlled geographically like a wave sweeping across the globe. As it is right now, the TTL is low enough that the fuckery looks like a temporary glitch. In addition, bad IP addresses could be seeded more frequently but, judging from I'm already seeing from my ISP, the frequency is already high enough. Bumping up the TTL could lock me out of 8kun indefinitely if I were to rely on my default DNS server.

Savvy anons know exactly what to do because we've been through this before. For now, you should change your DNS server but this is not a long-term solution if the attack escalates. Think logically: if they REALLY want to take us down then no DNS server is safe. In the event that you do get hit with a bad IP address and the TTL is set to a long period then you should know how to flush your system DNS cache (though this won't help if your DNS server is still holding the bad IP address in its own cache). The ultimate solution is to not rely on the DNS servers at all. Most anons have probably (by now) learned the trick of modifying the "hosts" file. These are the currently valid IP addresses for the site:

sys.8kun.top: 185.165.190.88

8kun.top, media.8kun.top, nerv.8kun.top, softserve.8kun.top:

94.103.81.80, 94.103.82.74, 94.103.94.73, 109.234.38.4, 193.178.169.19, 195.2.92.96, 195.2.93.193

DNS server IP addresses:

Cloudflare - 1.1.1.1 and 1.0.0.1, Google - 8.8.8.8 and 8.8.4.4, OpenDNS - 208.67.222.222 and 208.67.220.220

I am not providing any instructions on how to implement these solutions because that depends on what operating system you are on. Also, I have zero familiarity with phonefagging and I have no idea what can be done in that context. Do your own research to prepare yourself.

DNS fuckery: possible attack vectors

So what exploit could the black hats be using to target the DNS servers? I have no idea. I'm not an Internet expert so I can only take a guess. These two articles might be helpful:

https://en.wikipedia.org/wiki/dns_cache_poisoning

An anon posted this one: https://kb.isc.org/docs/cve-2021-25216

Interesting thing about the second article is the post date (April 28). This is just two days before I started noticing the fuckery. Holy hell. Is that a coincidence? To make matters even more spoopy, Dan Kaminsky died recently. He was an Internet security researcher and he gained prominence for his work on patching a DNS "cache poisoning" vulnerability in 2008. What was he working on recently? Something that somebody did not want to become public?

https://en.wikipedia.org/wiki/Dan_Kaminsky

That's all I got right now. Will update this post with more info if I find some.

DNS fuckery: investigation leads to a pair of servers in China

The situation came to my attention on April 30 and nothing has changed since. Random IP addresses for 8kun have been infecting DNS servers worldwide. It does not appear, at this point, that there is a "trap" waiting to be sprung. I finally decided to write a bot to poll the DNS servers in an effort to gather information which might lead to some theory of what is going on besides "black hats hacking the Internet".

I tested nearly 300 DNS servers and what I found was a huge discrepancy where some servers are badly poisoned at a rate as high as 30% and other servers at a rate of just 5% or less. It seems to be always the same servers affected at about the same rate. The problem is not worse by region or service provider so that seems to rule out the possibility that it is a targeted attack. What could be going on? I decided to learn more about how DNS works and find some way to trace the DNS lookups across the Internet to find out if there could be a specific server in the chain that might be at fault.

DNS works in a hierarchical fashion. There are 13 root servers which are the first step to resolving Top Level Domains (TLD) like "com" or "top". The root server returns a list of TLD servers which will either deliver the final result or a list of "authoritative" servers which must be queried next. Generally, you don't expect a final result from a TLD server and that would be a red flag if it happens. The next step, querying the authoritative server, is usually the final step which leads to one or more IP addresses as the answer to the original question. In the case of "8kun.top", the authoritative servers are "ns1.vanwanet.com" and "ns2.vanwanet.com". I tested these servers and found no instance of a bad IP address.

The TLD servers for the "top" domain are these:

a.zdnscloud.com (203.99.24.1), b.zdnscloud.com (203.99.25.1), c.zdnscloud.com (203.99.26.1), d.zdnscloud.com (203.99.27.1),

f.zdnscloud.com (114.67.16.204), g.zdnscloud.com (42.62.2.16), i.zdnscloud.com (IPv6 address), j.zdnscloud.com (IPv6 address)

Go here to perform the DNS trace: https://simpledns.plus/lookup-dg

Run the DNS trace a few times (just reload the page) until you see a message like this:

Received response:

-> Answer: A-record for 8kun.top = 199.96.58.177

*** Lame response - not authoritative and no referral

This happens ONLY with "f.zdnscloud.com" and "g.zdnscloud.com". These two servers are "ground zero" for the DNS fuckery.

Continued next post...

DNS fuckery: who in China wants to poison 8kun?

Use this tool to trace the IP addresses indicated in the previous post: https://www.whatismyip.net/

The 6 IP addresses to test are: 203.99.24.1 - 203.99.25.1 - 203.99.26.1 - 203.99.27.1 - 114.67.16.204 - 42.62.2.16

The first four servers are managed by Beijing Engineering Research Center. The last one is managed by China Telecommunications. The second last one (f.zdnscloud.com) is in question as to who really manages this server because I get different answers from other web sites. It appears to have originally been under VMware which owns a product called vCloud and which has a business relationship with China Telecom. I think it is safe to say that China Telecom runs this. Also, the server might be in Guangdong rather than Beijing. The details don't really matter. The fact is that "8kun.top" is at the mercy of Chinese goodwill for its DNS service. In other news, the DDoS protection service is located in Russia and the actual 8kun servers might be hidden on a pig farm in the Philippines. Seems pretty bizarre but the idea is to eliminate the possibility of a single entity taking the site down.

The next step in my investigation was to figure out just how to verify the fuckery on my own desktop rather than relying on web sites. It turns out that a tool called "nslookup" can do the job. Boom! Caught red-handed. The two servers (f.zdnscloud.com and g.zdnscloud.com) identified earlier in the investigation are undeniably the source of the DNS fuckery. I suppose the next step would be to notify 8kun management (meaning Jim Watkins) that this is happening so he can make a polite phone call to China and ask them to knock it off. Kek. Anyway, here's the command line:

nslookup -type=A 8kun.top a.zdnscloud.com

Try this with servers a,b,c,d to see what the DNS result should look like. Then try the f and g servers to see the fuckery. Every damn time, no matter which 8kun subdomain, the result is a random IP address. The servers are in charge of the following domains: baidu, citic, ren, sohu, top, unicom, wang and a bunch of weird ones. Try these domains that I dug up (brandon.wang, crackstreams.top, angebot.top) to see that the servers are doing what they are supposed to do. They're just not doing their job with 8kun. It appears that someone on the inside has inserted a rather sizable IP address list and then misconfigured the system to deliver IP addresses instead of links to the Vanwanet downstream servers. I suppose that this COULD have been pulled off from the outside but I don't think so.

Continued next post...

DNS fuckery: how bad is it and who is vulnerable?

Here's the math. We have two TLD servers handing out an IP address when they are supposed to be serving links for the Vanwanet DNS. With two bad servers out of six there is a 1 in 3 chance of a bad hit. A server that accepts the bogus response FAILS BIGLY. A smart server will try again with one of the other five servers. If it hits the other bad server then it may give up and accept the result. This is a 1 in 15 chance of a bogus IP address reaching the user. A very smart server will always get the correct result on the third try (error rate of zero). The math agrees with my observations when I polled the DNS servers with a bot though that doesn't totally explain everything just yet.

Many servers have an error rate much lower than 1 in 15 (but still greater than zero). This can be explained as a consequence of redundancy or workload mitigation. If the task of performing DNS lookups is parcelled out to several machines (connected to appear as a single server) then the error rate will be lowered by the fact that not all of the machines are vulnerable. It depends on what software the individual machines are running. This is just good network design since proper redundancy dictates diversity. A bad design would be all of the machines being the exact same. Analysis over.

I have tested all of the big public servers such as Google, Cloudflare, OpenDNS and Quad9. They have proven to be totally error-free or very nearly so. One, however, stands out as failing bigly and it is Yandex DNS (77.88.8.1 and 77.88.8.8). The failure rate is 1 in 3 and this can be easily verified if you care to change your DNS provider to Yandex. You may get lucky and be able to connect to 8kun but your luck is unlikely to last more than 15 minutes. It is BAAAAD! Yandex works very nicely otherwise. There are a bunch of Internet service providers that fail the test including Verizon, Shaw, Primus, Comcast and many smaller outfits. I don't intend to publish a list because only some of their DNS servers are vulnerable. For example, I tested 11 Verizon servers and only two of them failed. Servers are not created equal so it is impossible to lay blame on any particular ISP.

What's next? I don't know. If an insider did this to the two servers owned by China Telecom then that person might be unable to do the same to the other four because they are owned by a different entity. If it is an outside job then maybe the other four are not vulnerable to the exploit. Is this where it ends or will there be an attempt to elevate the threat? Is China Telecom even aware of this? Could Jim Watkins call them up and get the problem fixed? Maybe somebody should tell him. I leave that task to another anon. Maybe it would suffice to drop a note with Codemonkey.

Here's some additional resources till my next report:

Delegation Record for the "top" domain: https://www.iana.org/domains/root/db/top.html

Master root zone file (plain text): https://www.internic.net/domain/root.zone

Long time no update

My last post in this thread is dated May 28. That is nearly two months ago. My, how time flies! The reason that I haven't posted is because there is nothing to report. The situation remains exactly the same with those two compromised Chinese servers. If there is some sort of plan to take down 8kun via the DNS servers then I guess the plan is on hold or it has been abandoned.

By the way, you should check out my Kraker Local Proxy Server with the socks5 update. It's been available for a while and, so far, it is performing super-well for me. It can be used to bypass the DNS fuckery on 8kun as well as any other web site that gets hit. Remember, we are in a war. You should be ready for an Internet takedown by familiarizing yourself with how the Internet works and you should start using the tools that I'm offering.

Free yourself from the tyranny of comped web sites by learning how to bypass the fuckery.

Go here: https://archive.org/details/alleycat-player

not only seeding dns

but proxys are now pulling an 8kum.top page not found, go back to facebook

Thanks for the in depth info BO.

Run nslookup now (between 11:50 and 12:10 UTC+1), and got the following results:

Google DNS 3/5 times:

~ $ nslookup -type=A 8kun.top

Server: 8.8.8.8

Address: 8.8.8.8#53

Non-authoritative answer:

Name: 8kun.top

Address: 193.178.169.19

Name: 8kun.top

Address: 94.103.82.74

Name: 8kun.top

Address: 195.2.93.193

Name: 8kun.top

Address: 94.103.94.73

Name: 8kun.top

Address: 94.103.81.80

All of these you've mentioned in

>>971

as good ones, however 195.2.92.96 is missing (might just be based on my location?).

Google DNS 2/5 times:

~ $ nslookup -type=A 8kun.top

Server: 8.8.8.8

Address: 8.8.8.8#53

Non-authoritative answer:

Name: 8kun.top

Address: 108.160.166.142

Testing with yandex (77.88.8.1 and 77.88.8.8), most of the time I got same results, however I did get strange IPs:

With 77.88.8.1 on 5th attempt out of 5:

~ $ nslookup -type=A 8kun.top 77.88.8.1

Server: 77.88.8.1

Address: 77.88.8.1#53

Non-authoritative answer:

Name: 8kun.top

Address: 104.244.43.228

With 77.88.8.8 on 2nd attempt out of 3:

~ $ nslookup -type=A 8kun.top 77.88.8.8

Server: 77.88.8.8

Address: 77.88.8.8#53

Non-authoritative answer:

Name: 8kun.top

Address: 179.60.193.9

Seems the issue is still persisting. So I'll setup my hosts file on the PCs (these tests were done on android with termux).

>>1042

>however 195.2.92.96 is missing (might just be based on my location?).

Some months ago, there were 13 IP addresses for 8kun. The list has been whittled down gradually until there are only 5 right now. Thus, 195.2.92.96 is no longer valid.

>>1026

> You should be ready for an Internet takedown by familiarizing yourself with how the Internet works and you should start using the tools that I'm offering.

I'd like to do this. how can I confirm your files are not malicious?

You seem cool but I don't know you and just the fact that they're being distributed here makes them suspicious. Usually I trust open source because I can see if anyone found malware or something, this OTOH is open source that no one has heard of and tested.

>>1044

>how can I confirm your files are not malicious?

I have no idea unless you know how to read Javascript.

>this OTOH is open source that no one has heard of and tested

I wonder why. How many months must pass before somebody decides to take a hard look?

If you go on /qresearch/ to ask about this, you will likely get a dozen shills calling it malware. You are on your own, I'm afraid. All I can do is try to answer your questions.

>>1026

▶Board Owner 07/24/21 (Sat) 02:21:12 No.1026 >>1044

Long time no update

My last post in this thread is dated May 28. That is nearly two months ago. My, how time flies! The reason that I haven't posted is because there is nothing to report. The situation remains exactly the same with those two compromised Chinese servers. If there is some sort of plan to take down 8kun via the DNS servers then I guess the plan is on hold or it has been abandoned.

By the way, you should check out my Kraker Local Proxy Server with the socks5 update. It's been available for a while and, so far, it is performing super-well for me. It can be used to bypass the DNS fuckery on 8kun as well as any other web site that gets hit. Remember, we are in a war. You should be ready for an Internet takedown by familiarizing yourself with how the Internet works and you should start using the tools that I'm offering.

Free yourself from the tyranny of comped web sites by learning how to bypass the fuckery.

Go here: https://archive.org/details/alleycat-player

BOARD OWNER POST - NOT FLASHING SO MAY NOT BE HIM, OTHER ANONS CAN ENLIGHTEN

>>1046

>BOARD OWNER POST - NOT FLASHING SO MAY NOT BE HIM, OTHER ANONS CAN ENLIGHTEN

The name field is disabled. Only the owner can type a name. That means that I don't need the flashing board owner tag to identify myself. 99% of the posts on this board are mine. Would be annoying if every post had a flashing name tag on it.

>>1048

Happening here too. The "src" attribute is not present so thumbs won't load but the link to the original image is still there.

Images are visible with the 8kun Bread Launcher due to how the code resolves thumbnails from the "href" link instead of the "src" link.

Something big is on the horizon.

image haaaxx for /qresearch/ board only?

>>1050

The entire site is affected, not just QR. Anyway, everything has changed since the previous posts on the image issue. Images are now coming from a new domain (images.128ducks.com). That domain is a Cloudflare client, I might add. Problems with Vanwanet?

Hello. Testing the new version of the 8kun Bread Launcher.

Really looks like a problem that only zdnscloud can fix. Or maybe the .top top level domain registrar could stop referencing the bad servers.

Since none of us are directly their customers, the only person who can legitimately complain from a business perspective is the person who registered the 8kun.top domain name. They need to get their registrar to complain to the .top domain registrar about their nameservers that have gone rogue... unless we can identify a support contact for whoever runs .top

Thanks for coming to my TED talk.

Excellent found you again.

>>1055

Your banned TED talks are famous!

Thanks BO

Good reads

>>1055

>somebody subscribed to your newsletter!

haven't gotten a bogon-IP in weeks