keyserver traffic hijacking?

Ludwig Hügelschäfer mlisten at hammernoch.net
Sat Aug 30 13:09:05 CEST 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi,

Lawrence Chin wrote on 30.08.2008 6:23 Uhr:
> Hi everyone.
> 
> I've been confused about one thing. Several days ago when I typed in the
> url http://pool.sks-keyservers.net into my browser, this website called
> www.kim-minh.com kept popping up instead and wouldn't let me go to
> pool.sks-keyservers.net. Is this some sort of traffic hijacking or what?
> Did anyone see the same thing?

pool.sks-keyservers.net isn't a single machine. As the name indicates,
it is a pool of machines. Which one you get out of this pool is more or
less random.

If you lookup the IP-address of pool.sks-keyservers.net you get

pool.sks-keyservers.net. 28800 IN A 195.113.19.83
pool.sks-keyservers.net. 28800 IN A 202.191.99.51
pool.sks-keyservers.net. 28800 IN A 195.111.98.30
pool.sks-keyservers.net. 28800 IN A 66.163.18.195
pool.sks-keyservers.net. 28800 IN A 78.47.223.101
pool.sks-keyservers.net. 28800 IN A 216.215.6.39
pool.sks-keyservers.net. 28800 IN A 91.121.167.18
pool.sks-keyservers.net. 28800 IN A 86.59.21.34
pool.sks-keyservers.net. 28800 IN A 193.174.13.74
pool.sks-keyservers.net. 28800 IN A 64.71.173.107
pool.sks-keyservers.net. 28800 IN A 194.171.167.147
pool.sks-keyservers.net. 28800 IN A 213.239.210.122
pool.sks-keyservers.net. 28800 IN A 72.190.107.50
pool.sks-keyservers.net. 28800 IN A 128.220.220.244
pool.sks-keyservers.net. 28800 IN A 212.227.108.151
pool.sks-keyservers.net. 28800 IN A 213.239.212.133
pool.sks-keyservers.net. 28800 IN A 85.214.20.227
pool.sks-keyservers.net. 28800 IN A 213.146.108.162
pool.sks-keyservers.net. 28800 IN A 195.22.207.161
pool.sks-keyservers.net. 28800 IN A 64.71.173.98

If you lookup www.kim-minh.com you get

www.kim-minh.com.	43200 IN CNAME kim.kim-minh.com.
kim.kim-minh.com.	43200 IN A 91.121.167.18

so that's one of the above addresses for pool.sks-keyservers.net

If you go to http://91.121.167.18, you end up in a web-interface that
looks like a key lookup or trust chain lookup. It's in French, so I'm
not 100% sure.

Port 11371 for HKP is open, so there seems to be a keyserver implemented.

However, the command

gpg --keyserver hkp://91.121.167.1 --recv-key 0xdeadbeef

fails with a timeout, so there may be a temporary network problem.

All in all there is no sign of DNS poisoning or traffic hijacking in my
eyes.

HTH

Ludwig
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

-----END PGP SIGNATURE-----
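The check Ludwig walks through above (resolve the pool, resolve the suspicious name, see whether the latter lands on a pool member), as an added example that is not part of the original post. It parses dig-style answer lines; the records embedded below are constructed from the ones quoted in the mail (three of the pool's A records plus the CNAME chain), so it runs offline. For a live check, feed it the output of `dig +noall +answer` for each name.

```python
# Added example: does a hostname's answer chain end on a member of a DNS pool?
# Input lines are in dig's answer format: "owner TTL class type rdata".
from collections import defaultdict

# Constructed from the records quoted in the mail (subset of the pool).
POOL_ANSWERS = """\
pool.sks-keyservers.net. 28800 IN A 195.113.19.83
pool.sks-keyservers.net. 28800 IN A 91.121.167.18
pool.sks-keyservers.net. 28800 IN A 64.71.173.98
"""
SITE_ANSWERS = """\
www.kim-minh.com.\t43200 IN CNAME kim.kim-minh.com.
kim.kim-minh.com.\t43200 IN A 91.121.167.18
"""

def _fqdn(name):
    """Normalise a name to lowercase with exactly one trailing dot."""
    return name.lower().rstrip(".") + "."

def parse_answers(text):
    """Return {owner: [(type, rdata), ...]} from dig-style answer lines."""
    records = defaultdict(list)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[2] != "IN":
            continue  # blank line or something that is not an answer record
        owner, _ttl, _cls, rtype, rdata = fields[:5]
        records[_fqdn(owner)].append((rtype.upper(), rdata))
    return dict(records)

def resolve_a(records, name, max_hops=8):
    """Follow CNAMEs inside the answer set and return the final A addresses."""
    name = _fqdn(name)
    for _ in range(max_hops):
        rrs = records.get(name, [])
        addrs = {rdata for rtype, rdata in rrs if rtype == "A"}
        if addrs:
            return addrs
        cnames = [rdata for rtype, rdata in rrs if rtype == "CNAME"]
        if not cnames:
            return set()  # dead end: no A and no CNAME for this owner
        name = _fqdn(cnames[0])
    raise ValueError("CNAME chain too long or looping at %s" % name)

def pool_members_hit(pool_text, site_text, pool_name, site_name):
    """Addresses site_name resolves to that are also members of pool_name."""
    pool = resolve_a(parse_answers(pool_text), pool_name)
    site = resolve_a(parse_answers(site_text), site_name)
    return sorted(site & pool)

if __name__ == "__main__":
    hit = pool_members_hit(POOL_ANSWERS, SITE_ANSWERS,
                           "pool.sks-keyservers.net", "www.kim-minh.com")
    print("pool member(s) behind www.kim-minh.com:", hit or "none")
```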