Somebody else has registered a name pointing to my webserver's IP address in the .ma TLD.
My domain foo.bar -> my ip address 1.2.3.4
Somebody defined:
suspiciousdomain.ma -> my ip address 1.2.3.4
So this looks like the reverse of typical DNS spoofing.
Questions:
Is this preparation for some other attack? Like, people log into the suspiciousdomain.ma website, then suspiciousdomain.ma changes the IP address after some time and redirects traffic to a "man in the middle" server used for stealing credentials?
What is the best way to prevent this?
I was thinking about blocking HTTP requests based on the Host: header (that is, rejecting all the HTTP requests that do not have the Host: foo.bar header set). Would this be effective, that is, is there no reasonable way that attackers could abuse it? (Is that header set by the browser?)
Embedding JavaScript code in the page to prevent this would not necessarily be effective, since the attackers could after all delete this code when they switch DNS to the "man in the middle" server address.
You can easily prevent this at the webserver level by explicitly defining your ServerName directives. Non-matching hosts would simply be funneled to the default page (or whatever you choose). It is possible to fool the Host: header, but this prevents the most common ways. More damaging is that the suspicious domain will duplicate content on your domain, which hurts SEO ratings (search engines hate duplicate websites), so the Apache fix would do the trick.