Domain redirect

I was just reading about a malicious URL redirect – something along the lines of an existing site like “mycoolstuff•com” where someone who hates the owner bought “assholegarbage•com” and set up DNS to point their domain to the mycoolstuff site. My question is, can the targeted site see the “assholegarbage” redirect in the IP request headers and reject it so that the redirect fails? Is there another way to block this kind of mischief?

Yeah, that’s pretty simple to set up in Apache, though I couldn’t tell you the specific code to do it. A common non-malicious example is setting up different low-traffic sites to run on the same server and then directing the domains to different virtual hosts on the main host server.

That does not quite address my question, though. Can the server observe that a header is a redirect?

I don’t believe that the destination can see that it was a redirect, but the HTTP referer is often populated with the sender. They can send that as a blank, but I don’t see that done very often. If they do, you could always just not accept empty HTTP referer traffic, but this would preclude someone from coming to your site on a freshly opened browser tab.

Typically, when I hear of malicious redirects, it’s someone embedding code on your site that redirects to their site, not the other way around. If someone wants to send me traffic, ummm, thanks?

The specific mechanism used by a recent instance of this is that “assholegarbage•com” returns an HTTP 302 status code pointing to “mycoolstuff•com”. This is supposed to indicate that a resource has temporarily moved.

The browser is supposed to react to this by sending an identical request to the new location, so if a conforming browser is used, the target would not know that the new request is the result of a redirect, since the new request is from the same source and contains the same content.

A DNS change is different from a redirect. A DNS change points a name directly to the destination IP, whereas a redirect starts by fetching a response from some other source, which then directs the browser to go somewhere else.

Both cases can be detected. The “Host” element in the HTTP request header tells the server the hostname and port that the user requested, so that’s the one you would filter on for a DNS change.
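
The Host-header filter described above for the DNS case, sketched as WSGI middleware. This is an added example, not code from the thread; the site names `mycoolstuff.example` and `www.mycoolstuff.example`, the helper names, and the choice of a 421 response are assumptions.

```python
# Added example: reject requests whose Host header is not one of the site's own names.
ALLOWED_HOSTS = {"mycoolstuff.example", "www.mycoolstuff.example"}  # assumed names

def normalize_host(raw):
    """Return the lowercase hostname from a Host header value, or None if unusable."""
    if not raw:
        return None
    name, _, port = raw.strip().lower().partition(":")
    if port and not port.isdigit():   # malformed port, or an IPv6 literal we do not serve
        return None
    return name.rstrip(".") or None   # "example.com." and "example.com" are the same name

class HostAllowlist:
    """WSGI middleware that only passes requests addressed to an allowed hostname."""
    def __init__(self, app, allowed=ALLOWED_HOSTS):
        self.app = app
        self.allowed = frozenset(allowed)

    def __call__(self, environ, start_response):
        host = normalize_host(environ.get("HTTP_HOST"))
        if host not in self.allowed:
            body = b"Unknown host\n"
            start_response("421 Misdirected Request",
                           [("Content-Type", "text/plain"),
                            ("Content-Length", str(len(body)))])
            return [body]
        return self.app(environ, start_response)

def site(environ, start_response):
    """Stand-in for the real application."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"welcome\n"]

def status_for(host_header):
    """Run one constructed request through the filter and return its status line."""
    seen = []
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/"}
    if host_header is not None:
        environ["HTTP_HOST"] = host_header
    list(HostAllowlist(site)(environ, lambda status, headers: seen.append(status)))
    return seen[0]

if __name__ == "__main__":
    # Constructed Host values: the site's own name, a foreign name pointed at it, no header.
    for value in ("mycoolstuff.example", "unwanted-name.example", None):
        print(repr(value), "->", status_for(value))
```

This only covers a foreign name whose DNS record points at the server; after a 302 the browser requests the real hostname, so the Host header looks normal.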