Security – Apache: Scammers point dozens of domain names at the dedicated IP. How to prevent this

apache-2.2, domain-name-system, security

For the sake of discussion, pretend that I have an Apache webserver which serves a website at www.example.org. This domain name resolves to the public IP address at 192.168.1.100 (pretend this is a public IP).

The discussion at "Is there anything I can do about someone who has pointed their domain at my ip?" demonstrates that anyone can point their domain at my IP. Apache won't prevent this by default, but an administrator can deal with these one at a time through use of a blacklist.

However, it's becoming more common for scammers to register dozens of domains (or more) for use in a scam. I'm concerned about the following possible attack:

  1. A scammer registers hundreds of domain names, and points them at my dedicated IP address.
  2. The scammer directs search engines at their scam domains, thus using my content to increase their standing in the search engines.
  3. Later, the scammer moves their domain names to point to their own servers which host a scam/porn, or a competing business, etc., thereby reaping the benefits of their standing in the search engines. Some of these domains might be used in comment spam as well.
  4. Profit!!

I believe I have seen scammers using this trick in the past, involving dozens of domains. We didn't realize the scam implications at the time, and assumed these were misconfigured domains.

Is there a term for this nefarious SEO trick? SEO masquerading? DNS Diversion?

How could I prevent this using Apache? I'm considering a "whitelist" fix based on using default VirtualHosts, ServerNames & ServerAliases so that Apache only responds to requests where these white-listed ServerNames appear in the "Host: " header. Everything else would be rejected (or redirected to a particular page). However, I am unsure if this is the best approach.

For example, I've configured the domain http://thisisnotserverfault.stefanco.com/ to point at the IP for Serverfault.com. You can see the results here: http://thisisnotserverfault.stefanco.com/ .

Best Answer

I would set up NameVirtualHost entries for all your own domain entries and have anything not matching those get an explanation page (which is what you have demonstrated from Serverfault). Reference: http://httpd.apache.org/docs/2.0/vhosts/name-based.html
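
A minimal Apache 2.2 layout for the approach described in the answer above, as an added example that is not part of the original answer. The placeholder name `default.invalid`, the `ServerAlias`, the file paths, the log format and the choice of a 404 status are assumptions.

```apache
# Apache 2.2 name-based virtual hosting on the address from the question.
NameVirtualHost 192.168.1.100:80

# 1) Catch-all. Apache uses the FIRST vhost defined for an address:port as
#    the default, so any request whose Host header matches no ServerName or
#    ServerAlias below (or that sends no Host header at all) lands here.
<VirtualHost 192.168.1.100:80>
    # Placeholder name (assumption); it only needs to differ from real sites.
    ServerName default.invalid

    # Answer every path with 404 and a short explanation, so none of the
    # real site's content is served (or indexed) under a foreign hostname.
    Redirect 404 /
    ErrorDocument 404 "This hostname is not served from this address."

    # Record the Host header first, so the foreign domains pointed at this
    # IP can be listed from the log (path and format are assumptions).
    CustomLog logs/unknown_host_access.log "%{Host}i %h %t \"%r\" %>s"
</VirtualHost>

# 2) The real site. Only the names listed here receive its content.
<VirtualHost 192.168.1.100:80>
    ServerName www.example.org
    # Assumed additional name for the same site.
    ServerAlias example.org
    # Assumed content location.
    DocumentRoot /var/www/example.org
</VirtualHost>
```

Running `apachectl -S` prints the parsed virtual host table and marks which vhost is the default server for each address and port, which confirms the catch-all is the one listed first.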
