Wednesday, November 21, 2012

A follow up to "Traveler traffic you don't want."

OK, we went back to the office and reproduced the strange issue blogged about yesterday.

So here's the problem reproduced; the time-stamps show the sequence of events.

Created a test user and set up Traveler access for this user's iPhone, with sync set to "PUSH". Everything works well at this point.

Now, added the person to the Deny Access Group. The Person Doc and mail file are still on the server at this stage.

In Domlog we now see this: the constant device attempts at syncing with Traveler show Access Denied, as expected.

So now we remove the Person Document to simulate the strange issue we noticed, and we now get this.

Opening one of the log documents shows an apparently Authenticated user and Request fulfilled messages in Domlog.

The no-longer-present-in-the-Directory user's iPhone continued to hammer the server with requests until the manual removal of the Active-Sync profile from the device finally silenced it.

Wonder how many Organisations have this exact scenario going on but are just unaware of it because they don't have http logging (Domlog) set up or just don't ever check it?
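One way to catch this pattern without reading the log by hand, as an added example that is not from the post: it scans HTTP log lines for Traveler requests answered 200 for a user who is no longer in the Directory (or who sits in the Deny Access group). The log lines, names, IP addresses and the Traveler URL prefix are constructed assumptions, and the Directory lookup is simulated with a set.

```python
import re

# Constructed sample lines in the Common Log Format Domino writes when text
# HTTP logging is on (Domlog.nsf holds the same fields as documents).
# The names, IPs and the Traveler ActiveSync path are assumptions.
SAMPLE_LOG = """\
10.0.0.5 - "CN=Test User/O=Example" [21/Nov/2012:10:02:11 +0000] "POST /traveler/Microsoft-Server-ActiveSync?Cmd=Ping HTTP/1.1" 401 0
10.0.0.5 - "CN=Test User/O=Example" [21/Nov/2012:10:15:40 +0000] "POST /traveler/Microsoft-Server-ActiveSync?Cmd=Ping HTTP/1.1" 200 13
10.0.0.5 - "CN=Test User/O=Example" [21/Nov/2012:10:16:10 +0000] "POST /traveler/Microsoft-Server-ActiveSync?Cmd=Sync HTTP/1.1" 200 412
10.0.0.9 - "CN=Jane Doe/O=Example" [21/Nov/2012:10:16:12 +0000] "POST /traveler/Microsoft-Server-ActiveSync?Cmd=Sync HTTP/1.1" 200 902
10.0.0.7 - - [21/Nov/2012:10:17:00 +0000] "GET /names.nsf?Open HTTP/1.1" 200 5120
"""

# Current Directory state (constructed): Test User's Person document has been
# deleted, which is the situation the post reproduces.
DIRECTORY_USERS = {"CN=Jane Doe/O=Example"}
DENY_ACCESS_GROUP = set()
TRAVELER_PREFIX = "/traveler/"  # assumed prefix of the Traveler sync URL

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?:"(?P<user>[^"]*)"|-) \[[^\]]+\] '
    r'"\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

def parse_line(line):
    """Return ip, user (None when anonymous), path and status, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "user": m["user"],
            "path": m["path"], "status": int(m["status"])}

def find_orphaned_sync(log_text, directory_users, deny_group):
    """Flag Traveler requests answered 200 for a user the server should have
    refused: absent from the Directory, or in the Deny Access group."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if (not rec or rec["user"] is None or rec["status"] != 200
                or not rec["path"].startswith(TRAVELER_PREFIX)):
            continue
        if rec["user"] not in directory_users:
            rec["reason"] = "user not in Directory"
        elif rec["user"] in deny_group:
            rec["reason"] = "user in Deny Access group"
        else:
            continue
        findings.append(rec)
    return findings
```

Run on a real export, the same check against the live Directory (or a nightly dump of it) turns the "200 OK for a nonexistent user" case into a ticket instead of a line nobody reads.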


Dragon Cotterill said...

"or just don't ever check it?"

And therein lies the problem. Any given log file could have hundreds or thousands of requests a day. Would you want to read all those log entries? I wouldn't.
But it can be automated. I've created a very basic analyser which pattern matches requests to remove valid database accesses (based on whatever you have in your Internet settings in the Directory) and then works out valid requests. It catches people who cross-load your graphics onto other websites (checks Referrer) and a lot of automated attacks (script-kiddy-style PHP/Apache attacks). But it has issues when people use attacks specifically designed against Domino servers. This sort of thing can only be detected by correctly writing defensive designs, i.e. $$ViewTemplateDefault should actually be a tripwire to catch attackers, as per my UKLUG talk.

Adam Osborne said...

Hi Dragon,

Thanks for your response.

What we don't like is that it reports a 200 OK for a user that does not exist. I think this is a bug. Agents looking for problems might think this is OK.

Is your UKLUG talk available on the net?

Dragon Cotterill said...

No, that talk is not available on the net. Technically it's illegal (at least in the UK) because it gives details on how to hack a Domino server.