Initial Situation
On June 20, we received several reports from customers who could no longer reach our cloud. A closer look at the situation revealed that requests to DRACOON were being blocked by the IP-based geoblocking filter of their firewalls, because the destination was classified as being located in Jordan.
The Analysis
Our team immediately started an analysis together with our customers to rule out possible DNS-based attacks. The analysis revealed that at least one geolocation service provider is currently incorrectly assigning the IP address of our central cloud, 141.95.22.201, to Jordan. Users of Sophos and Watchguard firewalls are particularly affected.
Next steps
Our analysis is that this is not a DNS-based attack on our customers, but an incorrect entry in an IP geolocation database that was probably automatically sent to various firewalls. If your geolocation blocker is preventing connections to DRACOON, please take the following steps:
- Check whether the DNS resolution of your DRACOON instance correctly points to the IP address 141.95.22.201. You can determine this, for example, by calling
  nslookup your-dracoon.domain.com
  in the terminal.
- Adjust the Geo-IP filter in your firewall to define an exception for the IP address 141.95.22.201. For details on how to do this, please refer to your firewall vendor's documentation.
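The DNS check from the first step can also be scripted so that it runs the same way on every affected client. This is an added example, not DRACOON's own tooling; the function names and status labels are assumptions made for illustration, and the hostname is the placeholder used above.

```python
import ipaddress
import socket
import sys

EXPECTED_IP = "141.95.22.201"  # central cloud address stated in this article


def system_resolver(hostname):
    """Return every address the local resolver gives for hostname."""
    infos = socket.getaddrinfo(hostname, 443, proto=socket.IPPROTO_TCP)
    return {info[4][0] for info in infos}


def check_resolution(hostname, expected=EXPECTED_IP, resolver=system_resolver):
    """Compare the DNS answer for hostname with the expected address.

    Returns (status, addresses). Status values (names chosen for this example):
      ok         - only the expected address is returned; a blocked
                   connection then points at the Geo-IP filter
      mixed      - expected address plus others (e.g. an IPv6 record)
      mismatch   - expected address missing; check DNS before adding
                   any firewall exception
      unresolved - the name did not resolve
    """
    want = ipaddress.ip_address(expected)
    try:
        raw = resolver(hostname)
    except socket.gaierror:
        return "unresolved", []
    # Parse to address objects so textual variants compare equal.
    got = sorted({ipaddress.ip_address(a) for a in raw},
                 key=lambda a: (a.version, int(a)))
    if not got:
        return "unresolved", []
    addrs = [str(a) for a in got]
    if got == [want]:
        return "ok", addrs
    return ("mixed" if want in got else "mismatch"), addrs


if __name__ == "__main__":
    # Placeholder hostname from the article; pass your own instance name.
    host = sys.argv[1] if len(sys.argv) > 1 else "your-dracoon.domain.com"
    status, addrs = check_resolution(host)
    print(f"{host}: {status} {', '.join(addrs) or '-'}")
    sys.exit(0 if status == "ok" else 1)
```

Only an `ok` result supports going straight to the Geo-IP exception; any other status means the DNS answer itself should be examined first.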
At no time were our customers at risk. It was not an attack, but the problem resulted from incorrect entries in the geolocation database of a provider. DRACOON had no influence on the entry and has already reported the incorrect information to the manufacturers of the affected firewalls.