NitpickLawyer 9 hours ago

Not sure why they made the connection to sentry.io and not with CT logs. My first thought was that "*.some-subdomain." got added to the CT logs and someone is scanning *. with well known hosts, of which "nas" would be one. Curious if they have more insights into sentry.io leaking and where it leaks to...

jraph 9 hours ago

That hypothesis seems less likely and more complicated than the sentry one.

Scanning wildcards for well-known subdomains seems both quite specific and rather costly for unclear benefits.

flexagoon 3 hours ago

Bots regularly try to bruteforce domain paths to find things like /wp-admin; bruteforcing subdomains isn't any more complicated.

jraph 3 hours ago

> Bots regularly try to bruteforce domain paths to find things like /wp-admin

Sure, when WordPress powers 45% of all websites, your odds of reaching something by hitting /wp-admin are high.

The space of all the possible unknown subdomains is way bigger than a few well known paths you can attack.

rawling 8 hours ago

I feel like the author would have noticed and said so if she was getting logs for more than just the one host.

A1kmm 8 hours ago

But she mentioned: 1) it isn't in DNS, only in /etc/hosts, and 2) they are making a connection to it. So they'd need to get the IP address to connect to from somewhere as well.

jeroenhd 8 hours ago

From the article:

> You're able to see this because you set up a wildcard DNS entry for the whole ".nothing-special.whatever.example.com" space pointing at a machine you control just in case something leaks. And, well, something *did* leak.

They don't need the IP address itself; it sounds like they're not even connecting to the same host.
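A defender-side illustration of what the wildcard catch-all quoted above buys you, added here as an example and not code from the thread or the article: if the catch-all machine logs the Host header of every request it receives, a short script can pull out the hostnames under the zone that you never published, which is exactly how an internal name such as "nas" shows up. The zone name is taken from the quoted article; the log format, the sample lines, the client addresses and the list of known hostnames are constructed assumptions.

```python
"""Spot internal hostnames that leak into a wildcard catch-all zone.

Added example, not from the thread. Assumes "*.nothing-special.whatever.example.com"
(zone name from the quoted article) points at a machine you control whose web server
logs the client address and the Host header. The log format and the sample lines
below are constructed for this example.
"""
import re
from collections import defaultdict

CATCHALL_ZONE = "nothing-special.whatever.example.com"
# Hostnames you knowingly publish under the zone (assumed list).
KNOWN_HOSTS = {"www.nothing-special.whatever.example.com"}

# Constructed log format: <client-ip> <iso-timestamp> "<Host header>" <path>
LOG_LINE = re.compile(r'^(?P<client>\S+) (?P<ts>\S+) "(?P<host>[^"]*)" (?P<path>\S+)$')

# Constructed sample traffic: one expected host, one leaked internal name
# hit from two clients (one with a port suffix, one with odd casing),
# and one request for a host outside the zone.
SAMPLE_LOG = """\
203.0.113.7 2024-05-01T10:00:01Z "www.nothing-special.whatever.example.com" /
198.51.100.23 2024-05-01T10:02:17Z "nas.nothing-special.whatever.example.com:8443" /
198.51.100.23 2024-05-01T10:02:18Z "nas.nothing-special.whatever.example.com:8443" /health
192.0.2.9 2024-05-01T10:05:44Z "Nas.Nothing-Special.Whatever.Example.com" /
192.0.2.9 2024-05-01T10:06:00Z "unrelated.example.org" /
"""


def normalize_host(raw):
    """Lower-case the Host header, drop a trailing dot and any :port suffix."""
    host = raw.strip().lower().rstrip(".")
    if host.startswith("[") and "]" in host:  # bracketed IPv6 literal, e.g. [::1]:443
        return host[: host.index("]") + 1]
    return host.split(":", 1)[0]


def in_zone(host, zone=CATCHALL_ZONE):
    """True if host is strictly below the catch-all zone (the apex itself is not a leak)."""
    return host.endswith("." + zone)


def find_leaks(log_text, known=KNOWN_HOSTS, zone=CATCHALL_ZONE):
    """Map each unpublished hostname under the zone to the sorted list of
    client addresses that asked for it."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        host = normalize_host(m.group("host"))
        if in_zone(host, zone) and host not in known:
            hits[host].add(m.group("client"))
    return {h: sorted(c) for h, c in hits.items()}


if __name__ == "__main__":
    for host, clients in find_leaks(SAMPLE_LOG).items():
        print(f"{host}: requested by {', '.join(clients)}")
```

Running it on the constructed log reports only `nas.nothing-special.whatever.example.com`, with both client addresses; the published `www` host and the out-of-zone request are ignored. Normalising case and stripping the port matters because the same leaked name can arrive in several spellings and would otherwise be counted as separate hosts.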

bardsore 8 hours ago

Unless she hosts her own cert authority or is using a self-signed cert, the wildcard cert she mentions is visible to the public on sites such as https://crt.sh/.

heipei 5 hours ago

Yes, the wildcard cert, but not the actual hostname under that wildcard.

imtringued 6 hours ago

Because sentry.io is a commercial application monitoring tool which has zero incentive to do any kind of application monitoring for non-paying customers. That's just costs without benefits.

You now have to argue that a random third party is using and therefore paying sentry.io to do monitoring of random subdomains for the dubious benefit of knowing that the domain exists even though they are paying for something that is way more expensive.

It's far more likely that the NAS vendor integrated sentry.io into the web interface and sentry.io is simply trying to communicate with monitoring endpoints that are part of said integration.

From the perspective of the NAS vendor, the benefits of analytics are obvious. Since there is no central NAS server where all the logs are gathered, they would have to ask users to send the error logs manually, which is unreliable. Instead of waiting for users to report errors, the NAS vendor decided to be proactive and send error logs to a central service.