Category Archives: Protocol Security

On 31 March 2012 Anonymous will not shut the Internet down

There have been recent Pastebins and postings on Reddit claiming that Anonymous will shut down the internet on 31/03/2012 by a DDoS attack against the 13 ROOT DNS servers. If only it were that easy to “shut off” the internet, but it is not.

Let me explain a bit, and please post comments and review Dan Kaminsky’s blog on this and related topics.

There are more than 13 DNS servers at the ROOT level which offer DNS services. “There are currently 13 root name servers specified, with names in the form letter.root-servers.net, where letter ranges from A to M. This does not mean there are 13 physical servers” (from Wikipedia).

  1. The entire DNS infrastructure does not operate only on IP version 4. The only addresses listed in the announcement for Operation Blackout are IP version 4 addresses.
    1. We use IPv6 in most of Asia, for example. The Pastebin stated the operation would use static IP addresses so the attack could execute unchecked, yet it left out the entire IPv6 ROOT DNS infrastructure.
    2. There are alternate DNS roots/internets.
  2. There are more than 13 ROOT DNS servers.
    1. Below is a map of the publicly known ROOT DNS servers, both IPv4 and IPv6. You might notice there are many more than 13 physical ROOT servers behind the letters; the DNS infrastructure has redundancy.
  3. DNS reflective attacks don’t affect DNSSEC ROOT servers in the method contained in the Pastebin.
    1. Many of the IPv4 DNS ROOT addresses have already switched over to DNSSEC. DNSSEC provides Data Origin Authentication and Data Integrity among other security features. In previous years the DNS protocol might have allowed such attacks to be successful, but this is no longer a major threat.
  4. The attack is based on a spoofed/false source IP address.
    1. There are many security applications which detect spoofed source IPv4 addresses, sometimes based on an incorrect checksum which the provided script does not “correct”. Security and other controls normally drop packets from suspected spoofed traffic.
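As an added example that is not part of the original post, the following Python shows what the header checksum check mentioned in point 4 actually tests: an IPv4 header whose source address was rewritten without recomputing the RFC 1071 checksum no longer sums to 0xFFFF, and a control that validates the header drops it. The packet bytes and the addresses (TEST-NET documentation ranges) are constructed for the example.

```python
"""IPv4 header checksum verification (RFC 1071). Added example, not code from the original post."""
import struct


def ones_complement_sum(data: bytes) -> int:
    """Sum 16-bit big-endian words with end-around carry, as RFC 1071 specifies."""
    if len(data) % 2:
        data += b"\x00"  # pad an odd trailing byte
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def ipv4_header_checksum(header: bytes) -> int:
    """Checksum a header computes over itself with the checksum field (bytes 10-11) zeroed."""
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    return (~ones_complement_sum(zeroed)) & 0xFFFF


def ipv4_header_is_valid(header: bytes) -> bool:
    """A consistent header, checksum field included, sums to 0xFFFF; anything else is malformed."""
    ihl = header[0] & 0x0F
    if (header[0] >> 4) != 4 or ihl < 5 or len(header) < ihl * 4:
        return False
    return ones_complement_sum(header[: ihl * 4]) == 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int, proto: int = 17) -> bytes:
    """Construct a minimal 20-byte IPv4 header with a correct checksum (sample data for the example)."""

    def ip_bytes(addr: str) -> bytes:
        return bytes(int(x) for x in addr.split("."))

    hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + payload_len, 0x1234, 0x4000, 64, proto, 0, ip_bytes(src), ip_bytes(dst),
    )
    return hdr[:10] + struct.pack("!H", ipv4_header_checksum(hdr)) + hdr[12:]


# Constructed sample: a correct header, and a copy whose source address (bytes 12-15)
# was overwritten without recomputing the checksum, as a careless spoofing script would.
GOOD = build_ipv4_header("192.0.2.10", "198.51.100.53", 40)
TAMPERED = GOOD[:12] + bytes([203, 0, 113, 7]) + GOOD[16:]


def filter_decision(header: bytes) -> str:
    """What a header-validating control does with the packet."""
    return "accept" if ipv4_header_is_valid(header) else "drop"


if __name__ == "__main__":
    print("good header   :", filter_decision(GOOD))
    print("tampered header:", filter_decision(TAMPERED))
```

Note that a spoofing tool that recomputes the checksum produces a header that passes this check, which is why the post's point 4 says "sometimes": checksum validation catches sloppy tooling, and ingress filtering on source address is the control that addresses spoofing itself.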

[Map: publicly known ROOT DNS servers, IPv4 and IPv6. Source: Google Maps from http://root-servers.org/]

I hope this helps clarify the sensationalism regarding this topic. If you have more information or a better way to describe the issue, please post or comment.


FBI DNS Changer Deadline Extended to 9 July, 2012

The US FBI was granted an extension of the court order to maintain control of the DNS Changer IP ranges until 9 July, 2012. This extension was granted because of the large number of computers and routers which were still making DNS requests to these IP ranges. According to The Register, a research group called IID found that about 18.8% of the US Fortune 500 companies surveyed were affected as of 23/02/2012. This is a substantial decrease, down from 50% of US Fortune 500 companies in January 2012 based on a previous study by IID.
The FBI court order might not be extended again due to substantial decreases in the number of USA-based suspected infections. Conversely, our group has observed suspected infections in approximately 25% of the networks we advise and consult for in Europe, Africa, the Middle East and Asia Pacific. The infections in the USA might be dropping; however, too many non-USA geo-located IPv4 sources remain infected. The majority of identified assets were fully updated and patched endpoint assets, critical servers with up-to-date anti-virus software, or routers with modified configuration files.

Why do so many suspected infections remain? 

  1. Over-reliance on anti-virus software.
    1. A clean anti-virus scan does not equate to a clean asset; it just means that version and vendor of anti-virus was unable to find an infection at this time. Malware can be written specifically to evade or disable certain features of anti-virus software.
  2. Inability to understand the risks of allowing external DNS requests to untrusted locations.
    1. You wouldn’t knowingly ask the enemy for directions to your own ambush. The same principle applies to allowing, or not investigating, external DNS requests to untrusted or suspected malicious DNS servers.
    2. Also, just because a firewall dropped outbound activity does not mean there is no risk to the network. You still have a suspected infected machine that requires investigation.
  3. Inability to find the endpoints due to short TTLs in large DHCP-based networks or other issues.
    1. Finding endpoints has been a big challenge for our clients. Their networks have grown or merged, in many cases without full documentation or change control. This is a huge security gap for many, but one that can be easily remedied through documentation and network mapping applications.
  4. Lack of time or fiscal budget to properly review logs.
    1. Please review your firewall and proxy drops; this is very, very important.

If your organization has assets making DNS requests to the FBI-controlled IP ranges related to the DNS Changer, they need to be investigated. In large networks with many possible infections we start in the following order:

  1. Revise firewall or other perimeter controls to stop more assets from making suspect requests, i.e. close the hole.
  2. Investigate all assets which successfully made DNS requests.
  3. Investigate assets attempting to make DNS requests, by frequency and criticality of the asset.
    1. If the asset in question is a critical router or server, especially a DNS server, open an incident immediately, as further compromise of the network is suspected.
    2. If one asset is making 1000 DNS requests while another made 25, investigate the more active asset first.
    3. Review the configuration file of routers which might be compromised and check the DNS settings.


Source: http://www.fbi.gov/news/stories/2011/november/malware_110911/DNS-changer-malware.pdf


Reporting can be your friend and can lead to pro-activity, i.e. don’t wait for your anti-virus to alert you to an infected machine. For example, we wrote a very basic series of ArcSight reports which run on a daily basis:

  1. All assets successfully making DNS requests to the FBI DNS Changer IPv4 ranges.
  2. All assets attempting to make DNS requests to the FBI DNS Changer IPv4 ranges, sorted Z-A so the assets making the most DNS requests are at the top of the report, with a bar graph.
    1. Using graphs can help visualize the problem to management and gain their buy-in. Looking at the problem from a business standpoint does not make you less technical, but better at communicating the issue to those that approve budgets, staff and possibly investigations.
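As an added example that is not part of the original post and not the ArcSight reports it describes, the Python below computes both the investigation order given earlier (successful requests first, then attempts ordered by asset criticality and frequency) and the two daily reports listed above, from firewall log lines. Everything in it is constructed: the key=value log format, the asset inventory, and the two CIDR blocks, which are TEST-NET placeholders standing in for the FBI-published DNS Changer ranges and must be replaced with the real list before use.

```python
"""Triage of firewall logs for DNS requests to DNS Changer ranges.
Added example, not the post's own reports. Ranges and logs are constructed placeholders."""
import ipaddress
import re
from collections import Counter

# PLACEHOLDER ranges (TEST-NET blocks), NOT the FBI-published DNS Changer ranges: substitute the real list.
DNSCHANGER_RANGES = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/24")]

# Assumed asset inventory (constructed): source address -> criticality from the CMDB.
ASSET_CRITICALITY = {
    "10.0.0.53": "critical",   # internal DNS server
    "10.0.0.1": "critical",    # core router
    "10.0.5.23": "standard",
    "10.0.7.88": "standard",
}

# Constructed sample log lines; the regex below assumes this key=value layout, adapt it to your firewall.
SAMPLE_LOGS = """\
2012-03-10T08:01:02 action=allow src=10.0.5.23 dst=198.51.100.7 dport=53 proto=udp
2012-03-10T08:01:05 action=allow src=10.0.5.23 dst=198.51.100.7 dport=53 proto=udp
2012-03-10T08:01:09 action=deny src=10.0.7.88 dst=203.0.113.9 dport=53 proto=udp
2012-03-10T08:02:11 action=deny src=10.0.0.53 dst=203.0.113.9 dport=53 proto=udp
2012-03-10T08:02:14 action=allow src=10.0.0.1 dst=192.0.2.1 dport=53 proto=udp
2012-03-10T08:03:20 action=deny src=10.0.7.88 dst=203.0.113.9 dport=53 proto=udp
2012-03-10T08:03:22 action=deny src=10.0.7.88 dst=203.0.113.9 dport=53 proto=udp
2012-03-10T08:04:00 action=allow src=10.0.5.23 dst=198.51.100.7 dport=443 proto=tcp
"""

LINE_RE = re.compile(r"action=(?P<action>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)")


def is_dnschanger(dst: str) -> bool:
    """True if the destination falls inside one of the watched ranges."""
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in DNSCHANGER_RANGES)


def parse(log_text: str):
    """Yield one dict per parsable log line; unparsable lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.groupdict()


def triage(log_text: str):
    """Return (successful, attempted): per-source counts of DNS requests to the watched
    ranges, split by whether the firewall allowed them (report 1) or dropped them (report 2)."""
    successful, attempted = Counter(), Counter()
    for ev in parse(log_text):
        if ev["dport"] != "53" or not is_dnschanger(ev["dst"]):
            continue  # not a DNS request, or not to a watched range
        (successful if ev["action"] == "allow" else attempted)[ev["src"]] += 1
    return successful, attempted


def prioritize(attempted: Counter):
    """Investigation order for attempted requests: critical assets first, then by count descending."""
    return sorted(attempted.items(), key=lambda kv: (ASSET_CRITICALITY.get(kv[0]) != "critical", -kv[1]))


def bar_report(counts: Counter, width: int = 20):
    """Text bar graph, most active source first (stand-in for the post's ArcSight bar graph)."""
    top = max(counts.values(), default=1)
    return [f"{src:<16}{'#' * max(1, round(n * width / top))} {n}" for src, n in counts.most_common()]


if __name__ == "__main__":
    ok, tried = triage(SAMPLE_LOGS)
    print("Successful DNS requests to watched ranges (investigate all):")
    print("\n".join(bar_report(ok)))
    print("Attempted (dropped) requests, in investigation order:")
    for src, n in prioritize(tried):
        print(f"  {src} ({ASSET_CRITICALITY.get(src, 'unknown')}): {n}")
```

In the sample, the dropped requests from the internal DNS server (10.0.0.53) are ranked above the workstation with three attempts, matching the rule that a critical router or server gets an incident immediately even at low volume; the line on port 443 to a watched range is deliberately excluded from the DNS counts but would merit its own report.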

If you have any questions, concerns or techniques which have been successful in your organization please feel free to share them.