Threat Level: green Handler on Duty: Pedro Bueno

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

ISC Feature of the Week: The 404Project

Published: 2012-01-18
Last Updated: 2012-01-18 17:52:30 UTC
by Adam Swanger (Version: 1)
2 comment(s)

The 404Project is a simple snippet of code you add to your 404 error page that submits information back to ISC for reporting. The main purpose of this project is to trend the web pages crawlers and automated bots are trying to access. A public report page will be available when enough data had been collected. isc.sans.edu/tools/404project.html

Overview
The 404Project submits URI, IP and USER AGENT. Additionally, date, time and your credentials are stored along with the data. Your personal information is protected https://isc.sans.edu/privacy.html#4 and your specific user information is not shared with third parties. https://isc.sans.edu/privacy.html#1
 

Instructions
- You must have an ISC Portal ID and Identification Key to use this tool. https://isc.sans.edu/login.html
- Once logged in and submitting data, you can view your 404 summary information. https://isc.sans.edu/my404.html
- Get started! https://isc.sans.edu/tools/404project.html#instructions

Our skilled users have ported the 404Project to many languages! At the time of this writing, in addition to the original PHP, there is also Perl, Python, .NET and even Javascript! https://isc.sans.edu/tools/404project.html#alternatives

You can leave comments in the section below or send any questions or comments in the contact form https://isc.sans.edu/contact.html

--
Adam Swanger, Web Developer (GWEB)
Internet Storm Center (http://isc.sans.edu)

 

Keywords: ISC feature
2 comment(s)
Oracle Quarterly Patch Advisory Released, January 17th 2012: http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html
ISC StormCast for Wednesday, January 18th 2012 http://isc.sans.edu/podcastdetail.html?id=2266

Use of Mixed Case DNS Queries

Published: 2012-01-18
Last Updated: 2012-01-18 01:05:49 UTC
by Johannes Ullrich (Version: 1)
6 comment(s)

   In my DNS server query logs, I am starting to see more queries using mixed case, like for example:

jOHanNEs.HoMePC.OrG
www.HOMEPC.ORg
wWW.Homepc.org
Www.HoMepC.ORg
WwW.homepc.ORg
WwW.HOmepc.oRG
WWw.homePc.oRg

   These queries appear to be the result of DNS servers supporting a relatively new DNS security mechanism, "0x20 Bit encoding". The approach got its name from encoding a bit value using the case of letters. if bit 0x20 is set in a byte, the letter is lower case. If it is cleared, the letter is upper case.

For example, the first value show above ( www.HOMEPC.ORg ) represents a value of 11100000001 . How does this help DNS security? Host names are not case sensitive. However, the case is maintained. The answer will use the same mixed case as the query. For example:

> dig WwW.HoMePc.OrG 

; <<>> DiG 9.7.3-P3 <<>> WwW.HoMePc.OrG 
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15335
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 4

;; QUESTION SECTION:
;WwW.HoMePc.OrG. IN A

;; ANSWER SECTION:
WwW.HoMePc.OrG. 100 IN A 70.91.145.9
.. [rest of answer omited] ...

As it turns out, almost all DNS servers follow this behaviour. The new part is that now some DNS servers start to deliveratly encode a random value into each query they send, and then verify if the value is maintained in the response. This in effect adds additional bits to the query id.

While this is clearly a "hack", it is a pretty attractive one. If your DNS server supports this feature, it will automatically gain a few more bits of "spoofing resistance". The DNS servers it connects to do not need to change anything. Unlike for DNSSEC, which is of course the real fix, but requires extensive work to configure,and has to be configured for each zone.

Right now, none of the major DNS servers appear to support this feature. A Google search only found two pieces of software that do:

Unbound: https://calomel.org/unbound_dns.html: see "use-caps-for-id"
pydig: http://www.huque.com/software/pydig/ 

I would be interested to learn if there are other DNS servers (or DNS related software) that supports this method.

References:
http://tools.ietf.org/html/draft-vixie-dnsext-dns0x20-00
http://courses.isi.jhu.edu/netsec/papers/increased_dns_resistance.pdf

 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords: dns dnssec
6 comment(s)
Diary Archives