
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2013-03-18 InfoSec Handlers Diary Blog



Spamhaus DDOS

Published: 2013-03-18
Last Updated: 2013-03-18 21:49:30 UTC
by Kevin Shortt (Version: 1)

A few readers have written in offering and asking for information on the Spamhaus Project outage.   
We have very little confirmed information at this time.

The website is confirmed to be unreachable [1] and there is some chatter on Twitter [2] [3] [4]. I've read there is an elusive email notification sent from Spamhaus. We have yet to see it or read it.

Please comment with any information or impact you are experiencing from the outage today.

 

[1] http://www.spamhaus.org
[2] https://twitter.com/spamhaus
[3] https://twitter.com/LucRossini/status/313394569435807745
[4] https://twitter.com/search?q=%23Spamhaus

 


-Kevin
--
ISC Handler on Duty


IPv6 Focus Month: What is changing with DHCP

Published: 2013-03-18
Last Updated: 2013-03-18 19:12:24 UTC
by Johannes Ullrich (Version: 1)

 

   Among the different methods to configure IPv6 addresses, most managed networks will likely stick with DHCP. DHCPv6, however, is a bit different than DHCPv4. We will summarize here some of the basic differences between DHCPv4 and DHCPv6.
 
   DHCPv4 is often used to manage a limited address pool. This problem is not going to be an issue in IPv6, and as a result, the focus of the protocol changes to provide address management and renumbering of hosts. DHCPv6 is also a complete rewrite of the protocol. A lot of the old BOOTP parameters are gone, and the DHCPv6 packet is a simple type-length-value format packet without many of the fixed fields present in DHCPv4.
 
   DHCPv6 uses UDP ports 546 and 547, not 67/68 like DHCPv4.

DHCP Unique Identifiers (DUID)

   In DHCPv4, hosts are identified by their MAC addresses. However, MAC addresses are Ethernet specific, and other networking technologies may use different identifiers. DHCPv6 introduces a mandatory DUID to identify hosts. Some modern DHCPv4 implementations use an optional DUID, but in DHCPv6, a DUID becomes mandatory.
 
   RFC 3315 defines three different methods to assign DUIDs. Most commonly, the time stamp of the first boot of the system, followed by the link layer address (MAC address for Ethernet), is used as DUID. This is then referred to as DUID-LLT (link-layer address plus time). Other options are vendor assigned DUIDs or the use of the link layer address by itself. The reason to add the time stamp is to distinguish two clients that are connected to the same network, even if they are not connected at the same time (which wouldn't work for Ethernet). The link layer address by itself should only be used for devices without non-volatile storage that are connected permanently to the network.
 
   If a system has multiple network interfaces, all will use the same DUID. To distinguish different interfaces, an identity association (IA) will be used.
 
   If you configure static IP addresses in your DHCP server, you will have to use the DUID and IA to identify the system, not the MAC address. Sadly, different servers use different formats to represent these identifiers, and you need to figure out how to translate the number your host provides into one the server configuration understands.
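
To make the type-length-value layout and the DUID/IA identifiers concrete, the following added example (not part of the original diary) walks the options of a DHCPv6 client message and decodes the Client Identifier and IA_NA options as laid out in RFC 3315. The function names and the sample packet are constructed for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone
DUID_EPOCH = datetime(2000, 1, 1, tzinfo=timezone.utc)  # DUID-LLT time base
DUID_TYPES = {1: "DUID-LLT", 2: "DUID-EN", 3: "DUID-LL"}
OPT_CLIENTID, OPT_IA_NA = 1, 3                          # RFC 3315 option codes

def parse_options(buf):
    """Walk the type-length-value options that follow the 4-byte header."""
    pos = 0
    while pos < len(buf):
        if pos + 4 > len(buf):
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", buf, pos)
        pos += 4
        if pos + length > len(buf):
            raise ValueError("option %d overruns the packet" % code)
        yield code, buf[pos:pos + length]
        pos += length

def decode_duid(duid):
    """Split a DUID into fields; colon_hex is the complete identifier."""
    if len(duid) < 2:
        raise ValueError("DUID too short")
    dtype = struct.unpack_from("!H", duid)[0]
    info = {"type": DUID_TYPES.get(dtype, "unknown"), "colon_hex": duid.hex(":")}
    if dtype == 1 and len(duid) >= 8:       # hardware type, time, link-layer addr
        hw, secs = struct.unpack_from("!HI", duid, 2)
        info.update(hw_type=hw, link_addr=duid[8:].hex(":"),
                    time=DUID_EPOCH + timedelta(seconds=secs))
    elif dtype == 3 and len(duid) >= 4:     # hardware type, link-layer addr
        info.update(hw_type=struct.unpack_from("!H", duid, 2)[0],
                    link_addr=duid[4:].hex(":"))
    return info

def identify_client(packet):
    """Return (message type, transaction id, decoded DUID, IA_NA IAIDs)."""
    if len(packet) < 4:
        raise ValueError("shorter than the DHCPv6 header")
    duid, iaids = None, []
    for code, data in parse_options(packet[4:]):
        if code == OPT_CLIENTID:
            duid = decode_duid(data)
        elif code == OPT_IA_NA and len(data) >= 4:
            iaids.append(struct.unpack_from("!I", data)[0])
    return packet[0], packet[1:4].hex(), duid, iaids

# Constructed sample: Solicit (type 1), DUID-LLT client ID, one IA_NA (IAID 7).
SAMPLE = bytes.fromhex("01a1b2c3" "0001000e" "0001000118d4a6f0001122334455"
                       "0003000c" "00000007" "00000000" "00000000")
```

The colon-separated hex string is only one notation for the identifier; compare it byte for byte with whatever notation your server configuration expects.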

DHCP and Router Advertisements

   At first, it may look like DHCP is an alternative to router advertisements. This is true when it comes to address assignments. But overall, DHCPv6 is an extension to router advertisements, and DHCPv6 will not work without router advertisements. First of all, the "managed" and "other" flags of router advertisements will let the host know to request an address, or other configuration parameters via DHCP. Also, the default gateway will be assigned via router advertisements, not DHCP.

"managed" and "other" flags

   If only the "other" flag is set in router advertisements, it indicates that addresses are assigned via router advertisements, but other parameters, like recursive DNS servers, are assigned via DHCP. DHCP will in this case configure everything BUT the address. The "managed" flag on the other hand will tell the host to use DHCP for address configuration as well as to configure additional parameters.
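
The flag handling described in the two sections above can be checked against captured router advertisements. This added example (not part of the original diary) decodes the fixed header of an ICMPv6 Router Advertisement as defined in RFC 4861 and lists the advertisements whose flags differ from what a segment's DHCPv6 design intends. The function names and the sample packets are constructed, and the checksum in the samples is left at zero.

```python
import struct

ND_ROUTER_ADVERT = 134                   # ICMPv6 type of a Router Advertisement
FLAG_MANAGED, FLAG_OTHER = 0x80, 0x40    # M and O bits of the RA flags byte

def ra_config_mode(icmp6):
    """Decode an RA into the configuration behaviour a host derives from it."""
    if len(icmp6) < 16:
        raise ValueError("shorter than the fixed RA header")
    typ, code, _csum, _hop, flags, lifetime = struct.unpack_from("!BBHBBH", icmp6)
    if typ != ND_ROUTER_ADVERT or code != 0:
        raise ValueError("not a Router Advertisement")
    managed, other = bool(flags & FLAG_MANAGED), bool(flags & FLAG_OTHER)
    if managed:
        mode = "DHCPv6 for address and other parameters"
    elif other:
        mode = "address from RA, other parameters from DHCPv6"
    else:
        mode = "RA only, no DHCPv6"
    # A router lifetime of zero means the sender is not offered as default gateway.
    return {"managed": managed, "other": other, "mode": mode,
            "default_router": lifetime > 0}

def flag_mismatches(ras, want_managed, want_other):
    """Indexes of RAs whose M/O flags differ from the intended design."""
    found = []
    for i, ra in enumerate(ras):
        info = ra_config_mode(ra)
        if (info["managed"], info["other"]) != (want_managed, want_other):
            found.append(i)
    return found

def build_ra(flags, lifetime):           # constructed RA header, checksum zero
    return struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, flags, lifetime, 0, 0)

RA_MANAGED = build_ra(0xC0, 1800)        # M and O set
RA_OTHER = build_ra(0x40, 1800)          # only O set
RA_NONE = build_ra(0x00, 0)              # no flags, not a default router
```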

DHCP-PD

   For IPv6, ISPs will likely assign /64 or larger networks to each customer. Right now, ISPs usually use DHCP to assign addresses. The customer typically runs a NAT gateway and the external IPv4 address assigned by the ISP is shared within the customer's network. DHCPv6 includes a special mode, "prefix delegation", to allow this architecture for IPv6. Instead of assigning an individual address, DHCP is used to assign a prefix to a router. The router will then typically use router advertisements to advertise this prefix internally and hosts will use these addresses.

Renumbering

    With DHCPv4, a host will pick up an address, along with a lease time. Halfway through the lease, the host will check if the address is still valid. In addition, the host will request a new address after each reboot. In IPv6, this is still true in principle. However, the DHCP server may initiate renumbering if, for example, the IPv6 prefix changed. In addition, a host that reboots will first check if the old address is still valid. This behavior is also frequently seen in IPv4, but in IPv6 it is more likely that the old address can be reused.
 
Did I forget anything? For just a simple network configuration, setting up DHCPv6 isn't all that hard. The part where it gets tricky is if you try to assign static addresses, or multiple addresses to a particular interface.
 
References: DHCPv6 RFC http://tools.ietf.org/html/rfc3315

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute