Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: InfoSec Handlers Diary Blog InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

New gTLDs appearing in the root zone

Published: 2014-01-30
Last Updated: 2014-01-30 21:12:38 UTC
by Johannes Ullrich (Version: 1)
2 comment(s)

Over the last month or so, new gTLDs (generic top level domains) have been added to the root zone by ICANN. This is the beginning of a process of adding a couple hundred new gTLDs which ICANN colleted applications for last year.

To get a full list of current valid gTLDs see http://newgtlds.icann.org/en/program-status/delegated-strings

It is up to the individual registrars who received the gTLDs to decide how to use them. Some are limited to particular organizations. Others are already available to the public for pre-registration.

This is important if you are doing more detailed input validation on domain names, for example to validate e-mail addresses. For example, the longest name I was able to spot was ".INTERNATIONAL" . 

 

 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords: DNS domains gTLD icann TLD
2 comment(s)

IPv6 and isc.sans.edu (Update)

Published: 2014-01-30
Last Updated: 2014-01-30 19:21:04 UTC
by Johannes Ullrich (Version: 1)
1 comment(s)

About 4 years ago, I published a quick diary summarizing our experience with IPv6 at the time [1]. Back then, the IPv6 traffic to our site was miniscule. 1.3% of clients connecting to our server used IPv6. Since then, a lot has changed in IPv6. Comcast, one of the largest US ISPs and an IPv6 pioneer now offers IPv6 to more then 25% of its users [2] . Many mobile providers enable IPv6, and more users access our site from mobile devices then before. So I expected a bit of an increase in IPv6 traffic. Lets see what I found.

The short summary is: We do see A LOT more IPv6 traffic, but auto-configured tunnels pretty much went away (probably a good thing)

Overall, the number of IPv6 clients multiplied by about 3 and about 4% of requests received by our web server now arrive via IPv6. Given that we use a tunnel and proxy at this point to provide IPv6 access, we can only assume that there are more IPv6 capable clients out there but technologies like "happy eyeballs" make them prefer IPv4.

The difference is even more significant looking at tunnels. 6-to-4 tunnels only make up 0.3 % of all IPv6 requests, and Terredo is not significant (only about 100 requests total for all of last month). 2001::/16 remains the most popular /16 prefix, but 2002::/16 which was #2 in 2010 no longer shows up.

Within 2001::/16, Hurricane Electric (2001:470::/32) still dominates, indicating that we still have a lot of tunnels. But it is now followed by 2607:f740::/32 (Host Virtual) , 2401:c900::/32 (Softlayer) , 2a01:7a0::/32 (Velia) and 2607:f128::/32 (Steadfast). 

As far as reverse DNS resolution goes, still only very few ISPs appear to have it configured for IPv6. 

[1] https://isc.sans.edu/diary/IPv6+and+isc.sans.org/7948
[2] http://www.comcast6.net

and of course our IPv6 Security Essentials class. 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords: ipv6
1 comment(s)

Oracle Reports Vulnerability

Published: 2014-01-30
Last Updated: 2014-01-30 01:28:56 UTC
by Johannes Ullrich (Version: 1)
4 comment(s)

I mentioned this vulnerability earlier this week in a podcast, but believe it deserves a bit more attention, in particular as exploits are now public, and a metasploit module appears in the works.

Dana Taylor (NI @root) released details about the vulnerabilities first in her blog [1]. The post included quite a bit of details about respecitve vulnerabilities. Extended support for Oracle 10g ended July 2013 and a patch is not expected.

If for some reason you are still running Oracle 10g or earlier, please check on possible workarounds or upgrade to 11g

The vulnerabilities were assigned following CVE numbers 

CVE-2012-3153 - PARSEQUERY keymap vulnerabiilty

      Oracle details (requires login): https://support.oracle.com/rs?type=doc&id=279683.1

CVE-2012-3152 - URLPARAMETER code execution

Please let us know if you have any workarounds to share, or if you have any logs showing exploit attempts.

[1] http://netinfiltration.com

 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords: cpu oracle patch
4 comment(s)
Diary Archives