IPv6 Wall of Shame
▻https://ipv6wallofshame.com
65% of the top 124 websites don’t support IPv6 yet
iOS 9 Supporting IPv6-only Networks
▻https://developer.apple.com/news/?id=05042016a
At WWDC 2015 [Apple] announced the transition to IPv6-only network services in iOS 9. Starting June 1, 2016 all apps submitted to the App Store must support IPv6-only networking.
#IPv6
The Afnic newsletter for January is online! Read it here ▻http://afnic-media.fr/newsletter/20160119.html
To subscribe ►https://www.afnic.fr/fr/ressources/newsletter-afnic-36.html
Afnic newsletter for January is out! Read it here ▻http://www.afnic-media.fr/newsletter/20160119-english.html
Subscribe directly here ▻https://www.afnic.fr/en/resources/afnic-newsletter-43.html
[Afnic blog] IPv6 and DNSSEC are 20 and 19 years old. Same fight and same challenges!? by Mohsen Souissi ▻https://www.afnic.fr/fr/ressources/blog/ipv6-et-dnssec-ont-20-et-19-ans-meme-combat-et-memes-defis.html
[Afnic blog] IPv6 and DNSSEC are respectively 20 and 19 years old. Same fight and challenges? by Mohsen Souissi ▻https://www.afnic.fr/en/resources/blog/ipv6-and-dnssec-are-respectively-20-and-19-years-old-same-fight-and-challenges
RFC 7720 : DNS Root Name Service Protocol and Deployment Requirements
The Internet relies largely on the #DNS (if it goes down, almost nothing works any more), and the DNS, because of its tree structure, depends on its root, or more precisely on its root servers. Managing them is therefore a crucial question. This very short RFC specifies the obligations of the root servers in terms of the network protocols they must follow. Other documents describe the operational requirements.
Now we just need to find a way to defend against a DDoS attack on the DNS root servers like the one at the end of November / beginning of December :)
Anyway, I think the attack showed that the system is still fairly robust.
5 million requests per second is still not bad.
The effect of these two attacks, as seen by DNSmon: lots of red!
▻https://atlas.ripe.net/dnsmon/?dnsmon.session.color_range_pls=0-10-10-50-100&dnsmon.session.exclude-er
ah yes, that's right, I hadn't looked there to see the effect.
also, I find this interface really well made.
@erratic And if you want a laugh about these attacks, the crazy text by the crazy McAfee is worth it (summary: these attacks were carried out by Daesh with phones) ▻http://www.ibtimes.co.uk/john-mcafee-massive-ddos-attack-internet-was-smartphone-botnet-popular-ap
OK, for ISIS yes, proofless speculation.
but for the smartphones, why not?
McAfee and other cybersecurity experts believe that smartphones are the most likely culprit for such a botnet, as one can be easily installed to a device through an app, such as a flashlight app. There are other possibilities for the botnets, such as Spam emails, but due to the sheer volume displayed in the attack that answer is unlikely. With more than 7 billion smartphones in the world, McAfee sees this route for an attack on the internet as the logical answer.
[...]
“The problem with the recent attack is that the originating IP addresses were evenly distributed within the IPV4 universe,” McAfee says. "This is virtually impossible using spoofing. The second oddity is that every single request asked to resolve the exact same address. There is only one circumstance that can explain the above: the mythical “Zombie Army” of botnets has been built and has been partially activated."
Verisign’s Perspective on Recent Root Server Attacks
▻http://www.circleid.com/posts/20151215_verisign_perspective_on_recent_root_server_attacks
Sometimes, the DNS root name servers receive attack traffic where the intent seems to be clear. By examining the traffic, and perhaps with other supporting information, it may be easy to discern whether the intended victim is a third party, or perhaps the root server system itself. At other times, however, the intent is less obvious.
The events of Nov. 30 and Dec. 1, 2015, are one of those cases where the intent as observable on the root server operations side of the system is unclear. While a number of DNS root name servers did receive high levels of traffic, it is unclear whether the intent was to harm the root server system itself.
[...]
In addition to anycasting and an array of DNS transaction processing capabilities, Verisign and the other DNS root server operators have a number of techniques for identifying anomalous system loads and then classifying and mitigating malicious activity, as appropriate.
• blocking bogons
• source address filtering (#BCP38)
although not usable at the root server system itself in this case due to the obvious presence of source address spoofing employed by the attacker source networks
• response rate limiting (RRL)
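The source address filtering (BCP38) item above is the one mitigation that has to live at the network edge rather than at the root servers. As an added example (not code from Verisign or the original post), here is a small Python model of an edge router's ingress decision: a source address is dropped if it falls in a well-known bogon range, dropped as spoofed if it is not one of the prefixes the operator actually assigned to customers behind that port, and forwarded otherwise. The customer prefixes, the destination address and the sample packets are all constructed for the example.

```python
import ipaddress

# Well-known ranges that should never appear as a source address on the public
# Internet (RFC 1918 private space, "this network", loopback, link-local, multicast, class E).
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

# Constructed example: the prefixes this hypothetical edge router has assigned to
# its own customers. Under BCP38 only these may be sources on packets leaving the
# customer-facing port; anything else is a spoofed source that would feed a
# reflection attack somewhere else.
CUSTOMER_PREFIXES = [ipaddress.ip_network(n) for n in (
    "198.51.100.0/24", "203.0.113.0/25",
)]


def ingress_decision(src, customer_prefixes=CUSTOMER_PREFIXES):
    """Classify one packet by its source address: 'bogon', 'spoofed' or 'forward'."""
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in BOGONS):
        return "bogon"
    if not any(addr in net for net in customer_prefixes):
        return "spoofed"
    return "forward"


def filter_flows(flows, customer_prefixes=CUSTOMER_PREFIXES):
    """Apply the decision to (src, dst) pairs; return counts per verdict and the
    offending sources so an operator can trace them back to a customer port."""
    counts = {"bogon": 0, "spoofed": 0, "forward": 0}
    offenders = []
    for src, dst in flows:
        verdict = ingress_decision(src, customer_prefixes)
        counts[verdict] += 1
        if verdict != "forward":
            offenders.append((src, dst, verdict))
    return counts, offenders


# Constructed sample: outbound packets seen on the customer-facing port, all aimed
# at a (documentation-range) resolver address.
SAMPLE_FLOWS = [
    ("198.51.100.7", "192.0.2.53"),   # legitimate customer source
    ("203.0.113.20", "192.0.2.53"),   # legitimate customer source
    ("203.0.113.200", "192.0.2.53"),  # outside the /25 we assigned -> spoofed
    ("10.4.4.4", "192.0.2.53"),       # RFC 1918 source -> bogon
    ("8.8.8.8", "192.0.2.53"),        # somebody else's address -> spoofed
]

if __name__ == "__main__":
    counts, offenders = filter_flows(SAMPLE_FLOWS)
    print(counts)
    for src, dst, why in offenders:
        print(f"drop {src} -> {dst}: {why}")
```

The point the Verisign text makes is visible in the sample: the spoofed packets are indistinguishable once they reach the root server, but trivially identifiable on the edge port that knows which prefixes legitimately sit behind it.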
This very interesting video shows graphically, using Hilbert space-filling curve[1] representations, that the spoofed source addresses were being generated more or less sequentially, and gives an idea of how the attack operated on two fronts, as monitored on Verisign’s A-Root.
_
[1] a space-filling curve, mapping 1D into 2D while preserving locality, i.e. points near each other in terms of distance along the curve will also be near each other on the 2D plane ▻http://datagenetics.com/blog/march22013/index.html
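To make the footnote concrete, here is an added Python example (not from the video or the original post) of the Hilbert curve mapping in both directions, plus the use it gets in address-space visualisations: the 256 /8 blocks placed on a 16x16 grid by their first octet, so that a sweep through sequential source addresses shows up as a compact trail rather than scattered dots. The algorithm is the standard iterative one (quadrant rotation per level); `slash8_cell`, `sweep` and `locality_violations` are helper names chosen for this example.

```python
def _rot(n, x, y, rx, ry):
    """Rotate/flip one quadrant so its sub-curve joins up with its neighbours."""
    if ry == 0:
        if rx == 1:
            x = n - 1 - x
            y = n - 1 - y
        x, y = y, x
    return x, y


def d2xy(n, d):
    """Distance d along the Hilbert curve filling an n x n grid (n a power of two) -> (x, y)."""
    x = y = 0
    s = 1
    t = d
    while s < n:
        rx = 1 & (t // 2)
        ry = 1 & (t ^ rx)
        x, y = _rot(s, x, y, rx, ry)
        x += s * rx
        y += s * ry
        t //= 4
        s *= 2
    return x, y


def xy2d(n, x, y):
    """Inverse of d2xy: grid cell (x, y) -> distance along the curve."""
    d = 0
    s = n // 2
    while s > 0:
        rx = 1 if x & s else 0
        ry = 1 if y & s else 0
        d += s * s * ((3 * rx) ^ ry)
        x, y = _rot(n, x, y, rx, ry)
        s //= 2
    return d


def slash8_cell(first_octet, n=16):
    """Place the /8 block whose first octet is given on a 16x16 Hilbert grid (256 cells)."""
    return d2xy(n, first_octet)


def sweep(first_octets, n=16):
    """Cells visited by a run of first octets, e.g. a scanner or spoofer walking
    through address space in order: consecutive octets land in adjacent cells."""
    return [slash8_cell(o, n) for o in first_octets]


def locality_violations(n):
    """Count consecutive curve positions that are not grid neighbours (Manhattan
    distance 1). For a correct Hilbert curve this is always 0: that is the
    locality property the footnote describes."""
    bad = 0
    for d in range(n * n - 1):
        x0, y0 = d2xy(n, d)
        x1, y1 = d2xy(n, d + 1)
        if abs(x0 - x1) + abs(y0 - y1) != 1:
            bad += 1
    return bad


if __name__ == "__main__":
    # Constructed example: sources 40.x.x.x through 47.x.x.x seen in order.
    print(sweep(range(40, 48)))
    print("violations on 16x16 grid:", locality_violations(16))
```

Contrast this with a plain row-major layout, where first octets 15 and 16 would sit at opposite ends of adjacent rows; on the Hilbert grid they are neighbours, which is why a sequential sweep reads as a connected streak in the visualisation.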
@erratic There is no indication whatsoever that smartphones are involved. Pure sensationalist speculation. McAfee’s reasoning is ridiculous: it is precisely when addresses are spoofed that they can be evenly distributed! Besides, he is a known crackpot ▻https://en.wikipedia.org/wiki/John_McAfee#Legal_issues
@stephane Indeed, a curious character!
What is interesting is seeing more and more sites/blogs pick up his speculation about spy smartphones.
I am curious to see what the #téléphone_arabe (grapevine) will have made of it in a month, and whether there will still be any trace of where the message came from.
Otherwise, I just came across this article which is, let’s say, rather polarised. But then, if he is indeed interested in the White House, I can understand his talk about smartphones.
▻http://www.jeuneafrique.com/mag/275859/politique/john-mcafee-drugs-guns-and-paranoia
NetworkManager and privacy in the IPv6 internet
▻https://blogs.gnome.org/lkundrak/2015/12/03/networkmanager-and-privacy-in-the-ipv6-internet
after 3.5 years: nmap 7: new and improved
adds among other improvements:
• mature IPv6 support
• faster and better SSL/TLS-related scans
• 171 new scripts:
ajp-auth, ajp-brute, ajp-headers, ajp-methods, ajp-request, allseeingeye-info, bacnet-info, bjnp-discover, broadcast-ataoe-discover, broadcast-bjnp-discover, broadcast-eigrp-discovery, broadcast-igmp-discovery, broadcast-pim-discovery, broadcast-sonicwall-discover, broadcast-tellstick-discover, cassandra-brute, cassandra-info, cups-info, cups-queue-info, dict-info, distcc-cve2004-2687, dns-check-zone, dns-ip6-arpa-scan, dns-nsec3-enum, docker-version, enip-info, eppc-enum-processes, fcrdns, firewall-bypass, flume-master-info, freelancer-info, gkrellm-info, gpsd-info, hnap-info, hostmap-ip2hosts, hostmap-robtex, http-adobe-coldfusion-apsa1301, http-avaya-ipoffice-users, http-cisco-anyconnect, http-coldfusion-subzero, http-comments-displayer, http-cross-domain-policy, http-csrf, http-devframework, http-dlink-backdoor, http-dombased-xss, http-drupal-enum, http-drupal-enum-users, http-errors, http-exif-spider, http-feed, http-fetch, http-fileupload-exploiter, http-form-fuzzer, http-frontpage-login, http-git, http-gitweb-projects-enum, http-huawei-hg5xx-vuln, http-icloud-findmyiphone, http-icloud-sendmsg, http-iis-short-name-brute, http-ls, http-mobileversion-checker, http-ntlm-info, http-phpmyadmin-dir-traversal, http-phpself-xss, http-referer-checker, http-rfi-spider, http-robtex-shared-ns, http-server-header, http-shellshock, http-sitemap-generator, http-slowloris-check, http-slowloris, http-stored-xss, http-svn-enum, http-svn-info, http-tplink-dir-traversal, http-traceroute, http-useragent-tester, http-virustotal, http-vlcstreamer-ls, http-vuln-cve2006-3392, http-vuln-cve2010-0738, http-vuln-cve2013-0156, http-vuln-cve2013-7091, http-vuln-cve2014-2126, http-vuln-cve2014-2127, http-vuln-cve2014-2128, http-vuln-cve2014-2129, http-vuln-cve2014-8877, http-vuln-cve2015-1427, http-vuln-cve2015-1635, http-vuln-misfortune-cookie, http-vuln-wnr1000-creds, http-waf-fingerprint, http-webdav-scan, http-wordpress-users, http-xssed, icap-info, ike-version, ip-forwarding, 
ip-https-discover, ipv6-ra-flood, irc-sasl-brute, isns-info, jdwp-exec, jdwp-info, jdwp-inject, knx-gateway-discover, knx-gateway-info, llmnr-resolve, mcafee-epo-agent, metasploit-info, metasploit-msgrpc-brute, mikrotik-routeros-brute, mmouse-brute, mmouse-exec, mrinfo, msrpc-enum, ms-sql-dac, mtrace, murmur-version, mysql-dump-hashes, mysql-enum, mysql-query, mysql-vuln-cve2012-2122, nje-node-brute, omron-info, oracle-brute-stealth, pcanywhere-brute, qconn-exec, quake1-info, rdp-enum-encryption, rfc868-time, rmi-vuln-classloader, rpc-grind, s7-info, sip-call-spoof, sip-methods, smb-ls, smb-print-text, smb-vuln-conficker, smb-vuln-cve2009-3103, smb-vuln-ms06-025, smb-vuln-ms07-029, smb-vuln-ms08-067, smb-vuln-ms10-054, smb-vuln-ms10-061 [stuxnet], smb-vuln-regsvc-dos, snmp-hh3c-logins, snmp-info, ssl-ccs-injection, ssl-date, ssl-dh-params, ssl-heartbleed, ssl-poodle, sstp-discover, supermicro-ipmi-conf, targets-ipv6-map4to6, targets-ipv6-wordlist, targets-xml, teamspeak2-version, tls-nextprotoneg, tor-consensus-checker, traceroute-geolocation, unittest, ventrilo-info, weblogic-t3-info, whois-domain, xmlrpc-methods
#IPv6 performance (2015-11-19 presentation at #RIPE71)
▻https://ripe71.ripe.net/wp-content/uploads/presentations/39-2015-11-19-v6-performance.pdf
NTP - Network Time Protocol - can be abused for attacks on HTTPS, DNSSEC, and Bitcoin.
Researchers at the University of Boston describe how unencrypted NTP traffic can be intercepted and then used to change the time of clients. For example, the clock can be turned back to a point where the host would accept a fraudulent digital certificate that has been revoked.
Or, by advancing the time on a DNS resolver, the DNSSEC validation can be made to fail.
The researchers also give advice on how to protect yourself against these various attacks.
Attacking the Network Time Protocol
Abstract—We explore the risk that network attackers can exploit unauthenticated Network Time Protocol (NTP) traffic to alter the time on client systems. We first discuss how an on-path attacker, that hijacks traffic to an NTP server, can quickly shift time on the server’s clients. Then, we present an extremely low-rate (single packet) denial-of-service attack that an off-path attacker, located anywhere on the network, can use to disable NTP clock synchronization on a client. Next, we show how an off-path attacker can exploit IPv4 packet fragmentation to dramatically shift time on a client. We discuss the implications of these attacks on other core Internet protocols, quantify their attack surface using Internet measurements, and suggest a few simple countermeasures that can improve the security of NTP.
▻http://www.cs.bu.edu/~goldbe/papers/NTPattack.pdf
backup: ▻http://docdro.id/Cf0QqBD
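The two effects described above (a clock rolled back far enough to accept a revoked certificate, or pushed forward far enough to break DNSSEC validation) both rely on a client accepting a single large time step from one unauthenticated source. As an added example, not code from the paper or from ntpd, here is a Python sketch of the client-side sanity checks that blunt this: refuse a step larger than a panic threshold except at first sync, and only act on an offset that a quorum of independent servers agree on. The 1000 s panic threshold and the 128 ms step threshold are the well-known ntpd defaults; the quorum logic, the function names and the sample timestamps are constructed for this example and simplified relative to ntpd's real clock-selection algorithm.

```python
from statistics import median

PANIC_THRESHOLD_S = 1000.0  # ntpd refuses steps larger than this unless started with -g
STEP_THRESHOLD_S = 0.128    # above this ntpd steps the clock instead of slewing it


def offset(local_now, server_time):
    """Correction a server is asking for, in seconds (positive = our clock is behind)."""
    return server_time - local_now


def accept_step(local_now, server_time, first_sync=False, panic=PANIC_THRESHOLD_S):
    """Single-source sanity check: a huge jump is only plausible at boot.
    Returns (accepted, offset_seconds)."""
    off = offset(local_now, server_time)
    if abs(off) > panic and not first_sync:
        return False, off
    return True, off


def agreed_offset(local_now, server_times, min_sources=3, tolerance_s=1.0):
    """Quorum check across several servers (simplified, not ntpd's algorithm):
    discard answers beyond the panic threshold, take the median of the rest and
    return it only if at least min_sources answers lie within tolerance_s of it.
    One hijacked or spoofed server therefore cannot move the clock on its own."""
    offs = []
    for server_time in server_times:
        ok, off = accept_step(local_now, server_time)
        if ok:
            offs.append(off)
    if len(offs) < min_sources:
        return None
    med = median(offs)
    agreeing = [o for o in offs if abs(o - med) <= tolerance_s]
    if len(agreeing) < min_sources:
        return None
    return med


def needs_step(off, step=STEP_THRESHOLD_S):
    """Whether an accepted offset would be applied as a step rather than a slew."""
    return abs(off) > step


def cert_time_valid(clock, not_before, not_after):
    """A certificate's validity window as judged by whatever clock we trust.
    Shows why a rolled-back clock matters: an expired cert looks valid again."""
    return not_before <= clock <= not_after


if __name__ == "__main__":
    # Constructed sample: local clock in November 2015 (Unix time), three honest
    # servers within a few tens of ms, one hijacked server 15 minutes in the past.
    now = 1447900000
    replies = [now + 0.02, now + 0.01, now - 0.03, now - 900]
    print("quorum offset:", agreed_offset(now, replies))
    # A single server trying to roll us back one year is rejected outright.
    print("one-year rollback accepted?", accept_step(now, now - 31536000)[0])
    # An already-expired certificate (constructed window) becomes "valid" on a rolled-back clock.
    print(cert_time_valid(now, 1400000000, 1430000000),
          cert_time_valid(now - 31536000, 1400000000, 1430000000))
```

The defensive lesson matches the advice the post refers to: use several servers, keep the panic threshold in place after boot, and treat any time step large enough to change certificate or DNSSEC validity outcomes as an event worth logging rather than silently applying.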
War machines arise from Kyiv’s ’tank cemetery’
▻http://www.kyivpost.com/content/ukraine/war-machines-arise-from-kyivs-tank-cemetery-399967.html
“Ukraine had approximately 5,000 to 7,000 tanks left after the breakup of Soviet Union,” military expert and director of consulting firm Defense Express Serhiy Zhurets told the Kyiv Post. “But I doubt that the government has allocated any funds for tank maintenance at all for the last 25 years. About 10 tanks could have been kept in good condition, but no more.”
[…]
What is known is that hundreds, perhaps thousands, have ended up in outdoor storage sites dotted around the country, like the Kyiv Armored Vehicles Plant. The plant, which was designed to produce new tanks and armored personnel carriers, as well as repair them, has mostly been used as a storage site for Defense Ministry’s property since Ukraine became independent.
[…]
There are at least 350 tank hulks in the plant’s outdoor storage area – equal to perhaps a third of Ukraine’s present tank force.
With a gallery of 17 photos taken on site
▻http://www.kyivpost.com/multimedia/photo/ukroboronprom-tank-cemetery-399944.html
I wanted to try it and @seenthis broke down
There has been a lot of talk about reflection + amplification #DoS attacks, often presenting them as specific to #UDP. But a recent article (which curiously went unnoticed) shows that they can also be carried out with #TCP.
TCP Handshake Amplification
DDoS amplification attacks currently typically use UDP-based protocols with spoofed source IPs. The reason being that there is no 3-way handshake in UDP.
However, it turns out there are TCP-based protocols that are also vulnerable to amplification attacks. Better even, the handshake itself can be abused for amplification.
Authors of the 2014 research mentioned in Stéphane’s article (and below) have identified 4.8 million devices vulnerable to an average TCP-based amplification factor of 112x. Of those, they identified thousands of hosts that can be abused for an amplification of almost 80,000x.
They identified that there are hosts responding to a SYN with an excessive amount of RST packets, and others that transmit actual payload data via PSH packets – even before the three-way handshake has been completed.
From the point of view of an attacker, the number of amplifiers is important to scale up the overall attack bandwidth.
Compared to TCP-based amplification, the fact that there are many more UDP amplifiers still makes the UDP form the most attractive.
An attacker has to scan many more IPv4 hosts in order to find a large enough number of TCP-based amplifiers.
Why would TCP-based amplifiers be interesting?
• They could be interesting to attackers who have little bandwidth available and who want to amplify as much as possible.
• Also, TCP traffic is considerably harder to filter at the network edges than UDP-based protocols. It is not easy to distinguish between legitimate and malicious TCP traffic without appliances that keep track of and inspect the states of TCP connections.
• Another reason why TCP-based is more complicated is that TCP-based amplification traffic does not carry payload that can be inspected for validity.
The paper:
Hell of a Handshake: Abusing TCP for Reflective Amplification DDoS Attacks
(Marc Kührer, Thomas Hupperich, Christian Rossow, Thorsten Holz)
▻http://www.christian-rossow.de/publications/tcpamplification-woot2014.pdf
SYN/ACK: The majority of amplifiers cause amplification by repeatedly retransmitting SYN/ACK packets upon our SYN segments. This attack type amplifies traffic up to 80x on average, and for SIP even up to 1,596x.
PSH: The number of amplifiers that transmit payload data via PSH (without a completed handshake) is low for most protocols. Nevertheless, the amplification factor is higher compared to the SYN/ACK amplifiers.
RST: The by far highest amplification is observed for hosts that transmit a tremendous number of RST segments. As such, an attacker could abuse the 4,242 vulnerable Telnet hosts to achieve an average amplification rate of 79,625x. Compared to SYN/ACK, the RST amplifiers of most protocols also have a much higher traffic volume—even though the number of hosts is significantly lower. That is, the 8,863 SYN/ACK amplifiers of NetBIOS transmitted about 25 MB of traffic, while the RST amplifiers caused traffic of more than 12 GB. Similarly, even though we observed most of the FTP amplifiers sending SYN/ACK packets (causing a total of 3.2 GB of traffic), the RST amplifiers transferred 15.1 GB of traffic in the same amount of time, a multitude of factor 5x.
#DDoS
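The three amplifier classes the paper distinguishes (retransmitted SYN/ACKs, payload pushed before the handshake completes, and floods of RSTs) are exactly what an operator should look for in their own address space, because a host that answers one SYN with hundreds of segments is a reflector waiting to be pointed at someone else. As an added example (not code from the paper or the post), here is a Python analysis over constructed packet records, as a passive sensor in front of your own servers might log them: it computes bytes returned per byte received for each server and labels the dominant reply type, so misbehaving stacks can be found and fixed before anyone else finds them. The addresses, sizes, record format and the 5x reporting cutoff are all constructed for this example.

```python
from collections import defaultdict

# Constructed packet log: (timestamp_s, src, dst, tcp_flags, ip_length_bytes).
# Flags use tcpdump-style letters: S = SYN, A = ACK, R = RST, P = PSH.
# A single probe host sends one SYN to each of our servers; we look at what comes back.
PROBE = "203.0.113.9"
SAMPLE_PACKETS = [
    # Healthy web server: one SYN in, one SYN/ACK out, nothing more.
    (0.000, PROBE, "192.0.2.80", "S", 60),
    (0.001, "192.0.2.80", PROBE, "SA", 60),
    # Broken Telnet daemon: answers a single SYN with a burst of 120 RST segments.
    (0.000, PROBE, "192.0.2.23", "S", 60),
] + [
    (0.002 + i * 0.001, "192.0.2.23", PROBE, "R", 40) for i in range(120)
] + [
    # Device that retransmits SYN/ACK five times because the handshake never completes.
    (0.000, PROBE, "192.0.2.25", "S", 60),
] + [
    (1.0 * (i + 1), "192.0.2.25", PROBE, "SA", 60) for i in range(5)
] + [
    # Service that pushes a banner before the handshake is complete.
    (0.000, PROBE, "192.0.2.21", "S", 60),
    (0.001, "192.0.2.21", PROBE, "SA", 60),
    (0.002, "192.0.2.21", PROBE, "PA", 540),
    (0.003, "192.0.2.21", PROBE, "PA", 540),
]


def classify_flags(flags):
    """Map a reply's flags onto the paper's three classes (RST, PSH, SYN/ACK)."""
    if "R" in flags:
        return "RST"
    if "P" in flags:
        return "PSH"
    if "S" in flags and "A" in flags:
        return "SYN/ACK"
    return "other"


def amplification_by_server(packets, probe_src):
    """For every server the probe contacted, return (bytes_back / bytes_sent,
    dominant reply class). Factor 1.0 is a normal one-SYN/one-SYN/ACK exchange."""
    sent = defaultdict(int)
    back = defaultdict(int)
    kinds = defaultdict(lambda: defaultdict(int))
    for _, src, dst, flags, length in packets:
        if src == probe_src:
            sent[dst] += length
        elif dst == probe_src:
            back[src] += length
            kinds[src][classify_flags(flags)] += 1
    result = {}
    for server, out in sent.items():
        factor = back[server] / out if out else 0.0
        if kinds[server]:
            dominant = max(kinds[server].items(), key=lambda kv: kv[1])[0]
        else:
            dominant = "none"
        result[server] = (round(factor, 2), dominant)
    return result


def flag_amplifiers(packets, probe_src, threshold=5.0):
    """Servers returning at least `threshold` times the bytes they received (constructed cutoff)."""
    table = amplification_by_server(packets, probe_src)
    return sorted(s for s, (factor, _) in table.items() if factor >= threshold)


if __name__ == "__main__":
    for server, (factor, kind) in amplification_by_server(SAMPLE_PACKETS, PROBE).items():
        print(f"{server}: {factor}x via {kind}")
    print("to fix:", flag_amplifiers(SAMPLE_PACKETS, PROBE))
```

The constructed Telnet host shows the RST pattern at 80x and the banner-pushing service the PSH pattern, while the SYN/ACK retransmitter only reaches 5x, which mirrors the ordering of the three classes in the paper's findings. In practice the same computation runs over flow records exported from the border, with the probe replaced by any external source that sent a SYN and never completed a handshake.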
The open #Internet ?
▻https://blog.apnic.net/2015/10/07/the-open-internet
"The massive proliferation of network-based middleware has resulted in an internet that has few remaining open apertures. Most of the time the packet you send is not precisely the packet I receive, and all too often if you deviate from a very narrowly set of technical constraints within this packet, then the packet you send is the packet I will never receive"
"the result is Africa becoming a dumping ground for all of that equipment (as the vendors scramble to off-load these toxic assets) — either as cheap equipment for the market or as “technical aid”. [...] I’ve seen this before — stores filled with ’donated’ networking equipment that the recipient was unable to use because the technology was old and worthless or never even existed in most African countries (think hubs and routers with ATM interfaces in Northern Cameroon or Nigeria)."
▻http://www.circleid.com/posts/20150713_ipv4_exhaustion_5_implications_for_africa_running_out_last
Apple OS X 10.11 and iOS 9 now prefer IPv6 for connections
Thanks to an improved Happy Eyeballs implementation (Eric Vyncke says 25 ms instead of the 300 ms specified in RFC 6555), the split went from roughly 50/50 IPv4/IPv6 in iOS 8 and OS X 10.10 to about 99% IPv6 in iOS 9 and OS X 10.11.
This is good news, when you think that now ARIN also “ran out of IPv4 addresses”; i.e. was unable to meet a legitimate demand for IPv4 address space as from 1 July 2015. (This does not mean there are no more IPv4 addresses, it just means that for the first time ARIN could not satisfy a valid demand for address space).
▻https://www.arin.net/resources/request/waiting_list.html
#IPv6
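The Happy Eyeballs mechanism behind the 50/50 to 99% shift is simple to state: start the IPv6 connection first, give it a short head start, then start IPv4 and keep whichever completes first. As an added example (not Apple's code or the RFC's reference implementation), here is a Python asyncio simulation of that race in which the connect latencies are simulated with sleeps, so you can see how the head-start value decides the outcome: with the post's 300 ms figure IPv4 only wins when IPv6 is badly broken, while with 25 ms IPv6 has to be genuinely competitive to win. The latency values and the `connect` wrapper are constructed for this example.

```python
import asyncio


async def simulated_connect(family, latency_ms, succeeds=True):
    """Stand-in for a real TCP connect(): completes after latency_ms, or fails."""
    await asyncio.sleep(latency_ms / 1000)
    if not succeeds:
        raise ConnectionError(f"{family} connect failed")
    return family


async def _first_success(tasks):
    """Wait for the first task that completes without an exception; cancel the rest."""
    pending = set(tasks)
    while pending:
        done, pending = await asyncio.wait(pending, return_when=asyncio.FIRST_COMPLETED)
        for task in done:
            if task.exception() is None:
                for other in pending:
                    other.cancel()
                return task.result()
    raise ConnectionError("all address families failed")


async def happy_eyeballs(v6_latency_ms, v4_latency_ms, v6_ok=True, v4_ok=True, delay_ms=300):
    """Happy Eyeballs race: IPv6 first, IPv4 started only after delay_ms has passed
    (or IPv6 failed outright), first successful connection wins.
    Returns (winning_family, elapsed_ms)."""
    loop = asyncio.get_running_loop()
    start = loop.time()
    v6 = asyncio.create_task(simulated_connect("IPv6", v6_latency_ms, v6_ok))
    # Head start: if IPv6 connects within the grace period, IPv4 is never attempted.
    done, _ = await asyncio.wait({v6}, timeout=delay_ms / 1000)
    if done and v6.exception() is None:
        return "IPv6", round((loop.time() - start) * 1000)
    # Grace period expired (or IPv6 failed): start IPv4 and race both.
    v4 = asyncio.create_task(simulated_connect("IPv4", v4_latency_ms, v4_ok))
    winner = await _first_success({v6, v4})
    return winner, round((loop.time() - start) * 1000)


def connect(v6_latency_ms, v4_latency_ms, v6_ok=True, v4_ok=True, delay_ms=300):
    """Synchronous wrapper so the race can be run from plain code."""
    return asyncio.run(happy_eyeballs(v6_latency_ms, v4_latency_ms, v6_ok, v4_ok, delay_ms))


if __name__ == "__main__":
    # Constructed latencies: IPv6 path 100 ms, IPv4 path 10 ms.
    print("300 ms head start:", connect(100, 10, delay_ms=300))  # IPv6 wins
    print(" 25 ms head start:", connect(100, 10, delay_ms=25))   # IPv4 wins
    print("IPv6 broken:      ", connect(5, 10, v6_ok=False))     # immediate IPv4 fallback
```

Note the trade-off the shorter timer makes: 25 ms means a user on a slow IPv6 path never waits long for IPv4, but it also means IPv6 must be nearly as fast as IPv4 to be chosen, which is why the reported 99% IPv6 share says as much about the quality of the IPv6 paths measured as about the algorithm.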
Apple Will Require IPv6 Support For All iOS 9 Apps
▻http://seenthis.net/messages/380174
#Microsoft IT’s #IPv6 killer app: #IPv4 address depletion... Familiar story!
▻http://www.ipv6conference.ch/wp-content/uploads/2015/06/B07-Keane_Microsoft_IPv6-at-enterprise-2015-final.pdf
#IPv6 at #Swisscom - ambitious, with pure IPv6 #VoLTE among other things:
▻http://www.ipv6conference.ch/wp-content/uploads/2015/06/B10-Swisscom-Status_Roadmap_and_Outlook_IPv6.pdf
Apple Will Require IPv6 Support For All iOS 9 Apps
▻http://www.internetsociety.org/deploy360/blog/2015/06/apple-will-require-ipv6-support-for-all-ios-9-apps
“Because IPv6 support is so critical to ensuring your applications work across the world for every customer, we are making it an AppStore submission requirement, starting with iOS 9.
Well, it’s one more step in the right direction towards the tipping point
Most significantly, though, this step by Apple means that all the iOS apps that run on iOS 9 will work well over the IPv6-only networks that are starting to be deployed. Even in dual-stack (IPv6/IPv4) networks, this should mean that iOS 9 apps will work better in those environments when, for instance, IPv6 may be faster. (More needs to be understood here about the specifics of the IPv6 support.)
May 2015 update on measuring #IPv6
▻https://ripe70.ripe.net/wp-content/uploads/presentations/129-2015-05-14-ipv6-stats.pdf #RIPE70
Money quote: « IPv6 users represent 7% of the total “net user value” of the Internet »
#IPv6 for #ISP - state, lessons, future
▻https://ripe70.ripe.net/wp-content/uploads/presentations/133-IPv6-for-ISPs.pdf #RIPE70
Change of address - routing issues of transferred #IPv4 addresses
▻https://ripe70.ripe.net/wp-content/uploads/presentations/61-27-Change_of_Address_Cowie-1.pdf #RIPE70
“#Telstra has revealed it has run out of #IPv4 internet addresses, prompting warnings that its use of network addressing translation could impact the carrier’s ability to accurately collect customer metadata for the Government”
Yes, of course, undermining the police state is the most important impact from running out of IPv4 addresses.
▻http://www.itnews.com.au/News/401918,telstra-runs-out-of-ipv4-addresses.aspx #surveillance #terrorism
Oh well, let’s use the next batch of stupid pseudoantiterrorist legislation to mandate migration to #IPv6 - the moral dilemma will tear Internet geeks apart!