Credited to: Matthew Prince.
June 6th is known as World IPv6 Day so we thought it was a good time to look at the trends in IPv6 usage across CloudFlare’s network. Two big themes we’ve seen: 1) IPv6 usage is growing steadily, but at the current pace we’re still going to be living with IPv4 for many years to come; and 2) while the majority of IPv6 traffic comes from legitimate users on mobile networks, attackers too are beginning to launch attacks over the protocol.
CloudFlare has supported IPv6 on our network for the last year and a half. We have become one of the largest providers of the IPv6 web because we offer a free IPv6 gateway that allows any website to be available over IPv6 even if a site’s origin network doesn’t yet support the protocol. For the last year, we’ve enabled IPv6 for customers on CloudFlare by default. Today, IPv6 is enabled for more than 1 million of our customers’ websites.
Since the beginning of 2013, IPv6 connections as a percentage of CloudFlare’s total traffic have fluctuated daily, from a minimum of 0.849% on January 5 to a maximum of 1.645% on June 3, 2013. If we look at the overall trend, IPv6 connections to our network have grown 26.5% since the start of the year.
Digging into where IPv6 connections are coming from, it appears the majority of the growth has been from mobile network providers. Increasingly, traffic from mobile devices to the web is passing over IPv6. We saw a significant drop in IPv6 connections from mid-March through early April, when a large mobile operator appears to have disabled and then re-enabled IPv6 connectivity on its network.
While the overall increase in IPv6 usage is encouraging, the trend unfortunately indicates we are going to be living with IPv4 for some time to come. At current growth rates, assuming adoption of IPv6 is linear, it will take almost 67 years for IPv6 connections to surpass IPv4 connections and the last IPv4 connection won’t be retired until May 10, 2148.
Things are a bit more optimistic if IPv6 adoption turns out to be exponential rather than linear. In that case, IPv6 connections will surpass IPv4 in about 5 years and 9 months. Not long thereafter, we’ll extinguish IPv4 entirely on January 10, 2020. Our guess is the reality will be somewhere between the linear and exponential case. Regardless of what IPv6’s adoption curve looks like, as a CloudFlare user you’re covered. We anticipate we will be operating a dual-stack network with both IPv4 and IPv6 support for all our customers until IPv4 is fully retired, whether that takes 7 years or 140.
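The two projections above follow from a single ratio (share today against share at the start of the year) fed into either a straight-line or a constant-rate model. The script below is an added example, not CloudFlare’s own analysis: it takes the post’s rounded figures (1.645% on June 3 and 26.5% growth since January 1) as assumed inputs, reconstructs the January share from them, and extrapolates both ways. Because the post does not publish the exact daily series it used, the dates it produces only approximate the 67-year and 5-year-9-month figures quoted above.

```python
"""Linear vs. exponential extrapolation of the IPv6 share of connections.

Added example, not CloudFlare's analysis. Inputs are ASSUMED from the post's
rounded figures; the post does not give its underlying series, so the output
only approximates its numbers.
"""
import math
from datetime import date, timedelta

SHARE_NOW = 1.645          # assumed: percent of connections over IPv6 on 3 June 2013
GROWTH_SINCE_JAN = 0.265   # assumed: +26.5% relative growth since 1 January 2013
T_NOW = date(2013, 6, 3)
YEARS_ELAPSED = (T_NOW - date(2013, 1, 1)).days / 365.25

# Share on 1 January implied by the relative growth figure.
SHARE_JAN = SHARE_NOW / (1 + GROWTH_SINCE_JAN)


def years_until_linear(target):
    """Years after T_NOW until the share reaches `target` percent if it keeps
    gaining the same number of percentage points per year."""
    slope = (SHARE_NOW - SHARE_JAN) / YEARS_ELAPSED   # percentage points per year
    return (target - SHARE_NOW) / slope


def years_until_exponential(target):
    """Same, if the share keeps multiplying by the same factor per year."""
    rate = math.log(SHARE_NOW / SHARE_JAN) / YEARS_ELAPSED   # continuous growth rate
    return math.log(target / SHARE_NOW) / rate


def projected_date(years):
    """Calendar date `years` (fractional) after T_NOW."""
    return T_NOW + timedelta(days=years * 365.25)


if __name__ == "__main__":
    for name, fn in (("linear", years_until_linear), ("exponential", years_until_exponential)):
        cross = fn(50.0)    # IPv6 connections surpass IPv4
        done = fn(100.0)    # last IPv4 connection retired
        print(f"{name:12s} IPv6 > IPv4 in {cross:6.1f} years ({projected_date(cross)}), "
              f"IPv4 retired in {done:6.1f} years ({projected_date(done)})")
```

With these assumed inputs the linear model crosses 50% in roughly 59 years and retires IPv4 around 2133, while the exponential model crosses in about 6 years and retires IPv4 in late 2020, the same order of magnitude as the post’s figures and the same lesson: the answer depends almost entirely on which growth model you believe.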
While the majority of IPv6 connections today are coming from legitimate users on mobile networks, over the last two months we’ve seen a marked increase in the number of IPv6-based web attacks. Largely these have been DDoS attacks. The attacks have typically been both Layer 4 (e.g., SYN floods) as well as Layer 7 (e.g., application layer attacks).
To date, the IPv6-based DDoS attacks have been relatively modest. The largest we’ve seen to date generated approximately 3 gigabits per second of traffic and accompanied a much larger traditional IPv4-based DDoS.
While a novelty, these attacks don’t cause significant harm to CloudFlare’s systems. We designed CloudFlare anticipating the transition to IPv6, so our defenses assume an IPv6-enabled world. We speculate, however, that attackers may be targeting IPv6 as a way of bypassing older protections that base their protection largely on IPv4 blacklists.
IPv6 makes a strict blacklist on a per-IP basis much more challenging since the number of addresses available to an attacker can be significantly larger. This is a challenge that large blacklist operators like Spamhaus are currently thinking through. While IPv6 can present a challenge to some attack filtering strategies, it also presents opportunities. For example, since IPv6 reduces the need for NATs and provides users addresses that are routable all the way to the end device, we believe over time IPv6 will provide the ability to build significantly more accurate whitelists.
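One practical answer to the per-IP blacklist problem described above is to stop keying the list on single IPv6 addresses and key it on the prefix a subscriber actually controls. The following is an added example, not CloudFlare’s code: it groups reported abusive IPv6 sources by /64 and blocks the whole prefix once enough distinct hosts in it have misbehaved, keeps IPv4 entries as single hosts, and includes an exact-address allowlist to illustrate the complementary whitelisting idea. The /64 grouping and the threshold of three hosts are assumptions, and all addresses are constructed samples from documentation ranges.

```python
"""Prefix-aware blocklist for IPv6 abuse sources (added example, not CloudFlare code).

A strict per-address (/128) list is easy to outrun on IPv6 because one abuser
can rotate through an entire /64, so abusive addresses are grouped by /64 and
the prefix is blocked once it has produced ABUSE_THRESHOLD distinct bad hosts.
"""
import ipaddress
from collections import defaultdict

IPV6_GROUP_PREFIX = 64   # assumed: treat each /64 as one subscriber
ABUSE_THRESHOLD = 3      # assumed: distinct bad hosts in a /64 before blocking it


class PrefixBlocklist:
    def __init__(self, threshold=ABUSE_THRESHOLD):
        self.threshold = threshold
        self.allowed_hosts = set()       # exact addresses that override any block
        self.blocked_hosts = set()       # exact IPv4/IPv6 addresses reported
        self.blocked_prefixes = set()    # IPv6Network objects (/64)
        self._seen = defaultdict(set)    # /64 -> abusive hosts observed inside it

    @staticmethod
    def _prefix(addr):
        """The /64 containing an IPv6 address (host bits zeroed)."""
        return ipaddress.ip_network((str(addr), IPV6_GROUP_PREFIX), strict=False)

    def allow(self, ip):
        """Whitelist one end-device address; it wins over host and prefix blocks."""
        self.allowed_hosts.add(ipaddress.ip_address(ip))

    def report(self, ip):
        """Record one abusive source address."""
        addr = ipaddress.ip_address(ip)
        self.blocked_hosts.add(addr)
        if addr.version == 6:
            net = self._prefix(addr)
            self._seen[net].add(addr)
            if len(self._seen[net]) >= self.threshold:
                self.blocked_prefixes.add(net)

    def is_blocked(self, ip):
        addr = ipaddress.ip_address(ip)
        if addr in self.allowed_hosts:
            return False
        if addr in self.blocked_hosts:
            return True
        return addr.version == 6 and self._prefix(addr) in self.blocked_prefixes


def build_demo():
    """Constructed scenario: three hosts in one /64 misbehave, plus one IPv4 host."""
    bl = PrefixBlocklist()
    for ip in ("2001:db8:1::a", "2001:db8:1::b", "2001:db8:1::c", "198.51.100.7"):
        bl.report(ip)
    bl.allow("2001:db8:1::cafe")   # a known-good device inside the blocked /64
    return bl


if __name__ == "__main__":
    bl = build_demo()
    for ip in ("2001:db8:1::dead", "2001:db8:1::cafe", "2001:db8:2::1",
               "198.51.100.7", "198.51.100.8"):
        print(f"{ip:18s} blocked={bl.is_blocked(ip)}")
```

The unseen address `2001:db8:1::dead` is blocked because its /64 crossed the threshold, while a neighbouring /64 is untouched; the allowlisted device inside the blocked prefix still gets through, which is the kind of end-device accuracy the paragraph above expects IPv6 to make possible.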
We will continue to monitor overall IPv6 growth rates as well as interesting trends in IPv6-based attacks. In the meantime, there’s no better way to celebrate World IPv6 Day than signing up for CloudFlare and ensuring your site is automatically available for the increasing percentage of users that are accessing it over IPv6. It’s free and will only take you 5 minutes to join the modern web.
DNS (Domain Name System) is an Internet service that converts user-friendly domain names into the numerical Internet protocol (IP) addresses that computers use to talk to each other. When you enter a domain name, such as http://www.fbi.gov, in your web browser address bar, your computer contacts DNS servers to determine the IP address for the website. Your computer then uses this IP address to locate and connect to the website. DNS servers are operated by your Internet service provider (ISP) and are included in your computer’s network configuration. DNS and DNS Servers are a critical component of your computer’s operating environment—without them, you would not be able to access websites, send e-mail, or use any other Internet services.
Criminals have learned that if they can control a user’s DNS servers, they can control what sites the user connects to on the Internet. By controlling DNS, a criminal can get an unsuspecting user to connect to a fraudulent website or to interfere with that user’s online web browsing. One way criminals do this is by infecting computers with a class of malicious software (malware) called DNSChanger. In this scenario, the criminal uses the malware to change the user’s DNS server settings to replace the ISP’s good DNS servers with bad DNS servers operated by the criminal. A bad DNS server operated by a criminal is referred to as a rogue DNS server.
The FBI has uncovered a network of rogue DNS servers and has taken steps to disable it. The FBI is also undertaking an effort to identify and notify victims who have been impacted by the DNSChanger malware. One consequence of disabling the rogue DNS network is that victims who rely on the rogue DNS network for DNS service could lose access to DNS services. To address this, the FBI has worked with private sector technical experts to develop a plan for a private-sector, non-government entity to operate and maintain clean DNS servers for the infected victims. The FBI has also provided information to ISPs that can be used to redirect their users from the rogue DNS servers to the ISPs’ own legitimate servers. The FBI will support the operation of the clean DNS servers for four months, allowing time for users, businesses, and other entities to identify and fix infected computers. At no time will the FBI have access to any data concerning the Internet activity of the victims.
It is quite possible that computers infected with this malware may also be infected with other malware. The establishment of these clean DNS servers does not guarantee that the computers are safe from other malware. The main intent is to ensure users do not lose DNS services.
What Does DNSChanger Do to My Computer?
DNSChanger malware causes a computer to use rogue DNS servers in one of two ways. First, it changes the computer’s DNS server settings to replace the ISP’s good DNS servers with rogue DNS servers operated by the criminal. Second, it attempts to access devices on the victim’s small office/home office (SOHO) network that run a dynamic host configuration protocol (DHCP) server (e.g., a router or home gateway). The malware attempts to access these devices using common default usernames and passwords and, if successful, changes the DNS servers these devices use from the ISP’s good DNS servers to rogue DNS servers operated by the criminals. This is a change that may impact all computers on the SOHO network, even if those computers are not infected with the malware.
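The first thing a DNSChanger-style infection changes is the list of resolvers the computer uses, so the cheapest check is to compare that list against the resolvers the ISP actually provisions. The script below is an added example, not FBI or US-CERT code: it reads resolv.conf-style text and sorts each nameserver into an expected ISP resolver, a local gateway address (the SOHO router, which the malware may itself have reconfigured), or an unexpected public address, the pattern a host-level change like the one described above would leave behind. The expected resolvers and the sample configuration are constructed placeholders from documentation ranges, not the rogue servers the FBI disabled, which this notice does not list.

```python
"""Flag DNS resolver settings that do not match what the ISP provisions.

Added example, not FBI/US-CERT code. Resolver addresses here are constructed
placeholders; the real rogue server ranges are not given on this page.
"""
import ipaddress

# Assumed: the resolvers your ISP actually hands out (placeholder values).
EXPECTED_RESOLVERS = {
    ipaddress.ip_address("192.0.2.53"),
    ipaddress.ip_address("192.0.2.54"),
}

# Addresses that normally point at the home router or the host itself.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "127.0.0.0/8", "fc00::/7", "fe80::/10", "::1/128",
)]


def parse_resolv_conf(text):
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()   # drop comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(ipaddress.ip_address(parts[1]))
            except ValueError:
                continue   # malformed entry; ignore it
    return servers


def classify_resolvers(servers, expected=EXPECTED_RESOLVERS):
    """Sort resolvers into expected / local_gateway / unexpected buckets."""
    result = {"expected": [], "local_gateway": [], "unexpected": []}
    for s in servers:
        if s in expected:
            result["expected"].append(str(s))
        elif any(s in net for net in LOCAL_NETS):
            result["local_gateway"].append(str(s))
        else:
            result["unexpected"].append(str(s))   # a public resolver nobody provisioned
    return result


SAMPLE_RESOLV_CONF = """\
# constructed sample configuration
nameserver 192.0.2.53
nameserver 203.0.113.77   # not one of the ISP's resolvers
nameserver 192.168.1.1    # the home router
"""

if __name__ == "__main__":
    report = classify_resolvers(parse_resolv_conf(SAMPLE_RESOLV_CONF))
    for bucket, addrs in report.items():
        print(f"{bucket:14s} {addrs}")
```

An entry in the `unexpected` bucket is the host-level symptom; an entry in `local_gateway` is not itself suspicious, but because the malware also rewrites the DNS settings of routers it reaches with default credentials, the router’s own upstream resolvers need the same comparison. On Windows the resolver list from `ipconfig /all` can be classified the same way.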
Information regarding malicious software removal can be found at the website of the United States Computer Emergency Readiness Team: https://www.us-cert.gov/reading_room/trojan-recovery.pdf.
Internet Security Alliance Daily Brief
** Your source for current and relevant cyber security issues **
For Your Immediate Attention
The DoD Cyber Strategy – “Department of Defense Strategy for Operating in Cyberspace” outlines 5 strategic initiatives. They are to treat cyberspace as an operational domain to organize, train, and equip so that DoD can take full advantage of cyberspace’s potential; employ new defense operating concepts to protect DoD networks and systems; partner with other U.S. government departments and agencies and the private sector to enable a whole-of-government cybersecurity strategy; build robust relationships with U.S. allies and international partners to strengthen collective cybersecurity; and leverage the nation’s ingenuity through an exceptional cyber workforce and rapid technological innovation.
Click here to read the strategy: http://www.defense.gov/news/d20110714cyber.pdf
In Today’s News
Key senator calls for special cyber security panel – LA Times, July 14
Republican Senator John McCain called on Wednesday for the creation of a bipartisan panel to draft long-sought legislation to combat data breaches and espionage aimed at U.S. companies and defense networks. “The only way to move comprehensive cyber security legislation forward swiftly is to have committee chairmen and ranking members step away from preserving their own committees’ jurisdiction … (and) develop a bill that serves the national security needs of all Americans,” McCain wrote. Lawmakers have considered several cybersecurity bills in recent years, but failed to pass any. But the question of how to fight cyber crime and espionage has taken on new urgency in the past year with a spate of high-profile and, sometimes, sophisticated attacks. McCain said the serious threat of cyber incursions into U.S. networks and companies by foreign governments and organized crime created a need for quick action. Senator Joe Lieberman, an Independent and chair of the Homeland Security Committee, and Senator Susan Collins, the top Republican on the panel, responded to McCain that they disagreed strongly with the idea of a select committee. “A select committee will necessarily require a restart of efforts that have been underway for years and would wash away the significant progress that the Senate has made,” they wrote in a letter, also to Reid and Collins.
DOD Could use force in cyber war – Politico, July 15
The Pentagon is ready to fight hackers with their own weapons in cyberspace, the newest domain for warfare but also “reserves the right” to respond to a cyberattack with military force, defense officials said Thursday. At the National Defense University in Fort McNair, the Department of Defense unveiled its 13-page, de-classified cyberstrategy detailing how the U.S. would defend its networks and systems against cyberattacks. “It would be irresponsible, and a failure of the Defense Department’s mission, to leave the nation vulnerable to a known threat,” Deputy Defense Secretary William Lynn told reporters. “Accordingly, the United States reserves the right, under the laws of armed conflict, to respond to serious cyberattacks with a proportional and justified military response at the time and place of our choosing.” Lynn addressed concerns that the department is taking an aggressive, offensive role in cyberspace, saying the strategy’s “overriding emphasis is on denying the benefit of the attack.” “If an attack will not have its intended effect, those who wish us harm will have less reason to target us in the first place,” Lynn said. He added that the response to a cyberattack is “dictated by the effect” and “not by the location.” The president would “consider all the tools he has” if the attacks result in massive damage, including human losses and significant economic damage. The bottom line is that the decision will be a judgment call, according to experts. The DOD cyberstrategy is made up of five initiatives. First, the Pentagon has recognized cyberspace as a new domain for warfare — just like land, sea, space and air. As such, the strategy calls for the department to equip and train itself to operate effectively in this new domain. Secondly, the department will continue to implement new cyberpractices to defend its networks and systems, as well as take steps to prevent personnel disclosure of classified information through training and adopting new policies.
Participation in the pilot program is voluntary, and Lynn said it has already stopped intrusions on some of the private partners. In the same vein as the Obama administration’s global cybersecurity strategy, the department’s strategy encourages working with other countries to develop common cybersecurity standards and to share information about cyberthreats and criminals. The long-awaited DOD cyberstrategy “hit everything they need to hit,” Lewis said. But some components may be more difficult than others to implement. The call for more of a public-private partnership is a great idea but “expanding to get these hip, West Coast companies is going to be hard,” he said.
DOD announces first strategy for operating in cyberspace – US Department of Defense, July 14
The Department of Defense (DOD) released the DOD Strategy for Operating in Cyberspace July 14. It is the first DOD unified strategy for cyberspace and officially encapsulates a new way forward for DOD’s military, intelligence, and business operations. Reliable access to cyberspace is critical to U.S. national security, public safety, and economic well-being. Cyber threats continue to grow in scope and severity on a daily basis. More than 60,000 new malicious software programs or variations are identified every day threatening the security, economy, and citizens of the United States. “The cyber threats we face are urgent, sometimes uncertain and potentially devastating as adversaries constantly search for vulnerabilities,” the Deputy Secretary of Defense said. “Our infrastructure, logistics network and business systems are heavily computerized. With 15,000 networks and more than 7 million computing devices, DOD continues to be a target in cyberspace for malicious activity.” The DOD and other governmental agencies have taken steps to anticipate, mitigate, and deter these threats. DOD deepened and strengthened coordination with DHS to secure critical networks as evidenced by the recent DOD-DHS Memorandum of Agreement. “Strong partnerships with other U.S. government departments and agencies, the private sector and foreign nations are crucial,” the Deputy said. “Our success in cyberspace depends on a robust public/private partnership. The defense of the military will matter little unless our civilian critical infrastructure is also able to withstand attacks.”
Google+ related scams move to Facebook – Help Net Security, July 14
Scammers continue to take advantage of the interest raised by the introduction of Google+ and have begun tricking Facebook users into giving them access to their accounts via a rogue application. Users are lured in by updates on their news feeds seemingly posted by their friends, which “like” the “Google+ – Get Invite” Facebook page. Clicking on the link gets users to the page, where the rogue app by the name “Google Plus – Direct Access” is linked. Clicking on the link initiates the request for permissions from the app. Once the permission is given, the victim is urged to “like” the page that propagates the app and is encouraged to send an invite to their friends to visit it — in the hope that they will fall more easily for the scam if a friend of theirs appears to be supporting it. At the end of the process, the user is redirected to the official Google+ homepage. However, if they try to sign in, they are faced with the notice that the service currently exceeded capacity.
Apache Tomcat security bypass vulnerability – Help Net Security – July 14
A security issue and a vulnerability have been reported in Apache Tomcat, which can be exploited by malicious, local users to bypass certain security restrictions or cause a DoS, according to Secunia. The security issue is caused due to Apache Tomcat not properly verifying sendfile request attributes when running under a security manager, which can be exploited by a malicious Web application to bypass intended restrictions and, for example, disclose local files. The vulnerability is caused due to Apache Tomcat not properly handling sendfile requests with invalid start and endpoints, which can be exploited to crash the JVM. Successful exploitation requires that a malicious Web application is deployed, and a security manager and the HTTP NIO or HTTP APR connector with enabled sendfile is used. Source: http://www.net-security.org/secworld.php?id=11285
Sega forums still closed a month after mystery hack – The Register, July 14
Sega’s forum remains offline almost a month after its forums and other sites were hit by hacktivists, The Register reported July 14. Hackers broke into Sega’s systems and made off with user registration details, e-mail addresses, birth dates, and encrypted passwords of about 1.3 million users in June. No financial data was exposed by the hack, which was initially blamed on the hacking group LulzSec. The now defunct group denied involvement, even going so far as offering to track down the miscreants. Sega took the precaution June 16 of suspending its forums and other sites accessed via Sega Pass system while it beefed up security. This work remains ongoing almost a month later. A representative of Sega told The Register the sites remain offline for testing. No date has been set for restoration.
VLC Media Player vulnerable to heap overflow exploits – H Security, July 14
According to the VideoLAN project, VLC Media Player is susceptible to two heap overflow vulnerabilities in the Real Media and AVI file parsers. These holes, rated as “Highly critical” by security specialists at Secunia, could be exploited by an attacker to crash the player or possibly execute arbitrary code on a victim’s system. For an attack to be successful, a user must first open a specially crafted malicious file. The vulnerabilities have been confirmed to affect the latest 1.1.10 release of VLC, from early June. According to the VLC developers, an upcoming maintenance and security update, VLC 1.1.11, will address these problems and introduce further stability fixes.
Report: Sixty percent of users are running unpatched versions of Adobe – Dark Reading, July 13
Six out of every 10 users of Adobe Reader are running unpatched versions of the program, leaving them vulnerable to a variety of malware attacks, according to a report published July 13. In a study of its own antivirus users, Avast Software found 60.2 percent of those with Adobe Reader were running a vulnerable version of the program, and only 40 percent of users had the newest Adobe Reader X or were fully patched. One out of every five users also had an unpatched version of Adobe Reader that was at least two generations old, the study said. Adobe Reader is the most popular PDF reader application, and is a frequent target for malware writers. More than 80 percent of Avast users run a version of Adobe Reader.
Trend Micro Control Manager file disclosure vulnerability – Help Net Security, July 13
A vulnerability in Trend Micro Control Manager can be exploited by malicious users to disclose sensitive information, according to Secunia. Input passed via the “module” parameter to WebApp/widget/proxy_request.php (when “sid” is set to “undefined” and “serverid”, “SORTFIELD”, “SELECTION”, and “WID” are set) is not properly verified before being used to read files. This can be exploited to read arbitrary files from local resources via directory traversal sequences. The vulnerability is confirmed in version 5.5 (Build 1250). Other versions may also be affected. Source: http://www.net-security.org/secworld.php?id=11279
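The defect described above is the classic one: a request parameter that names a file is used to open it without first confirming that the resolved path still lies inside the intended directory. The code below is an added example, not Trend Micro’s: `safe_module_path` is a generic hardened lookup written for this page (the advisory gives only the script and parameter names, which are reused as constructed inputs), `BASE_DIR` is an assumed location, and the access-log lines are constructed. It goes a step beyond the literal `../` case by also rejecting URL-encoded, double-encoded, backslash and absolute-path variants, and the second function shows how the same check doubles as a detection rule over web-server logs.

```python
"""Rejecting directory traversal in a user-supplied file parameter, plus a log
check for attempts against it. Added example, not Trend Micro's code; BASE_DIR
and the log lines are constructed for this page.
"""
import posixpath
from urllib.parse import parse_qs, unquote, urlsplit

BASE_DIR = "/var/www/widgets"   # assumed directory holding the legitimate module files


def safe_module_path(module, base_dir=BASE_DIR):
    """Absolute path of `module` strictly below base_dir, or None if the value
    would escape it. Decoding happens before normalisation so encoded dots and
    slashes cannot slip past the check."""
    decoded = unquote(unquote(module)).replace("\\", "/")   # single + double encoding
    if not decoded or "\x00" in decoded or decoded.startswith("/"):
        return None
    candidate = posixpath.normpath(posixpath.join(base_dir, decoded))
    # The decisive check: after normalisation, is the result still under base_dir?
    if candidate == base_dir or posixpath.commonpath([base_dir, candidate]) != base_dir:
        return None
    return candidate


def find_traversal_requests(log_lines, param="module"):
    """Return (url, value) pairs for logged requests whose `param` would escape BASE_DIR."""
    hits = []
    for line in log_lines:
        fields = line.split('"')                 # common log format: request is quoted
        if len(fields) < 2:
            continue
        request = fields[1].split()              # e.g. ['GET', '/path?x=y', 'HTTP/1.1']
        if len(request) < 2:
            continue
        url = request[1]
        for value in parse_qs(urlsplit(url).query).get(param, []):
            if safe_module_path(value) is None:
                hits.append((url, value))
    return hits


SAMPLE_LOG = [  # constructed access-log lines; the first is a normal request
    '192.0.2.10 - - [13/Jul/2011:10:00:01 +0000] "GET /WebApp/widget/proxy_request.php?module=summary&sid=undefined HTTP/1.1" 200 512',
    '203.0.113.5 - - [13/Jul/2011:10:00:02 +0000] "GET /WebApp/widget/proxy_request.php?module=..%2F..%2F..%2Fetc%2Fpasswd&sid=undefined HTTP/1.1" 200 1024',
    '203.0.113.5 - - [13/Jul/2011:10:00:03 +0000] "GET /WebApp/widget/proxy_request.php?module=%252e%252e%2F%252e%252e%2Fboot.ini&sid=undefined HTTP/1.1" 200 220',
]

if __name__ == "__main__":
    for value in ("summary", "sub/../summary", "../../etc/passwd", "%2e%2e%2fetc%2fpasswd"):
        print(f"{value!r:28s} -> {safe_module_path(value)}")
    for url, value in find_traversal_requests(SAMPLE_LOG):
        print("traversal attempt:", value, "in", url)
```

The check is deliberately done on the normalised absolute path rather than by searching the input for `..`, because the latter misses encoded and mixed-separator forms; a 200 status on a flagged request, as in the constructed second and third lines, is the signal that the file was actually served.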
Monsanto confirms Anonymous hacking attack – CNET News, July 13
Agricultural biotech giant Monsanto confirmed July 13 it had been victimized by a hacking attack that the online activist collective Anonymous announced July 12. “Last month, Monsanto experienced a disruption to our Web sites which appeared to be organized by a cyber-group,” the director of corporate affairs said in a statement. “In addition, this group also recently published publicly available information on approximately 2,500 individuals involved in the broader global agriculture industry,” it indicated. “Contrary to initial media reports, only 10 percent of this publicly available information related to Monsanto’s current and former employees. The list also included contact details for media outlets as well as other agricultural companies.” The company turned information on the attacks over to the “appropriate authorities,” and remains “vigilant in protecting our information systems,” the statement added. Anonymous released contact information for about 2,500 people that presumably was snagged July 12 from Monsanto, and said it had attacked the company’s Web servers to protest lawsuits the company filed against organic dairy farmers for stating on labels that their products don’t contain growth hormones. Monsanto makes genetically engineered seeds, and pesticides.
Voda femtocells open phones up to intercept – The Register, July 14
Security researchers claim to have uncovered a serious security hole in Vodafone’s mobile network. Security shortcomings in the femtocell technology supplied by the cell phone giant create a means to extract data that would allow hackers to intercept calls or impersonate users that connect through a compromised device, The Hacker’s Choice (THC) claims. Femtocells are home routers that use broadband connections to improve mobile coverage, allowing calls to be made indoors more easily. THC claims to have reverse-engineered the Sagem-manufactured kit, and discovered a way for any subscriber to use a femtocell. A second vulnerability creates a means for hackers to grab secret subscriber information from Vodafone (specifically IMSI — international mobile subscriber identity — data from Home Location Register and authentication systems). Because of this shortcoming, it is possible to turn a hacked femtocell into an interception device, the researchers claim. Access to a victim’s voicemail would also be possible. All these hacks would only work once a victim had been tricked into using a compromised base station, something that can happen automatically, but only over a short distance of around 50 meters from the device. The root cause of the problem is that the allegedly insecure base station kit is assigned functions normally restricted to carriers’ core network authentication systems. Source: http://www.theregister.co.uk/2011/07/14/vodafone_femtocell_hack/
The Solera DS 5200 is the high-performance network forensics solution for organizations that demand the performance of complete capture at speeds up to 10Gbps coupled with the large onboard storage capacity of 16TB. In addition, Solera Networks offers the only network forensics appliance available that can sustain complete packet capture and indexing at the speeds of today’s fastest enterprise networks.
Powered by SoleraSix, the Solera DS 5200 appliance creates a complete indexed, classified, and searchable record of network traffic (header and payload, layer 2-7) and allows analysis through instant reports, search, and reconstruction of all network traffic, using the integrated DeepSee Applications. This combination of detailed analysis significantly reduces incident response time and provides complete situational awareness.