JAPAN REGISTRY SERVICES
Copyright © 2008 Japan Registry Services Co., Ltd.
Source port vulnerabilities in .JP
- static source port issue -
24 SEP 2008
2008 OARC Workshop in Ottawa
Izuru Shirai
Japan Registry Services Co., Ltd.
Contents
  Introduction
    About JPRS and .JP
    JP DNS
  General statistics
  DNS vulnerability issue
    JPRS’s work
    Progress report
  Characteristics of source port usage
  Discussion
INTRODUCTION
About JPRS and .JP
History
  Aug 1986: JP domain name delegated to Jun MURAI
  Dec 1991: JNIC established
  Apr 1993: JNIC reorganized as JPNIC
  Dec 1993: JPNIC delegated by InterNIC to manage the reverse DNS name servers for JPNIC-assigned address blocks
  Jun 1995: Application fees for IP addresses and JP domain names introduced
  Dec 2000: JPRS established to succeed to the management and administration of JP domain names
  Feb 2002: "ccTLD Sponsorship Agreement (.JP)" executed
Role
  .JP registration
  .JP DNS operation
Outline of JP domain
Registered JP Domain Names (as of 2008/09/01): 1,043,513 domains
.JP has two levels of name space:
  3rd and deeper level: Organizational Type and Geographic Type JP Domain Name
    Judgment required
    Subtotal: 386,447 domains
    e.g. jprs.co.jp, nic.ad.jp, metro.tokyo.jp, city.yokohama.jp ...
  2nd level: General-Use JP Domain Name
    Local presence required
    Subtotal: 657,066 domains
    e.g. jprs.jp
Time-Series Data of .JP
[Figure: number of registered .JP domain names over time, 0 to 1,200,000; series: Organizational Type and Geographic Type Domain Name, General-Use JP Domain Name]
JP DNS
JP DNS servers are managed by JPRS and operated by the following organizations.
2 more NS will be added.

NS        IPv4             IPv6                 Organization  Anycast
a.dns.jp  203.119.1.1      2001:dc4::1          JPRS          BGP anycast
b.dns.jp  202.12.30.131    -                    JPNIC         N/A
d.dns.jp  210.138.175.244  2001:240::53         IIJ           IGP anycast
e.dns.jp  192.50.43.53     2001:200:c000::35    WIDE          BGP anycast
f.dns.jp  150.100.2.3      2001:2f8:0:100::153  SINET         N/A
JP DNS Server Locations
Active sites: 7 in Japan, 3 in the US, 1 in the EU
GENERAL STATISTICS
Statistics for a.dns.jp
Why a.dns.jp?
  We have the whole query log of a.dns.jp since January 2004, so time-series analysis is easy.
  Various features are supported:
    BGP anycast ready
    IPv6 ready
[Figure: time-series data for the number of queries per day at A.DNS.JP, 0 to 400,000,000; series: number of queries, exponential approximation]
DSC: Client Geography
[Figure: DSC client-geography panels for two a.dns.jp nodes ("some node", "another node")]
APNIC and ARIN blocks are dominant.
Heavy user (heavy hitter?)
[Figure: cumulative ratio of queries (0% to 100%) against clients ranked by query count (0 to 50,000); markers at the top 0.4%, top 5% and top 10% of clients]
0.4% of the clients send 50% of the queries.
DNS VULNERABILITY ISSUE
What has JPRS done?
  Cooperated with JPCERT/CC and JPNIC on disclosure of the issue
    The suspected host list was passed on via the .JP registrars
    Reported the technical details in Japanese
  Analyzed the queries at a.dns.jp
    Progress report on the application of patches
    Suspected host list (the heavy users)
    Called the direct attention of some heavy users to the issue
Progress report in .JP
  Classification
    Queries were analyzed per hour, per source IP address.
    Green means the clients are probably safe: they use multiple source ports.
    Red means the clients are vulnerable: they use only one source port.
    Yellow means the clients are not classified: they sent only one query in that hour, which says nothing about their port usage.
    (Green only shows that more than one port was seen; it does not test randomness. That is taken up in the later discussion.)
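The three-colour rule above, run over a query log, as an added example (this is not JPRS's code and the line format is constructed for the example, not the a.dns.jp query-log format; the IP addresses and hour boundaries are likewise assumptions):

```python
"""Per-hour source-port classification of the clients of an authoritative
server, following the three-colour rule on the slide.

Added example, not JPRS code.  The log format below is constructed for
the example (it is not the a.dns.jp query-log format):
    <ISO timestamp> <client IP> <source port> <qname> <qtype>
"""
from collections import defaultdict

SAFE, VULNERABLE, UNCLASSIFIED = "green", "red", "yellow"

# Constructed sample log for one hour plus the start of the next.
# 192.0.2.10 always uses port 32768; 198.51.100.7 uses a new port per query;
# 203.0.113.9 alternates between only two fixed ports; 192.0.2.200 sends once.
SAMPLE_LOG = """\
2008-09-01T23:00:05 192.0.2.10 32768 jprs.jp A
2008-09-01T23:01:17 192.0.2.10 32768 nic.ad.jp NS
2008-09-01T23:07:40 192.0.2.10 32768 city.yokohama.jp A
2008-09-01T23:00:09 198.51.100.7 41217 jprs.co.jp A
2008-09-01T23:02:33 198.51.100.7 6081 jprs.jp MX
2008-09-01T23:09:02 198.51.100.7 57730 metro.tokyo.jp A
2008-09-01T23:15:00 203.0.113.9 53 jprs.jp A
2008-09-01T23:40:41 203.0.113.9 14053 jprs.jp AAAA
2008-09-01T23:55:55 203.0.113.9 53 example.jp A
2008-09-01T23:31:12 192.0.2.200 1024 nic.ad.jp A
2008-09-02T00:03:00 192.0.2.10 32768 jprs.jp A
2008-09-02T00:03:01 192.0.2.10 32769 jprs.jp A
"""


def parse_line(line):
    """Split one constructed log line into (hour bucket, client IP, source port)."""
    timestamp, client, port, _qname, _qtype = line.split()
    return timestamp[:13], client, int(port)      # "YYYY-MM-DDTHH"


def aggregate(log_text):
    """Map (hour, client) -> [query count, set of distinct source ports]."""
    stats = defaultdict(lambda: [0, set()])
    for line in log_text.splitlines():
        if not line.strip():
            continue
        hour, client, port = parse_line(line)
        entry = stats[(hour, client)]
        entry[0] += 1
        entry[1].add(port)
    return stats


def classify(queries, ports):
    """The slide's rule: one query gives no evidence, so it stays yellow;
    otherwise more than one distinct port is green, exactly one is red."""
    if queries < 2:
        return UNCLASSIFIED
    return SAFE if len(ports) > 1 else VULNERABLE


def classify_log(log_text):
    """Return {(hour, client): (colour, queries, distinct ports)}."""
    return {key: (classify(q, ports), q, len(ports))
            for key, (q, ports) in aggregate(log_text).items()}


def hourly_ratios(classes):
    """Per hour, the share of clients and of queries in each colour: the two
    quantities plotted in the progress-report graphs."""
    clients = defaultdict(lambda: defaultdict(int))
    queries = defaultdict(lambda: defaultdict(int))
    for (hour, _client), (colour, q, _ports) in classes.items():
        clients[hour][colour] += 1
        queries[hour][colour] += q
    ratios = {}
    for hour in clients:
        n_clients = sum(clients[hour].values())
        n_queries = sum(queries[hour].values())
        ratios[hour] = {c: (clients[hour][c] / n_clients, queries[hour][c] / n_queries)
                        for c in (SAFE, VULNERABLE, UNCLASSIFIED)}
    return ratios


if __name__ == "__main__":
    result = classify_log(SAMPLE_LOG)
    for key, value in sorted(result.items()):
        print(key, value)
    for hour, shares in sorted(hourly_ratios(result).items()):
        print(hour, shares)
```

Note what the rule does and does not catch: 203.0.113.9 comes out green although it only ever uses ports 53 and 14053, and 192.0.2.10 turns green in the second hour on the strength of two consecutive ports. The rule counts distinct ports, it does not measure randomness, which is why the per-client port-count plot in the later section is needed.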
[Figure: ratio of IP addresses (0 to 1) of the detected safe/vulnerable/unclassified clients, 06/30 to 09/15 (2008). Source IP addresses of the queries to A.DNS.JP are classified by the count of port numbers used per hour: green (safe) using multiple source ports, red (vulnerable) using a single source port, yellow (unclassified) sending only one query. Events marked on the time axis: patch released; details leaked; suspected host list informed to the registrars; list from our analysis informed to the heavy users.]
[Figure: ratio of queries (0 to 1) from the detected safe/vulnerable/unclassified clients, 06/30 to 09/15 (2008), classified per hour by count of source ports used: green (safe) multiple ports, red (vulnerable) a single port, yellow (unclassified) only one query. Events marked on the time axis: patch released; details leaked; suspected host list informed to the registrars; list from our analysis informed to the heavy users.]
Overview of the graph
  Current status
    The ratio of clients has reached an equilibrium.
    The ratio of queries is still making slight progress.
    We are watching the behavior of the heavy users.
  Discussion
    Randomness of the query source ports is not checked in these graphs.
    Whether infrequent users need to be included in the statistics is shown by the later discussion.
CHARACTERISTICS OF SOURCE PORT USAGE
Characteristic distribution among port numbers

Ranking by client count (percentage of clients)
        Before (July)          After (September)
  1.    32768   0.73%          32768   0.17%
  2.    53      0.58%          53      0.17%
  3.    32769   0.24%          32769   0.05%
  4.    49155   0.11%          1024    0.04%
  5.    1024    0.11%          1025    0.02%
  6.    49156   0.09%          32770   0.02%
  7.    32770   0.06%          1026    0.01%
  8.    1025    0.05%          32772   0.01%
  9.    1026    0.05%          32771   0.01%
  10.   1027    0.04%          1027    0.01%

Ranking by query count (percentage of queries)
        Before (July)          After (September)
  1.    32768   3.9%           53      2.1%
  2.    53      3.7%           32768   1.3%
  3.    32769   3.5%           32769   0.5%
  4.    14053   1.2%           32772   0.4%
  5.    53000   1.1%           1024    0.2%
  6.    32772   0.9%           1053    0.1%
  7.    54088   0.9%           32770   0.1%
  8.    49152   0.8%           32771   0.1%
  9.    32777   0.7%           15282   0.1%
  10.   34914   0.7%           39441   0.1%

Environmental reasons (OS default, NAT effect): 32768, 1024, 49152 ...
Operational reasons (required by firewall, distribution's default): 53, 14053, 53000 ...
How to show enough randomness
  Plot two data sets in the same graph:
    the number of detected queries (Y axis) from the clients that used a given number of source ports (X axis);
    the number of detected clients (Y axis) that used a given number of source ports (X axis).
[Figure: number of source ports used (X axis, 1 to 100,000, log scale) against number of clients/queries (Y axis, 1 to 10,000,000, log scale), 2008/09/01 23:00-24:00 JST; series: number of clients, number of queries. Annotated point: A.DNS.JP servers detected 298,873 queries from 39 clients which used 256 source ports, i.e. at X = 256 the client series reads 39 and the query series reads 298,873.]
Overview of the graph
  The scatter charts for queries and for clients basically make a similar figure, because only a small number of the clients are heavy users.
  An exceptional dot (many queries from few ports) indicates suspect vulnerable heavy users: not enough randomness!
  Special shapes: clients on the lines Y=X, Y=2X, Y=3X ... (one, two, three queries per distinct port) are using fully randomized source ports.
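The per-client check behind this plot, as an added example (not JPRS's code): each client is placed by (distinct source ports, queries) and compared with what uniformly random ports would produce. The client records are constructed; only the 256-port / 298,873-query point is a figure quoted above. The port pool (1024-65535), the `heavy` threshold and the `shortfall` factor are assumptions of the example. It also goes one step beyond the slide: the expected number of distinct ports is taken from the occupancy formula, so the Y=X line is only an approximation for clients that send far fewer queries than there are ports, and a very busy client with random ports bends below it.

```python
"""Per-client source-port randomness check behind the scatter plot on the
slide: a client is placed by (distinct source ports, queries) and compared
with what uniformly random ports would produce.

Added example, not JPRS code.  The client records below are constructed;
only the 256-port / 298,873-query point is a figure quoted on the slide.
The port pool (1024-65535), the `heavy` threshold and the `shortfall`
factor are assumptions of this example.
"""
from collections import defaultdict

PORT_POOL = 65535 - 1024 + 1       # assumption: ephemeral ports 1024-65535


def expected_distinct_ports(queries, pool=PORT_POOL):
    """Expected number of distinct ports seen in `queries` independent,
    uniform draws from `pool` ports (the classical occupancy formula).
    For queries << pool this is about `queries`, i.e. the Y=X line; for a
    very busy client it bends below that line even when ports are random."""
    return pool * (1.0 - (1.0 - 1.0 / pool) ** queries)


def queries_per_port(queries, distinct_ports):
    """Slope of the line the client sits on: 1 for Y=X, 2 for Y=2X, ..."""
    return queries / distinct_ports


def is_suspect(queries, distinct_ports, heavy=1000, shortfall=0.25):
    """A heavy client whose distinct-port count is far below the random
    expectation is a suspect (static or small-pool) source port user."""
    if queries < heavy:
        return False                 # too few queries to judge randomness
    return distinct_ports < shortfall * expected_distinct_ports(queries)


def scatter_series(clients):
    """The two series plotted on the slide: for each distinct-port count,
    how many clients showed it, and how many queries those clients sent."""
    by_clients = defaultdict(int)
    by_queries = defaultdict(int)
    for _label, ports, queries in clients:
        by_clients[ports] += 1
        by_queries[ports] += queries
    return dict(by_clients), dict(by_queries)


def flag_suspects(clients, **kwargs):
    """Labels of the clients the randomness check flags."""
    return [label for label, ports, queries in clients
            if is_suspect(queries, ports, **kwargs)]


# Constructed hour of data: (label, distinct source ports, queries).
SAMPLE_CLIENTS = [
    ("random-busy", 9_260, 10_000),   # near the random expectation (about 9,263)
    ("pool-256-a", 256, 298_873),     # the slide's outlying point
    ("pool-256-b", 256, 120_000),     # a second client stuck at 256 ports
    ("two-per-port", 1_900, 3_800),   # on the Y=2X line
    ("quiet", 3, 3),                  # too few queries to judge
    ("single-port", 1, 5_000),        # static source port
]

if __name__ == "__main__":
    print(scatter_series(SAMPLE_CLIENTS))
    print(flag_suspects(SAMPLE_CLIENTS))
```

A client that is flagged here is still only a suspect: a NAT device or firewall that rewrites the source port of many resolvers behind it produces the same picture, which is why the slide separates environmental from operational reasons.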
[Figure: the same plot (number of source ports used against number of clients/queries, 2008/09/01 23:00-24:00 JST, log-log), annotated. Three outlying dots are marked "Heavy user exists. Vulnerabilities suspected." The points along the diagonal are marked "Queries are sent by one client using fully randomized source ports (approximately the Y=X line)."]
DISCUSSION
Discussion: specific hostnames
  Current vulnerable heavy users
    Hostnames identified by reverse DNS
    Vulnerable *.jp heavy users are generally decreasing
    Some *.jp clients with specific hostname patterns are relatively increasing
  Supposed reason
    SPAM detectors
    Mail-gateway appliances
      dns*.example1.jp  ... patched
      ns*.example2.jp   ... patched
      mta*.example3.jp  ... remaining
      smtp*.example4.jp ... remaining
Discussion: Spike detected
  In the progress report the time series of the client count was plotted.
  A regular spike was observed between Aug 1st and Aug 4th.
[Figure: time-series data of the detected clients, 2008/06/30 to 2008/09/08, 0 to 400,000 clients per hour. Source IP addresses of the queries to A.DNS.JP are classified by the count of port numbers used per hour: green (safe) using multiple source ports, red (vulnerable) using a single source port, yellow (unclassified) sending only one query, black: total.]
[Figure: time-series data of the detected clients, zoomed to 07/28 to 08/07 (2008), 0 to 140,000 clients per hour. Source IP addresses of the queries to A.DNS.JP are classified by the count of port numbers used per hour: green (safe) using multiple source ports, red (vulnerable) using a single source port, yellow (unclassified) sending only one query.]
Discussion: Spike detected
  Observed spike
    Repeats every 15 hours
    Each of the spike clients sends only one query per hour
  Supposed reason
    Scanned by a botnet?
  Call for a classification method
    These clients send only one query, so the per-hour port count cannot classify them.
    How can they be separated into baseline and spike?
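One possible answer to that question, as an added example that is not JPRS's method: since the spike clients each appear once per hour, the only signal is the hourly count of one-query (yellow) clients, and the burst can be separated from the baseline with a rolling median and MAD, which a burst filling one hour in fifteen barely moves. The hourly series is constructed, and the window and k factor are assumptions of the example.

```python
"""Separating baseline from spike in the hourly count of one-query
(yellow) clients, which the per-hour port rule cannot classify.

Added example and one possible answer to the question on the slide; it
is not JPRS's method.  The hourly series is constructed: a slowly varying
baseline plus a burst of one-query clients every 15 hours, as the slide
describes.  The window and the k factor are assumptions of the example.
"""
import statistics


def constructed_series(hours=72, base=20_000, burst=90_000, period=15, phase=5):
    """Constructed hourly counts of unclassified clients (not real data)."""
    return [base + (h % 7) * 300 + (burst if h % period == phase else 0)
            for h in range(hours)]


def robust_baseline(series, window=12):
    """(median, MAD) of the +/-window-hour neighbourhood of every hour.
    Median and MAD are insensitive to a burst that fills 1 hour in 15,
    where a mean and standard deviation would be dragged up by it."""
    out = []
    for i in range(len(series)):
        neighbourhood = series[max(0, i - window): i + window + 1]
        med = statistics.median(neighbourhood)
        mad = statistics.median(abs(x - med) for x in neighbourhood)
        out.append((med, mad))
    return out


def spike_hours(series, window=12, k=5.0, floor=1.0):
    """Hours whose count exceeds median + k*MAD of their neighbourhood."""
    return [i for i, (med, mad) in enumerate(robust_baseline(series, window))
            if series[i] > med + k * max(mad, floor)]


def split_baseline_spike(series, window=12, k=5.0, floor=1.0):
    """Per hour: (baseline estimate, excess attributed to the spike)."""
    flagged = set(spike_hours(series, window, k, floor))
    return [(med, series[i] - med if i in flagged else 0)
            for i, (med, _mad) in enumerate(robust_baseline(series, window))]


if __name__ == "__main__":
    s = constructed_series()
    print("spike hours:", spike_hours(s))
    for i, (med, excess) in enumerate(split_baseline_spike(s)):
        if excess:
            print(f"hour {i}: baseline about {med:.0f}, spike excess {excess:.0f}")
```

With a 15-hour period the bursts drift across the day, so a fixed time-of-day baseline would not work, while a rolling median does. What comes out is the size of each burst (the excess), which is the number to weigh against the botnet hypothesis; it is not a verdict on any single one-query client, which the data cannot support.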