Source port vulnerabilities in .JP - static source port issue -

24 SEP 2008, 2008 OARC Workshop in Ottawa

Izuru Shirai, Japan Registry Services Co., Ltd.

JAPAN REGISTRY SERVICES, Copyright © 2008 Japan Registry Services Co., Ltd.

Page 2: Contents

Introduction

About JPRS and .JP

JP DNS

General statistics

DNS vulnerability issue

JPRS’s work

Progress report

Characteristics of source port usage

Discussion


Page 3: INTRODUCTION

Page 4: About JPRS and .JP

History

Aug 1986: JP domain name was delegated to Jun MURAI.

Dec 1991: JNIC established.

Apr 1993: JNIC reorganized as JPNIC.

Dec 1993: JPNIC delegated by InterNIC to manage the reverse DNS name server for the JPNIC-assigned address block.

Jun 1995: Application fees for IP addresses and JP domain names introduced.

Dec 2000: JPRS established to succeed to the management and administration of JP domain names.

Feb 2002: “ccTLD Sponsorship Agreement (.JP)” executed.

Role

.JP registration

.JP DNS operation


Page 5: Outline of JP domain

Registered JP Domain Names (as of 2008/09/01): 1,043,513 domains

.JP has two levels of name space:

3rd and more level domain: Organizational Type and Geographic Type JP Domain Name (judgment required); sub total: 386,447 domains; Ex) jprs.co.jp, nic.ad.jp, metro.tokyo.jp, city.yokohama.jp…

2nd level domain: General-Use JP Domain Name (local presence required); sub total: 657,066 domains; Ex) jprs.jp


Page 6: Time-Series Data of .JP

[Chart: number of the domains (0 to 1,200,000) over time; series: Organizational Type and Geographical Type Domain Name, General-Use JP Domain Name]

Page 7: JP DNS

JP DNS servers are managed by JPRS and operated by the following organizations. 2 more NS will be added.

NS         IPv4             IPv6                 Organization   Anycast
a.dns.jp   203.119.1.1      2001:dc4::1          JPRS           BGP anycast
b.dns.jp   202.12.30.131    -                    JPNIC          N/A
d.dns.jp   210.138.175.244  2001:240::53         IIJ            IGP anycast
e.dns.jp   192.50.43.53     2001:200:c000::35    WIDE           BGP anycast
f.dns.jp   150.100.2.3      2001:2f8:0:100::153  SINET          N/A


Page 8: JP DNS Server Locations

Active Sites (7 Japan, 3 US, 1 EU)

Page 9: GENERAL STATISTICS

Page 10: Statistics for a.dns.jp

Why a.dns.jp?

We have the whole query log at a.dns.jp from Jan 2004, so time-series analysis is easy.

Various features are supported: BGP anycast ready, IPv6 ready.


Page 11: Time-series data for number of the queries at A.DNS.JP

[Chart: number of the queries per day (0 to 400,000,000); series: number of the query, exponential approximation]

Page 12: DSC: Client Geography

[DSC client-geography charts for two nodes, titled "Some node" and "Another node"]

APNIC and ARIN blocks are dominant.

Page 13: Heavy user (Heavy hitter?)

[Chart: ratio of queries (0% to 100%) against clients ranked by queries (0 to 50,000); markers: TOP 0.4%, TOP 5%, TOP 10%]

0.4% of clients send 50% of the queries.

Page 14: DNS VULNERABILITY ISSUE

Page 15: What has JPRS done?

Co-operated with JPCERT/CC and JPNIC on disclosure of the issue.

The suspected host list has been communicated via the .JP registrars.

Reported technical details in Japanese.

Analysis of the queries at a.dns.jp:

Progress report of applying patches

Suspected host list (who the heavy users are)

Called direct attention to some heavy users


Page 16: Progress report in .JP

Making classification: the queries are analyzed per hour, and each client (source IP address) is classified by the number of distinct source ports it used in that hour.

Green means the clients are probably safe: they use multiple source ports.

Red means the clients are vulnerable: they use only one source port.

Yellow means the clients are not classified: they send only one query per hour, which is not enough to judge.
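The hourly classification above, written out as an added example (this is not JPRS's analysis code): it parses constructed query-log lines in an assumed format (timestamp, source IP, source port, query name), counts the distinct source ports each client used within the hour, applies the green/red/yellow rule from this slide, and then computes the share of clients and the share of queries falling into each class, which is what the two progress graphs plot.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of one hour of query-log lines (not data from the talk).
# Assumed format: "<timestamp> <source IP> <source port> <query name>"
SAMPLE_LOG = """\
2008-09-01T23:00:01 192.0.2.10 32768 example.jp.
2008-09-01T23:05:12 192.0.2.10 32768 example.co.jp.
2008-09-01T23:11:40 192.0.2.10 32768 jprs.jp.
2008-09-01T23:00:07 198.51.100.7 41234 example.jp.
2008-09-01T23:09:55 198.51.100.7 58001 nic.ad.jp.
2008-09-01T23:40:00 198.51.100.7 10377 example.ne.jp.
2008-09-01T23:30:00 203.0.113.3 53 example.jp.
"""

# Class labels used on the progress graphs.
SAFE, VULNERABLE, UNCLASSIFIED = "green", "red", "yellow"


def parse_line(line):
    """Split one log line into (hour bucket, source IP, source port)."""
    ts, ip, port, _qname = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")
    return when.replace(minute=0, second=0), ip, int(port)


def classify(lines):
    """Classify every (hour, client) pair by the count of distinct source ports.

    Returns {(hour, ip): (label, query_count, distinct_port_count)}.
    """
    seen = defaultdict(lambda: [0, set()])  # (hour, ip) -> [queries, ports]
    for line in lines:
        if not line.strip():
            continue
        hour, ip, port = parse_line(line)
        seen[(hour, ip)][0] += 1
        seen[(hour, ip)][1].add(port)

    result = {}
    for key, (queries, ports) in seen.items():
        if queries == 1:
            label = UNCLASSIFIED  # a single query says nothing about port usage
        elif len(ports) == 1:
            label = VULNERABLE    # several queries, one static source port
        else:
            label = SAFE          # several queries spread over several ports
        result[key] = (label, queries, len(ports))
    return result


def class_ratios(classified):
    """Share of clients and share of queries per class (the two progress graphs).

    Returns {label: (client_ratio, query_ratio)}.
    """
    clients = defaultdict(int)
    queries = defaultdict(int)
    for label, count, _ports in classified.values():
        clients[label] += 1
        queries[label] += count
    total_clients = sum(clients.values())
    total_queries = sum(queries.values())
    return {
        label: (clients[label] / total_clients, queries[label] / total_queries)
        for label in (SAFE, VULNERABLE, UNCLASSIFIED)
    }


if __name__ == "__main__":
    classified = classify(SAMPLE_LOG.splitlines())
    for (hour, ip), (label, n_q, n_p) in sorted(classified.items()):
        print(f"{hour:%Y-%m-%d %H:00} {ip:<14} {label:<7} queries={n_q} ports={n_p}")
    print(class_ratios(classified))
```

The yellow class matters for the ratios: a client that sent one query from a static port is indistinguishable from a fully randomizing client that sent one query, so it is kept out of both the safe and the vulnerable share rather than guessed.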


Page 17: detected Safe/Vulnerable/Unclassified clients

[Chart: ratio of the IP addresses (0 to 1) per day from 06/30 to 09/15, 2008; annotated events: Patch released; Details leaked; Informed the suspected host list to the registrar; Informed the list from our analysis to the heavy user]

Source IP addresses of the queries to A.DNS.JP are classified by the count of port numbers used per hour. green (safe): using multiple source ports; red (vulnerable): using single source port; yellow (unclassified): sending only one query.

Page 18: detected queries from the Safe/Vulnerable/Unclassified clients

[Chart: ratio of the queries (0 to 1) per day from 06/30 to 09/15, 2008; annotated events: Patch released; Details leaked; Informed the suspected host list to the registrar; Informed the list from our analysis to the heavy user]

Page 19: Overview of the graph

Current status

Reached equilibrium in the ratio of the clients.

Slightly making progress in the ratio of the queries.

Watching the behavior of heavy users.

Discussion

Randomness in their query source ports: not checked in this graph (it only counts whether more than one port was used).

Necessity of infrequent users in making statistics: shown by the later discussion.


Page 20: CHARACTERISTIC OF SOURCE PORT USAGE

Page 21: Characteristic distribution among port number

Ranking by the client count

  Before (July)          After (September)
   1. 32768  0.73%        1. 32768  0.17%
   2. 53     0.58%        2. 53     0.17%
   3. 32769  0.24%        3. 32769  0.05%
   4. 49155  0.11%        4. 1024   0.04%
   5. 1024   0.11%        5. 1025   0.02%
   6. 49156  0.09%        6. 32770  0.02%
   7. 32770  0.06%        7. 1026   0.01%
   8. 1025   0.05%        8. 32772  0.01%
   9. 1026   0.05%        9. 32771  0.01%
  10. 1027   0.04%       10. 1027   0.01%

Ranking by the query count

  Before (July)          After (September)
   1. 32768  3.9%         1. 53     2.1%
   2. 53     3.7%         2. 32768  1.3%
   3. 32769  3.5%         3. 32769  0.5%
   4. 14053  1.2%         4. 32772  0.4%
   5. 53000  1.1%         5. 1024   0.2%
   6. 32772  0.9%         6. 1053   0.1%
   7. 54088  0.9%         7. 32770  0.1%
   8. 49152  0.8%         8. 32771  0.1%
   9. 32777  0.7%         9. 15282  0.1%
  10. 34914  0.7%        10. 39441  0.1%

Environmental reason (OS default, NAT effect): 32768, 1024, 49152…

Operational reason (required by firewall, distribution's default): 53, 14053, 53000…

Page 22: How to show enough randomness

Plotting two data series in the same graph:

the detected number of the queries (Y axis) from the clients which use a specific count of the source ports (X axis);

the detected number of the clients (Y axis) which use a specific count of the source ports (X axis).


Page 23: number of the using ports and number of the clients/queries (2008/09/01 23:00-24:00 JST)

[Scatter chart, log-log: number of the using ports (X axis, 1 to 100,000) against number of the clients/queries (Y axis, 1 to 10,000,000); series: number of the clients, number of the queries]

A.DNS.JP servers detected 298,873 queries from 39 clients which used 256 source ports.

A.DNS.JP servers detected 39 clients which used 256 source ports.

Page 24: Overview of the graph

Basically the scatter charts for queries and for clients make a similar figure, because there is only a small number of heavy users.

An exceptional dot (many queries from few ports) indicates a suspected vulnerable heavy user: not enough randomness!

Special shapes: Y=X, Y=2X, Y=3X…

Fully randomized source port usage: one new port per query, so the client lies on the Y=X line.
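The plotting method of page 22 and the reading of the chart on this page, as an added example (not code from the talk): it builds a constructed hour of (client, source port) observations, aggregates the number of clients and the number of queries by how many distinct ports each client used (the two series drawn in one chart), computes the slope of the line each client sits on (1 for Y=X, 2 for Y=2X), and flags the exceptional dots. The thresholds in suspect_heavy_users are assumptions for the example, not values the presentation gives.

```python
from collections import Counter, defaultdict


def build_observations():
    """Constructed (source IP, source port) pairs for one hour; not data from the talk."""
    obs = []
    # client A: 300 queries from 300 distinct ports -> sits on the Y=X line
    obs += [("192.0.2.1", 10000 + i) for i in range(300)]
    # client B: 40 queries over 20 ports, each port used twice -> sits on Y=2X
    obs += [("192.0.2.2", 20000 + (i % 20)) for i in range(40)]
    # client C: 5,000 queries from one static port -> exceptional dot far above Y=X
    obs += [("192.0.2.3", 32768)] * 5000
    # six light clients with a single query each
    obs += [(f"203.0.113.{i}", 40000 + i) for i in range(1, 7)]
    return obs


def per_client(obs):
    """Return {ip: (distinct_ports, queries)} for the hour."""
    queries = Counter(ip for ip, _port in obs)
    ports = defaultdict(set)
    for ip, port in obs:
        ports[ip].add(port)
    return {ip: (len(ports[ip]), queries[ip]) for ip in queries}


def scatter_series(stats):
    """Aggregate by X = number of ports used.

    Returns (clients_by_x, queries_by_x): the two Y series plotted against X.
    """
    clients, queries = Counter(), Counter()
    for n_ports, n_queries in stats.values():
        clients[n_ports] += 1
        queries[n_ports] += n_queries
    return dict(clients), dict(queries)


def queries_per_port(stats):
    """Slope of the line each client sits on: 1.0 for Y=X, 2.0 for Y=2X, and so on."""
    return {ip: n_queries / n_ports for ip, (n_ports, n_queries) in stats.items()}


def suspect_heavy_users(stats, min_queries=1000, max_slope=10.0):
    """Heavy clients whose queries vastly outnumber the ports they used.

    min_queries and max_slope are illustrative assumptions, not values from the talk.
    """
    return sorted(
        ip
        for ip, (n_ports, n_queries) in stats.items()
        if n_queries >= min_queries and n_queries / n_ports > max_slope
    )


if __name__ == "__main__":
    stats = per_client(build_observations())
    clients_by_x, queries_by_x = scatter_series(stats)
    for x in sorted(clients_by_x):
        print(f"ports={x:<4} clients={clients_by_x[x]:<3} queries={queries_by_x[x]}")
    print("suspect heavy users:", suspect_heavy_users(stats))
```

The Y=X expectation only holds while a client's hourly query count is far below the size of its ephemeral port range: a fully randomizing resolver that sends more queries than it has ports must reuse ports, so for the very heaviest clients the slope alone does not prove a static port, and the per-hour window used on the progress graphs keeps the counts in the regime where the test is meaningful.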


Page 25: number of the using ports and number of the clients/queries (2008/09/01 23:00-24:00 JST)

[Scatter chart, log-log: number of the using ports (X axis, 1 to 100,000) against number of the clients/queries (Y axis, 1 to 10,000,000); series: number of the clients, number of the queries]

Callouts on the exceptional dots: Heavy user exists. Vulnerabilities suspected.

Queries are sent by one client using fully randomized source ports (approximately the Y=X line).

Page 26: DISCUSSION

Page 27: Discussion: specific hostname

Current vulnerable heavy users: hostnames identified by reverse DNS.

Vulnerable *.jp heavy users: generally decreasing.

Some *.jp clients which have a specific hostname: relatively increasing.

Supposed reason: SPAM detectors and mail-gateway appliances.

dns*.example1.jp …patched

ns*.example2.jp …patched

mta*.example3.jp …remaining

smtp*.example4.jp …remaining


Page 28: Discussion: Spike detected

Progress report: plotted the time-series of the client count.

Regular spikes observed between Aug 1st and Aug 4th.


Page 29: time-series data of the detected clients

[Chart: number of the detected clients (0 to 400,000) per hour, 2008/06/30 to 2008/09/08]

Source IP addresses of the queries to A.DNS.JP are classified by the count of port numbers used per hour. green (safe): using multiple source ports; red (vulnerable): using single source port; yellow (unclassified): sending only one query; black: total.

Page 30: time-series data of the detected clients

[Chart: number of the detected clients (0 to 140,000) per hour, 07/28 to 08/07]

Source IP addresses of the queries to A.DNS.JP are classified by the count of port numbers used per hour. green (safe): using multiple source ports; red (vulnerable): using single source port; yellow (unclassified): sending only one query.

Page 31: Discussion: Spike detected

Observed spike: every 15 hours; each client sends only one query per hour.

Supposed reason: scanned by a botnet?

Call for a classification method: they send only one query. How can I classify into base-line and spike?
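One way to separate base-line hours from spike hours in the detected-client time series, as an added example and not a method JPRS described: a robust baseline (median plus a scaled median absolute deviation) is fitted to the hourly count, hours above it are spikes, and the gap between consecutive spike hours recovers the period. The series is constructed (flat baseline with deterministic jitter and a burst every 15 hours); the threshold factor k is an assumption.

```python
from collections import Counter
from statistics import median


def constructed_hourly_clients(hours=240, baseline=60000, period=15, phase=7, spike=70000):
    """Constructed hourly count of detected clients; not data from the talk.

    Flat baseline with deterministic jitter in [-2000, 2000] and a burst of
    `spike` extra clients every `period` hours, starting at hour `phase`.
    """
    series = []
    for h in range(hours):
        jitter = ((h * 7919) % 4001) - 2000
        value = baseline + jitter
        if h % period == phase:
            value += spike
        series.append(value)
    return series


def detect_spikes(series, k=6.0):
    """Hours whose value exceeds median + k * (1.4826 * MAD).

    The MAD is used instead of the standard deviation so that the spikes
    themselves do not inflate the threshold; k is an assumed cut-off.
    """
    base = median(series)
    mad = median(abs(v - base) for v in series)
    scale = 1.4826 * mad if mad > 0 else 1.0
    return [h for h, v in enumerate(series) if v > base + k * scale]


def split_baseline_spike(series, k=6.0):
    """Return (baseline_values, spike_hours)."""
    spikes = set(detect_spikes(series, k))
    baseline = [v for h, v in enumerate(series) if h not in spikes]
    return baseline, sorted(spikes)


def spike_period(spike_hours):
    """Most common gap between consecutive spike hours (None if fewer than two)."""
    gaps = [b - a for a, b in zip(spike_hours, spike_hours[1:])]
    return Counter(gaps).most_common(1)[0][0] if gaps else None


if __name__ == "__main__":
    series = constructed_hourly_clients()
    baseline, spikes = split_baseline_spike(series)
    print(f"{len(spikes)} spike hours, period {spike_period(spikes)} h")
    print(f"baseline range {min(baseline)}..{max(baseline)}, spike min {min(series[h] for h in spikes)}")
```

Because the one-query-per-hour clients that make up the spike cannot be judged by port count, the split is done on the aggregate count rather than per client; the yellow class in the per-hour classification is exactly the population this spike lives in, so the baseline hours give the undisturbed yellow share and the spike hours can be reported separately.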

