ISC Feature of the Week: The 404Project
The 404Project is a simple snippet of code you add to your 404 error page that submits information back to ISC for reporting. The main purpose of this project is to trend the web pages that crawlers and automated bots are trying to access. A public report page will be available when enough data has been collected. isc.sans.edu/tools/404project.html
Overview
The 404Project submits URI, IP and USER AGENT. Additionally, date, time and your credentials are stored along with the data. Your personal information is protected https://isc.sans.edu/privacy.html#4 and your specific user information is not shared with third parties. https://isc.sans.edu/privacy.html#1
Instructions
- You must have an ISC Portal ID and Identification Key to use this tool. https://isc.sans.edu/login.html
- Once logged in and submitting data, you can view your 404 summary information. https://isc.sans.edu/my404.html
- Get started! https://isc.sans.edu/tools/404project.html#instructions
Our skilled users have ported the 404Project to many languages! At the time of this writing, in addition to the original PHP, there is also Perl, Python, .NET and even JavaScript! https://isc.sans.edu/tools/404project.html#alternatives
You can leave comments in the section below or send any questions or comments via the contact form https://isc.sans.edu/contact.html
--
Adam Swanger, Web Developer (GWEB)
Internet Storm Center (http://isc.sans.edu)
Use of Mixed Case DNS Queries
In my DNS server query logs, I am starting to see more queries using mixed case, like for example:
jOHanNEs.HoMePC.OrG
www.HOMEPC.ORg
wWW.Homepc.org
Www.HoMepC.ORg
WwW.homepc.ORg
WwW.HOmepc.oRG
WWw.homePc.oRg
These queries appear to be the result of DNS servers supporting a relatively new DNS security mechanism, "0x20 Bit encoding". The approach got its name from encoding a bit value using the case of letters. If bit 0x20 is set in a byte, the letter is lower case. If it is cleared, the letter is upper case.
For example, the first value shown above ( www.HOMEPC.ORg ) represents a value of 11100000001 . How does this help DNS security? Host names are not case sensitive. However, the case is maintained. The answer will use the same mixed case as the query. For example:
> dig WwW.HoMePc.OrG
; <<>> DiG 9.7.3-P3 <<>> WwW.HoMePc.OrG
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15335
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 4
;; QUESTION SECTION:
;WwW.HoMePc.OrG. IN A
;; ANSWER SECTION:
WwW.HoMePc.OrG. 100 IN A 70.91.145.9
.. [rest of answer omitted] ...
As it turns out, almost all DNS servers follow this behaviour. The new part is that some DNS servers now deliberately encode a random value into each query they send, and then verify that the value is maintained in the response. This in effect adds additional bits to the query id.
While this is clearly a "hack", it is a pretty attractive one. If your DNS server supports this feature, it will automatically gain a few more bits of "spoofing resistance". The DNS servers it connects to do not need to change anything. This is unlike DNSSEC, which is of course the real fix, but requires extensive work to configure and has to be configured for each zone.
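The check described above, as an added Python example (not from the original diary, and not code from Unbound or pydig): the resolver randomises the case of each letter in the query name and accepts a response only if the query id matches and the name comes back with identical case. The PendingQueries class, the function names and the sample name are assumptions made for illustration.

```python
import secrets

def encode_0x20(name: str) -> str:
    """Return name with the case of every ASCII letter chosen at random.

    As described above: bit 0x20 set -> lower case, cleared -> upper case.
    """
    out = []
    for ch in name:
        if ch.isascii() and ch.isalpha():
            code = ord(ch) | 0x20 if secrets.randbits(1) else ord(ch) & ~0x20
            out.append(chr(code))
        else:
            out.append(ch)          # digits, '-' and '.' carry no bit
    return "".join(out)

def case_bits(name: str) -> str:
    """Read the encoded value back: one bit per letter, 1 = lower case."""
    return "".join("1" if ord(ch) & 0x20 else "0"
                   for ch in name if ch.isascii() and ch.isalpha())

class PendingQueries:
    """Hypothetical resolver-side table of outstanding queries."""

    def __init__(self):
        self._sent = {}             # query id -> exact name as sent

    def send(self, name: str) -> tuple[int, str]:
        qid = secrets.randbelow(1 << 16)
        qname = encode_0x20(name)
        self._sent[qid] = qname
        return qid, qname

    def accept(self, qid: int, echoed_qname: str) -> bool:
        """Accept only if the id is known AND the case pattern came back intact."""
        sent = self._sent.get(qid)
        if sent is None or echoed_qname != sent:
            return False            # unknown id or altered case: drop, keep waiting
        del self._sent[qid]         # genuine answer consumed
        return True
```

A response that fails the case comparison is dropped without clearing the pending entry, so the genuine answer can still arrive and be accepted.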
Right now, none of the major DNS servers appear to support this feature. A Google search only found two pieces of software that do:
Unbound: https://calomel.org/unbound_dns.html: see "use-caps-for-id"
pydig: http://www.huque.com/software/pydig/
I would be interested to learn if there are other DNS servers (or DNS related software) that support this method.
References:
http://tools.ietf.org/html/draft-vixie-dnsext-dns0x20-00
http://courses.isi.jhu.edu/netsec/papers/increased_dns_resistance.pdf
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute