NORA Report Q2 / 2013



ABSTRACT

The NetObservatory is a research project led by the Information and Communication Technologies (ICT) Institute of the University of Applied Sciences of Western Switzerland (HES-SO) located in Fribourg (Ecole d’Ingénieurs et d’Architectes de Fribourg / EIA-FR). The project aims to deliver detailed and precise information about the general level of Information Technologies (IT) security on the public domain in Switzerland.

TABLE OF CONTENT

ABSTRACT  1
TABLE OF CONTENT  2
1 INTRODUCTION  3
  1.1 NORA  3
  1.2 OBJECTIVES  3
  1.3 INVESTIGATION METHOD  3
  1.4 DATA PROTECTION  3
  1.5 ATTACK SURFACE  3
  1.6 UPDATE  4
  1.7 NEWS  5
  1.8 INCIDENT REPORT  5
2 GENERAL INFORMATION  6
  2.1 SCOPE  6
  2.2 STATISTICS  6
  2.3 DOMAIN NAMES  7
  2.4 WEB SERVERS  9
  2.5 DNS SERVERS  11
  2.6 MAIL SERVERS  12
  2.7 OPERATING SYSTEMS  13
3 WEB ACTIVITIES  14
  3.1 SSL QUALITY  14
  3.2 CONTENT MANAGEMENT SYSTEMS  20
  3.3 SOFTWARE DISTRIBUTION  24
4 MAIL  25
  4.1 MAIL SERVERS  25
5 DOMAIN NAMES RELATIONS  28
  5.1 NAME SERVER RELATIONS  28
  5.2 IPV6 RELATIONS  32
  5.3 DNSSEC  33
6 OPEN PORTS  38
  6.1 OPEN PORTS  38
7 REVIEW 2012  40
  7.1 INTRODUCTION  40
  7.2 GENERAL INFORMATION  40
  7.3 ADDRESS SPACE IPV4  40
  7.4 DNS SERVERS  40
  7.5 MAIL / WEB SERVERS  40
  7.6 THE SLOW MOVING PROJECTS  40
8 CONCLUSION  41
  8.1 STATE  41
  8.2 RISKS  41
  8.3 EVOLUTION  42
  8.4 REASONS  42
  8.5 MITIGATION  42
  8.6 FUTURE ANALYSIS  42
  8.7 BUSINESS DEVELOPMENT  42
9 MISCELLANEOUS  43
  9.1 REDACTION  43
  9.2 CONTACT  43
  9.3 DISCLAIMER  43

NetObservatory

NORA Report Q2/2013

2/43

1 INTRODUCTION

1.1 NORA

NORA stands for NetObservatory Report & Analysis.

1.2 OBJECTIVES

The NetObservatory aims to provide prevention and analysis information about current and future risks for Swiss small and medium enterprises (SMEs) connected to the global Internet. Its objectives are the following:
• Provide concrete and verified images and statistics of Swiss Internet security.
• Provide in-depth and verified analysis of the Swiss Internet vulnerability level and the corresponding criminal activities.
• Provide interested private or public organisations that use the public Internet service with their own IT security vulnerabilities and weaknesses.

1.3 INVESTIGATION METHOD

In order to provide such services, the NetObservatory only collects information on the public Internet. By analysing and correlating this collected information, the NetObservatory is able to draw a detailed image of the current and future risks that the Swiss Internet offers to all kinds of attackers. The related information is only collected by the following methods:
• Requests to public Internet repositories (such as whois or DNS servers).
• Standard and clean requests targeted at public and commonly used Internet services (such as HTTP or SMTP). These requests are generated automatically, with very low impact and non-aggressive scans evenly distributed over the Swiss Internet.

1.4 DATA PROTECTION

The NetObservatory project organisation will respect the confidentiality of the collected data in all cases. All public communications are strictly and completely anonymised. The collected information concerning each domain and IP address will never be used or transmitted outside the restricted area of the project.

1.5 ATTACK SURFACE

An “attack surface” defines all intrusion possibilities. If one compared it to houses, it would represent the number of houses and the doors and windows of each house. It is all the possible intrusion points of the computers/services (houses/doors/windows) under the control or authority of a person or a company. The next figure describes this from a technical point of view, mixing the network layers with the application layers and showing all the possible vulnerable points of a typical Internet service server.


1.6 UPDATE

Q2 2013 changes:
• 3.2.4 rewritten; introduction of section 1.8 (Incident Report).
Q1 2013 changes:
• Figures 4.1.3, 5.1.1, 5.1.2, 5.3.1 and 6.1.1 have been changed to historical values.
Q4 2012 changes:
• The Typo3 and WordPress vulnerability figures in 3.2.3 are incorrect and are temporarily removed until the issue is resolved.
• Inclusion of the yearly report 2012.
Q3 2012 changes:
• Several figures have been changed to historical values, giving a better overview of the evolution and the trends.
Q2 2012 changes:
• Corrected a mistake in the generation of figure 2.7.1.
Q1 2012 changes:
• Removed the content of chapter 7 (Yearly review).
• Added a news section in chapter 1.


1.7 NEWS

A few months ago we decided to change several figures to historical data. The trend continues in this report with 6 newly converted figures. Historical data gives a much better view of the evolution over time without having to compare the data to previous reports. It is a real gain in usability and understanding of the report. The yearly review will also be kept in the report to increase usability. Readers won’t need to get the corresponding report to find the yearly review, but will always find the past year’s review in the current report.

1.8 INCIDENT REPORT

On the 19th of August at 12h40 a major DNS incident happened in Switzerland. Almost 10’000 dot CH domains were redirected to a “Domain Parking”[1] site. All of those domains pointed to the DNS servers of ip-plus.net (Swisscom AG). Unfortunately, as one could read in the press[2], Swisscom forgot to pay for the domain and it expired. Network Solutions Inc., a registrar of dot NET domains, redirected the expired domain to a “Domain Parking” site. This meant that all domains pointing to the ip-plus.net DNS servers were now also pointing to the “Domain Parking” website. The result was a major outage affecting SMEs but also large corporations, public administrations, the online banking of major banks, major newspapers and an endless list of critical domains. It affected not only their websites but also every application depending on the domain, such as email. At 15h25 the same day the problem was corrected, but DNS caching kept most domains offline for a whole day (24 hours).

If many domains depend on one domain, the domain of the DNS servers, certain precautions should be taken:
• Choose a registry/registrar that you can reach, that updates the TLD zone at frequent intervals, that you can trust and that does not forward unpaid domains to “Domain Parking” websites.
• Make sure to pay your bills. If this seems obvious, it wasn’t for Swisscom. Verify that all your contact details are always up to date.

[1] http://en.wikipedia.org/wiki/Domain_parking
[2] http://www.inside-it.ch/articles/33469 - http://www.nzz.ch/aktuell/digital/nzz-dns-1.18135806


2 GENERAL INFORMATION

2.1 SCOPE

In this document, the use of words such as “all” or “any” refers to the scope of this analysis, which is the Swiss public Internet.

2.2 STATISTICS

The amount of collected data is huge. The numbers below should give a fairly good idea of the data volume that is treated by the NetObservatory. Almost 20 million IP addresses (21’259’287) under the control of 667 (ASN) network operators and over a million CH domain names (1’316’060) have been used and analysed to generate this report. The first and basic information gathering shows that the 1.3 million CH domain names are:
• Owned by 605’290 distinct individuals or companies.
• Hosted by 33’941 DNS servers (name servers).
• Hosted by 46’449 mail servers.
• Hosted by 710’902[3] web sites on 75’424 web servers.

NOTE: The domain list used by the NetObservatory is a sample of CH domains, which represents about 75% of the effective domain list.

[3] 710’902 domains that have a DNS record for a web server; all other domains have no record or are inactive.


2.3 DOMAIN NAMES

2.3.1 Domain names distribution

Legend: The figure above shows the distribution of CH domain names among the population, split by cantons. The result is CH domain name usage per geographic region, independent of the size of the canton.

Analysis: Languages, cultural regions or economically strong cities do not influence the distribution of Internet domain name usage. The usage is fairly evenly distributed, with very few exceptions. Jura and Uri clearly have a lower usage, under 70 domains per 1’000 inhabitants, and on the other side Zug has a higher usage, with over 310 domains per 1’000 inhabitants.

Differences since Q1 2013 report: Minimal.


2.3.2 Top 10 domain names holders

[Figure 2.3.2: share of all registered CH domain names held by each of the top 10 holders (holder names not shown): 0.7%, 0.36%, 0.35%, 0.33%, 0.17%, 0.14%, 0.13%, 0.1%, 0.09%, 0.09%.]

Legend: The figure above shows the top 10 domain name holders. The result is shown in percent of the total number of registered CH domain names. These companies or individuals have acquired the most CH domain names.

Analysis: The top holder has 9’200 CH domain names. While the number could impress some, it is worth noticing that this only represents a very small fraction (0.7%) of all CH domain names. The result shows no market domination of any kind in domain ownership.

Differences since Q1 2013 report: Minimal.


2.4 WEB SERVERS

2.4.1 Top 10 ASN by number of hosted web sites

[Figure 2.4.1: bar chart of hosted web sites per network operator (0 to 150’000), in order: ASN-METANET, HOSTPOINT-AS, GREEN, SWISSCOM, Infomaniak-AS, WEBLAND-AS, LGI-UPC, CYON, NINE, VTX-NETWORK.]

Legend: Top 10 network operator names sorted by the number of web sites hosted under their IP addresses. This does not mean that they directly host those sites; a hosting provider can be a customer of those network operators for its Internet access.

Analysis: The only really relevant information shown here, apart from the company names, is that large hosting companies want their network independence and run their own network infrastructure. Three of the first four are not Internet access providers but still operate their own network infrastructure.

Differences since Q1 2013 report: Minimal.


2.4.2 Top 10 web server applications

[Figure 2.4.2: share of web sites by server software: Apache 76%, Microsoft IIS 15%, followed by nginx, MiniServ, lighttpd, Lotus Domino httpd, DirectAdmin httpd, Zope, Squid webproxy, IBM HTTP Server and others.]

Legend: Most used web server software for CH domain web sites.

Analysis: Except for a modest 15% run by Microsoft IIS, Apache HTTP dominates the market of web server software. This can be explained by the fact that it is the best-known Free Software for that function and is known to run well. The market dominance of Apache is a worldwide fact, but in Switzerland its share is 12% higher than the worldwide average (NetCraft, January 2013 survey). A strong open source community can partially explain this, but it is mainly explained by the fact that nginx, a new and fast growing web server, has reached a global market share of 13% but only 3% among .ch domains. It is important to note that this figure only shows the distribution among web servers that reveal their name.

Differences since Q1 2013 report: Minimal.


2.5 DNS SERVERS

2.5.1 Top 10 name service (DNS) hosting

[Figure 2.5.1: share of all CH domain names per DNS hosting provider]
hostpoint.ch      6.8%
hoststar.ch       4%
infomaniak.ch     3.6%
webland.ch        2.5%
ch-meta.net       2.3%
hostcenter.com    2.3%
genotec.ch        2.2%
ch-inter.net      2%
kreativmedia.ch   2%
sedoparking.com   1.9%

Legend: Name servers where most domains are hosted, in percent of all CH domain names. The names are reduced to the second-level domain to avoid duplicate entries. For example “ns1.netobservatory.ch” and “ns2.netobservatory.ch” are shown here as “netobservatory.ch”.

Analysis: The market leaders in DNS hosting clearly appear. From a security point of view, having 6.8% of all CH domain names hosted by one company can be a risk; any network or host disruption can lead to a quite large number of CH domains being inaccessible.

Differences since Q1 2013 report: Minimal.
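The incident in 1.8 (every affected domain had all of its name servers under one expired parent domain) and the second-level grouping used in this figure are the same computation seen from two sides. The following is an added example, not NetObservatory code: it reduces NS hostnames to their second-level domain the way the legend describes, flags a domain whose name servers all depend on a single parent domain, and computes the per-provider share over a set of domains. The domain names in the sample are constructed; ip-plus.net is the domain named in the incident report.

```python
"""Name-server dependency check: which parent domain do a domain's NS hosts live
under, and how much of a domain set hangs off one DNS provider?
Added example, not NetObservatory code. Domain names below are constructed;
ip-plus.net is the domain named in the incident report."""
from __future__ import annotations
from collections import Counter


def second_level(hostname: str) -> str:
    """Reduce 'ns1.netobservatory.ch.' to 'netobservatory.ch' (the report's own
    way of de-duplicating name servers). Assumes a two-label TLD structure;
    a public-suffix list would be needed for names such as co.uk."""
    labels = hostname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def ns_dependencies(ns_records: list[str]) -> dict[str, int]:
    """Count a domain's NS hostnames per parent domain."""
    return dict(Counter(second_level(ns) for ns in ns_records))


def single_parent_risk(ns_records: list[str]) -> str | None:
    """Return the one parent domain every NS depends on, or None when the NS set
    is spread over at least two parent domains (the precaution of 1.8)."""
    deps = ns_dependencies(ns_records)
    return next(iter(deps)) if len(deps) == 1 else None


def hosting_share(domain_to_ns: dict[str, list[str]]) -> dict[str, float]:
    """Percent of domains served by each provider, as in figure 2.5.1; a provider
    is counted once per domain even if several of its hosts are listed."""
    per_provider: Counter[str] = Counter()
    for ns_list in domain_to_ns.values():
        for parent in {second_level(ns) for ns in ns_list}:
            per_provider[parent] += 1
    total = len(domain_to_ns)
    return {p: round(100.0 * n / total, 1) for p, n in per_provider.items()}


# Constructed sample: four domains and the NS records a scanner would have seen.
SAMPLE = {
    "example-bank.ch": ["dns1.ip-plus.net.", "dns2.ip-plus.net."],
    "example-shop.ch": ["ns1.hostpoint.ch.", "ns2.hostpoint.ch."],
    "example-news.ch": ["ns1.example-news.ch.", "dns1.ip-plus.net."],
    "example-org.ch": ["ns1.hostpoint.ch.", "ns.provider-two.ch."],
}

if __name__ == "__main__":
    for domain, ns_list in SAMPLE.items():
        risk = single_parent_risk(ns_list)
        print(f"{domain:18} {'all NS under ' + risk if risk else 'spread over several parents'}")
    print(hosting_share(SAMPLE))
```

Run against a real domain list, `single_parent_risk` is the check a domain holder wants before an event like the one in 1.8: a second name server under a different parent domain (and ideally at a different provider) keeps the zone resolvable when one provider's domain, network or registrar relationship fails.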


2.6 MAIL SERVERS

2.6.1 Top 10 mail service hosting

[Figure 2.6.1: share of CH domain names with an MX record per mail hosting provider]
hostpoint.ch        9.4%
infomaniak.ch       4.8%
hostcenter.com      3%
genotec.ch          2.8%
vtx.ch              1.2%
messaging.ch        1.1%
udag.de             0.8%
netzone.ch          0.8%
worldsoft-mail.net  (value not labelled)
jimdo.com           (value not labelled)

Legend: Mail servers where most domain mail is hosted, in percent of all CH domain names having a mail exchange (MX record). The names are reduced to the second-level domain to avoid duplicate entries. For example “mail1.netobservatory.ch” and “mail2.netobservatory.ch” are shown here as “netobservatory.ch”.

Analysis: As in the previous figure, the market leaders in mail hosting clearly appear. From a security point of view, having 9.4% of all CH domain names hosted by one company can be a risk. Any network or host disruption can lead to a quite large number of CH domain mail being inaccessible.

Differences since Q1 2013 report: Minimal.


2.7 OPERATING SYSTEMS

2.7.1 Operating systems – vulnerability report over time

[Figure 2.7.1: number of distinct CVEs per year (0 to 140) from 1999 to 2013 for the vendors apple, linux and microsoft.]

Legend: Number of serious security issues per year for the top 3 best-known vendors of computer operating systems.

Analysis: While there are indeed differences between vendors, the most important point to understand here is that no matter which vendor is used, all have security issues. If a system is not updated on a regular basis, it is always vulnerable, no matter which vendor is used.

Differences since Q1 2013 report: The 2013 trend follows 2011.


3 WEB ACTIVITIES

3.1 SSL QUALITY

SSL is used when the URL starts with “https://”. It is used for secure transactions (e-banking, online payments, etc.) but also for extranet applications (home office, remote workers, etc.) or when privacy is relevant. Every web server running SSL has a certificate that is delivered to the user. A trusted authority (certificate authority, CA) has signed this certificate. This way the user is able to verify the identity of the owner of the web site he is visiting and can ensure he is not being trapped on a harmful site. When something is not correct with the certificate, the browser will warn the user and ask if he wants to continue or not.

3.1.1 SSL Certificates validation

[Figure 3.1.1: share of domains per certificate validation result: valid / wrong host 62%, invalid / wrong host 37%, with the remainder split between valid / correct host and invalid / correct host.]

Legend: Validation of certificates returned by web servers using SSL (Secure Socket Layer). The analysis is done per domain name and verifies whether the certificate is valid and whether the hostname in the certificate matches the tested domain name.

Analysis: Out of 400’000+ sites only 5’500+ have a valid SSL certificate and a valid hostname. This is due to the fact that many management interfaces use SSL with self-signed certificates or pre-generated certificates with invalid hostnames. Over 400’000 domains do have an SSL version with access to a management interface. This is not a problem by itself as long as the user of this site is aware of it. Risks may only occur with pre-generated certificates, because another user having the same system would have the same certificate and would therefore be able to decrypt the traffic of other users using the same certificate.

Differences since Q1 2013 report: Minimal.


3.1.2 Distribution of SSL key length

[Figure 3.1.2: stacked percentage (0 to 100%) of SSL servers by key length (>= 2048 bits, >= 1024 bits, < 1024 bits) from 05/11 to 06/13, by month/year.]

Legend: Distribution of encryption key length among SSL servers. The longer the key, the stronger the encryption.

Analysis: Nowadays keys shorter than 1024 bits are considered weak and should not be used anymore. Only a very small number of servers still use such weak keys. Keys of 1024 bits are still considered secure, but it is recommended to use a stronger length, such as 2048 bits, if one really wants a secure service. Most banks use 2048-bit keys for their e-banking service, for example.

Differences since Q1 2013 report: The trend of replacing 1024-bit keys with 2048-bit keys continues unchanged.


3.1.3 Distribution of hash algorithms

[Figure 3.1.3: share of certificates by signature hash algorithm: md5 6%, sha1 93%, with the remainder split between dsa, sha256, sha384 and sha512.]

Legend: To identify a certificate, the certification authority uses a hash algorithm. If the hash algorithm is weak or broken, a villain can impersonate a valid certificate and users (their browsers) will fully trust the impersonated web site.

Analysis: The MD5 hash algorithm has been known to have weaknesses since 2008. It should not be used anymore. Unfortunately it is still in use by 6% of the web sites. Most use SHA1, known to be safe (for now), and only very few use SHA256, which is even safer but slower.

Differences since Q1 2013 report: Minimal.
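Figures 3.1.1 to 3.1.3 are three checks on the same served certificate: is it inside its validity window and not self-signed, does its name cover the tested hostname, which key-length band is it in, and is its signature hash MD5. The following is an added example, not NetObservatory code, that performs those checks on a constructed `CertRecord` (a stand-in for the fields a scanner would extract from a real X.509 certificate) and counts the results into the buckets of figure 3.1.1. The hostname rule implemented is the common browser one: a wildcard covers exactly one left-most label, and subjectAltName entries take precedence over the CN.

```python
"""Classify served certificates into the buckets of figures 3.1.1 to 3.1.3:
validity x hostname match, key-length band and weak signature hash.
Added example, not NetObservatory code; CertRecord is a constructed stand-in
for the fields a scanner extracts from a real X.509 certificate."""
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class CertRecord:
    subject_cn: str
    san_dns: list[str]          # dNSName entries of the subjectAltName extension
    not_before: datetime
    not_after: datetime
    key_bits: int
    sig_hash: str               # hash of the signature algorithm, e.g. "sha1"
    self_signed: bool = False


def name_matches(pattern: str, host: str) -> bool:
    """Exact, case-insensitive match, or a wildcard that covers exactly one
    left-most label: '*.example.ch' matches 'www.example.ch' but neither
    'example.ch' nor 'a.b.example.ch'."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]                       # ".example.ch"
    if not host.endswith(suffix) or len(host) <= len(suffix):
        return False
    return "." not in host[: -len(suffix)]


def hostname_ok(cert: CertRecord, host: str) -> bool:
    """SAN names take precedence; the CN is only consulted when no SAN exists."""
    names = cert.san_dns or [cert.subject_cn]
    return any(name_matches(n, host) for n in names)


def cert_valid(cert: CertRecord, now: datetime) -> bool:
    """'valid' as the figure uses it: inside the validity window and not self-signed."""
    return not cert.self_signed and cert.not_before <= now <= cert.not_after


def classify(cert: CertRecord, host: str, now: datetime) -> str:
    v = "valid" if cert_valid(cert, now) else "invalid"
    h = "correct" if hostname_ok(cert, host) else "wrong"
    return f"{v} / {h} host"


def key_band(bits: int) -> str:
    """Bands of figure 3.1.2."""
    if bits >= 2048:
        return ">= 2048 bits"
    return ">= 1024 bits" if bits >= 1024 else "< 1024 bits"


def weak_hash(cert: CertRecord) -> bool:
    """MD5 is the signature hash the report flags as not to be used (3.1.3)."""
    return cert.sig_hash.lower() == "md5"


def distribution(observations: list[tuple[str, CertRecord]], now: datetime) -> dict[str, int]:
    """Count of (tested host, served certificate) pairs per bucket of figure 3.1.1."""
    return dict(Counter(classify(cert, host, now) for host, cert in observations))


UTC = timezone.utc
NOW = datetime(2013, 6, 30, tzinfo=UTC)
# Constructed observations: (hostname that was tested, certificate that came back).
SAMPLE = [
    ("www.example-bank.ch", CertRecord("www.example-bank.ch", ["www.example-bank.ch", "example-bank.ch"],
                                        datetime(2012, 1, 1, tzinfo=UTC), datetime(2014, 1, 1, tzinfo=UTC), 2048, "sha1")),
    ("shop.example.ch", CertRecord("*.example.ch", ["*.example.ch"],
                                   datetime(2012, 1, 1, tzinfo=UTC), datetime(2014, 1, 1, tzinfo=UTC), 2048, "sha256")),
    # pre-generated control-panel certificate: self-signed, generic name, MD5 signature
    ("mail.example-org.ch", CertRecord("plesk", [],
                                       datetime(2010, 1, 1, tzinfo=UTC), datetime(2020, 1, 1, tzinfo=UTC), 1024, "md5", self_signed=True)),
    # right name, but expired three months before the scan
    ("www.example-news.ch", CertRecord("www.example-news.ch", ["www.example-news.ch"],
                                       datetime(2011, 3, 1, tzinfo=UTC), datetime(2013, 3, 1, tzinfo=UTC), 1024, "sha1")),
]

if __name__ == "__main__":
    for host, cert in SAMPLE:
        print(f"{host:22} {classify(cert, host, NOW):24} {key_band(cert.key_bits):13} md5={weak_hash(cert)}")
    print(distribution(SAMPLE, NOW))
```

The third sample record is the case the analysis describes: a panel certificate that is both self-signed and issued for a generic name, so it lands in “invalid / wrong host” regardless of which domain it is served for; the chain-to-a-trusted-root check that a browser also performs is outside this offline example.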


3.1.4 Hash algorithms by creation time

[Figure 3.1.4: two panels by certificate emission year 2000 to 2013: share (0 to 80%) and count (0 to 8’000) of currently served certificates signed with md5 versus sha1.]

Legend: The hash algorithms used by the certificate authorities depending on the certificate creation year, as found in the certificates currently in use. This is not a timeline; it is the current state, and the years are the certificates’ creation dates.

Analysis: Between 2005 and 2008 the weakness of MD5 was proven multiple times, and more and more certificate authorities decided to change to SHA1/SHA256. In 2009 almost all new certificates used SHA1/SHA256.

Differences since Q1 2013 report: The statistics show the expected trend. No significant change has been seen so far.


3.1.5 SSL flavours

[Figure 3.1.5: number of web sites (0 to 400’000) supporting each SSL/TLS band (High TLSv1, Med TLSv1, Low TLSv1, Weak TLSv1, SSLv2), split into cipher support yes/no.]

Legend: SSL has many different flavours: SSLv2, SSLv3/TLSv1 (which include different cipher mechanisms) and so on. This figure shows all the different SSL protocol levels, in terms of security, supported by the web sites.

Analysis: Almost two-thirds of the web sites still support SSLv2. SSLv2 is obsolete and must be abandoned; all modern browsers have discontinued support for SSLv2. Weak and Low TLSv1 should also be turned off on the web server, yet too many of them still support them. Almost all web servers support Med and High TLSv1, which is a positive sign.

Differences since Q1 2013 report: Minimal.


3.1.6 Certificate Authority

[Figure 3.1.6: share of analysed certificates per issuing CA]
RapidSSL CA                                        10%
Parallels Panel                                    5%
Thawte DV SSL CA                                   5%
Go Daddy Secure Certification Authority            4%
PositiveSSL CA 2                                   4%
Thawte SSL CA                                      3%
plesk - Parallels*                                 3%
COMODO High-Assurance Secure Server CA             3%
GeoTrust DV SSL CA                                 3%
StartCom Class 1 Primary Intermediate Server CA    3%

Legend: Distribution of CAs (Certificate Authorities) among the analysed certificates.

Analysis: RapidSSL CA is the most used CA among Swiss domains. With 10% of the market share, a security issue on their side could compromise thousands of secure web servers. CAs with an asterisk are self-signed, often management interface certificates or default certificates, and they are not recognised/trusted by browsers. In 2011, two Root CAs had security issues, Comodo and DigiNotar. DigiNotar was (ab)used to create fraudulent certificates for Google, Yahoo! and many other sites. The hierarchical model is quite risky: users have to completely trust the Root CA they choose. A security breach in a CA is the gold medal of Internet fraud, because phishing web sites can be made without the users noticing, and there is almost nothing the users can do to make sure they are not being abused by a forged SSL certificate.

Differences since Q1 2013 report: Minimal.


3.2 CONTENT MANAGEMENT SYSTEMS

Content management systems (CMS) are web applications (often based on web frameworks) offering modern capabilities for web authoring, content and subscriber management and many other features modern web sites need.

3.2.1 Top 10 used CMS

[Figure 3.2.1: stacked share (0 to 100%) of detected CMS from 04/11 to 05/13: Joomla, TYPO3, WordPress, Drupal, Contao, CMS Made Simple, xtCommerce, osCommerce, Magento, DotNetNuke, Plone, Concrete5.]

Legend: Top 10 content management systems detected on web servers.

Analysis: Joomla and TYPO3 are by far the most used content management systems. WordPress is also widely used, mainly for blogs. These top 3 applications represent 82% of the detected CMS.

Differences since Q1 2013 report: Minimal.


3.2.2 Top3 CMS distribution

[Figure 3.2.2: three maps of Switzerland (TYPO3, Joomla, WordPress) showing installations proportional to the population.]

Legend: Geographical distribution proportional to the population.

Analysis: While Joomla is fairly evenly distributed over the whole country, TYPO3 and WordPress have a stronger presence in the German-speaking part of the country and are less present in the French- and Italian-speaking parts. So far, this is the only occurrence of an e-röschtigraben detected by the NetObservatory.

Differences since Q1 2013 report: Minimal.


3.2.3 Updated releases of WordPress and TYPO3

Temporarily removed due to issues in the generation of the figures. These figures will reappear as soon as the issues are solved.


3.2.4 Timeline of a WordPress release

[Figure 3.2.4: two panels from 04/11 to 05/13: percentage (0 to 100%) and number (0 to 25’000) of WordPress installations by version installed (3.5.x, 3.4.x, 3.3.x, 3.2.x, 3.1.x, 3.0.x, < 3.0).]

Legend: Distribution, in percentage and absolute values, of WordPress versions across CH domains.

Analysis: WordPress is among the most popular CMS around the world. Major corporations and SMEs, but also individuals, use it. Over time, the WordPress developers understood their responsibility to keep their software up to date and have made it simpler for users to update their CMS. The figures show clearly that the older versions of WordPress took more time to spread, while the more recent versions are deployed faster. Before version 3.0 it was not possible to update the CMS without some minimal technical knowledge. The figures show without any doubt that pre-3.0 versions are not going away. On the other side, almost all version 3.0, 3.1 and 3.3 installations have been updated.

Differences since Q1 2013 report: Minimal.


3.3 SOFTWARE DISTRIBUTION

3.3.1 Apache vulnerability

[Figure 3.3.1: share of Apache web servers by status: vulnerable 42%, unknown 57%, not vulnerable (the remainder).]

Legend: Distribution of Apache web server software versions in three categories: vulnerable, not vulnerable and unknown. Vulnerable means the software version returned by the server has known and documented security issues. Not vulnerable means the version returned has no known security issues, and finally “unknown” means the server is hiding its version.

Analysis: Knowing that Apache is run by 77% of all web servers, one can quickly conclude that over three quarters of all web servers represent a security risk.

Differences since Q1 2013 report: Minimal.
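The three categories of this figure follow directly from the `Server` header: no version means “unknown”, otherwise the advertised version is compared against the first release of its branch that carries the known fixes. The following is an added example, not NetObservatory code, that parses Apache banners into version tuples and classifies them. `FIXED_IN` is a placeholder table invented for the example; in practice the thresholds come from the vendor's and the distribution's security advisories, and the sample headers are constructed.

```python
"""Classify Apache Server headers the way figure 3.3.1 does: vulnerable,
not vulnerable or unknown (version hidden). Added example, not NetObservatory
code. FIXED_IN is a placeholder table for the example, not a real advisory list:
the thresholds must come from the vendor's and the distribution's security advisories."""
from __future__ import annotations
import re
from collections import Counter
from typing import Optional

# Placeholder: first release on each branch considered free of known issues.
FIXED_IN = {(2, 2): (2, 2, 22), (2, 4): (2, 4, 4)}

# "Apache/2.2.22 (Debian)" -> 2, 2, 22; bare "Apache" (ServerTokens Prod) -> no version.
BANNER_RE = re.compile(r"^Apache(?:/(\d+)\.(\d+)(?:\.(\d+))?)?(?:\s|$)", re.IGNORECASE)


def parse_banner(server_header: str) -> Optional[tuple[str, Optional[tuple[int, int, int]]]]:
    """('apache', version-or-None) for Apache banners; None for other software."""
    m = BANNER_RE.match(server_header.strip())
    if not m:
        return None
    if m.group(1) is None:
        return ("apache", None)
    return ("apache", (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)))


def classify(server_header: str) -> Optional[str]:
    parsed = parse_banner(server_header)
    if parsed is None:
        return None                         # not Apache: outside this figure
    version = parsed[1]
    if version is None:
        return "unknown"                    # server hides its version
    fixed = FIXED_IN.get(version[:2])
    if fixed is None:
        return "unknown"                    # branch not in the table: don't guess
    return "vulnerable" if version < fixed else "not vulnerable"


def distribution(headers: list[str]) -> dict[str, float]:
    """Percent per category over the Apache servers only."""
    counts = Counter(c for c in map(classify, headers) if c is not None)
    total = sum(counts.values())
    return {cat: round(100.0 * n / total, 1) for cat, n in counts.items()}


# Constructed Server headers as a scanner would record them.
SAMPLE = [
    "Apache/2.2.16 (Debian)",                # below placeholder threshold
    "Apache/2.2.22 (Ubuntu)",                # at threshold
    "Apache/2.4.6 (Unix) OpenSSL/1.0.1e",    # above threshold
    "Apache",                                # ServerTokens Prod
    "Apache/2.0.63 (Unix)",                  # branch not in the table
    "nginx/1.2.1",                           # skipped: not Apache
]

if __name__ == "__main__":
    for h in SAMPLE:
        print(f"{h:36} -> {classify(h)}")
    print(distribution(SAMPLE))
```

One caveat a defender should keep in mind when reading the figure: distributions such as Debian backport security fixes without bumping the advertised version, so a banner-based “vulnerable” is an upper bound on the real exposure, and a banner-based “not vulnerable” still says nothing about modules or configuration.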


4 MAIL

4.1 MAIL SERVERS

4.1.1 SSL support

[Figure 4.1.1: share of mail servers with SSL enabled 31% versus SSL disabled 69%.]

Legend: Not only web servers can use SSL and encrypt data exchange; mail servers can as well. If two mail servers are correctly configured for SSL they will encrypt the mail exchange.

Analysis: Almost a third of all dot CH mail servers support SSL.

Differences since Q1 2013 report: The 2% increase in three months represents about 3’000 mail servers.


4.1.2 Software distribution

[Figure 4.1.2: share of mail servers by detected software: unknown 46%, postfix 23%, exim 13%, qmail 11%, sendmail 4%, followed by mdaemon, kerio, qpsmtpd, exchange and xmail.]

Legend: Top 10 of detected mail server software.

Analysis: Almost half of the mail servers do not show their name or version in the welcome banner. Hiding the software or version helps in preventing unnecessary attacks but does not secure your application. Keeping software up to date is more important than hiding information about it.

Differences since Q1 2013 report: Minimal.
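Both of the last two figures are read off the first two steps of an SMTP session: the 220 greeting names the software (or does not, the “unknown” 46%), and the EHLO reply lists STARTTLS when the server can encrypt the exchange. The following is an added example, not NetObservatory code, that parses both offline from constructed exchanges; the substring table used to recognise software is this example's own.

```python
"""Offline parsing of what a mail-server scan sees: the 220 greeting (software
detection, figure 4.1.2) and the EHLO reply (STARTTLS support, figure 4.1.1).
Added example, not NetObservatory code; all banners below are constructed."""
from __future__ import annotations
import re

EHLO_LINE = re.compile(r"^(\d{3})([ -])(.*)$")

# (substring in the lower-cased greeting, software name); "unknown" when nothing matches.
SOFTWARE_HINTS = (
    ("postfix", "postfix"), ("exim", "exim"), ("qmail", "qmail"),
    ("sendmail", "sendmail"), ("microsoft esmtp", "exchange"),
    ("mdaemon", "mdaemon"), ("kerio", "kerio"), ("qpsmtpd", "qpsmtpd"), ("xmail", "xmail"),
)


def software_from_banner(greeting: str) -> str:
    text = greeting.lower()
    for needle, name in SOFTWARE_HINTS:
        if needle in text:
            return name
    return "unknown"


def parse_ehlo(reply: str) -> tuple[int | None, list[str]]:
    """(status code, advertised extensions). Continuation lines carry '250-',
    the final line '250 '; the first line is the server's own name, not an extension."""
    code, lines = None, []
    for raw in reply.splitlines():
        m = EHLO_LINE.match(raw.rstrip("\r"))
        if not m:
            continue
        code = int(m.group(1))
        lines.append(m.group(3).strip())
        if m.group(2) == " ":      # last line of the multi-line reply
            break
    return code, lines[1:]


def supports_starttls(reply: str) -> bool:
    code, extensions = parse_ehlo(reply)
    return code == 250 and any(e.split()[0].upper() == "STARTTLS" for e in extensions if e)


# Constructed exchanges (192.0.2.10 is a documentation address).
GREETING_A = "220 mail.example.ch ESMTP Postfix (Debian/GNU)"
EHLO_A = "250-mail.example.ch\r\n250-PIPELINING\r\n250-SIZE 10240000\r\n250-STARTTLS\r\n250 8BITMIME\r\n"
GREETING_B = "220 mx.example-org.ch ESMTP"
EHLO_B = "250-mx.example-org.ch Hello scanner.example [192.0.2.10]\r\n250-SIZE 52428800\r\n250 HELP\r\n"

if __name__ == "__main__":
    for greeting, ehlo in ((GREETING_A, EHLO_A), (GREETING_B, EHLO_B)):
        print(software_from_banner(greeting), "starttls" if supports_starttls(ehlo) else "plain")
```

The second exchange is the combination the analysis warns about: a server that hides its software in the greeting but still advertises no STARTTLS, so the hidden banner buys nothing while every message it receives crosses the network in clear.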


4.1.3 Software version

[Figure 4.1.3: two panels from 04/11 to 05/13, “Evolution of Exim servers exposure” and “Evolution of Sendmail servers exposure”, each a stacked percentage (0 to 100%) of servers by status: updated, unknown, not updated.]

Legend: As for the web, mail servers are major elements of the attack surface and are exposed to automatic attack trials. The importance of having an up-to-date mail server is not questionable.

Analysis: Exim shows a good example of how the permanent evolution cycle works. A vulnerability is found, a new release is made to correct it, OS distributions integrate it and administrators update. This whole process can take up to a year.

Differences since Q1 2013 report: The increase in Exim updates is related to the release of Debian Wheezy and Ubuntu Raring Ringtail.


5 DOMAIN NAMES RELATIONS

5.1 NAME SERVER RELATIONS

5.1.1 DNS servers accepting recursive lookup

[Figure 5.1.1: stacked percentage (0 to 100%) of DNS servers accepting (yes) or refusing (no) recursive lookups, from 05/11 to 05/13.]

Legend: DNS servers accepting and refusing recursive lookup. Internet access provider customers use a recursive DNS server to resolve domains. A non-recursive DNS server is used to serve a defined list of domains.

Analysis: Most of the DNS servers are non-recursive, which is, in this case, the correct mode of operation. 10% allow recursive lookups, probably due to misconfiguration or a misunderstanding of the function. Depending on the operating system and the DNS server software this could lead to a potential risk such as DNS cache poisoning.

Differences since Q1 2013 report: A 2% decrease of the servers accepting recursive lookups in the last 3 months.
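Whether a server “accepts recursive lookup” is visible in the header of its reply to a query with the RD (recursion desired) bit set for a name it is not authoritative for: an authoritative-only server answers REFUSED or leaves RA (recursion available) clear, an open resolver sets RA and returns data. The following is an added example, not NetObservatory code: it builds the query on the wire (RFC 1035 format, standard library only), reads the reply header, and classifies it. The replies are constructed in memory so the example runs offline; `probe` sends the same query to a server you administer.

```python
"""Build an RD=1 DNS query and read the answer's header flags to decide whether a
name server offers recursion, the property measured in figure 5.1.1.
Added example, not NetObservatory code; wire format per RFC 1035, responses
below are constructed in memory so the example runs offline."""
from __future__ import annotations
import random
import socket
import struct

FLAG_QR, FLAG_RD, FLAG_RA = 0x8000, 0x0100, 0x0080
RCODE_REFUSED = 5


def build_query(name: str, qtype: int = 1, rd: bool = True, txid: int | None = None) -> bytes:
    """12-byte header + QNAME labels + QTYPE/QCLASS IN."""
    txid = random.randrange(0x10000) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, FLAG_RD if rd else 0, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_header(msg: bytes) -> dict:
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "rd": bool(flags & FLAG_RD),
            "ra": bool(flags & FLAG_RA), "rcode": flags & 0x000F, "ancount": an}


def recursion_offered(query: bytes, response: bytes) -> str:
    """'yes' when the server answered a question it is not authoritative for with
    RA set and data; 'no' on REFUSED or RA clear; 'invalid' if the reply does not
    belong to the query."""
    h = parse_header(response)
    if not h["qr"] or h["id"] != parse_header(query)["id"]:
        return "invalid"
    if h["ra"] and h["rcode"] == 0 and h["ancount"] > 0:
        return "yes"
    if h["rcode"] == RCODE_REFUSED or not h["ra"]:
        return "no"
    return "unclear"


def probe(server_ip: str, name: str = "www.example.com", timeout: float = 3.0) -> str:
    """Send one query to a server you administer and classify its reply (network)."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server_ip, 53))
        try:
            response, _ = s.recvfrom(512)
        except socket.timeout:
            return "no answer"
    return recursion_offered(query, response)


def fake_response(query: bytes, flags: int, with_answer: bool) -> bytes:
    """Constructed reply reusing the query's id and question section; the answer,
    if any, is one A record pointing at the documentation address 192.0.2.1."""
    txid = parse_header(query)["id"]
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]) if with_answer else b""
    header = struct.pack("!HHHHHH", txid, flags, 1, 1 if with_answer else 0, 0, 0)
    return header + query[12:] + rr


QUERY = build_query("www.example.com", txid=0x1234)
OPEN_RESOLVER = fake_response(QUERY, FLAG_QR | FLAG_RD | FLAG_RA, True)       # flags 0x8180
AUTH_ONLY = fake_response(QUERY, FLAG_QR | FLAG_RD | RCODE_REFUSED, False)   # flags 0x8105

if __name__ == "__main__":
    print("open resolver:", recursion_offered(QUERY, OPEN_RESOLVER))
    print("authoritative only:", recursion_offered(QUERY, AUTH_ONLY))
```

The fix on the server side is to serve recursion only to the networks that need it (BIND's `allow-recursion`, or running the authoritative and recursive roles on separate instances); the check above then returns “no” from the outside and “yes” from the inside, which is the intended split.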


5.1.2 DNS servers accepting zone transfer

[Figure 5.1.2: stacked percentage (0 to 100%) of domains with zone transfer allowed versus not allowed, from 05/11 to 05/13.]

Legend: Domains having at least one DNS server accepting zone transfer. A zone transfer (AXFR) is a complete copy of every record of a domain name. It is used to synchronise secondary name servers with the primary.

Analysis: Similar to the previous graphic, most of the DNS servers are configured correctly. However, 14% of the domains have a DNS server accepting zone transfer, risking a leak of corporate internal information or of information about services that are not intended for the public. While this is not a risk by itself, it can dramatically increase the exposed attack surface of that company (showing an attacker a list of computers he could then try to attack).

Differences since Q1 2013 report: An inexplicable 3% increase of servers accepting zone transfer occurred. Data analysis did not reveal a clear pattern.


5.1.3 SPF Records

[Figure 5.1.3: share of domains with no SPF record 83% versus with an SPF record 17%.]

Legend: SPF (Sender Policy Framework) is a special DNS record designed to help combat spam. It defines who (which IP addresses) is allowed to send email for this domain.

Analysis: With 17% of the dot CH domains having an SPF record, the success of the SPF project is lower than expected. However, the figure should rather show the percentage of mailboxes tied to a domain with or without an SPF record. Such information (number of mailboxes per domain) is not available.

Differences since Q1 2013 report: Minimal.
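An SPF record is a TXT record beginning with `v=spf1`, followed by mechanisms that are tried left to right; the first one matching the sending IP decides the result through its qualifier (`+` pass, `-` fail, `~` softfail, `?` neutral). The following is an added example, not NetObservatory code: it finds the SPF record among a domain's TXT records (none or more than one is the “no usable SPF” case) and evaluates a sender IP against the `ip4`, `ip6` and `all` mechanisms. Mechanisms that need further DNS lookups (`include`, `a`, `mx`, ...) are reported as `needs_dns` rather than resolved, so the example runs offline; the records and IP addresses are constructed from the documentation ranges.

```python
"""Find a domain's SPF record among its TXT records and evaluate a sender IP
against it (figure 5.1.3). Added example, not NetObservatory code. Handles the
ip4/ip6/all mechanisms offline; mechanisms needing DNS (include, a, mx, ...) are
reported as 'needs_dns' instead of being resolved. Records below are constructed."""
from __future__ import annotations
import ipaddress

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
DNS_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}


def find_spf(txt_records: list[str]) -> str | None:
    """The single record starting with 'v=spf1'; None when absent (the 83% case)
    or when more than one exists (a permanent error per RFC 7208)."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    return spf[0] if len(spf) == 1 else None


def spf_check(record: str, sender_ip: str) -> str:
    """pass / fail / softfail / neutral / permerror / needs_dns for sender_ip."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"
    addr = ipaddress.ip_address(sender_ip)
    redirect = False
    for term in terms[1:]:
        if "=" in term.split(":")[0]:            # modifier such as exp= or redirect=
            redirect = redirect or term.lower().startswith("redirect=")
            continue
        qualifier = "+"
        if term[0] in RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.split("/")[0].lower()        # drop a dual-CIDR suffix such as a/24
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if addr.version == net.version and addr in net:
                return RESULT[qualifier]
        elif mech == "all":
            return RESULT[qualifier]
        elif mech in DNS_MECHANISMS:
            return "needs_dns"
        else:
            return "permerror"                   # unknown mechanism
    return "needs_dns" if redirect else "neutral"   # no 'all': default neutral


# Constructed TXT record sets (IP addresses from the documentation ranges).
RECORDS = {
    "example-shop.ch": ["v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.10 ip6:2001:db8::/32 -all"],
    "example-news.ch": ["google-site-verification=constructed", "v=spf1 ip4:192.0.2.0/24 ~all"],
    "example-org.ch": ["v=spf1 include:_spf.example.net -all"],
    "example-bank.ch": ["some unrelated txt record"],
}

if __name__ == "__main__":
    for domain, txt in RECORDS.items():
        spf = find_spf(txt)
        print(domain, "no SPF record" if spf is None else spf_check(spf, "203.0.113.5"))
```

A domain in the 83% without a record gives receivers nothing to check, so forged mail carrying its name passes through; a record ending in `-all` is what lets a receiving server reject such forgeries outright, while `~all` only marks them.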


5.1.4 Glue records

[Figure 5.1.4: share of domains with incorrect glue records 35% versus correct glue records 65%.]

Legend: Glue records are DNS records kept for second-level domains at the first-level (TLD) registry. They must exist in order to resolve the names of DNS servers that sit under the domain itself. If the DNS server of netobservatory.ch is dns1.netobservatory.ch, the registry (SWITCH) must know the IP address of dns1.netobservatory.ch.

Analysis: 35% of the glue records do not correspond to the content of the zone. This means that the DNS server list has been modified and/or some of the DNS servers changed their IP address, and the domain holder did not update the registry to reflect these changes. This is an improper setup and should be corrected quickly in order to avoid a non-working domain.

Differences since Q1 2013 report: The 2% increase of the last report has been reversed.


5.2 IPV6 RELATIONS

IPv6 is the Internet Protocol version 6. It has existed for over 10 years and its usage was very low, if not merely experimental, until recently. IPv4, the current and globally used Internet Protocol, is slowly but surely reaching its limitation: the maximum number of computers simultaneously connected to the Internet. The IANA (Internet Assigned Numbers Authority) pool is now exhausted, and the APNIC (responsible for delegating IP addresses in the Asia/Pacific region) pool is exhausted as well. The European registry, RIPE, expects its pool to hold for another 6 to 9 months. Adoption of the new IPv6 protocol is urgent, especially for service and access providers.

5.2.1 IPv6 adoption in standard DNS entries

[Figure 5.2.1: percentage (0 to 100%) of domains with IPv4 and IPv6 records for the mx, a and ns entries; ns: IPv4 100%, IPv6 31%; the IPv4 bars for a and mx read 91% and 70%, their IPv6 bars are not labelled in the figure.]

Legend: Percentage of domain names having an IPv4 and/or an IPv6 record for the standard DNS entries.

Analysis: 31% of the domains have DNS servers reachable over IPv6. Mail and web records are still very low at 5%. Further analysis and historical data will be shown in future reports to follow the progression of IPv6.

Differences since Q1 2013 report: Minimal.


5.3 DNSSEC

The Domain Name System Security Extensions (DNSSEC) is a suite of Internet Engineering Task Force (IETF) specifications for securing certain kinds of information provided by the Domain Name System (DNS) as used on Internet Protocol (IP) networks. It is a set of extensions to DNS, which provide to DNS clients (resolvers) origin authentication of DNS data, authenticated denial of existence, and data integrity, but not availability or confidentiality. (Source: Wikipedia)

The NetObservatory observes the evolution of DNSSEC applied to dot CH domains and verifies whether they are correctly configured. To understand this DNSSEC chapter correctly, a good understanding of DNSSEC is required. Beginners can start by reading the Wikipedia article at http://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions and RFC 4033 at http://www.ietf.org/rfc/rfc4033.txt

5.3.1 DNSSEC State

[Figure 5.3.1: stacked percentage (0 to 100%) of the analysed zones by DNSSEC state (bogus, self sig, self sig (denied), trusted, trusted (denied), untrusted) from 12/11 to 04/13.]

Legend: This figure describes the DNSSEC state of the zones. “trusted” are correctly configured domains. “trusted (denied)” are domains that do not resolve or that are not configured/not active (no glue record). “self sig” would be correctly configured, but the chain of trust is incomplete. “self sig (denied)” don’t have a “Trust Anchor” and do not resolve. “untrusted” are domains without DNSSEC parameters for which a valid NSEC or NSEC3 can be obtained. “bogus” domains have a chain of trust, but at least one element (RRSIG, NSEC/NSEC3, DS) is corrupted or incomplete.

Analysis: With about 500 “trusted” domains, the adoption of DNSSEC is far from its goal. It will take years before a significant number of domains are secured by DNSSEC. One of the main reasons is probably the lack of knowledge among DNS administrators and the lack of stable implementations. The largest deployment of DNSSEC is done by the EIA-FR (Ecole d’Ingénieurs et d’Architectes de Fribourg) with about 100 domains out of 500.

Differences since Q1 2013 report: Trusted (denied) progression of 1%.

NORA Report Q2/2013

33/43
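The six states of the legend can be derived from a handful of observations per zone: whether the zone resolves, whether it publishes DNSKEY records, whether the parent carries a DS (the trust anchor), whether the signature chain verifies and, for unsigned zones, whether a valid NSEC/NSEC3 denial exists. The Python below is an added example, not NetObservatory's measurement code; the Observation fields and the sample zones are this example's own construction, and the mapping of "no DNSKEY without a valid denial" to “bogus” is this example's reading of the legend.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass
class Observation:
    """What a validating check of one zone observed (constructed input fields)."""
    domain: str
    resolves: bool       # the zone's name servers answer (glue present, zone active)
    dnskey: bool         # the zone publishes DNSKEY records
    ds_in_parent: bool   # the parent carries a DS for the zone: the trust anchor
    signatures_ok: bool  # every RRSIG / NSEC(3) / DS element verifies
    denial_ok: bool      # for unsigned zones: a valid NSEC/NSEC3 proves there is no DS


def classify(obs):
    """Map one observation to the state names used in the figure's legend."""
    if not obs.dnskey:
        # No DNSSEC parameters: "untrusted" only if the parent proves securely
        # that no DS exists; a stray DS or a broken denial is a corrupt element.
        return "untrusted" if obs.denial_ok and not obs.ds_in_parent else "bogus"
    if obs.ds_in_parent:
        if not obs.signatures_ok:
            return "bogus"            # chain of trust exists but an element is corrupt
        return "trusted" if obs.resolves else "trusted (denied)"
    # Signed zone without a DS in the parent: self-signed, chain of trust incomplete.
    return "self sig" if obs.resolves else "self sig (denied)"


def state_distribution(observations):
    """Zones per state as (count, percentage of all observed zones)."""
    counts = Counter(classify(o) for o in observations)
    total = len(observations)
    return {state: (n, round(100 * n / total, 1)) for state, n in counts.items()}


# Constructed sample zones, one per state of the legend (not measured .CH data).
SAMPLE = [
    Observation("trusted.example", True, True, True, True, False),
    Observation("inactive.example", False, True, True, True, False),
    Observation("selfsigned.example", True, True, False, True, False),
    Observation("selfsigned-dead.example", False, True, False, True, False),
    Observation("plain.example", True, False, False, False, True),
    Observation("broken.example", True, True, True, False, False),
]

if __name__ == "__main__":
    for obs in SAMPLE:
        print(f"{obs.domain:28} {classify(obs)}")
    print(state_distribution(SAMPLE))
```

Only “trusted” zones give a validating resolver a verified answer; “bogus” zones are the ones whose users lose service, since a validating resolver must refuse their answers.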

5.3.2

DNSSEC Response time

Figure: histogram of resolution times (x-axis Response Delay (ms), 0 to 3000; y-axis # Occurrences), normal resolutions in green and DNSSEC-validated resolutions in red.

Legend: When resolving a DNSSEC-enabled domain, the different checks the client needs to do and the different records it needs to fetch require more time than requesting a simple non-DNSSEC record. This figure shows how this affects the time to resolve and verify a DNS record. In green the ‘normal’ response times, and in red the response times for DNSSEC-enabled and verified domains, as seen by a recursive resolver with DNSSEC validation enabled. It takes into account the resolution of the root zone, TLD zone and 2LD zone.

Analysis: This is a strong drawback of DNSSEC: while resolvers respond on average after 260 ms without DNSSEC verification, the average jumps to over 1.1 seconds with DNSSEC verification enabled, and in some rare cases the resolution takes over 5 seconds to complete. It is worth noting that this is the response time of a server with an empty cache. This means that once the DNS server has cached these records, responses are faster.

Differences since Q1 2013 report: Minimal.

5.3.3

DNSSEC ZSK algorithms

Figure: distribution of the ZSK algorithms used by the second-level domains (x-axis 0% to 35%). Values labelled in the figure: RSA/SHA-256 36%, RSASHA1-NSEC3-SHA1 29%, RSA/SHA-1 34%; RSA/SHA-512 and DSA/SHA-1 carry no label.

Legend: The .CH top-level domain uses the RSASHA1-NSEC3-SHA1 algorithm for the ZSK key to which the DS points. This figure shows the distribution of the algorithms used by the second-level domains for their own ZSK key.

Analysis: Due to the very low number of DNSSEC-enabled (trusted) domains, nothing meaningful can be analysed for this figure.

Differences since Q1 2013 report: No rational analysis can be done due to the very low number of domains involved; a change in only a few domains could change the results significantly.

5.3.4

DNSSEC KSK lengths

Figure: distribution of the KSK lengths (x-axis 0% to 60%). Values labelled in the figure: 4096 bit 8%, 2048 bit 66%, 1024 bit 17%; the group 1536 / 1456 / 1304 / 1280 bit carries one label of 7%; 768 bit and 512 bit carry no label.

Legend: This figure shows the distribution of the KSK (Key Signing Key) lengths.

Analysis: Due to the very low number of DNSSEC-enabled (trusted) domains, nothing meaningful can be analysed for this figure.

Differences since Q1 2013 report: Minimal.

5.3.5

DNSSEC ZSK lengths

Figure: distribution of the ZSK lengths (x-axis 0% to 80%). Values labelled in the figure: the group 4096 / 2304 / 2048 / 1280 bit carries one label of 5%, the group 1152 / 1024 bit carries one label of 91%; 768 bit and 512 bit carry no label.

Legend: This figure shows the distribution of the ZSK (Zone Signing Key) lengths.

Analysis: Due to the very low number of DNSSEC-enabled (trusted) domains, nothing meaningful can be analysed for this figure.

Differences since Q1 2013 report: Minimal.
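The three figures above (5.3.3 to 5.3.5) are all derived from the same data: the DNSKEY records of each zone, where the flags field tells KSK (257) from ZSK (256), the algorithm number names the algorithm, and, for RSA, the modulus length is read from the RFC 3110 key encoding. The Python below is an added example (not NetObservatory's tooling) that parses DNSKEY records in presentation form and builds the algorithm and key-length distributions; the sample zones and their keys are constructed inside the script, and the policy thresholds (SHA-1 based algorithms, RSA moduli under 1024 bits) are this example's own assumptions rather than the report's.

```python
import base64
from collections import Counter

# IANA DNSSEC algorithm numbers for the algorithms named in the figures.
ALGORITHMS = {3: "DSA/SHA-1", 5: "RSA/SHA-1", 7: "RSASHA1-NSEC3-SHA1",
              8: "RSA/SHA-256", 10: "RSA/SHA-512"}
RSA_ALGORITHMS = {5, 7, 8, 10}
# Policy thresholds of this example (assumptions, not the report's): flag keys
# that rely on SHA-1 and RSA moduli shorter than MIN_RSA_BITS.
SHA1_ALGORITHMS = {3, 5, 7}
MIN_RSA_BITS = 1024


def rsa_modulus_bits(public_key):
    """Modulus length in bits of an RSA DNSKEY public key field.

    RFC 3110 encoding: exponent length in one byte (or a zero byte followed by
    a two-byte length), then the exponent, then the modulus.
    """
    if public_key[0] != 0:
        exp_len, offset = public_key[0], 1
    else:
        exp_len, offset = int.from_bytes(public_key[1:3], "big"), 3
    modulus = public_key[offset + exp_len:]
    return int.from_bytes(modulus, "big").bit_length()


def parse_dnskey(rdata):
    """Parse DNSKEY presentation form: 'flags protocol algorithm base64-key'."""
    flags, protocol, algorithm, *key_parts = rdata.split()
    flags, protocol, algorithm = int(flags), int(protocol), int(algorithm)
    if protocol != 3:
        raise ValueError("DNSKEY protocol field must be 3 (RFC 4034)")
    key = base64.b64decode("".join(key_parts))
    # Flag value 256 marks a zone key; the Secure Entry Point bit (value 1)
    # distinguishes a KSK (257) from a ZSK (256).
    if not flags & 256:
        role = "not a zone key"
    else:
        role = "KSK" if flags & 1 else "ZSK"
    return {
        "role": role,
        "algorithm_number": algorithm,
        "algorithm": ALGORITHMS.get(algorithm, f"unknown ({algorithm})"),
        "bits": rsa_modulus_bits(key) if algorithm in RSA_ALGORITHMS else None,
    }


def make_rsa_key_field(modulus_bits, exponent=65537):
    """Constructed RSA public key field of the given modulus length. The modulus
    is a dummy value with only its top bit set; only its length matters here."""
    exp = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    modulus = (1 << (modulus_bits - 1)).to_bytes(modulus_bits // 8, "big")
    return bytes([len(exp)]) + exp + modulus


def b64(field):
    return base64.b64encode(field).decode()


# Constructed sample zones (not measured .CH data): each has a KSK and a ZSK.
SAMPLE_KEYS = {
    "alpha.example": ["257 3 8 " + b64(make_rsa_key_field(2048)),
                      "256 3 8 " + b64(make_rsa_key_field(1024))],
    "beta.example": ["257 3 7 " + b64(make_rsa_key_field(2048)),
                     "256 3 7 " + b64(make_rsa_key_field(1024))],
    "gamma.example": ["257 3 5 " + b64(make_rsa_key_field(1024)),
                      "256 3 5 " + b64(make_rsa_key_field(512))],
}


def distribution(zone_keys, role):
    """Count (algorithm, modulus bits) pairs over the KSKs or ZSKs of all zones."""
    counts = Counter()
    for records in zone_keys.values():
        for rdata in records:
            key = parse_dnskey(rdata)
            if key["role"] == role:
                counts[(key["algorithm"], key["bits"])] += 1
    return counts


def weak_keys(zone_keys):
    """(zone, role, reason) for keys that fail this example's policy thresholds."""
    findings = []
    for zone, records in zone_keys.items():
        for rdata in records:
            key = parse_dnskey(rdata)
            if key["algorithm_number"] in SHA1_ALGORITHMS:
                findings.append((zone, key["role"], "SHA-1 based algorithm"))
            if key["bits"] is not None and key["bits"] < MIN_RSA_BITS:
                findings.append((zone, key["role"], f"{key['bits']}-bit RSA modulus"))
    return findings


if __name__ == "__main__":
    for role in ("KSK", "ZSK"):
        print(role, dict(distribution(SAMPLE_KEYS, role)))
    for finding in weak_keys(SAMPLE_KEYS):
        print("weak:", *finding)
```

The modulus length is taken from the integer value rather than from the byte count, so a modulus with leading zero bytes is not over-reported; the parser reads the presentation form as printed by dig, where the base64 key may be split across several whitespace-separated fields.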

6 OPEN PORTS

An open port is a service running on a server waiting for a client to connect. Ports are related to specific services.

6.1

OPEN PORTS

6.1.1

Unconventional open ports

Figure: unconventional open ports found on servers over time (services mysql, rpcbind, msrpc, microsoft-rdp, netbios-ssn, microsoft-ds, postgresql; y-axis 0% to 100%; x-axis Date (month/year) from 05/11 to 05/13).

Legend: This graphic shows strange ports found to be open on servers.

Analysis: These ports are strange because they are not supposed to be accessible to the public; they expose the servers to an additional and unnecessary risk. Most of this is due to misconfiguration or ignorance. MySQL and PostgreSQL are database applications. Microsoft DS, NetBIOS SSN and Microsoft RPC are used by Microsoft Windows clients and servers for file sharing or administration and are known to have many security flaws. Microsoft RDP is the “Remote Desktop” service. RPC Bind is used for NIS (Network Information Service). None of the services above needs to be exposed to the public Internet. If network or server administrators need to access them, they should use a secure connection (VPN) and filter them so that they are not exposed to the public Internet.

Differences since Q1 2013 report: Minimal.

6.1.2

SMB servers

Figure: number of SMB services by application/operating system (categories Samba, Windows 2003 or 2008, Windows 2000, Others; x-axis 0 to 2,000).

Legend: Number of SMB services by application/operating system found among DNS, web and mail servers. Port TCP/445 is used for the Microsoft Windows file sharing protocol called SMB or CIFS.

Analysis: TCP port 445 has been known for security issues on Microsoft Windows operating systems for over 10 years. Thousands of viruses and worms use this port to infect other computers over the Internet. Viruses or worms have probably infected a fair number of the servers shown in this graph. Having this protocol open to the public is a high and unnecessary risk. It should be avoided.

Differences since Q1 2013 report: Minimal.
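The check behind sections 6.1.1 and 6.1.2 is a simple one an administrator can run against their own scan results: compare the open ports of a server with the ports its role justifies and name the well-known services behind the rest. The Python below is an added example (not NetObservatory's scanner): the port-to-service mapping uses the standard port numbers of the services in the figures, the expected-port table per server role and the scan results are this example's own constructed assumptions.

```python
from collections import defaultdict

# Standard TCP ports of the services the figure calls unconventional.
UNCONVENTIONAL = {
    3306: "mysql", 5432: "postgresql", 111: "rpcbind", 135: "msrpc",
    139: "netbios-ssn", 445: "microsoft-ds", 3389: "microsoft-rdp",
}
# Ports a server of each role is expected to expose (this example's assumption).
EXPECTED = {
    "dns": {53},
    "web": {80, 443},
    "mail": {25, 465, 587, 110, 143, 993, 995},
}

# Constructed scan results (not NetObservatory data): (host, role, open TCP ports).
SCAN = [
    ("ns1.alpha.example", "dns", {53}),
    ("www.beta.example", "web", {80, 443, 3306}),
    ("mail.gamma.example", "mail", {25, 587, 445, 139}),
    ("www.delta.example", "web", {80, 3389, 8080}),
]


def audit(scan, expected=EXPECTED, unconventional=UNCONVENTIONAL):
    """Per host, the open ports its role does not justify, labelled with the
    service name when the port is one of the figure's unconventional services
    and "other" otherwise (an unexpected port is a finding either way)."""
    findings = {}
    for host, role, ports in scan:
        unexpected = ports - expected[role]
        if unexpected:
            findings[host] = {p: unconventional.get(p, "other")
                              for p in sorted(unexpected)}
    return findings


def service_exposure(scan, unconventional=UNCONVENTIONAL):
    """Percentage of scanned hosts exposing each unconventional service, the
    quantity plotted per month in figure 6.1.1."""
    counts = defaultdict(int)
    for _, _, ports in scan:
        for port in ports & unconventional.keys():
            counts[unconventional[port]] += 1
    return {svc: round(100 * n / len(scan), 1) for svc, n in sorted(counts.items())}


if __name__ == "__main__":
    for host, ports in audit(SCAN).items():
        print(host, ", ".join(f"{p}/{svc}" for p, svc in ports.items()))
    print(service_exposure(SCAN))
```

A host with TCP/445 or TCP/139 open, as in the constructed mail server above, is exactly the case section 6.1.2 counts; the expected-port table is the place to encode the filtering rule the analysis recommends, so that anything outside it is reported rather than silently accepted.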

7 REVIEW 2012

7.1

INTRODUCTION

2012 is the second complete year covered by NORA reports. The yearly report shows an overview of the past year, especially significant events.

7.2

GENERAL INFORMATION

During this year NORA introduced more historical figures allowing a better overview of the progression without the need to read all the previous reports. During 2013 NORA will introduce more figures with historical information and hopefully, by the end of the year, all figures will be shown this way.

7.3

ADDRESS SPACE IPV4

In 2011, IANA (Internet Assigned Numbers Authority) gave the last chunks of IPv4 address space to the five Regional Internet Registries (ARIN, RIPE NCC, LACNIC, AFRINIC and APNIC). In 2012, Europe’s Regional Internet Registry, RIPE NCC, ran out of IPv4 addresses, on 14 September 2012. This is a significant change for all European Internet providers: they can no longer obtain more IPv4 addresses when they need them. The development of a market for IPv4 addresses has already started, and the price per IPv4 address is currently between 10 and 20 USD.

7.4

DNS SERVERS

The quality of the DNS servers serving dot CH zones has seen almost no change in 2012. The only noticeable change is the share of servers allowing recursive lookups, which went from 17% to 13%. A third of the domains are still misconfigured (incorrect glue records), zone transfer is still allowed by 10% of the servers, and the share of zones with SPF records went from 15% to 17%. The share of zones having IPv6 records had almost no change, except for the NS records, which rose from 23% to 27%. Knowing that the IPv4 address space is exhausted in the RIPE NCC region does not seem to worry domain owners.

7.5

MAIL / WEB SERVERS

Mail and web server software is updated often. Regular readers of the NORA report have probably noticed how often the “updated / not updated” figures for Exim, Sendmail, Apache, WordPress and TYPO3 tend to “jump around”. The team behind the NORA report is working on improvements in the reporting of those figures. The day after a new software release, all servers are considered “not updated”, which makes it very difficult for the reporting to stay stable. These figures will probably be shown similarly to the WordPress figure 3.2.4, as a timeline of versions instead of a Boolean “updated / not updated”.

7.6

THE SLOW MOVING PROJECTS

Unfortunately, no significant change has been noticed regarding IPv6 and DNSSEC usage. Clearly, more awareness, information and maybe tools must be given to publishers, service providers (access and hosting), and training programs. SWITCH, the national academic network and dot CH registry, made a small brochure about DNSSEC [4], but much more work must be done to motivate the domain holders and hosting providers to provide and enable DNSSEC. Regarding IPv6, the real deployment will start during 2013 and 2014, because some hosting and access providers will start to run out of IPv4 space, pushing them to the newest version of the protocol.

[4] https://www.nic.ch/reg/cm/wcm-resource/download/dnssec/DNSSEC_en.pdf

8 CONCLUSION

8.1

STATE

8.1.1

General

The state of the Swiss Internet is good, but some aspects are worrying. The hosting market is fairly shared among small and medium sized companies, and no large company is in a pseudo-monopoly position. What is worrying is the lack of maintenance and updates of the applications running all the services. Too many of them are not updated frequently, exposing their flaws to the whole Internet.

8.1.2

IPv6

Since the mid 90s the IPv4 exhaustion problem has been known, and a new protocol, IPv6, was invented to circumvent the limitations of the IPv4 address space. But IPv6 offers no commercial advantage and, Internet development being mainly commercial, no major breakthrough of IPv6 happened in the last 15 years. At the beginning of 2011 the IPv4 address space was finally exhausted, and IPv6 awareness started to spread more strongly and quickly than before. In June 2011 the “World IPv6 day”, an IPv6 test day, was run to increase awareness and to test the impact of enabling IPv6 on major services (like Facebook, Google, etc.). NetObservatory noticed some change in the IPv6 DNS records since the first NORA report in December 2010. Two larger hosting companies made a move that had a great impact on the NORA statistics. Hostpoint AG enabled IPv6 DNS services for all their customers, pushing the statistics from 15% to 22% of dot CH domains having an IPv6 NS record. Infomaniak SA also made a move: they enabled IPv6 mail services for all their mail customers and changed the results significantly, from less than 1% to over 4% of all dot CH domains having an IPv6 MX record. Both, with one simple move, became number one in Switzerland by hosting the most domains with IPv6 capabilities. In conclusion, we finally see IPv6 becoming reality and hope to see more moves like those of Hostpoint and Infomaniak in the future.

8.1.3

DNSSEC

While the first RFC describing DNSSEC (RFC 4033) is already 6 years old, the implementation and deployment of DNSSEC is almost insignificant. Worse than for IPv6, the need to deploy DNSSEC is low. DNSSEC ensures that only authorised servers respond for a given zone and that the answer can be verified. Threats to the current DNS system are mainly hijacking and response spoofing. DNS administrators don’t seem to feel that these threats are important enough to deploy DNSSEC. Presentations, standards and tutorials are available at http://www.dnssec.net/practical-documents. Once an administrator has the basic knowledge of DNSSEC, the deployment is not very difficult. The future will show whether DNSSEC deployment increases or not, but for now it is, unfortunately, insignificant.

8.2

RISKS

The risks are high for companies having their web site, mail server or other services exposed to abuse. It can be a financial and company image nightmare if an attacker abuses their services. Here are a few examples in order to really understand the risks.

What can happen?

• A company running a teenager forum gets hacked and the attacker uploads a pornographic image on the web site’s first page.
• A company runs its complete business on a web shop and the attacker inserts malware (virus or advertisement) on every page. The web site enters the “dangerous sites” list in every browser. (When a customer points his browser to the web site, it displays a big warning telling him to avoid this site because it is infected.)
• An attacker simply deletes all content of a server.
• …

What are the consequences?

• Destruction of company image. Can sometimes be fatal for a company.
• Hours or days of inaccessible service. Can be weeks or months if there is data loss and backups do not exist or cannot be restored.
• Unexpected costs of high-level network, systems and security experts.
• …

8.3

EVOLUTION

Technological evolution always comes with the same companion: complexity. Most companies do not understand the technology and its risks. Too often, companies (especially SMEs) try to limit the costs of their ICT infrastructure, leading to unnecessary risks. The evolution of the technology is not helping them. The risks will continue to increase if they do not spend more resources on monitoring the security state of their systems.

8.4

REASONS

The main reason, as stated above, is the complexity and its relation to the SME budget. Large companies usually understand the risks and proportionally spend much more money on their ICT infrastructure. The complexity also creates specialised jobs and companies. Involving so many companies, even for small projects, leads to a dilution of the responsibility for maintenance and updates. Too often web solutions are offered as turnkey projects, and the web framework or CMS is left without any maintenance or updates.

8.5

MITIGATION

SMEs can mitigate the risks by investing more in ICT infrastructure or services offered by professionals.

8.6

FUTURE ANALYSIS

This is the fifth NORA report of NetObservatory. Future reports will also analyse Internet access providers, web frameworks and more.

8.7

BUSINESS DEVELOPMENT

In addition to NORA, NetObservatory aims to establish a company offering in-depth inspection of services. Customers of this new company will be able to have their public infrastructure and services analysed regularly by a fully automated process. This service will warn the customer of any known security issue and be its “guardian”. Customers can then react rapidly in case of an incident or do preventive updates.


9 MISCELLANEOUS

9.1

REDACTION

Report redacted by Pascal Gloor with the precious help of project members.

9.2

CONTACT

Netobservatory c/o École d'ingénieurs et d'architectes de Fribourg Bd de Pérolles 80 Case postale 32 CH-1705 Fribourg E-mail: [email protected]

9.3

DISCLAIMER

The NetObservatory project and its participants, private and public, have done their best to provide an accurate and reliable document. They shall in no event be liable for the content of this document. The document is provided “as is” without warranty of any kind; the information may contain mistakes, be inaccurate or be partially or completely false.
