SWITCH Security-Blog

SWITCH-CERT IT-Security Blog


IPv6 insecurities on “IPv4-only” networks

When people hear about IPv6-specific security issues, they often take this as an argument in favour of delaying or avoiding IPv6 deployment on their enterprise or campus network. Even without IPv6 being consciously deployed, however, some of the IPv6-related security issues were already introduced to most networks many years ago. The reason for this is simple: IPv6 is implemented in all common operating systems and enabled by default. We introduced hosts with these operating systems on our networks several years ago, be they clients on the office network or servers in a data centre or DMZ.


Since most, if not all, of today’s company networks are IPv6-enabled to a certain degree, they are attackable over IPv6. To make things worse, in contrast to IPv4, IPv6 brings along different kinds of autoconfiguration functionality, which can be misused. Network operators and security people who have neither basic IPv6 experience nor measures in place to detect IPv6-related attacks run a risk, and this risk is steadily increasing as the bad guys have already started to use IPv6. Bad guys are usually early adopters.


IT-Security-Links #62

 


There is no such thing as a free domain

For quite a long time now, SWITCH has been actively cleaning up drive-by sites. With attackers using the same tricks over and over, analysing them has become quite a routine, not to say a bore. Recently, however, we stumbled over a new pattern. Many of the reported domains looked like

law-enforcement-XXX.domain.ch

where XXX are three random letters. Most of the domain names didn’t return anything when we tried them. They all had their name servers at afraid.org, a free DNS hoster, which indeed provides quite a comprehensive service.
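One way to hunt for this pattern in resolver or passive-DNS data, as an added example that is not part of the original post: it flags .ch/.li hostnames whose leftmost label is `law-enforcement-` plus three letters and whose parent zone is served from afraid.org name servers. The record layout, the function names and the `domain.ch`/`domain.li` sample names are assumptions made for illustration, as is treating the parent domain as the last two labels.

```python
import re
from collections import defaultdict

# Leftmost label described in the post: "law-enforcement-" + three letters.
LABEL_RE = re.compile(r"^law-enforcement-[a-z]{3}$")
TLDS = ("ch", "li")  # the post concerns .ch/.li domains

# Constructed sample records: (queried hostname, NS set of its parent zone).
SAMPLE = [
    ("law-enforcement-qzt.domain.ch", ["ns1.afraid.org", "ns2.afraid.org"]),
    ("Law-Enforcement-ABC.domain.ch.", ["NS1.AFRAID.ORG."]),  # case and trailing dot
    ("www.domain.ch", ["ns1.afraid.org"]),                    # ordinary label
    ("law-enforcement-unit.domain.li", ["ns1.afraid.org"]),   # four letters, no match
    ("law-enforcement-xyz.domain.org", ["ns1.afraid.org"]),   # outside .ch/.li
    ("law-enforcement-kdw.domain.li", ["ns.other-dns.example"]),  # different hoster
]

def norm(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.rstrip(".").lower()

def on_afraid(ns_set):
    """True if any name server is afraid.org itself or a host below it."""
    return any(norm(ns) == "afraid.org" or norm(ns).endswith(".afraid.org")
               for ns in ns_set)

def suspicious(records):
    """Return {parent domain: [matching hostnames]} for the pattern above."""
    hits = defaultdict(list)
    for name, ns_set in records:
        labels = norm(name).split(".")
        # Assumption: hostname is exactly <label>.<domain>.<tld>
        if len(labels) != 3 or labels[-1] not in TLDS:
            continue
        if LABEL_RE.match(labels[0]) and on_afraid(ns_set):
            hits[".".join(labels[1:])].append(norm(name))
    return dict(hits)

if __name__ == "__main__":
    for parent, names in suspicious(SAMPLE).items():
        print(parent, "->", ", ".join(names))
```
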

All these domains are used by malware, mostly ransomware. A lot has been written about this topic, so I won’t add another blog post about this.

What is the issue with afraid.org? In a nutshell: their business model. The default, free setting when you register a domain is “public”. You forked out some money to get a domain name, so obviously it should be public, or no one can see it. However, public in afraid.org’s terminology means:

Public – If you add your domain as public, […] , others will be permitted to create sub domains off your domain without involving you.

Indeed, creating a sub domain pointing to something totally unrelated is easy. Only premium members ($5/month) have full control over their domain.

Obviously miscreants will be busy finding new, creative ways of using this service. And we are not the only ones concerned about this, so are our colleagues at Check and Secure. But just blaming afraid.org would be too easy. Running a quality DNS service is not a simple task. It needs resources, time, know-how and, last but not least, money to buy hardware, pay power bills etc. The folks at afraid.org are very helpful and quick in fighting misuse.

So maybe it’s us (the internet community) who all too often confuse free with free beer: We are happy to use free services and free software, and don’t care about the implications of a low price. Not convinced yet? Let’s rephrase this: Would you run your important e-business on infrastructure developed by a couple of aficionados in their spare time? No? Yes, you probably do. Only after a major disaster like Heartbleed do people realize that there is no such thing as free-as-in-free-beer software. The same is true for free DNS.

So, zooming back: how bad was this really? According to afraid.org there were about 100 ransomware sub domains with the “law-enforcement” pattern. Looking at Dynamoo’s Blog, there were many more domains and patterns. Thanks to the afraid.org folks, they are gone. As we have seen many other .ch/.li domains hosted at afraid.org abused, we informed about 700 owners of afraid.org-hosted .ch/.li domains with the default public shared state. Our recommendation: Pay $5 / month!