How To Evade URL Filters With (Not-So) Fancy Math
Trailrunner7 writes "In their constant quest to find new and interesting ways to abuse the Internet, attackers recently have begun using an old technique to obfuscate URLs and IP addresses to bypass URL filters and direct users to malicious sites. The technique takes advantage of the fact that modern browsers will allow users to specify IP addresses in formats other than base 10. So a typical IP address that looks something like this — 192.10.10.1 — can also be written in base 8, hexadecimal or a handful of other formats, and the browser will recognize it and take the user to the specified site. What is interesting though is that due to the relative obscurity of using such methods to denote an IP or URL, it is quite feasible that existing security products do not correctly identify the URLs as valid or flag them as malicious when they point to existing known bad websites."
Technical details here (Score:5, Informative)
virtual hosts (Score:2, Informative)
Too bad this won't pass any Host: information in the HTTP header, hence anything based on a virtual host will be unreachable through pure IP address. You will have to perform a bit more hacking to do that, and it won't defeat deep packet inspection filters.
Yeah But... (Score:5, Informative)
Big problem (Score:5, Informative)
The problem with this approach is that the requested URL doesn't provide a hostname, just the IP address. As IP addresses are in short supply, it has been an extremely common practice for years to assign multiple websites to a single IP address, otherwise known as name-based virtual hosting. This is common even for large companies. When you specify the URL with an IP address, the browser doesn't provide an appropriate Host: HTTP header, so any web server set up this way won't know which of the many websites it hosts should be returned. This means that anybody browsing the web with this technique will find that some websites work and some won't, seemingly at random to them.
Parent is troll link - don't click. (Score:3, Informative)
Here is some text to get past the filter.
Welcome to the 20th century (Score:5, Informative)
I'm glad Slashdot is here to tell us about these things, or else I might not have found this important security bulletin [mitre.org].
Re:Technical details here (Score:5, Informative)
Re:0xdeadbeef (Score:3, Informative)
Uh oh. Looks like you can't Just Google It. Not only that, but they have all of 0xDEAD*
; <<>> DiG 9.2.4 <<>> -x 222.173.190.239
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 44377
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;239.190.173.222.in-addr.arpa. IN PTR
;; AUTHORITY SECTION:
173.222.in-addr.arpa. 3600 IN SOA dns1.ctnt.com.cn. root.dns1.ctnt.com.cn. 2005100802 10800 3600 604800 3600
HTTP/1.0 Perhaps, HTTP/1.1 Unlikely (Score:2, Informative)
HTTP/1.0:
GET / HTTP/1.0

HTTP/1.1:
GET / HTTP/1.1
Host: example.org
If the site relies on HTTP/1.1, as is the case when multiple domains are hosted from the same IP address, then it's not possible to access the site by IP alone. OTOH, any filter worth its salt would do a reverse DNS lookup on an unknown IP, which would reveal the single domain name for an HTTP 1.0 server, rendering this technique mostly useless for HTTP packet filtering.
Tricking HTTP proxy servers might work, if they allow CONNECT on port 80:
CONNECT 2130706433:80 HTTP/1.1
GET / HTTP/1.1
Host: example.geek
Re:Technical details here (Score:3, Informative)
never mind. i misread the article, sorry
Re:Technical details here (Score:1, Informative)
Not here. FF3.6 on Windows loads the page as linked...
Re:Technical details here (Score:2, Informative)
Re:Technical details here (Score:1, Informative)
That blog post is useless as well.
http://www.pc-help.org/obscure.htm is much better; note the date of that page: 2002! Nothing new here. Google for "obfuscate URL" and the first 15 hits are better and more informative as well.
Get prepared to have your mind blown (Score:5, Informative)
http://0x4a.8196963/
And yes, congratulations on being cutting edge: this thing is so old and well-known that it's even explicitly covered in RFC 3986, section 7 ("Security Considerations"), subsection 7.4 ("Rare IP Address Formats").
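A worked example, added here and not part of the thread or of any product it mentions: a Python parser that applies the same rules a browser uses for IPv4 literals (the WHATWG URL standard's IPv4 parser, which matches the classic inet_aton() behaviour the summary describes: one to four dot-separated parts, each decimal, leading-zero octal or 0x hex, with the last part filling the remaining bytes) and canonicalises the host to dotted decimal before a blocklist lookup. It covers both the base-8 and hex forms from the summary and this comment's mixed hex/decimal form (0x4a.8196963, which is 74.125.19.99). The blocklist entries and URLs in it are constructed for the demonstration; a filter that compares raw host strings against dotted-decimal entries misses every one of the obfuscated forms.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Digit sets for the three radixes a legacy inet_aton()-style parser accepts.
# Validating with a regex avoids int()'s leniency (it tolerates "1_0" and
# surrounding whitespace, which browsers do not).
_DIGITS = {
    16: re.compile(r"[0-9a-fA-F]+\Z"),
    8: re.compile(r"[0-7]+\Z"),
    10: re.compile(r"[0-9]+\Z"),
}


def parse_legacy_ipv4(host):
    """Interpret `host` the way browsers do (WHATWG URL "IPv4 parser").

    Accepts 1 to 4 dot-separated parts; each part may be decimal, octal
    (leading 0) or hex (0x prefix); the last part fills the remaining bytes.
    Returns the 32-bit address as an int, or None if `host` is not an IPv4
    literal (e.g. a DNS name or an out-of-range literal).
    """
    parts = host.split(".")
    if len(parts) > 1 and parts[-1] == "":
        parts.pop()                     # one trailing dot is tolerated
    if not 1 <= len(parts) <= 4:
        return None

    numbers = []
    for part in parts:
        if part[:2].lower() == "0x":
            digits, base = part[2:], 16
        elif len(part) > 1 and part[0] == "0":
            digits, base = part[1:], 8
        else:
            digits, base = part, 10
        if digits == "":
            if base != 16:              # an empty part is not a number...
                return None
            numbers.append(0)           # ...but a bare "0x" parses as 0
            continue
        if not _DIGITS[base].match(digits):
            return None
        numbers.append(int(digits, base))

    # Every part except the last must fit one byte; the last part must fit
    # the bytes that are left (so "192.168.1" means 192.168.0.1).
    if any(n > 255 for n in numbers[:-1]):
        return None
    if numbers[-1] >= 256 ** (5 - len(numbers)):
        return None

    value = numbers[-1]
    for i, n in enumerate(numbers[:-1]):
        value += n << (8 * (3 - i))
    return value


def canonical_host(host):
    """Dotted-decimal form of a legacy IPv4 literal, or the host lower-cased."""
    value = parse_legacy_ipv4(host)
    if value is None:
        return host.lower()
    return str(ipaddress.IPv4Address(value))


def is_blocked(url, blocked_hosts):
    """True if the URL's host, after normalisation, is on the blocklist.

    `blocked_hosts` holds dotted-decimal IPs and/or lower-case DNS names.
    """
    host = urlsplit(url).hostname
    if host is None:
        return False
    return canonical_host(host) in blocked_hosts


if __name__ == "__main__":
    # Constructed blocklist: 74.125.19.99 is just 0x4a.8196963 written out.
    blocked = {"74.125.19.99", "127.0.0.1"}
    for url in ["http://0x4a.8196963/", "http://2130706433:80/",
                "http://0177.0.0.1/", "http://example.org/"]:
        print(url, "->", canonical_host(urlsplit(url).hostname),
              "BLOCKED" if is_blocked(url, blocked) else "allowed")
```

The check deliberately normalises before comparing rather than trying to enumerate every spelling of an address: a single IP has an unbounded number of octal/hex/dword spellings, and the browser's parser is the only authority on which of them reach the same host. Literals the parser rejects (such as 192.168.0.256) are returned unchanged so they fall through to the DNS-name branch of whatever filter sits behind this.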
Re:Simple defense: (Score:2, Informative)