ietf-mxcomp

Re: using reputation lookups first

2004-06-23 15:57:04

On Wed, 2004-06-23 at 14:05, Meng Weng Wong wrote:
> On Wed, Jun 23, 2004 at 12:46:02PM -0500, Eric A. Hall wrote:
> |
> | What is the possibility that an attacker could list a (SID|SPF) record
> | with references to ~thousands of domains, forcing my SMTP server to spend
> | large amounts of time and/or processing power validating the junk data?
> | What other similar kinds of attacks are enabled by infinite extensibility?

> These attack scenarios have been raised in the past.  Seen
> from the point of view of "don't spammers want their mail to
> get through?" they seem unlikely, but if we counter "but
> spammers may want to attack the integrity of the entire
> system as a whole" they make more sense.
>
> In fact, your attack scenario can be constructed independent
> of extensibility considerations.  The moment you introduce a
> new behaviour (a MARID dns lookup) you are able to attack it
> (a slow SERVFAIL will consume resources).  Extensibility
> amplifies the attack in degree but not in kind.

By attacking and breaking the MARID mechanism in the channel, assurances
offered to recipients become easily spoofed.  The result of the attack
could allow a bonanza of fraud displaying the highly promoted MARID seal
of approval.

> We are moving from an "assumed innocent unless proven
> guilty" model of email to an "assumed guilty unless proven
> innocent" model.
>
> I see this as a simple matter of hygiene in the big city.
> If the crazy homeless guy on the street offers me a
> bloodstained driver's license, I won't even get as far as
> looking at its expiration date; I won't even take it for
> fear of disease.
>
> In the same way, the best defense against the attacks you
> suggest is to perform the reputation lookup *before* the
> authentication lookup.

If the name of the domain is used, there would be no protection
afforded.  Reputation based upon address is difficult to accurately vet
and thus is not as comprehensive.  An address also provides no history
other than that it was once known to have been abused.

> If the reputation lookup says "bad guy" then the authentication
> lookup is moot.
>
> If the reputation lookup says "good guy" then you have
> reason to believe the query won't crash your system.

This would suggest that a "good guy" address list be created as
protection prior to SPF/CID authentication techniques.  This would be
difficult to vet and would be prone to false negatives.  The service
would not see the domain it references.  With all this, it sounds as if
you are advocating DNS be mirrored privately.

Attacks may be staged by selecting diverse and real, but complex and
convoluted records.  Heavy loads on these name servers could provide
erratic responses without a need to engineer this behavior.  The SPF/CID
process will continue through the entire list as a result.  Add to this,
the use of hostile name servers offering maniacal records that do
authenticate.  Frankly, either approach could bring down this complex
SPF/CID system regardless of the use of these hygienic precautions.

> If the reputation lookup says "no reputation, but
> accredited" you can provisionally assume "good guy".

This implies yet another category.  New to the "good guy" list perhaps?

> If the reputation lookup says "unknown and unaccredited",
>
>   If you are being very cautious, you may wish to greylist
>   and return 4xx without doing the auth lookup at all.  A
>   distributed reputation system should obtain information
>   fast enough to be useful the next time the query happens.
>
>   If you are being less cautious, you can do the auth lookup
>   anyway, and if it fails to resolve within a reasonable
>   amount of time, you can abort the lookups and feed a
>   grumpy opinion into your reputation service.  The next
>   time the attack occurs, you'll know not to do the auth
>   query.  Introduce noise into subsequent iterations
>   according to game theory to create opportunities for
>   forgiveness.
>
> Some MTA admins I know are looking at the OS fingerprint of
> the incoming packets and rejecting any mail that comes from
> a Windows OS.  This blocks a lot of viruses at the cost of
> cutting out legitimate Windows MTAs.  I mention this as an
> anecdote only.

Authorizing and authenticating the MTA can happen at the same moment a
query is sent to reputation services, if this authorization and
authentication only require return of a single record as illustrated in-

http://www.ietf.org/internet-drafts/draft-ietf-marid-csv-csa-00.txt

With this approach there would be little exposure to a threat without
reliance upon a reputation service.  In addition, use of the HELO domain
would enable a means to follow up on abuses needed by authorities.  For
absolute protection from joe jobs, promote the use of the Fenton
proposal for critical communications such as those used for commerce.
Perhaps make it criminal not to use this Fenton mechanism when
advertising.  This Fenton process can safely take place at the MUA and
not negatively impact either SMTP or DNS.  This krs approach is
extensible if desired as it can be scaled.  Have it add a photo, voice,
or video to help prevent mistaken identifications of the human kind.
Importantly, these alternatives would not break the current way mail is
used.

-Doug
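As an added illustration (not code from this thread or from any MARID implementation), the reputation-first, budget-limited lookup Meng sketches above for the "unknown and unaccredited" case, modelled in Python against Eric's thousands-of-includes record: the resolver, zone data, verdict strings and the 10-mechanism cap are assumptions (the cap is the limit RFC 7208 section 4.6.4 later standardised).

```python
MAX_DNS_MECHANISMS = 10  # added example; the cap RFC 7208 s.4.6.4 later standardised

class LookupBudgetExceeded(Exception):
    """The record plus its includes would need too many DNS queries."""

def count_spf_lookups(domain, resolver, counter=None):
    """Count DNS-querying mechanisms over the include:/redirect= chain;
    resolver(domain) gives the SPF TXT string or raises TimeoutError."""
    counter = counter if counter is not None else {"n": 0}
    for term in resolver(domain).split()[1:]:       # skip the v=spf1 tag
        term = term.lstrip("+-~?")
        target = None
        if term.startswith("include:"):
            target = term.split(":", 1)[1]
        elif term.startswith("redirect="):
            target = term.split("=", 1)[1]
        elif not (term in ("a", "mx", "ptr")
                  or term.startswith(("a:", "mx:", "ptr:", "exists:"))):
            continue                                # ip4/ip6/all cost no query
        counter["n"] += 1
        if counter["n"] > MAX_DNS_MECHANISMS:
            raise LookupBudgetExceeded(domain)
        if target:
            count_spf_lookups(target, resolver, counter)
    return counter["n"]

def check_sender(domain, reputation, resolver):
    """Reputation (domain -> "good"/"bad"; absent = unknown) comes first;
    returns "reject", "tempfail" or "proceed" (cheap enough for full SPF)."""
    if reputation.get(domain) == "bad":
        return "reject"                             # auth lookup is moot
    try:
        count_spf_lookups(domain, resolver)
    except (LookupBudgetExceeded, TimeoutError):
        reputation[domain] = "bad"                  # grumpy opinion for next time
        return "tempfail"                           # 4xx, retry later
    return "proceed"

# Constructed zone data standing in for real DNS answers.
ZONE = {
    "good.example": "v=spf1 mx include:_spf.good.example -all",
    "_spf.good.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "hostile.example": "v=spf1 " + " ".join(f"include:j{i}.example" for i in range(40)) + " -all",
    "slow.example": None,                           # resolver never answers
}

def fake_resolver(domain):
    record = ZONE.get(domain, "v=spf1 -all")         # unknown names: bare -all
    if record is None:
        raise TimeoutError(domain)
    return record
```

The second call for hostile.example is refused without any DNS work, which is the "you'll know not to do the auth query" step.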