As promised at last week's meeting, I'd like to propose a description of an
additional attack for the Security Considerations section of marid-core:
-----
6.4 Address Space Hijacking
This mechanism assumes the integrity of IP address space for determining
whether a given client is authorized to send messages from a given PRA. In
addition to the TCP attack given in section 6.2, a sufficiently resourceful
attacker might be able to alter the IP routing structure to permit two-way
communication using a specified IP address. It would then be possible to
execute an SMTP session that appears to come from an authorized address,
without the need to guess TCP sequence numbers or transmit in the blind.
Such an attack might occur if the attacker obtained access to a router which
participates in external BGP routing. Such a router could advertise a more
specific route to a rogue SMTP client, temporarily overriding the legitimate
owner of the address.
-----
Attackers (typically spammers and phishers) are very good at adapting to
countermeasures we put in place. I have been rather concerned that
authorization based on IP address will push them in the direction of these
sorts of attacks on IP address space, which is a place where none of us would
like to see them go.
-Jim
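
An added illustration, not part of the original message or of marid-core: the sketch below shows why a more-specific route captures traffic for part of an authorized range (longest-prefix match) and how a monitor could flag such an announcement. The prefixes, AS numbers, function names, and the idea of recording an expected origin AS alongside each authorized prefix are all assumptions made for the example.

```python
import ipaddress

# Constructed sample data: documentation prefixes and private-use AS numbers.
AUTHORIZED = {ipaddress.ip_network("192.0.2.0/24"): 64500}  # prefix -> expected origin AS
ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64500),     # legitimate owner of the address space
    ("192.0.2.128/25", 64511),   # more-specific route from a different origin
    ("198.51.100.0/24", 64501),  # unrelated network
]

def best_route(ip, announcements):
    """Longest-prefix match: the (network, origin_as) that forwarding would pick."""
    addr = ipaddress.ip_address(ip)
    matches = [(ipaddress.ip_network(p), asn) for p, asn in announcements
               if addr in ipaddress.ip_network(p)]
    return max(matches, key=lambda m: m[0].prefixlen, default=None)

def suspicious_more_specifics(authorized, announcements):
    """Announcements inside an authorized prefix whose origin AS is unexpected."""
    flagged = []
    for p, asn in announcements:
        net = ipaddress.ip_network(p)
        for auth_net, expected_as in authorized.items():
            # subnet_of() raises TypeError across IP versions, so compare versions first.
            if (net.version == auth_net.version and net.subnet_of(auth_net)
                    and asn != expected_as):
                flagged.append((str(net), asn, str(auth_net), expected_as))
    return flagged

def client_ip_trustworthy(ip, authorized, announcements):
    """True only if ip is authorized AND its best route has the expected origin."""
    addr = ipaddress.ip_address(ip)
    route = best_route(ip, announcements)
    for auth_net, expected_as in authorized.items():
        if addr in auth_net:
            return route is not None and route[1] == expected_as
    return False

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.200"):
        print(ip, best_route(ip, ANNOUNCEMENTS),
              client_ip_trustworthy(ip, AUTHORIZED, ANNOUNCEMENTS))
    print(suspicious_more_specifics(AUTHORIZED, ANNOUNCEMENTS))
```

Both sample addresses lie inside the authorized /24, so an address-only check accepts either one; only the routing view shows that the upper half is currently reachable through a different origin.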