ietf-mxcomp

RE: Additional security consideration for marid-core

2004-08-12 22:42:33

Responding to a few messages with one message:

At 04:23 AM 8/12/2004 -0500, Gordon Fecyk wrote:

I have been 
rather concerned that authorization based on IP address will 
push them in the direction of these sorts of attacks on IP 
address space, which is a place where none of us would like 
to see them go.

As if this hasn't been done before.

ISPs have been authorizing mail relay based on IP for seven years now.  And
k1dd13z were supposedly attacking IRC and other TCP-based networks for at
least as long.  I'm not convinced there are attacks they haven't already
tried.

Agreed that these aren't new attacks.  What's new is the additional motivation 
to launch such an attack.

At 11:31 AM 8/12/2004 -0600, Michael R. Brumm wrote:
Jim Fenton wrote:
Such an attack might occur if the attacker obtained access to a
router which participates in external BGP routing.  Such a router
could advertise a more specific route to a rogue SMTP client,
temporarily overriding the legitimate owner of the address.

At that point, much larger attacks can be done. For example, DNS queries for
reputable domains could be redirected to a spammer's DNS server which replies
with a MARID record authorizing the IP addresses of zombies. This would
allow the attacker to basically hijack the reputable domains and send out
spam to everyone.

I'm under the impression that these attacks would be fairly short-lived, so 
redirection of DNS would be possible but DNS caches would mitigate that threat 
(not sure to what extent).  But a short-lived attack misappropriating one of 
the outgoing mail server addresses would allow the attacker to send messages 
from that domain and have them verify correctly, since that is done as the 
message is received.


Note that although the attack scenario I mentioned above is different from
the one mentioned in section 6.1, it too would be solved by DNSSEC (at least
that is my understanding).

Redirection of the DNS server would be solved by DNSSEC, but redirection of the 
outgoing email server's address would not.


At 11:50 PM 8/11/2004 -0700, william(at)elan.net wrote:

It's not an easy thing to achieve for somebody to try to use somebody else's
(otherwise already actively used) ip space, this will be quickly discovered 
and tracked to the source ASN doing the announcement. Just having hacked 
access to a bgp router is also not enough, you need to actually have prior 
authorization with upstream, which in itself will usually require access 
to the email account of the isp or organization the attacker is trying to appear as.
And if somebody does have hacked access to a large enough bgp router they 
could actually do a lot lot worse things than just spam or phishing 
(routers are worth quite a bit on the black market, on the order of 
1:10,000 or more what a zombie is worth).

In a world where authorization to use a given PRA is under control, the 
opportunity for a phisher to send messages as <large-bank>.com is probably 
quite lucrative.


Now it is not exactly that I'm saying it's not a threat or that it can not
happen (it probably will), but there are easier means to achieve a similar
result, like using zombies or, if access to a particular net is desired, hacking
a computer on that net. But if others do really feel like this should be 
included as a possible threat, my opinion is that the first paragraph is all 
that should be included and is enough (let's not give a spammer who has read
the document any ideas about hacking bgp routers; as you so elegantly put
it at the end, this "is a place where none of us would like to see them go").

I thought a lot before I wrote what I did.  I believe we aren't teaching the 
bad guys any new tricks here, any more than we are in the section about TCP 
sequence number attacks.

-Jim
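The more-specific-route scenario discussed in this thread, seen from the detection side, as an added example that is not part of the original message: given a domain's ip4 mechanisms, the routes its operator expects to see for those addresses, and a set of observed BGP announcements, flag announcements that cover an authorized address, are at least as specific as the expected route, and originate from a different ASN. The record, prefixes and ASNs are constructed sample values, not taken from the thread.

```python
import ipaddress

# Constructed sample data: an SPF/MARID-style record naming the domain's
# outbound mail servers, the routes the operator expects for them
# (prefix -> origin ASN), and announcements observed from a route collector.
SPF_RECORD = "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.25 -all"
EXPECTED_ROUTES = {"192.0.2.0/24": 64500, "198.51.100.0/24": 64501}
OBSERVED_ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64500),     # normal announcement
    ("192.0.2.128/26", 64666),   # more specific, foreign origin: hijack window
    ("198.51.100.0/24", 64501),  # normal announcement
    ("203.0.113.0/24", 64777),   # unrelated prefix
]


def authorized_networks(spf):
    """Extract the ip4 mechanisms of a record as ip_network objects."""
    nets = []
    for term in spf.split():
        if term.startswith("ip4:"):
            nets.append(ipaddress.ip_network(term[4:], strict=False))
    return nets


def suspicious_announcements(spf, expected, observed):
    """Return (prefix, asn, expected_prefix, expected_asn) for announcements
    that would let another origin speak for an authorized mail-server IP.
    A more specific (or equal) prefix from the expected ASN itself is
    treated as ordinary deaggregation and not reported."""
    expected_nets = {ipaddress.ip_network(p): asn for p, asn in expected.items()}
    findings = []
    for prefix, asn in observed:
        net = ipaddress.ip_network(prefix)
        for auth in authorized_networks(spf):
            if not net.overlaps(auth):
                continue
            for exp_net, exp_asn in expected_nets.items():
                if (auth.subnet_of(exp_net) and net.subnet_of(exp_net)
                        and asn != exp_asn):
                    finding = (prefix, asn, str(exp_net), exp_asn)
                    if finding not in findings:
                        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in suspicious_announcements(SPF_RECORD, EXPECTED_ROUTES, OBSERVED_ANNOUNCEMENTS):
        print("prefix %s from AS%d overrides %s (AS%d) for an authorized sender" % f)
```

The check only covers the address-hijack half of the threat; a DNS redirection of the record itself is the part DNSSEC addresses, as noted above.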

