
Re: [ietf-smtp] SMTP Over TLS on Port 26 - Implicit TLS Proposal

2019-01-08 23:56:40
(warning - long digression on computer security and attacker mindset
follows.  Feel free to hit 'discard' if you're not interested)

On Wed, 09 Jan 2019 08:41:55 +0530, Viruthagiri Thirumavalavan said:
> So the snooper just makes a connection over port 26 to the server to fill
> in the missing information if they want it.

And Mark is being nice and glossing over how much recon an attacker is going to
do... But I'm *way* too caffeinated for midnight and somewhat bored, so... :)

So.. say I'm a snooper. The thought process goes as follows....

I find that doing a 'traceroute -A' to the target host is often quite 
enlightening -
between the PTR entries for each hop and looking up the ASN for it, you often
find helpful information even if the final host PTR is obfuscated and the DNS 
entry in WHOIS is less than informative. 'dig mx' shows that its
email service is hosted by Google. 'dig any' and 'soa' tell me that 
is providing DNS. And traceroute tells me that Cloudflare is providing hosting
as well.  And it's on 2 anycast instances (the chances it's on only one instance
that just *happens* to be the *very next* hop once the packets leave Comcast's
network are pretty much zero).

And a minute with google shows that other things served off the same IP 
include,, and what appears to be at least
3 or 4 other domains that have been naughty and serving up malware.

Probably an F5 load balancer or similar gear in front of a server farm. If I was
serious, I'll point nmap at it and make sure.

Damn. Took me longer to actually *write* all that than it took to do that 
initial recon. 

If I was serious enough about attacking to try to MITM its email,
I'd definitely do a more thorough trawl of DNS to find what other domains
Cloudflare is serving up on those same 2 IP addresses and then a bit of recon
on all the *other* things hosted, and see if any of them have obvious SQL
injections or other weak spots, to get a foothold on the hypervisor or other
side of the load balancer.  Yeah, probably Cloudflare is smart about patching
their hypervisors against Spectre and friends, and the territory behind any
load balancers has properly secured routers and VLAN setup so even if I get
hold of another instance back there, I can't easily leverage it to get's instance.

But who knows... it's worth the effort, even properly run places screw things up
once in a while.

And you'd think that after somebody hijacked the show network at Defcon 16 in
Las Vegas in 2012 and routed it through a server in NYC *and nobody noticed*,
people would be a bit more careful about BGP security issues that make it a lot
easier to MITM a host.

But just recently there was discussion on the NANOG list about a nice BGP route
"leak"/"hijack" that routed a lot of traffic that should have stayed in North
America through China Telecom.

And that's after this nice little escapade... (thread broken in two by the 
nanog archive)

> Ok I missed that one. Good point.

You missed a *bunch* of stuff.  See above. :)

And yes, your attacker *will* at least think about *all* of the above, and
a bunch more....

> I'm not sure whether all snoopers would know all these loopholes.

It's safer to assume they do.  It's also a good idea to assume that snooping
is only part of their plans - that's why I talked a bunch about webservers not
SMTP servers.

I've been doing computer security at least part of my job for 4 decades now.
And I *always* approach it with the assumption that my attacker knows *at
least* as much as I do about the loopholes, because they do it full time every
day, and I spend time doing other stuff, like dealing with petabytes of storage,
problematic users, etc etc. :)

ietf-smtp mailing list