ietf-smtp

Re: [ietf-smtp] SMTP Over TLS on Port 26 - Implicit TLS Proposal

2019-01-09 00:05:34
Thank god. I used Google and Cloudflare. Or you would have hacked me :-)

On a serious note, that was very insightful.

On Wed, Jan 9, 2019 at 11:26 AM <valdis(_dot_)kletnieks(_at_)vt(_dot_)edu> 
wrote:

(warning - long digression on computer security and attacker mindset
follows.  Feel free to hit 'discard' if you're not interested)

On Wed, 09 Jan 2019 08:41:55 +0530, Viruthagiri Thirumavalavan said:
So the snooper just makes a connection over port 26 to the server to fill in the missing information if they want it.

And Mark is being nice and glossing over how much recon an attacker is going to do... But I'm *way* too caffeinated for midnight and somewhat bored, so... :)

So.. say I'm a snooper. The thought process goes as follows....

I find that doing a 'traceroute -A' to the target host is often quite enlightening - between the PTR entries for each hop and looking up the ASN for it, you often find helpful information even if the final host PTR is obfuscated and the DNS registrar's entry in WHOIS is less than informative. 'dig dombox.org mx' shows that its email service is hosted by Google. 'dig dombox.org any' and 'soa' tells me that Cloudflare is providing DNS. And traceroute tells me that Cloudflare is providing hosting as well. And it's on 2 anycast instances (the chances it's on only one instance that just *happens* to be the *very next* hop once the packets leave Comcast's network are pretty much zero).

And a minute with google shows that other things served off the same IP addresses include picshouse2.com, yoodownload.com, and what appears to be at least 3 or 4 other domains that have been naughty and serving up malware.

Probably an F5 load balancer or similar gear in front of a server farm. If I was serious, I'll point nmap at it and make sure.

Damn. Took me longer to actually *write* all that than it took to do that initial recon.

If I was serious enough about attacking dombox.org to try to MITM its email, I'd definitely do a more thorough trawl of DNS to find what other domains Cloudflare is serving up on those same 2 IP addresses and then a bit of recon on all the *other* things hosted, and see if any of them have obvious SQL injections or other weak spots, to get a foothold on the hypervisor or other side of the load balancer. Yeah, probably Cloudflare is smart about patching their hypervisors against Spectre and friends, and the territory behind any load balancers has properly secured routers and VLAN setup so even if I get hold of another instance back there, I can't easily leverage it to get dombox.org's instance.

But who knows... it's worth the effort, even properly run places screw things up once in a while.

And you'd think that after somebody hijacked the show network at Defcon 16 in Las Vegas in 2012 and routed it through a server in NYC *and nobody noticed*, people would be a bit more careful about BGP security issues that make it a lot easier to MITM a host.


https://www.defcon.org/images/defcon-16/dc16-presentations/defcon-16-pilosov-kapela.pdf
https://www.youtube.com/watch?v=IDoivWHVrGI

But just recently there was discussion on the NANOG list about a nice BGP route "leak"/"hijack" that routed a lot of traffic that should have stayed in North America through China Telecom.

https://mailman.nanog.org/pipermail/nanog/2019-January/098721.html

And that's after this nice little escapade... (thread broken in two by the nanog archive)

https://mailman.nanog.org/pipermail/nanog/2018-November/097740.html
https://mailman.nanog.org/pipermail/nanog/2018-December/098051.html

Ok I missed that one. Good point.

You missed a *bunch* of stuff.  See above. :)

And yes, your attacker *will* at least think about *all* of the above, and a bunch more....

I'm not sure whether all snoopers would know all these loopholes.

It's safer to assume they do. It's also a good idea to assume that snooping is only part of their plans - that's why I talked a bunch about webservers not SMTP servers.

I've been doing computer security at least part of my job for 4 decades now. And I *always* approach it with the assumption that my attacker knows *at least* as much as I do about the loopholes, because they do it full time every day, and I spend time doing other stuff, like dealing with petabytes of storage, problematic users, etc etc. :)



-- 
Best Regards,

Viruthagiri Thirumavalavan
Dombox, Inc.
_______________________________________________
ietf-smtp mailing list
ietf-smtp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf-smtp
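The recon walk-through in the quoted message (traceroute -A for per-hop ASNs, dig for MX and SOA/NS, then reading off who hosts mail, DNS and the web front end, and whether the target sits at the very first hop after leaving the access ISP) can be reduced to a small script that works from saved tool output. The following is an added example, not code from either poster or from Dombox; the traceroute and dig samples are constructed (RFC 5737 addresses, documentation ASNs AS64496/AS64500, example.org as the target), the PROVIDER_SUFFIXES fingerprint table is an assumption you would extend for your own environment, and the "one hop inside the destination ASN" heuristic is the message's own reasoning about anycast/edge hosting, not a general rule.

```python
import re

# Constructed sample of `traceroute -A example.org` output. The layout
# ("[ASnnnn]" after each hop's address, "* * *" for a silent hop) follows the
# real tool; the addresses (RFC 5737) and ASNs (AS64496-AS64511) are
# documentation values, not measurements.
TRACEROUTE_SAMPLE = """\
traceroute to example.org (203.0.113.10), 30 hops max, 60 byte packets
 1  gw.home.lan (192.0.2.1) [AS64496]  1.012 ms  0.998 ms  0.985 ms
 2  ae1.access.isp.example.net (198.51.100.5) [AS64496]  9.823 ms  9.801 ms  9.790 ms
 3  be2.core.isp.example.net (198.51.100.9) [AS64496]  12.455 ms  12.430 ms  12.401 ms
 4  * * *
 5  203.0.113.10 (203.0.113.10) [AS64500]  13.511 ms  13.498 ms  13.470 ms
"""

# Constructed answer-section lines, as `dig example.org mx`, `dig example.org soa`
# and `dig example.org ns` would print them. Record contents are made up.
DIG_SAMPLE = """\
example.org.    300   IN  MX   10 aspmx.l.google.com.
example.org.    300   IN  MX   20 alt1.aspmx.l.google.com.
example.org.    3600  IN  SOA  ann.ns.cloudflare.com. dns.cloudflare.com. 2019010901 10000 2400 604800 3600
example.org.    3600  IN  NS   ann.ns.cloudflare.com.
example.org.    3600  IN  NS   bob.ns.cloudflare.com.
"""

# Assumed hostname-suffix fingerprints for well-known providers; extend as needed.
PROVIDER_SUFFIXES = {
    "google.com.": "Google",
    "googlemail.com.": "Google",
    "ns.cloudflare.com.": "Cloudflare",
}

HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\(([\d.]+)\)\s+\[AS(\d+)\]")
SILENT_RE = re.compile(r"^\s*(\d+)\s+\*")


def parse_traceroute(text):
    """Return one dict per hop; silent hops carry None for host, ip and asn."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append({"hop": int(m[1]), "host": m[2], "ip": m[3], "asn": int(m[4])})
            continue
        m = SILENT_RE.match(line)
        if m:
            hops.append({"hop": int(m[1]), "host": None, "ip": None, "asn": None})
    return hops


def destination_asn_span(hops):
    """Return (destination ASN, number of responding hops inside that ASN).

    Counting back from the destination until the ASN changes; silent hops are
    skipped rather than treated as a change. A span of 1 means the target was
    the very next hop after leaving the previous network, which the message
    reads as an anycast/edge front end rather than a lone directly-peered host.
    """
    dest = hops[-1]["asn"]
    count = 0
    for h in reversed(hops):
        if h["asn"] == dest:
            count += 1
        elif h["asn"] is not None:
            break
    return dest, count


def parse_dig(text):
    """Parse dig answer-section lines into (owner, rrtype, rdata fields)."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 5 and fields[2] == "IN":
            records.append((fields[0], fields[3], fields[4:]))
    return records


def provider_of(hostname):
    """Map a hostname to a provider via the suffix table, or 'unknown'."""
    name = hostname.lower()
    for suffix, provider in PROVIDER_SUFFIXES.items():
        if name == suffix or name.endswith("." + suffix):
            return provider
    return "unknown"


def summarize(traceroute_text, dig_text):
    """Combine both tool outputs into the facts the message derives by hand."""
    hops = parse_traceroute(traceroute_text)
    records = parse_dig(dig_text)
    dest_asn, span = destination_asn_span(hops)
    mx_hosts = [r[2][1] for r in records if r[1] == "MX"]       # rdata: pref host
    ns_hosts = [r[2][0] for r in records if r[1] == "NS"]
    soa_mname = next((r[2][0] for r in records if r[1] == "SOA"), None)
    dns_hosts = ns_hosts + ([soa_mname] if soa_mname else [])
    return {
        "destination_ip": hops[-1]["ip"],
        "destination_asn": dest_asn,
        "hops_in_destination_asn": span,
        "likely_edge_or_anycast": span <= 1,
        "mail_provider": {provider_of(h) for h in mx_hosts},
        "dns_provider": {provider_of(h) for h in dns_hosts},
    }


if __name__ == "__main__":
    for key, value in summarize(TRACEROUTE_SAMPLE, DIG_SAMPLE).items():
        print(f"{key}: {value}")
```

On real output, feed the script the text captured from `traceroute -A` and the answer sections of the dig queries; the only provider-specific knowledge is the suffix table, so an unfamiliar MX or NS host shows up as "unknown" rather than being guessed at.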