
Re: [ietf-smtp] SMTP Over TLS on Port 26 - Implicit TLS Proposal

2019-01-09 00:05:34
Thank god. I used Google and Cloudflare. Or you would have hacked me :-)

On a serious note, that was very insightful.

On Wed, Jan 9, 2019 at 11:26 AM <valdis(_dot_)kletnieks(_at_)vt(_dot_)edu> 

(warning - long digression on computer security and attacker mindset follows. Feel free to hit 'discard' if you're not interested)

On Wed, 09 Jan 2019 08:41:55 +0530, Viruthagiri Thirumavalavan said:
So the snooper just makes a connection over port 26 to the server to in the missing information if they want it.

And Mark is being nice and glossing over how much recon an attacker is going to do... But I'm *way* too caffeinated for midnight and somewhat bored, so...

So.. say I'm a snooper. The thought process goes as follows....

I find that doing a 'traceroute -A' to the target host is often quite enlightening - between the PTR entries for each hop and looking up the ASN for it, you find helpful information even if the final host PTR is obfuscated and the DNS registrar's entry in WHOIS is less than informative. 'dig mx' shows that email service is hosted by Google. 'dig any' and 'soa' tells me that Cloudflare is providing DNS. And traceroute tells me that Cloudflare is providing as well. And it's on 2 anycast instances (the chances it's on only one that just *happens* to be the *very next* hop once the packets leave network are pretty much zero).

And a minute with google shows that other things served off the same IP
include,, and what appears to be at least
3 or 4 other domains that have been naughty and serving up malware.

Probably an F5 load balancer or similar gear in front of a server farm. If I was serious, I'll point nmap at it and make sure.

Damn. Took me longer to actually *write* all that than it took to do that initial recon.

If I was serious enough about attacking to try to MITM its I'd definitely do a more thorough trawl of DNS to find what other domains Cloudflare is serving up on those same 2 IP addresses and then a bit of on all the *other* things hosted, and see if any of them have obvious SQL injections or other weak spots, to get a foothold on the hypervisor or side of the load balancer. Yeah, probably Cloudflare is smart about their hypervisors against Spectre and friends, and the territory behind any load balancers has properly secured routers and VLAN setup so even if I get hold of another instance back there, I can't easily leverage it to get's instance.

But who knows... it's worth the effort, even properly run places screw things up once in a while.

And you'd think that after somebody hijacked the show network at Defcon 16 Las Vegas in 2012 and routed it through a server in NYC *and nobody people would be a bit more careful about BGP security issues that make it a lot easier to MITM a host.

But just recently there was discussion on the NANOG list about a nice BGP
"leak"/"hijack" that routed a lot of traffic that should have stayed in
America through China Telecom.

And that's after this nice little escapade... (thread broken in two by the
nanog archive)

Ok I missed that one. Good point.

You missed a *bunch* of stuff.  See above. :)

And yes, your attacker *will* at least think about *all* of the above, and a bunch more....

I'm not sure whether all snoopers would know all these loopholes.

It's safer to assume they do. It's also a good idea to assume that is only part of their plans - that's why I talked a bunch about webservers SMTP servers.

I've been doing computer security at least part of my job for 4 decades And I *always* approach it with the assumption that my attacker knows *at least* as much as I do about the loopholes, because they do it full time day, and I spend time doing other stuff, like dealing with petabytes of problematic users, etc etc. :)

Best Regards,

Viruthagiri Thirumavalavan
Dombox, Inc.
ietf-smtp mailing list