spf-discuss

RE: RCPT TO: rejecting

2004-05-26 12:36:36
From: Theo Schlossnagle
Sent: Wednesday, May 26, 2004 1:32 PM


On May 26, 2004, at 12:02 PM, Seth Goodman wrote:
Yes, they do still need a bunch of zombies to send out their forged
messages.  If they tried to send them out from legitimate machines, they
would quickly get blacklisted and the DDoS would grind to a halt.

Not true.  If everyone starts adopting mailfrom CBV you are one of many
zombies.  They just need one compromised machine or open proxy and they
can send messages to thousands of sites running mailfrom CBV all with
the same forged victim's return path.  They aren't using solely you to
do a DDoS (as that would not be distributed at all).  Instead they
would be using you and a large mass of others with the same "flexibility" in
using others' resources unasked to orchestrate a distributed DoS.

Yes, but think about what happens next.  Lots of people presumably got the
message with the forged return path from a number of different sources.  It
is also a reasonable presumption that each zombie sends out more than one
message, if the attack is going to amount to anything.  If the return-path
is valid, the CBV will pass and you will accept the spam (maybe an empty
message).  Some of these end users will report the spam source to a
blacklist, thus ending the useful life of the zombie.  If the CBV target
site implements SES, they will reject all the CBV's, thus allowing the
DDoS'ers to reject the messages.  They can still report the source IP to a
blacklist since that IP attempted to hand them a forgery, and they can prove
it.  Either way, the zombies get listed and the DDoS eventually subsides.


In case it isn't obvious, this "service" has been in place since RFC821 came
out.  Anyone controlling a zombie group can barrage a target with MAIL
FROM:<>, RCPT TO:<anyuser@yourdomain.com> SMTP sessions.  While this
doesn't have the multiplier effect of a spam run, it could still be an
effective attack.

Zombies can do that, so your legitimate email service should be able to
do it?  You just equated yourself with Zombies, I hope that wasn't
intended.  Sure, Zombies can attack servers that way (because they are
hostile and malicious), how and why does that give you the right to do
that?

What gives your credit card company the right to call you on the phone to
ask if you did indeed make a particular purchase?  Since I have caller ID
and I chose to answer the phone, it looks like I gave them the right.  Even
though every instance of this has been a waste of my time, I still don't
mind that they verify things when they feel the need and I'm sure most
people feel the same way.  If I found it bothersome, I would first tell them
to quit doing it and if that failed, I just wouldn't pick up the phone.

If credit card fraud became far more rampant, it would be reasonable for the
credit card companies to start calling more often to verify things.  That
would be annoying, but necessary, unless you, as a customer, are willing to
pay the cost of any fraud on your account.  Nobody would like this
situation, but it is what it takes to keep things going.  Philosophers may
take issue with it, but practical problems have to be dealt with in the
present.



The reason nobody does this is that it is so easy to deflect with IP
heuristics at the initiation of the connection.  In particular, if you
include a DNSBL that lists dynamic IP address space, most of it can be
eliminated.  If the attack is indirect, via a spam run, you can stop
accepting CBV's until the attack stops.

Nobody does this?  We constantly witness sessions that last 5 minutes
and disconnect in the middle.  Also MAIL FROM: RCPT TO: disconnect
sessions as a part of directory harvesting attempts.  It has the same
resource consuming effect regardless of whether there was intention or
the exact mechanics employed.

I didn't ask if anyone ever did a CBV on your site, I asked if you know of
any instances where CBV's were used as a DDoS mechanism.  If you know of
any, please say so.  Since at least two large providers have had the necessary
"attack engines" in place for quite some time, why hasn't this been used
to propagate an attack?



As far as major providers using CBV's, since there is no way to verify MAIL
FROM: at present, it does tend to cost shift to third parties.  If all mail
recipients did CBV's, the load would be equally shared, more or less.  I
agree that the load belongs to the sender, but until something sensible is
widely adopted, there is currently no way to do that.  Absent a way to put
the load in the "correct" place, I don't have any problem with the recipient
community jointly sharing the costs of CBV's.  Doing nothing in the face of
the current problem is not a reasonable option.

Okay, I just don't feel that I could make that decision for "the
community."  It is their resources and if I made that decision without
their consent, I would be stealing.

It's an open internet and no one has to answer any connection request if
they don't care to.  On the other hand, if I were a large provider, I could
say that I require all senders to answer a CBV if they want me to accept
their mail.  Some CBV's will go to third parties that did not originate the
messages, that is true.  If those parties object, they can refuse to answer
CBV's from my service.  The reason that this hasn't happened, at least in
any significant way, is that the only salient objections to this _are_
philosophical, not practical, and we are dealing with a huge practical
problem.  If you really object to CBV's, I encourage you not to issue any
and to not accept any.



As far as beating the crap out of an innocent victim through an indirect CBV
attack, I haven't heard of a single instance of this.  If you have, please
present some evidence to prove that this is an actual problem.  I'll say it
again:  if you want to DDoS someone, there are better ways that are
virtually impossible to shut down.  This "attack" scenario is comparatively
easy to shut down, which is why no one uses it.

AOL has been accused of doing this for ages with DSNs.  The argument
that there are better ways to abuse people is absolutely insane.  It is
the same thing as saying that we will knowingly have small security
holes in our system and that it doesn't matter because bigger ones
already exist!  mailfrom CBV cost-shifts without the permission of the
receiver. period. end of discussion.  Why you choose to support that
method is the question I am raising.  My argument is that "it works"
and "there are bigger dangers than this danger" are horrible supporting
arguments for the approach.

You misrepresent what I am saying.  I am arguing that it is a useless DDoS
mechanism because it is trivial to terminate by refusing any MAIL FROM:<>
connection request.  Terminating those connections does take some resources,
but it's not crippling.  This may be annoying but it won't knock anyone off
the net, so as an attacker, why bother?  The "bigger dangers" that you refer
to are in the nature of the TCP/IP protocol itself.  This is not a Windows
vulnerability that can be patched.  As long as the present version of TCP is
with us, and that is going to be a long time, there are built-in mechanisms
for DDoS attacks that are virtually impossible to shut down.  That is what
makes CBV's as a DDoS mechanism such a yawn.  We'll have SPF, or something
like it, in place long before TCP/IP is updated to close some of the more
blatant holes.  At that time, CBV's become acceptable even from the
philosophical point of view, as you later admit.


Mechanisms that are adopted _should not_ abuse other people. period.
If you choose to ignore that or disagree with that, that is your
business.  There are many people out there that believe (in this case)
that ends justify the means.  That is a dangerous path to start down,
who knows what the next compromise will be.

If it was real abuse, meaning it cost people a _significant_ amount of money
to respond to CBV's, I might be more inclined to agree with you.  Groups of
people take action to protect themselves from abuse all the time, and those
measures often affect innocent third parties.  My neighbors and I don't like
people roaring down the road where there are children present, so we arrange
with the town to put a stop sign at the corner.  This inconveniences anyone
who wants to use that as a commuting route.  Too bad.


<...>

sites.  This sounds more like a philosophical issue than a practical
one.

It is absolutely a philosophical issue.  Sorry I didn't make that more
clear in the beginning.

Me, too.  I don't like philosophical arguments.  They can never be resolved.


Anyone _can_ do this.  Implementation is
actually very easy.  In one weekend of work, we implemented a
mailfrom_cbv inline check for Ecelerity.  It supports up to 50,000
concurrent inbound sessions all with concurrent active mailfrom_cbv
checks all on a single instance.

The question is whether one _should_ do that.  Arguments of the
"climate" do not provide a reason to compromise one's
ethics/morals/responsibilities to not abuse a neighbor.  It shouldn't
happen off the Internet and it shouldn't happen on it.  These are
philosophical views.  I just hope my argument gives people something to
think about.

Think about whether people have a right to protect their own mail systems
from abuse.  If you can do that without affecting anyone who is completely
innocent, more power to you.  Yes, it is a judgment call as to what
constitutes abuse.  I don't think CBV's are abusive.  You are free to
disagree.

--

Seth Goodman
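The two defensive moves argued for in this message (deferring MAIL FROM:<> sessions while a probe flood is under way, and turning away known dynamic address space at connect time, with reference to the zombie barrage of MAIL FROM:<> / RCPT TO: sessions that the quoted text describes) can be checked against a receiving server's own logs. The script below is an added example and is not code from this thread, from Ecelerity, or from any other MTA mentioned here. Its one-line-per-session log format, the sample sessions, the thresholds, and the DYNAMIC_SPACE list (standing in for a DNSBL lookup) are all constructed for the example.

```python
"""Spot a flood of null-sender verification probes in SMTP session logs.
Log format (constructed for this example, one line per finished session):
    <iso-timestamp> <client-ip> <mail-from> <rcpt-to> <last-stage>
where <last-stage> is the last SMTP command the client reached: RCPT for a
client that hung up after RCPT TO:, DATA for a delivery or a real bounce."""
from __future__ import annotations
from collections import Counter, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
import ipaddress

# Constructed stand-in for the "DNSBL that lists dynamic IP address space"
# the thread mentions; a real deployment would query such a list instead.
DYNAMIC_SPACE = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed sample: two deliveries, one real bounce, and twelve null-sender
# probes against a forged local address from six clients within twelve seconds.
SAMPLE_LOG = """\
2004-05-26T12:35:10 192.0.2.5 <alice@example.net> <bob@example.com> DATA
2004-05-26T12:35:40 192.0.2.6 <> <bob@example.com> DATA
2004-05-26T12:36:00 203.0.113.1 <> <forged@example.com> RCPT
2004-05-26T12:36:01 198.51.100.1 <> <forged@example.com> RCPT
2004-05-26T12:36:02 203.0.113.2 <> <forged@example.com> RCPT
2004-05-26T12:36:03 203.0.113.1 <> <forged@example.com> RCPT
2004-05-26T12:36:04 198.51.100.2 <> <forged@example.com> RCPT
2004-05-26T12:36:05 203.0.113.1 <> <forged@example.com> RCPT
2004-05-26T12:36:06 198.51.100.3 <> <forged@example.com> RCPT
2004-05-26T12:36:07 203.0.113.3 <> <forged@example.com> RCPT
2004-05-26T12:36:08 203.0.113.1 <> <forged@example.com> RCPT
2004-05-26T12:36:09 198.51.100.1 <> <forged@example.com> RCPT
2004-05-26T12:36:10 203.0.113.2 <> <forged@example.com> RCPT
2004-05-26T12:36:11 203.0.113.1 <> <forged@example.com> RCPT
2004-05-26T12:36:30 192.0.2.7 <carol@example.org> <bob@example.com> DATA
"""


@dataclass
class Session:
    ts: datetime
    src: ipaddress.IPv4Address
    mail_from: str
    rcpt_to: str
    stage: str

    @property
    def is_probe(self) -> bool:
        # A callback verification looks like a bounce (empty reverse-path)
        # whose client disconnects after RCPT TO: without ever sending DATA.
        return self.mail_from == "<>" and self.stage == "RCPT"


def parse_log(text: str) -> list[Session]:
    sessions = []
    for line in text.splitlines():
        if line.strip():
            ts, src, mail_from, rcpt_to, stage = line.split()
            sessions.append(Session(datetime.fromisoformat(ts), ipaddress.IPv4Address(src),
                                    mail_from, rcpt_to, stage))
    return sorted(sessions, key=lambda s: s.ts)


def probe_storm(sessions, window=timedelta(seconds=60), max_probes=10, min_sources=4):
    """Slide a time window over the probes. Return (end_ts, probes, sources) for
    the first window holding more than max_probes probes from at least
    min_sources distinct clients, or None if the log never looks like a flood."""
    recent = deque()
    for s in sessions:
        if not s.is_probe:
            continue
        recent.append(s)
        while s.ts - recent[0].ts > window:
            recent.popleft()
        sources = {p.src for p in recent}
        if len(recent) > max_probes and len(sources) >= min_sources:
            return s.ts, len(recent), len(sources)
    return None


def analyze(text: str, per_source_limit=5, **storm_args):
    """Turn detection into the two responses argued for in the thread: defer
    every MAIL FROM:<> while the flood lasts, and reject at connect time the
    clients that are hammering us or that sit in dynamic address space."""
    sessions = parse_log(text)
    storm = probe_storm(sessions, **storm_args)
    per_source = Counter(s.src for s in sessions if s.is_probe)
    noisy = {ip for ip, n in per_source.items() if n >= per_source_limit}
    dynamic = {ip for ip in per_source if any(ip in net for net in DYNAMIC_SPACE)}
    return {
        "probes": sum(per_source.values()),
        # a null sender that went on to DATA is a real bounce, not a probe
        "real_bounces": sum(1 for s in sessions if s.mail_from == "<>" and s.stage == "DATA"),
        "defer_null_sender": storm is not None,
        "storm": storm,
        "reject_at_connect": sorted(str(ip) for ip in noisy | dynamic),
    }
```

Running `analyze(SAMPLE_LOG)` flags the flood at 12:36:10 (the eleventh probe, from six clients), recommends deferring null-sender sessions, and lists the one repeat client plus the three dynamic-space clients for connect-time rejection; the single real bounce is counted separately and is not treated as a probe. Two points worth keeping in mind when applying this: a probe is only recognisable after the client has already hung up, so the decision governs the next connections rather than the one being logged, and deferring MAIL FROM:<> also delays legitimate DSNs, which is why the thread frames it as a temporary measure for the duration of an attack rather than a standing policy.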

