spf-discuss

Re: Additional security considerations

2004-07-11 13:34:43
In <00a201c466b7$5d7e40a0$c803a8c0@tag> "Andrew G. Tereschenko"
<spf-discuss@spam.24.odessa.ua> writes:

> I would like to note a few more security considerations in addition to
> forgery and DDoS (already discussed here).
>
> 1. How about multi-homed DNS configuration with private and public records?
>
> Using the following record in the "attacker.com" DNS zone
> spfv1  IN TXT "v=spf1 exists:%{l}.nsa.gov -all"
>
> We will be able to connect to any SPF aware servers and scan "nsa.gov" for
> names ;o)

Information published in a publicly viewable zone file, is, well,
public information.

Scanning *.nsa.gov might not make the NSA very happy, but I suspect
that they understand security issues well enough to know that they
can't do much about it.

Say that scanning the NSA caused problems for whoever did it.  I
could then cause problems for whoever I wanted by forging DNS requests
with my target's IP address (trivial to do).

Of course, the easiest way to safely do this kind of scanning right now
is to use an open proxy in some place like China, or even some zombied
home machine in Ukraine.

Security through obscurity just doesn't work.  Anything published in a
public zone file better not hurt if the existence or non-existence is
discovered.


I see no problem with this scenario.


> 2. How about online machine online/firewall status scanning based on
> response timing?
>
> Using the following record in the "attacker.com" DNS zone:
> spfv1  IN TXT "v=spf1 exists:check.%{l}.attacker.com -all"
> DNS zone in attacker.com delegating subdomains to 192.168.0.{%l}
>
> This will result in DNS request packets sent to the internal network.
> Based on firewall/online status such DNS requests will be denied fast or
> timed out.

No, that's not how the exists: mechanism works.  No DNS request will
be sent to 192.168.0.%{l}.  Only attacker.com's DNS server will be
queried, and it makes no difference whether it returns 192.168.0.xxx
or 127.0.0.2 (the standard DNSBL value).

I've pondered whether you can use other SPF mechanisms to actually do
what you are trying to do, but I can't think of any.


I see no problem with this scenario.



Please keep thinking up malicious scenarios.  I hope you never find
one that works, but I certainly want *us* to find it rather than
someone else.

-wayne
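Both scenarios above turn on two properties of SPF macro expansion and the exists: mechanism: the sender's record decides which names the receiving MTA's resolver asks for (so a local part of the sender's choosing can be spliced into any domain), and exists: matches whenever the expanded name has an A record at all, without ever contacting or inspecting the returned address. The following Python model, added here as an example and not code from either poster or from any SPF implementation, expands the macros defined by RFC 7208 and evaluates single-mechanism exists:/all records against a canned resolver. The domains (attacker.example, third-party.example), the address table and the query log are constructed for the demonstration; the log is the defender's view of which names a given record would make a receiver look up.

```python
"""Model of SPF macro expansion and the exists: mechanism (RFC 7208, 5.7 and 7.2).

Uses a canned, in-memory resolver so it runs offline; no real DNS is queried.
"""
import re

# Constructed sample zone data: name -> list of A records.  The address values
# are deliberately private/DNSBL-style to show that they never matter to exists:.
CANNED_A_RECORDS = {
    "check.alice.attacker.example": ["192.168.0.5"],
    "bob.third-party.example": ["127.0.0.2"],
}

# Every name the evaluator asks the resolver for is recorded here.  An operator
# reviewing a sender's record can see exactly which zones it would have their
# MTA query on the sender's behalf.
QUERY_LOG = []

def lookup_a(name):
    """Stand-in for an A lookup: records the query, returns canned addresses."""
    QUERY_LOG.append(name)
    return CANNED_A_RECORDS.get(name, [])

# %{letter}[digits][r][delimiters]  or the literal escapes %% %_ %-
MACRO_RE = re.compile(r"%\{([slodipvh])(\d*)(r?)([.\-+,/_=]*)\}|%([%_-])")
LITERALS = {"%": "%", "_": " ", "-": "%20"}

def expand_macro(text, sender, client_ip, helo="mail.example"):
    """Expand SPF macros in `text` for the given envelope sender / client IP."""
    local, _, domain = sender.partition("@")
    values = {"s": sender, "l": local, "o": domain, "d": domain,
              "i": client_ip, "h": helo, "v": "in-addr", "p": "unknown"}

    def repl(m):
        letter, digits, rev, delims, literal = m.groups()
        if literal:
            return LITERALS[literal]
        # Split on the chosen delimiters ("." by default), optionally reverse,
        # then keep only the rightmost `digits` labels.
        parts = re.split("[" + re.escape(delims or ".") + "]", values[letter])
        if rev:
            parts.reverse()
        if digits:
            parts = parts[-int(digits):]
        return ".".join(parts)

    return MACRO_RE.sub(repl, text)

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def evaluate(record, sender, client_ip, helo="mail.example"):
    """Evaluate a record built from exists: and all terms.

    Returns (result, names_queried).  exists: matches when the expanded name
    has ANY A record; the address itself is neither contacted nor inspected.
    """
    del QUERY_LOG[:]
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        raise ValueError("not an SPF record: " + record)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if term.startswith("exists:"):
            name = expand_macro(term[len("exists:"):], sender, client_ip, helo)
            if lookup_a(name):
                return QUALIFIER_RESULT[qualifier], list(QUERY_LOG)
        elif term == "all":
            return QUALIFIER_RESULT[qualifier], list(QUERY_LOG)
        else:
            raise ValueError("mechanism not modelled here: " + term)
    return "neutral", list(QUERY_LOG)

if __name__ == "__main__":
    # The sender's record controls the local part spliced into a third party's
    # zone; the receiver's resolver performs that lookup.
    for rec, who in [("v=spf1 exists:check.%{l}.attacker.example -all", "alice@attacker.example"),
                     ("v=spf1 exists:%{l}.third-party.example -all", "bob@elsewhere.example")]:
        result, queried = evaluate(rec, who, "203.0.113.7")
        print(who, "->", result, "after querying", queried)
```

Running it shows that the first record passes for alice because `check.alice.attacker.example` has an A record (its value, 192.168.0.5, is never used), and that the second record makes the receiver query `bob.third-party.example`, a name entirely under the sender's control, which is the public-information point made in the reply above.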