Re: *****SPAM***** Re: *****SPAM***** Re: SPF is not usable as legal measure against spammers.

2004-07-16 14:56:27

----- Original Message ----- 
From: "Jonathan Gardner" <jonagard(_at_)amazon(_dot_)com>
To: <spf-discuss(_at_)v2(_dot_)listbox(_dot_)com>
Sent: Friday, July 16, 2004 3:35 PM
Subject: *****SPAM***** Re: *****SPAM***** [spf-discuss] Re: SPF is not usable as legal measure against spammers.


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thursday 15 July 2004 02:23 pm, Nico Kadel-Garcia wrote:
Modifying ones that aren't yours is a separate story. That's partially done by breaking into DNS servers (which is often feasible at poorly secured, small sites), or even playing routing games by publishing mutilated BGP routing tables to route requests for certain DNS servers' IP addresses to your fake server, allowing you to create a fake DNS site unbeknownst to the clients who've never bothered to examine the results of traceroute. It's even more fun, and tougher to trace, if you can blackhole the master server of a set of NS servers and get the other NS servers to pull their slave zones from your fake master for a zone.


I won't comment on the BGP exploitation, I don't know enough about it.

However, I do know that securing your servers is your responsibility and that's that. If your DNS servers are vulnerable, and you get H4X0R3D, then it's your fault for leaving it open. Sure, the H4X0R gets a visit from the police, he'll serve time when he gets caught, but you still have to protect yourself and be vigilant, just like you have to do in the real world. I.e., you don't leave your car unlocked, you don't leave the keys in the ignition, and you use measures appropriate to the neighborhood to protect yourself - from Karate to mace or pepper spray, even to a sidearm or an escort of highly-paid ex-US Marines.

Jonathan, I'm afraid that your understanding of both the difficulty of
properly securing a DNS server and of the consequences is not that of harsh
experience. In a modest environment, with only a few cycles available to the
admins in the face of the rest of their workload, truly robust securing of
the DNS servers is simply not a high enough priority over convenience of
administration or limitation of hardware resources and the need to keep such
a core service stable to justify itself. Sad, but true.

Second, the odds of your average script kiddie or spam-zombie-vendor being
visited by police authorities is about the chance of kittens floating out of
their ears due to quantum tunneling. The federal authorities refuse to get
involved in small cases, the local authorities defer to the federal
authorities and are generally unwilling to go across state lines or other
jurisdictional lines on their own, getting the subpoenas to trace the
cracker's dialup records is legally difficult and quite expensive in court
costs and lawyer time, etc.

I suggest you take a look at the actual results of raids on crackers: The
Steven LaMacchia case at MIT where a student was running a pirate bulletin
board and the Robert Morris worm of the late 1980's are instructive, and
typical, of law enforcement screwing up.

Last: I've dealt with a few physical attacks in my time, including weapons.
Your enthusiasm and confidence and "everybody should just carry a gun"
approach to security hints that you've never actually faced a deadly weapon
and had to deal with the repercussions.

It is inherent to modern implementations of BGP that the tables can be hand-manipulated, allowing the big ISP's to hand-route things over preferred connections for security or switchover planning reasons. This capability carries with it the risk of falsely published routing information: such routing is sometimes done, even by large ISP's for political reasons such as blackholing the www.samspade.org website because its well-organized tools for tracking spammers' host and upstream connectivity information lead to too many complaints against those ISP's for them to tolerate, so they blackhole it.


I see. So the hacker has to gain control of a core internet router, and then publish his own BGP records. If the hacker can get a hold of one of those routers, we have bigger problems than spam.

Well, yes. And they already have repeatedly demonstrated such power. In this
case, with some money involved, it becomes even more likely.

DNS itself can be implemented in relatively secure ways to prevent this
kind of attack, but few sites actually go to the extra work.


It is my understanding that there have been no large-scale and successful
DNS attacks in recent history.

If it is still vulnerable, then we have bigger problems than spam.

There have been plenty of large scale attacks: I suggest you take a look at
the recent Akamai/Google/Hotmail failures and what little has gotten into
the news about them.

This, however, would not constitute a large scale attack. It only takes a
*small* attack, to pretend to be somebody else's IP address, and no attack
is even necessary to simply lie about a PTR and point it to an authorized
PTR for a domain you want to forge SPF-allowed email from, such as aol.com.

Control over PTR's resides with the ISP's and businesses and personnel
assigned such spaces by ARIN, not directly with the arbitrary domain a PTR
may point to.
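The PTR point above is where a receiver's implementation matters: a reverse record is published by whoever holds the address space, so it can name any hostname it likes. The SPF "ptr" mechanism (RFC 4408, section 5.5) therefore only trusts PTR names whose forward A records contain the connecting IP. The following is an added example, not code from the thread or from any SPF implementation; it runs against a constructed in-memory DNS table (the hostnames and addresses are placeholders, with "target.example" standing in for the aol.com case in the message) and contrasts a naive reverse-only check with the forward-confirmed one.

```python
from typing import Dict, List, Set

# Constructed DNS data for this example (not real records).
# Forward zone: hostnames the domain owners actually publish.
DNS_A: Dict[str, Set[str]] = {
    "mail.example.com": {"192.0.2.10"},
    "mx1.target.example": {"198.51.100.5"},
}
# Reverse zone: PTR records, controlled by the address-space holder (the ISP),
# not by the domain named in the record.
DNS_PTR: Dict[str, List[str]] = {
    "192.0.2.10": ["mail.example.com"],     # honest PTR, forward record agrees
    "203.0.113.7": ["mx1.target.example"],  # lying PTR: claims the target domain
}

def lookup_a(name: str) -> Set[str]:
    return DNS_A.get(name.lower().rstrip("."), set())

def lookup_ptr(ip: str) -> List[str]:
    return DNS_PTR.get(ip, [])

def _in_domain(name: str, target: str) -> bool:
    name = name.lower().rstrip(".")
    return name == target or name.endswith("." + target)

def naive_ptr_matches(ip: str, target_domain: str) -> bool:
    """Weak check: believes whatever the reverse zone says about the IP."""
    target = target_domain.lower().rstrip(".")
    return any(_in_domain(n, target) for n in lookup_ptr(ip))

def validated_ptr_names(ip: str, limit: int = 10) -> List[str]:
    """PTR names whose forward A records include the connecting IP.
    RFC 4408 caps evaluation at the first 10 PTR names to bound DNS work."""
    names = []
    for name in lookup_ptr(ip)[:limit]:
        if ip in lookup_a(name):
            names.append(name.lower().rstrip("."))
    return names

def spf_ptr_matches(ip: str, target_domain: str) -> bool:
    """SPF 'ptr' mechanism: match only against forward-confirmed names."""
    target = target_domain.lower().rstrip(".")
    return any(_in_domain(n, target) for n in validated_ptr_names(ip))

if __name__ == "__main__":
    for ip, dom in [("192.0.2.10", "example.com"), ("203.0.113.7", "target.example")]:
        print(ip, dom, "naive:", naive_ptr_matches(ip, dom),
              "validated:", spf_ptr_matches(ip, dom))
```

The forged PTR for 203.0.113.7 passes the naive check and fails the forward-confirmed one, which is the difference between a check that the address-space holder can defeat and one they cannot.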
