[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Trouble with Sender Authentication

To: "william(at)elan.net" <william@xxxxxxxx>
Subject: Re: Trouble with Sender Authentication
From: Douglas Otis <dotis@xxxxxxxxxxxxxx>
Date: Thu, 9 Nov 2006 16:11:45 -0800
Cc: Scott Kitterman <scott@xxxxxxxxxxxxx>, IETF MARID WG <ietf-mxcomp@xxxxxxx>
In-reply-to: <Pine.LNX.4.62.0611091507100.21374@xxxxxxxxxxxxxx>
List-archive: <http://www.imc.org/ietf-mxcomp/mail-archive/>
List-id: <ietf-mxcomp.imc.org>
List-unsubscribe: <mailto:ietf-mxcomp-request@imc.org?body=unsubscribe>
References: <20061108181038.A6A165CC01E@xxxxxxxxxxxxxxxxxxxxxxxxxxxx> <24200D2D-5669-47F0-9BCD-6F0CE88877EC@xxxxxxxxxxxxxx> <200611082330.47971.scott@xxxxxxxxxxxxx> <2DADCC01-CB88-4168-8621-1997BBDA1B75@xxxxxxxxxxxxxx> <Pine.LNX.4.62.0611091239520.13673@xxxxxxxxxxxxxx> <2A2F5D7E-084E-4810-969B-A107D6C3207A@xxxxxxxxxxxxxx> <Pine.LNX.4.62.0611091507100.21374@xxxxxxxxxxxxxx>
Sender: owner-ietf-mxcomp@xxxxxxxxxxxx



On Nov 9, 2006, at 3:15 PM, william(at)elan.net wrote:

Doug, I don't have time for long discussion. But I'm telling youthat SPF has nothing to do with it and I can use either of "MX","SRV" or "NS" to generate similar amplification scenarios as you'vedone with SPF using the same method.

Multiples of 100s of crafted DNS transactions directed toward avictim by each message can not be compared against transactionsneeded to obtain an MX, SRV, or NS resource record. The MX, SRV, orNS resource records provide access to a service prompted by theclient and not an attacker. SPF scripts allow an attacker toorchestrate hundreds of transactions at millions of recipients. Thegain of this exploit is large and essentially free for an attackeralso wanting to spam. For what other exploit would is be true?

In fact CSV (as far as I remember it) would cause highier amount ofamplification then SPF when bad guy controls domain put in EHLO anddecides to play special dns games with that name.

CSV specified that a single target be used. When associated withDKIM per DOSP, an address literal or a single A record offerssufficient validation. Validating the EHLO simply does not offer anygain; nor is this gain is not multiplied by subsequent stages ormultiple recipients. SPF script transaction amplification is not10:1 but more than 100:1. The gain executing SPF script ismultiplied by recipients and stages of delivery, such as MTAs and MUAs.

And in exactly the same way as you did it would generate 10:1 DNStraffic amplification (SPF scenarios are basicly 10:1 amplificationafter throwing away all the extras).

Some SPF scenarios are much larger than 10:1. SPF scripts can causehavoc by additional 10 or 11 TXT wildcard resource recordtransactions, but I'll leave that to your imagination. Any SPFscript exploit bypasses protections offered by DNS ACLs and BCP38. : (


-Doug

Follow-Ups:
- Re: Trouble with Sender Authentication
  - From: william(at)elan.net

References:
- Re: Trouble with Sender Authentication
  - From: Scott Kitterman
- Re: Trouble with Sender Authentication
  - From: Douglas Otis
- Re: Trouble with Sender Authentication
  - From: Scott Kitterman
- Re: Trouble with Sender Authentication
  - From: Douglas Otis
- Re: Trouble with Sender Authentication
  - From: william(at)elan.net
- Re: Trouble with Sender Authentication
  - From: Douglas Otis
- Re: Trouble with Sender Authentication
  - From: william(at)elan.net

Prev by Date: Re: Trouble with Sender Authentication
Next by Date: Re: Trouble with Sender Authentication
Previous by thread: Re: Trouble with Sender Authentication
Next by thread: Re: Trouble with Sender Authentication
Index(es):
- Date
- Thread