[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Doug attack scenarios without SPF
Hi,
While Doug has particular issue with SPF, the problem he points to has
little to do with SPF. In fact the attack is general dns attack that
will work with several other records (MX, SRV, NS, most likely PTR and
NAPTR and possibly CNAME [John Levine suggested it, but I don't
immediately see using it by itself]). The issue that certain
applications (including DNS resolver itself) by means of special DNS
records can be directed to do several additional lookups. The idea of
the attack is to direct those lookups to somebody else who would have
to answer that it does not know about this name. Those answers if
original name is large can themselves be quite large so you get
amplification even though the answer i NXDOMAIN.
So specially for Doug I'm going to give example of using NS and EHLO
for this attack [note that my regular mail server and system with
actual data is currently down, so I'm trying to give an example from
head; I tested this yesterday], at the end I'll also explain why CSV is
even better case for launching this attack.
Lets assume that an attacker controls some domain
big.bad.domain.example.net (for good amplification the name needs
to be pretty long; for better view in email I'm not doing it). He sends
email with SMTP session starting as
EHLO big.bad.example.net
and he previously set up the following in DNS:
$ORIGIN bad.example.net
big IN NS victim-dns1.example.com
big IN NS victim-dns2.example.com
big IN NS victim-dns3.example.com
big IN NS victim-dns4.example.com
big IN NS victim-dns5.example.com
big IN NS victim-dns6.example.com
big IN NS victim-dns7.example.com
big IN NS victim-dns8.example.com
If victim does not have enough dns servers, it can actually be done so
as to direct attack againt the same server - its more complex and I
don't want to go into it right now.
Now lets assume that as per Doug's scenario the email is sent using
botnet to many mail servers and we'll assume that those email servers
are going to try to resolve EHLO name (some would some would not - both
CSV and SPF would require it but many others do it anyway too). Now
what happens is that each mail server that received the email would try
to resolve big.bad.domain.example.net and as part of that would come to
bad.domain.example.net and would be by means of NS directed to victim
DNS. Victim servers would each answer that they are non-authoritive but
would have to include large domain (i.e. imagine big.bad.example.com
being close to maximum DNS label size) and that is where amplification
comes from, i.e. the attacker only responded with one packet which
include big.bad.example.com once in that packet and smaller size
victim-dns (which since NS supports label compression can be even
smaller) where as the response include that entire large name and comes
from each and every NS server listed. The above attack can be architect
ed to be more then 10:1 with certain additional tricks.
Now I promised to explain why CSV makes it easy and is worse then SPF.
That is due to the suggestion of having to walk the dns tree which as
far as I remember it CSV specification has. Lets imagine that EHLO name
is actually bad1.bad2.bad3.bad4.example.com. What happens is that CSV
specifies to do lookups first to
_client._smtp.bad1.bad2.bad3.bad4.example.com. Using above system you
cause multiple lookups due to lame delegation at
bad1.bad2.bad3.bad4.example.com that cause victims to respond they
don't know how to find _client._smtp.bad1.bad2.bad3.bad4.example.com.
Next per CSV (as far as I understood it), the application would have to
try _client._smtp.bad2.bad3.bad4.example.com and similarly attacker can
setup lame delegation but this time at bad2.bad3.bad4.example.com zone.
And so this way you can easily cause many lookups for the same email
session from the same system - that is why it is worse then with
SPF. But in reality if you look into it deeper, the actual
amplification factor would be the same as in all those cases you do one
lookup for bad?.example.com and cause to do 10x responses. It is
exactly the same with SPF but in that case Doug has used mx operator -
he causes requests for MX hosted at attacker side and several requests
from victim for addresses pointed out but MX. This all comes down to
something like 10 amplification factor and not like 100 or more like
Doug says.
Again this is general issue that can be replicated using different DNS
records - its cause is that several DNS record types cause application
(or dns resolver) to do additional lookups to list of names specified
in that record [and SPF is not something new to this field, nor is it
some type of script like Doug says]. Another example of the same issue
is when you send email such that it would bounce (you can do it
although now days email systems are smarter) and you setup bad MX (like
Doug did) which would cause lookups to victim. It would be the same
type of attack and amplification. I can provide several more examples
(email offers great choices since anti-spam systems do a lot of lookups
when trying to decide if its good or bad email and if you use lots of
domains for various victims like in URL then you often cause some type
of lookup to find if that name exists) as well as examples in non-SMTP
field (SNMP for example).
I hope this helped you all to understand it. Note that I'll probably
not be able to respond for a while (not only due to mail server problem
which should get fixed later today hopefully but largely because I'm
still going to in San Diego and expect not to spend my weekend
connected to Internet and answering emails).
William