In <[EMAIL PROTECTED]> "Fergie" <[EMAIL PROTECTED]> writes:
> -- wayne <[EMAIL PROTECTED]> wrote:
>
>> I'm afraid you have almost completely missed the point of William's
>> "HELO attack".
>
> Sorry to burst everyone's bubble, but DNS has been on the 'Top 20'
> vulnerability report for the past 7 years. get over it.
>
> Seven years in a row:
>
> http://www.sans.org/top20/?ref=1814

Yeah, but that just mentions DNS reflector attacks and cache poisoning. William's attack is different. All you have to do as an attacker is publish "valid" records and get people to do normal DNS lookups on it. Lots of people publish NS records that cause lame delegations. Lots of people have broken MX records. The only difference here is the quantity of these records and, of course, the intent.

I just checked this morning when all my zones had propagated and caches had timed out. A *single* lookup on clinte.schlitt.net triggers 40 packets to and another 40 packets from a victim domain (the name servers for example.com, iana-servers.net), and another 40/40 packets involved a gtld-servers.net server. As the attacker, it put a 3/3 packet load on my name server.

Checking the sizes of the packets, it looks like I could probably increase the number of NS records in bad.schlitt.net and ugly.schlitt.net from 20 to maybe 30, and clinte.schlitt.net could easily be involved with more than just "bad" and "ugly" with its NS records. (Yeah, this NS record attack uses just two levels of recursion on the attacker side.)

Now, remember above where I mentioned that lame delegations are all too common? OK, right now clinte.schlitt.net gives a SERVFAIL, but if I add just *one* valid NS somewhere in there, it could be used for any normal purpose that any other domain could be used for. Put a bunch of web bugs into HTMLized spam or on free pr0n pages, and *poof*, a nice DoS attack. Heck, on the pr0n pages, you would probably put the real images on the domain name that triggers the DoS attack; that way you would be sure that the DoS was completely done.
> Doesn't that tell you guys something?

Yeah, it tells me that DNS was developed at a time when people were, at worst, "having fun" in the compsci classes and abusive behavior could be caught and whacked pretty easily. Being liberal with what you accept only works if you know that everyone else is honestly trying to be conservative with what they send. :-<

When I was involved with the development of SPF, I was concerned about DoS potentials and worked hard to make sure that limits were put into it. I'm not seeing any limits to prevent DoS attacks via DNS.

As Stuart Gathman mentioned on an SPF list, maybe there needs to be a count of the number of lame delegations or broken MX records and only allow a few before declaring the whole thing as "filthy" and stopping. This kind of check needs to be put into *every* protocol that does any sort of indirection on DNS records. This includes all name servers (NS records), mail systems (MX lookups), anti-spam systems (verifying the HELO domain, SMTP callback verification, SPF, URL checks, etc.), anything that uses SRV or NAPTR records, etc.

-wayne

.
dnsop resources:_____________________________________________________
web user interface: http://darkwing.uoregon.edu/~llynch/dnsop.html
mhonarc archive: http://darkwing.uoregon.edu/~llynch/dnsop/index.html
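The following is an added toy model of the fan-out Wayne describes and of the lame-delegation budget he asks for; it is example code written for this page, not code from the message, from Wayne, or from the dnsop list. The zone contents (two attacker zones with 20 NS names each pointing into the victim zone, the fan-out of 20, the server identifiers and the 192.0.2.x addresses) are assumptions: the real schlitt.net zones are not on the page. The model counts only queries sent, not replies, and caches the TLD referral once, so it reproduces the 40 packets to the victim and the 3 to the attacker's server but not the 40 gtld-servers.net packets.

```python
"""Toy model of an NS-record fan-out through lame delegations, plus a per-query
budget on lame NS names. All zone data below is constructed for illustration."""
from collections import Counter

FANOUT = 20                     # NS records per attacker zone (assumed)
VICTIM_ZONE = "example.com."    # zone whose servers absorb the traffic

# zone -> (id of the server that answers for it, the NS names it delegates to)
ZONES = {
    "net.": ("gtld-server", []),
    "com.": ("gtld-server", []),
    "schlitt.net.": ("attacker-ns", ["ns.schlitt.net."]),
    # two levels of indirection: clinte -> bad/ugly -> names inside the victim zone
    "clinte.schlitt.net.": ("attacker-ns",
                            [f"ns{i}.bad.schlitt.net." for i in range(FANOUT // 2)]
                            + [f"ns{i}.ugly.schlitt.net." for i in range(FANOUT // 2)]),
    "bad.schlitt.net.": ("attacker-ns", [f"ns{i}.{VICTIM_ZONE}" for i in range(FANOUT)]),
    "ugly.schlitt.net.": ("attacker-ns", [f"ns{i}.{VICTIM_ZONE}" for i in range(FANOUT)]),
    VICTIM_ZONE: ("victim-ns", ["a.iana-servers.net."]),
}
GLUE = {"ns.schlitt.net.": "192.0.2.1", "a.iana-servers.net.": "192.0.2.2"}
TLD_HINT = "192.0.2.53"                          # stands in for the root/TLD hints
ADDRESSES = {"www.example.com.": "192.0.2.80"}   # the only real A record; every
                                                 # nsN.example.com. name is NXDOMAIN


class Filthy(Exception):
    """Raised when one client query has chased too many lame NS names."""


class Resolver:
    def __init__(self, max_lame=None):
        self.max_lame = max_lame   # None = no limit, i.e. today's behaviour
        self.zone_addr = {}        # zone -> address of a working server, or None
        self.sent = Counter()      # server id -> queries sent for this lookup
        self.lame = 0              # NS names that yielded no address so far

    @staticmethod
    def enclosing_zone(name):
        return max((z for z in ZONES if name == z or name.endswith("." + z)), key=len)

    def lookup(self, name):
        """Resolve one client query; returns an address or a SERVFAIL string."""
        self.sent, self.lame = Counter(), 0
        try:
            addr = self.resolve(name)
        except Filthy:
            return "SERVFAIL (lame-delegation budget exceeded)"
        # unreachable zone and missing record are collapsed into one answer here
        return addr if addr else "SERVFAIL"

    def resolve(self, name):
        zone = self.enclosing_zone(name)
        server, _ = ZONES[zone]
        if self.zone_server_address(zone) is None:
            return None
        self.sent[server] += 1            # the actual query to that zone's server
        return ADDRESSES.get(name)

    def zone_server_address(self, zone):
        """Find a reachable server for `zone`, chasing unglued NS names as needed."""
        if zone in self.zone_addr:
            return self.zone_addr[zone]
        if zone in ("net.", "com."):
            self.zone_addr[zone] = TLD_HINT
            return TLD_HINT
        parent = self.enclosing_zone(zone[zone.index(".") + 1:])
        if self.zone_server_address(parent) is None:
            self.zone_addr[zone] = None
            return None
        self.sent[ZONES[parent][0]] += 1  # referral query to the parent's server
        _, ns_names = ZONES[zone]
        for ns in ns_names:
            if self.max_lame is not None and self.lame >= self.max_lame:
                raise Filthy(f"{self.lame} lame NS names while resolving {zone}")
            addr = GLUE.get(ns) or self.resolve(ns)
            if addr:
                self.zone_addr[zone] = addr
                return addr
            self.lame += 1                # this NS name resolved to nothing
        self.zone_addr[zone] = None       # every NS was lame
        return None


if __name__ == "__main__":
    for limit in (None, 5):
        r = Resolver(max_lame=limit)
        result = r.lookup("clinte.schlitt.net.")
        print(f"max_lame={limit}: {result}; queries sent: {dict(r.sent)}")
```

Without a limit, the single lookup sends 40 queries to the victim's server and 3 to the attacker's; with `max_lame=5` the resolver gives up after the fifth dead NS name, the victim sees 5 queries, and an ordinary name such as www.example.com. still resolves with one query. A production resolver would apply the same budget per client query and would also want a cap on total fetches, since a zone with one valid NS among many lame ones is exactly the case Wayne says turns this into a usable domain.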
