On Nov 16, 2006, at 8:17 AM, william(at)elan.net wrote:
> On Thu, 16 Nov 2006, Douglas Otis wrote:
>
> > > So, name server records are actually worse than SPF. With SPF, I
> > > made sure that there were some limits on the number of queries
> > > that can be sent.
> >
> > Wayne, you have missed the point as well. In addition to a
> > possible 100 victim-targeted queries, SPF provides the attacker
> > more than 111 opportunities per execution of an SPF script to
> > introduce an NS chaining scheme as well. SPF makes an NS chaining
> > problem 111 times worse! In addition, early termination of an SPF
> > script coupled with initiation of another script defeats
> > exponential back-off.
>
> Like I said in my original post on this subject, it all comes down
> to the timeout (either the one from the SPF processor, or the one
> from the resolver itself, or the application's), as there are enough
> opportunities with & without SPF to do chaining, and in the end it's
> going to be about the same amplification.

In some SPF routines, a timeout is as short as 5 seconds, and the DNS
transaction potential for SPF scripts remains at multiples of 100!
Attacks may leverage spam sent from botnets, which represent more
than 70% of the sources. An SPF-related attack demands little of the
botnet's resources.

> The thing I'm seriously afraid of is "advanced" libraries designed
> for high-end multi-threaded systems that would try to send multiple
> requests asynchronously.

When a victim is targeted by the distribution of messages referencing
malicious SPF scripts, "advanced" libraries are not required before
abrupt timeouts become highly problematic.

> For SPF that means multiple listed "exists" and/or "mx" instead of
> trying the first and then the 2nd, etc. - but I don't think there
> are any doing it this way right now, even though SPF allows for it
> in its design. A more serious issue may be mail servers, as there
> are some that would try to get resolution for all listed MX in an
> asynchronous manner. Luckily for us the number of such deployments
> is few, whereas the attack depends on a great number of systems
> doing it.

There seems to be agreement that an SPF exploit as described can be
constructed that exceeds the number of DNS transactions indicated in
the spf-dos-exploit draft. Your techniques simply increase this
number. Why quibble over the gains achieved by a difference between
the TTL of attacking records and that of negative caching? One-day
MX record retention with 5-minute negative cache retention (which may
not be controlled by the victim) means 288 negative address
references might be made for each malicious MX record reference.
There are similar attacks that simply chain 11 wildcard SPF records
without relying upon negative caching. SPF record chaining removes
an ability to detect suspicious records as well. SPF scripts
introduce many avenues of attack. :(

The problem you are currently describing exists without "advanced"
SPF libraries. SPF script execution must be considered in
aggregate. Thousands of such libraries will be employed by an
attacker. SPF scripts can be used that completely flood a network
backbone interconnect.

> P.S. I'm not sure this discussion is good to be held on a public
> mail list. Think about who it helps most when we publicly brainstorm
> the most useful way to accomplish this sort of attack?

In the spf-dos-exploit draft, this statement was made:

"Other techniques can further increase the severity of such an
attack, but are not reviewed."

Your efforts to point out other DNS weaknesses only strengthen
concerns related to SPF scripts. This is not a general problem
related to DNS. SPF scripts dramatically increase the impact,
especially when other weaknesses are also exploited.
-Doug
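The query arithmetic argued over in this thread, as an added example that is not any participant's code: a dry-run SPF lookup counter over a constructed in-memory zone (every name invented), showing that a record which stays inside the RFC 4408 limits of 10 lookup-causing terms and 10 MX names per "mx" term still causes 111 DNS transactions, 100 of them address queries aimed at the victim's zone, and how a caller-supplied total-query budget (an assumed defensive knob, not part of SPF itself) aborts evaluation early.

```python
import re
from collections import Counter

# RFC 4408 section 10.1 allows 10 lookup-causing terms per check and 10 MX names
# per "mx" term, so a compliant record can still cost 1 + 10 + 10*10 = 111 queries.
MAX_LOOKUP_TERMS, MAX_MX_NAMES = 10, 10
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")

def count_spf_queries(domain, zone, budget=None):
    """Dry-run `domain`'s SPF record against a zone dict keyed by (qname, qtype) and
    return a Counter of the queries a real check would send (ValueError on limits)."""
    queries, lookup_terms = Counter(), 0

    def query(qname, qtype):
        queries[(qname, qtype)] += 1
        if budget is not None and sum(queries.values()) > budget:
            raise ValueError(f"query budget {budget} exceeded at {qname}/{qtype}")
        return zone.get((qname, qtype), [])

    def evaluate(name):
        nonlocal lookup_terms
        spf = [r for r in query(name, "TXT") if r.startswith("v=spf1 ")]
        for term in (spf[0].split()[1:] if spf else []):
            kind, _, target = re.match(r"([a-z0-9]*)([:=]?)(.*)", term.lstrip("+-~?")).groups()
            if kind not in LOOKUP_TERMS:
                continue                       # all / ip4 / ip6 cause no DNS traffic
            lookup_terms += 1
            if lookup_terms > MAX_LOOKUP_TERMS:
                raise ValueError("more than 10 lookup-causing terms (permerror)")
            target = target or name
            if kind in ("include", "redirect"):
                evaluate(target)               # recursion is how records chain
            elif kind == "mx":
                names = query(target, "MX")
                if len(names) > MAX_MX_NAMES:
                    raise ValueError("more than 10 MX names (permerror)")
                for mx_name in names:
                    query(mx_name, "A")        # one address lookup per MX name
            else:                              # a / exists / ptr: modelled as one query
                query(target, "A")

    evaluate(domain)
    return queries

# Constructed zone (every name invented): one record with ten "mx" terms, each naming
# a domain whose ten MX hosts all sit under the victim's zone.
ZONE = {("sender.example", "TXT"):
        ["v=spf1 " + " ".join(f"mx:mx{i}.sender.example" for i in range(10)) + " -all"]}
for i in range(10):
    ZONE[(f"mx{i}.sender.example", "MX")] = [f"host{i}{j}.victim.example" for j in range(10)]
```

Summing `count_spf_queries("sender.example", ZONE)` reproduces the 111 figure; filtering its keys by the victim suffix gives the 100 address queries the victim's name servers would absorb per evaluation.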
_______________________________________________
dnsop resources:
web user interface: http://darkwing.uoregon.edu/~llynch/dnsop.html
mhonarc archive: http://darkwing.uoregon.edu/~llynch/dnsop/index.html