[Asrg] Problems that make the RMX proposal infeasible
"Jonathan Wilkins" <jwilkins@microsoft.com> Thu, 06 March 2003 20:18 UTC
Received: from www1.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id PAA10981 for <asrg-archive@odin.ietf.org>; Thu, 6 Mar 2003 15:18:07 -0500 (EST)
Received: (from mailnull@localhost) by www1.ietf.org (8.11.6/8.11.6) id h26KTIK10755 for asrg-archive@odin.ietf.org; Thu, 6 Mar 2003 15:29:18 -0500
Received: from ietf.org (odin.ietf.org [132.151.1.176]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id h26KTHO10752 for <asrg-web-archive@optimus.ietf.org>; Thu, 6 Mar 2003 15:29:17 -0500
Received: from www1.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id PAA10974 for <asrg-web-archive@ietf.org>; Thu, 6 Mar 2003 15:17:35 -0500 (EST)
Received: from www1.ietf.org (localhost.localdomain [127.0.0.1]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id h26KP0O10603; Thu, 6 Mar 2003 15:25:00 -0500
Received: from ietf.org (odin.ietf.org [132.151.1.176]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id h26KCFO09722 for <asrg@optimus.ietf.org>; Thu, 6 Mar 2003 15:12:15 -0500
Received: from INET-IMC-05.redmond.corp.microsoft.com (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id PAA09155 for <asrg@ietf.org>; Thu, 6 Mar 2003 15:00:32 -0500 (EST)
Received: from inet-vrs-05.redmond.corp.microsoft.com ([157.54.6.157]) by INET-IMC-05.redmond.corp.microsoft.com with Microsoft SMTPSVC(5.0.2195.6624); Thu, 6 Mar 2003 12:02:35 -0800
Received: from 157.54.8.23 by inet-vrs-05.redmond.corp.microsoft.com (InterScan E-Mail VirusWall NT); Thu, 06 Mar 2003 12:02:35 -0800
Received: from RED-MSG-06.redmond.corp.microsoft.com ([157.54.12.198]) by INET-HUB-01.redmond.corp.microsoft.com with Microsoft SMTPSVC(5.0.2195.5600); Thu, 6 Mar 2003 12:02:34 -0800
X-MimeOLE: Produced By Microsoft Exchange V6.5.6851.8
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Message-ID: <7695E2F6903F7A41961F8CF888D87EA809F0164F@red-msg-06.redmond.corp.microsoft.com>
Thread-Topic: Problems that make the RMX proposal infeasible
thread-index: AcLkG1MaziS4i+44RmG+zi4nN8Zn6g==
From: Jonathan Wilkins <jwilkins@microsoft.com>
To: asrg@ietf.org
Cc: Adam Back <adamback@microsoft.com>
X-OriginalArrivalTime: 06 Mar 2003 20:02:34.0685 (UTC) FILETIME=[54266ED0:01C2E41B]
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by www1.ietf.org id h26KCFO09723
Subject: [Asrg] Problems that make the RMX proposal infeasible
Sender: asrg-admin@ietf.org
Errors-To: asrg-admin@ietf.org
X-BeenThere: asrg@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/asrg>, <mailto:asrg-request@ietf.org?subject=unsubscribe>
List-Id: Anti-Spam Research Group - IRTF <asrg.ietf.org>
List-Post: <mailto:asrg@ietf.org>
List-Help: <mailto:asrg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/asrg>, <mailto:asrg-request@ietf.org?subject=subscribe>
List-Archive: <https://www1.ietf.org/pipermail/asrg/>
Date: Thu, 06 Mar 2003 12:02:34 -0800
Content-Transfer-Encoding: 8bit
Content-Transfer-Encoding: 8bit
I've been tracking this discussion for a little while and thought that I'd finally de-lurk and give some comments. I'm going to summarize some points that Adam Back has made and add a little because it seems that some people have still not understood the problems. Firstly, the DNS protocol is subject to spoofing. This is a fundamental problem with the protocol and cannot be fixed without totally changing the protocol. This is due to the fact that the first answer with a matching request ID is accepted. Since the request ID is a 16 bit field, it is trivial for an attacker to send 65536 100 byte packets and provide this answer. This is bad in general, but somewhat mitigated by the fact that it is hard to determine when a given server will make a request and the fact that most important things are backed up with SSL. An attacker may know that you bank with Wells Fargo, but will find it difficult to predict exactly when you're going to try and log into their servers. Even if they manage that, you'll still be presented with a browser warning (or if they direct you to https://www.weelsfargo.com you stand a chance of noticing the unexpected URL) In the context of the RMX proposal, neither of these are true. The attacker knows roughly when you'll do the lookup. (Either when the MAIL FROM line is sent or when the message has been received.) Furthermore, since the attacker gets to choose the TTL, the value of this attack is greatly increased. Since the TTL is specified as an unsigned integer and given in seconds this means that they only have to succeed with this attack once per server. Furthermore, since they don't care whether you're reading spam from spammer@foo.com or spammer@bar.com, if they somehow fail the first attempt, they can retry over and over again with varying domains. As soon as they win once, they can spam for however long your DNS server actually caches the record. DNS IS NOT A VALID METHOD OF AUTHENTICATION!!!!!!!! Note: While it is possible to make this attack harder by varying the source port too (which DJBDNS does and BIND doesn't) the total search space is still too small to withstand a concerted attack. This is made worse by the birthday attack mentioned in the DNS Cache Poisoning - TNG paper) Papers to read: DNS Cache Poisoning - The Next Generation The old problem of DNS cache poisoning has again reared its ugly head. While some would argue that the domain name system protocol is inherently vulnerable to this style of attack due to the weakness of 16-bit transaction IDs, we cannot ignore the immediate threat while waiting for something better to come along. There are new attacks, which make DNS cache poisoning trivial to execute against a large number of nameservers running today. The purpose of this article is to shed light on these new attacks and recommend ways to defend against them. http://www.securityfocus.com/guest/17905 -------- Mike Schiffman (aka route, past editor of phrack) has done an analysis of the current state of the world's DNS infrastructure. Synopsis: DNS servers across the Internet running BIND are not up to date with security patches and software updates. As a result, a significant fraction of the Internet's DNS servers is vulnerable to compromise, subversion, denial of service, and general misuse. Considering that DNS is the lynchpin of the corporate enterprise, the impact of these vulnerabilities is significant and a successful attack could bring down any online business. http://www.packetfactory.net/DNS/ _______________________________________________ Asrg mailing list Asrg@ietf.org https://www1.ietf.org/mailman/listinfo/asrg
- [Asrg] Problems that make the RMX proposal infeas… Jonathan Wilkins
- RE: [Asrg] Problems that make the RMX proposal in… Jonathan Wilkins
- Re: [Asrg] Problems that make the RMX proposal in… Pierre BRUA
- RE: [Asrg] Problems that make the RMX proposal in… Sauer, Damon