DNSOP WG IETF-67 SPF/Sender-ID DNS & Internet Threat Douglas Otis

Slides:



Advertisements
Similar presentations
Review iClickers. Ch 1: The Importance of DNS Security.
Advertisements

IP Warming Overview and Implementation Using Eloqua.
Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.
DNSSEC & Validation Tiger Team DHS Federal Network Security (FNS) & Information Security and Identity Management Committee (ISIMC) Earl Crane Department.
© 2007 Convio, Inc. Implementation of Sender ID Bill Pease, Chief Scientist Convio.
DKIM WG IETF-67 DKIM Originating Signing Policy Douglas Otis
Sender ID Drafts Jim Lyon Microsoft Corporation 4 August 2004.
1 Aug. 3 rd, 2007Conference on and Anti-Spam (CEAS’07) Slicing Spam with Occam’s Razor Chris Fleizach, Geoffrey M. Voelker, Stefan Savage University.
Exchange 2003 and SPAM Fighting Emmanuel Ormancey, Rafal Otto Internet Services Group Department of Information Technology CERN 3 June 2015.
BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.
EEC-484/584 Computer Networks Lecture 6 Wenbing Zhao
Understanding the Network-Level Behavior of Spammers Mike Delahunty Bryan Lutz Kimberly Peng Kevin Kazmierski John Thykattil By Anirudh Ramachandran and.
Spam May CS239. Taxonomy (UBE)  Advertisement  Phishing Webpage  Content  Links From: Thrifty Health-Insurance Mailed-By: noticeoption.comReply-To:
Enhanced Secure Dynamic DNS Update with Indirect Route David Wilkinson, C. Edward Chow, Yu Cai 06/11/2004 University of Colorado at Colorado Springs IEEE.
DNS: Revising the Current Protocol Matt Gustafson Matt Weaver CS522 Computer Communications University of Colorado, Colorado Springs.
Sender policy framework. Note: is a good reference source for SPFhttp://
Office 365 SMTP Relay June Relay Method Send to rcpts in domain Relay to Internet via O365 Configuration Requirements Requires Authentication.
Pro Exchange SPAM Filter An Exchange 2000 based spam filtering solution.
Spam Reduction Techniques Using greylisting and SpamAssassin.
1 RedIRIS Reputation Block List September RedIRIS Reputation Block ListPágina 2 RedIRIS and mail services At the beginning, RedIRIS was directly.
Common forms and remedies Neeta Bhadane Raunaq Nilekani Sahasranshu.
Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.
Lecture 22 Page 1 Advanced Network Security Other Types of DDoS Attacks Advanced Network Security Peter Reiher August, 2014.
Identity Based Sender Authentication for Spam Mitigation Sufian Hameed (FAST-NUCES) Tobias Kloht (University of Goetingen) Xiaoming Fu (University.
CensorNet Ltd An introduction to CensorNet Mailsafe Presented by: XXXXXXXX Product Manager Tel: XXXXXXXXXXXXX.
Harness Your Internet Activity. Zeroing in On Zero Days DNS OARC Spring 2014 Ralf Weber
B OTNETS T HREATS A ND B OTNETS DETECTION Mona Aldakheel
TELE 301 Lecture 11: DNS 1 Overview Last Lecture –Scheduled tasks and log management This Lecture –DNS Next Lecture –Address assignment (DHCP)
 Collection of connected programs communicating with similar programs to perform tasks  Legal  IRC bots to moderate/administer channels  Origin of.
SMTP PROTOCOL CONFIGURATION AND MANAGEMENT Chapter 8.
ProtectionProfiles. 2 Fortinet Technologies Protection Profiles Protection profiles control t the type of traffic protected t HTTP t FTP t IMAP t POP3.
DNS-based Message-Transit Authentication Techniques D. Crocker Brandenburg InternetWorking D. Crocker Brandenburg InternetWorking.
Defending DKIM IETF 65 Threats and Strategies Douglas Otis
1 DNS: Domain Name System People: many identifiers: m SSN, name, Passport # Internet hosts, routers: m IP address (32 bit) - used for addressing datagrams.
October 15, 2002Serguei A. Mokhov, 1 Intro to DNS SOEN321 - Information Systems Security.
Speaker:Chiang Hong-Ren Botnet Detection by Monitoring Group Activities in DNS Traffic.
Using Traffic Shaping to Combat Spam David Cawley, Senior Engineer December 12th, 2007.
DNS Security Pacific IT Pros Nov. 5, Topics DoS Attacks on DNS Servers DoS Attacks by DNS Servers Poisoning DNS Records Monitoring DNS Traffic Leakage.
IPv6, the Protocol of the Future, Today Mathew Harris.
SPF/Sender-ID DNS & DDoS Threats Operations Analysis and Research Center for the Internet Douglas Otis November 3, 2007
Module 6: Integrating ISA Server 2004 and Microsoft Exchange Server.
SPF/Sender-ID DNS & DDoS Threats Internet Security Operations and Intelligence II Douglas Otis
Understanding the Network-Level Behavior of Spammers Author: Anirudh Ramachandran, Nick Feamster SIGCOMM ’ 06, September 11-16, 2006, Pisa, Italy Presenter:
Company Confidential 1 ICMPv6 Echo Replies for Teredo Clients draft-denis-icmpv6-generation-for-teredo-00 behave, IETF#75 Stockholm Teemu Savolainen.
Detecting Phishing in s Srikanth Palla Ram Dantu University of North Texas, Denton.
Source pictures for document ”Thoughts about increasing spam annoyance” by License: This material may be distributed only subject.
Security in DNS(DNSSEC) Yalda Edalat Pramodh Pallapothu.
LinxChix And Exim. Mail agents MUA = Mail User Agent Interacts directly with the end user  Pine, MH, Elm, mutt, mail, Eudora, Marcel, Mailstrom,
SMTP Tapu Ahmed Jeremy Nunn. Basics Responsible for electronic mail delivery. Responsible for electronic mail delivery. Simple ASCII protocol that runs.
DNS Security 1. Fundamental Problems of Network Security Internet was designed without security in mind –Initial design focused more on how to make it.
Sender policy framework. Note: is a good reference source for SPFhttp://
X-ASVP Technical Overview eXtensible Anti-spam Verification Protocol X-ASVP Committee Technical Working Group July 22, 2007.
DNS Cache Poisoning (pretending to be the authoritative zone) ns.example.co m Webserver ( ) DNS Caching Server Client I want to access
DNS64 draft-bagnulo-behave-dns64-01 m. bagnulo, P. Matthews, I. van Beijnum, A. Sullivan, M. Endo IETF 73 - Mineapolis.
Short Intro to DNS (part of Tirgul 9) Nir Gazit. What is DNS? DNS = Domain Name System. For translation of host names to IPs. A Distributed Database System.
Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved DISTRIBUTED SYSTEMS.
ADDRESS INTERNATIONALIZATION ( EAI ) ICANN-55 Mar 06, 2016 TF-AIDN Member 35+ Min : 10- Min ( Q & A )
Fighting Spam in an Exchange Environment Tzahi Kolber IT Supervisor - Polycom Israel.
Using Digital Signature with DNS. DNS structure Virtually every application uses the Domain Name System (DNS). DNS database maps: –Name to IP address.
sender policy framework
Sender ID: An Overview for Registrars ICANN Vancouver December 1, 2005
DNS Security Issues SeongHo Cho DPNM Lab., POSTECH
Defending Against DDoS
NET 536 Network Security Lecture 8: DNS Security
NET 536 Network Security Lecture 6: DNS Security
SmartWhoIs SmartWhois runs on Windows. Both 32- and 64-bit versions are supported. An evaluation version is available in the Download Area.  SmartWhoIs.
Slides Credit: Sogand Sadrhaghighi
How We Fight Against Scam
The Unintended Consequences of Spam Prevention
Presentation transcript:

DNSOP WG IETF-67 SPF/Sender-ID DNS & Internet Threat Douglas Otis

2 How does SPF/Sender-ID utilize DNS? SPF/Sender-ID use TXT (16) or SPF (99) RRs The SPF records may chain 10 or 11 times using Redirect, Include, and Exp macro mechanisms May publish as many IPv4 & 6 CIDRs that fit Each chained set may contain 10 macro-expanded mechanisms with domain name & CIDR overlays Mechanisms may resolve A, AAAA, MX, r-PTR or test existence of A or AAAA using Exist macro Mechanisms for MX or r-PTR may require 10 additional DNS transactions each. (10 x 10 = 100)

3 What names are checked? SPF records checks SMTP clients against both: –RFC 2821 EHLO hostname –RFC 2821 MAIL FROM -address The scope for Sender-ID adds one: –RFC 2822 Resent-Sender -address –RFC 2822 Resent-From -address –RFC 2822 Sender -address –RFC 2822 From -address Some propose checking DomainKey/DKIM domains

4 SPF amplification (prior canvassing assumed) ~8k bits per message (small message) 2304 bit q a = 5088 bits (example attack) 5088 bits x 100 = 508 kbits / name evaluation 508 kbits / 8kbits = SPF op baseline amplification = 64:1 1-~3 names evaluated per message 1-~20 recipients per message 1-~3 evaluation points per recipient Low (64 kByte x 1 x 1 x 1) = 64:1 for 508 kbits/msg Med (64 kByte x 1 x 2 x 2) = 320:1 for 2032 kbits/msg High (64 kByte x 3 x 20 x 3) = 11,430:1 for 91.4 mbit/msg

5 Estimating SPF related DDoS Potentials Each second a session is blocked per 16,400 mailboxes Each second a message is tagged per 7,040 mailboxes Each second an untagged message per 27,400 mailboxes Millions of compromised systems send > 70% of spam > 80% of is spam Bot-nets campaigns commonly operate 50k Bots in concert 230 kbit/sec In & 278 kbit/sec Out per SPF script op (29 kBytes In & 35 kBytes Out per SPF script op) > 4 SPF script operations per received message 100k Bots at 2 SPF ops with average of 10 recipients can produce 8 Gb/s In and 10 Gb/s Out at 1 msg/min at 0 cost Congestions avoidance is also circumvented in SPF libraries

6 DNS Label Components from SPF Macros %{symbol | rev-label-seq | # of right-most labels | chars to “.” } rev-label-seq = “r” chars to “.” = “-” | “+” | “,” | “/” | “_” | “=” # of right-most labels = symbols : s = -Address or EHLO l = left-hand side -address o = right-hand side of -address d = -address domain or EHLO i = SMTP client IP address decimal octet labels p = r-PTR domain validated with IP address v = "in-addr" IPv4, or "ip6" if IPv6 h = EHLO hostname

7 SPF/Sender-ID deployment ~3% of domains with MX RR publish SPF Fortune 100 & Top 20 domains: –72% / 70% offer no SPF records – 6% / 10% SPF records fail Neutral –13% / 10% SPF records fail Softfail – 9% / 10% SPF records fail Fail Abusive sources: –77% offer no SPF records –0.2% SPF records Pass –14% SPF records offer Neutral results – 6% SPF records offer Softfail results –2.6% SPF records offer Fail results

8 Hard to detect SPF enabled attacks Flood of DNS traffic from highly distributed sources Sources are within otherwise well managed domains Queries may exhibit large random names for: –Wildcard SPF RRs –Invalid address records Packet source/destination addresses are all valid logs do not explain the high level of DNS traffic Traffic originates from DNS serving access points & MTAs Concurrent with legitimate DNS traffic Could also be concurrent with suspicious poisoning traffic Could also be concurrent with a high level of DNS timeouts

9 Ideas for preventing SPF attacks Establish AUPs prohibiting use of SPF script libraries Return 0 answers for all SPF records Promote safe techniques with deterministic DNS overhead Authenticate the client before evaluating message content Avoid running scripts directly from unknown DNS or clients

10 Questions?

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.