Dr. David MacQuigg, President, Open-mail.org
Registry of Public Senders™ – A Secure DNS Database
University of Arizona ECE 596c – Cyber Security, November 2006
July 15,

Who is a Public Sender?
– A domain-name owner
– Authorizing an Internet Transmitter
– To send to unrelated Receivers

What does the Registry Provide?
– Authentication Data: does the sender authorize this transmitter?
– Reputation Data: how likely are messages authorized by this sender to be spam?
– A simple, effective whitelisting method that works well with existing anti-spam methods
– The first non-proprietary database of Public Senders

Typical Registry Record (the address blocks in the ip4 field did not survive extraction):

amazon.com.s-id.net IN TXT "opt=df:5 svc=X1:B ip4= /19, /29, /29"

Other Authentication/Reputation Systems
– Senderbase™, Bonded Sender™, Gossip™, many others
– Many private systems operated by large ISPs for their own recipients, or by "spam appliance" companies for their own customers

[Diagram: Transmitter (T) and Receiver (R) separated by a trust boundary; the Receiver's User Agent queries the Registry DNS Database. Fast, efficient, but is it secure?]
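How a Receiver would consume a record in the format shown above, as an added example (not the registry's or Open-mail.org's own code). The record grammar is assumed from the one line on the slide: whitespace-separated key=value fields, with ip4= carrying a comma-separated list of IPv4 CIDR blocks. Since the slide's real address blocks are not shown, the sample record uses RFC 5737 documentation ranges, and the s-id.net registry suffix is taken from the amazon.com.s-id.net example.

```python
import ipaddress
import re

# Constructed record in the slide's format; the slide's real address blocks
# are not shown, so RFC 5737 documentation ranges stand in for them.
SAMPLE_RECORD = 'opt=df:5 svc=X1:B ip4=192.0.2.0/29, 198.51.100.0/24, 203.0.113.8/29'

# Registry suffix taken from the slide's amazon.com.s-id.net example.
REGISTRY_SUFFIX = 's-id.net'


def registry_name(sender_domain, suffix=REGISTRY_SUFFIX):
    """Name the Receiver queries for a sender: <sender domain>.<registry suffix>."""
    return '%s.%s' % (sender_domain.strip('.').lower(), suffix)


def parse_registry_record(txt):
    """Split the TXT record into fields.  ip4= becomes a list of IPv4Network;
    other keys (opt=, svc=) are kept verbatim because the slide does not define them.
    Raises ValueError on a malformed address block."""
    record = {}
    # Values may contain ", " (the ip4 list), so split at the next "key=" rather than on spaces.
    for m in re.finditer(r'(\w+)=(.*?)(?=\s+\w+=|$)', txt.strip()):
        key, value = m.group(1), m.group(2).strip()
        if key == 'ip4':
            # strict=True rejects blocks with host bits set (e.g. 192.0.2.1/29);
            # a registry should reject those rather than silently widen them.
            record['ip4'] = [ipaddress.IPv4Network(tok.strip(), strict=True)
                             for tok in value.split(',') if tok.strip()]
        else:
            record[key] = value
    return record


def transmitter_authorized(record, transmitter_ip):
    """The authentication question on the slide: does the sender authorize this transmitter?"""
    addr = ipaddress.IPv4Address(transmitter_ip)
    return any(addr in net for net in record.get('ip4', []))


def check_sender(sender_domain, txt_records, transmitter_ip):
    """Receiver-side decision from the TXT answers for registry_name(sender_domain).
    Returns 'pass', 'fail', 'none' (no record) or 'permerror' (unparseable record).
    txt_records is whatever the DNS lookup returned; the caller supplies it here."""
    if not txt_records:
        return 'none'
    try:
        records = [parse_registry_record(t) for t in txt_records]
    except ValueError:
        return 'permerror'
    return 'pass' if any(transmitter_authorized(r, transmitter_ip) for r in records) else 'fail'
```

A record with an empty or malformed block (like the elided "ip4= /19" on the slide) produces 'permerror' rather than a pass, so a broken registry entry can never authorize a transmitter by accident.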
Registry DNS Architecture & Security Threats

[Architecture diagram; the numbered threats below are keyed to it.]

Threat 1 – File storage
  Vulnerability: loss or corruption of data.
  Solution: encrypted backup copies with journaling; Unix system security; physical security.

Threat 2 – Dynamic updates to zone files
  Vulnerability: stolen admin password; IP address spoofing.
  Solution: secure the admin's computer and network connection; use Transaction Signatures (TSIG).

Threat 3 – Incremental zone transfers
  Vulnerability: IP address spoofing.
  Solution: TSIG with a unique key for each connection; private IP addresses.

Threat 4 – Incremental zone transfers
  Vulnerability: IP address spoofing; denial of service.
  Solution: TSIG with a unique key for each connection; IP addresses in reserve.

Threat 5 – Queries from the client's DNS server
  Vulnerability: cache poisoning; man in the middle; denial of service.
  Solution: DNSSEC; IP addresses in reserve.

Threat 6 – Queries from the client
  Vulnerability: cache poisoning; man in the middle.
  Solution: DNSSEC; local network security.

TSIG authenticates each update or transfer with an HMAC over the message under a secret shared by the two parties, and DNSSEC signs the zone data itself, so spoofing a source IP address gains an attacker nothing on those paths. Neither protects availability, which is why the table pairs them with addresses held in reserve against denial of service.
Testing the Registry

Dynamic update from the admin's machine:

dave]# python dnsupdate.py 48
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags: ; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
test1.s-id.net. 0 ANY ANY
test1.s-id.net IN TXT "Test_Record_48"
...

The first line of the UPDATE section deletes every RRset at test1.s-id.net; the second adds the new TXT record. A few seconds later, on one of our public servers (txt is a local shorthand for a dig TXT query, judging by the +short option):

~]$ txt test1.s-id.net +short
"Test_Record_48"
Pieces of Python

# dnsupdate.py  DMQ 11/4/06
...
# Start an nsupdate client process and connect file objects to its
# input and output pipes.  (The slide used popen2, which no longer exists
# in Python 3; subprocess.Popen is the equivalent.)
from subprocess import Popen, PIPE
proc = Popen(['nsupdate'], stdin=PIPE, stdout=PIPE, universal_newlines=True)
...
# Commands to nsupdate.  VARS (NAME, ZONE, TTL, TYPE, VAL) is filled in
# earlier in the script from the command-line argument; the slide does not
# show the local and server addresses, so LOCAL and SERVER stand in for them.
# The key line carries the TSIG shared secret in the clear: nsupdate -k <keyfile>
# keeps it in a file with restricted permissions instead of in scripts and slides.
header = '''\
local %(LOCAL)s
server %(SERVER)s
key updatedns 1M92TYO2dznMK0M2N/q62Q==
zone %(ZONE)s
''' % VARS
template = '''\
update delete %(NAME)s.%(ZONE)s
update add %(NAME)s.%(ZONE)s %(TTL)s %(TYPE)s %(VAL)s
''' % VARS
trailer = '''\
show
send
quit
'''
text = header + template + trailer
...
# Feed the commands to nsupdate; "show" produces the output on the previous slide.
output, _ = proc.communicate(text)
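What the key line above actually buys you, as an added example rather than the registry's dnsupdate.py: the same UPDATE that the script sends (delete all RRsets at test1.s-id.net, add one TXT record), built on the wire and signed with a TSIG RR per RFC 2845/8945 using only the standard library, plus the verification a master server performs. The key name updatedns, the zone and the record come from the slides; the secret is constructed for this example (the slide's secret is not reused), and HMAC-SHA256 is used where the slide's nsupdate key command defaults to HMAC-MD5.

```python
import hashlib
import hmac
import os
import struct
import time

TSIG, TXT, SOA, ANY, IN = 250, 16, 6, 255, 1
ALG = 'hmac-sha256'   # the slide's "key name secret" form defaults to hmac-md5; SHA-256 is preferable

# Constructed key: name as on the slide, secret made up for this example only.
KEYS = {'updatedns': b'example-secret-not-the-slides-key'}


def wire_name(name, canonical=False):
    """DNS label encoding without compression; canonical form is lower-case."""
    if canonical:
        name = name.lower()
    labels = [l for l in name.rstrip('.').split('.') if l]
    return b''.join(bytes([len(l)]) + l.encode('ascii') for l in labels) + b'\x00'


def build_update(zone, name, ttl, text, msg_id=None):
    """UPDATE doing what dnsupdate.py does: delete every RRset at `name`, add one TXT."""
    if msg_id is None:
        msg_id = struct.unpack('!H', os.urandom(2))[0]
    header = struct.pack('!HHHHHH', msg_id, 5 << 11, 1, 0, 2, 0)   # opcode 5 = UPDATE
    zone_section = wire_name(zone) + struct.pack('!HH', SOA, IN)
    delete_all = wire_name(name) + struct.pack('!HHIH', ANY, ANY, 0, 0)
    rdata = bytes([len(text)]) + text.encode('ascii')             # one <character-string>
    add_txt = wire_name(name) + struct.pack('!HHIH', TXT, IN, ttl, len(rdata)) + rdata
    return header + zone_section + delete_all + add_txt


def tsig_variables(keyname, time_signed, fudge, error=0, other=b''):
    """TSIG RR fields covered by the MAC: key name, class ANY, TTL 0, algorithm, time, fudge, error, other."""
    return (wire_name(keyname, True) + struct.pack('!HI', ANY, 0) + wire_name(ALG, True)
            + time_signed.to_bytes(6, 'big') + struct.pack('!HHH', fudge, error, len(other)) + other)


def sign(msg, keyname, secret, time_signed=None, fudge=300):
    """Append a TSIG RR.  The MAC covers the unsigned message (ARCOUNT before the TSIG RR
    is counted) plus the TSIG variables: spoofing the admin's IP address is useless without the secret."""
    if time_signed is None:
        time_signed = int(time.time())
    mac = hmac.new(secret, msg + tsig_variables(keyname, time_signed, fudge), hashlib.sha256).digest()
    rdata = (wire_name(ALG) + time_signed.to_bytes(6, 'big') + struct.pack('!HH', fudge, len(mac))
             + mac + struct.pack('!HHH', struct.unpack('!H', msg[:2])[0], 0, 0))
    tsig_rr = wire_name(keyname) + struct.pack('!HHIH', TSIG, ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack('!H', msg[10:12])[0] + 1
    return msg[:10] + struct.pack('!H', arcount) + msg[12:] + tsig_rr


def _read_name(buf, off):
    labels = []
    while buf[off]:
        n = buf[off]
        labels.append(buf[off + 1:off + 1 + n].decode('ascii'))
        off += 1 + n
    return '.'.join(labels), off + 1


def verify(signed, keys, now=None):
    """Server-side check: (True, 'NOERROR') or (False, 'BADKEY'|'BADSIG'|'BADTIME'|'unsigned')."""
    if now is None:
        now = int(time.time())
    _, _, zo, pr, up, ad = struct.unpack('!HHHHHH', signed[:12])
    off, last = 12, None
    for _ in range(zo):
        off = _read_name(signed, off)[1] + 4
    for _ in range(pr + up + ad):                  # the remaining sections are all RRs
        start = off
        _, off = _read_name(signed, off)
        rtype, _, _, rdlen = struct.unpack('!HHIH', signed[off:off + 10])
        off += 10 + rdlen
        last = (start, rtype)
    if last is None or last[1] != TSIG:
        return False, 'unsigned'
    keyname, p = _read_name(signed, last[0])
    alg, p = _read_name(signed, p + 10)
    time_signed = int.from_bytes(signed[p:p + 6], 'big')
    fudge, macsize = struct.unpack('!HH', signed[p + 6:p + 10])
    mac = signed[p + 10:p + 10 + macsize]
    q = p + 10 + macsize
    _, error, otherlen = struct.unpack('!HHH', signed[q:q + 6])
    other = signed[q + 6:q + 6 + otherlen]
    secret = keys.get(keyname.lower())
    if secret is None or alg.lower() != ALG:
        return False, 'BADKEY'
    unsigned = signed[:10] + struct.pack('!H', ad - 1) + signed[12:last[0]]
    expected = hmac.new(secret, unsigned + tsig_variables(keyname, time_signed, fudge, error, other),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):     # check the MAC before trusting the timestamp
        return False, 'BADSIG'
    if abs(now - time_signed) > fudge:
        return False, 'BADTIME'
    return True, 'NOERROR'
```

The order of checks in verify matters: an unknown key is rejected before any MAC work, the MAC is checked before the timestamp is believed, and the fudge window is what limits replay of a captured update. A server that only filtered on source IP address would accept the forged and tampered messages that this verifier rejects.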
Other Systems Facing Similar Threats

Root Servers
– 13 IP addresses, IP anycast
– TTL = 6 days

IP Blacklists (Spamhaus, et al.)
– 30 servers
– One record per IP, TTL only a few hours

Attacker Motivations
– Vandalism (script kiddies)
– Profit (spammers)
– Tort (anger, revenge, politics, ...)
– Denial of Service
– Defamation
Bibliography

A short list of the most useful books and articles on the technology behind the Registry.

Pro DNS and BIND, Ron Aitchison. Best book for learning DNS. Excellent examples. Thorough discussion of security.

DNS and BIND, 4th ed., Albitz & Liu. The DNS "Bible".

TCP/IP Illustrated, vol. I, The Protocols, W. Richard Stevens. Very thorough, yet readable. Good illustrations.

Project Links
– Current status of our Authentication and Reputation System: https://
– Articles and notes from early development.
Precise Terminology

Border MTA – Mail Transfer Agent at the border of an Administrative Domain. If we exclude Open Relays, which are banned by most Receivers, all MTAs, including the Forwarder above, can be associated with either the Sender or the Receiver, and the border is clearly defined.

Administrative Domain – includes all MTAs that have some pre-arrangement to exchange mail. An Administrative Domain may include servers using many different domain names. The two uses of "domain" are unrelated.

Sender – poorly defined. Should mean the outgoing Border MTA, but can mean the original sending domain or even an author. Use only when the context is clear or precision doesn't matter.

Receiver – The incoming Border MTA, not including MTAs that are internal to the Receiver's Administrative Domain. Authentication should always be done at the border.

Forwarder – An MTA that relays mail from one MTA to another.

Transmitter – MTA that is the source for the current "hop", and whose IP address appears in the Source field of the IP packets. Can include Senders and Forwarders.

Return Address – The address in the MAIL FROM command, used by the mail system for Delivery Status Notifications (DSNs).

MUA, MSA, MDA – Other types of mail agents: Mail User Agent, Mail Submission Agent, Mail Delivery Agent.
Identities in an SMTP Session

(Numeric reply codes, the port number and the addresses did not survive extraction.)

$ telnet open-mail.org
open-mail.org ESMTP Sendmail /8.13.1; Wed, 30 Aug :36:
HELO mailout1.phrednet.com
250 open-mail.org Hello ip068.subnet71.gci-net.com [ ], pleased to meet you
MAIL FROM:
Sender ok
RCPT TO:
Recipient ok
DATA
354 Enter mail, end with "." on a line by itself
From: Dave\r\nTo: Test Recipient\r\nSubject: SPAM SPAM SPAM\r\n\r\nThis is message 1 from our test script.\r\n.\r\n
k7TKIBYb Message accepted for delivery
QUIT
open-mail.org closing connection

RFC 2821 (envelope) identities
– HELO name
– Envelope addresses: the Return Address (MAIL FROM) and the Recipient Addresses (RCPT TO)

RFC 2822 (header) identities
– From address
– Reply-To address

Network Owner
– The transmitter's IP address, shown in brackets after the HELO name. Every other identity above is whatever the client chose to type; the IP address is the one that is hard to forge, which is why IP-based authentication keys on it.
Border Patrol™ MTA

[Diagram slide; no text survived extraction.]
Forgery is the Critical Factor in Abuse

Crooks hide their IP addresses by using a forwarder.

Signature-based Authentication (DKIM)
– Sender provides a public key via a secure channel (for DKIM that channel is a DNS TXT record, so it is only as trustworthy as the lookup).
– Messages are signed with the related private key.
– End-to-end: works independently of forwarders, provided they leave the signed parts of the message untouched.
– Slow but secure.

IP-based Authentication (SPF, SenderID, CSV)
– Sender provides a list of authorized transmitter addresses.
– Fast, but requires a "chain of trust" with forwarders: the Receiver only ever sees the IP address of the last hop.
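The chain-of-trust problem above, worked hop by hop, as an added example that is not Border Patrol or any SPF/SenderID/CSV implementation. It uses the identities from the SMTP-session slide: the Return Address from MAIL FROM and the transmitter's IP address from the IP header (the HELO name and the header From address are forgeable and play no part). Registry data is a constructed dict standing in for the TXT lookups; the phrednet.com name is the HELO name from the session slide, fwd.example is a hypothetical forwarding service, all addresses are RFC 5737 documentation ranges, and the trust table represents the Receiver's own pre-arrangements with forwarders.

```python
import ipaddress

# Constructed stand-in for registry lookups: domain -> blocks its transmitters use.
REGISTRY = {
    'phrednet.com': ['192.0.2.0/28'],      # the Sender (HELO name on the session slide)
    'fwd.example': ['198.51.100.0/24'],    # a hypothetical forwarding service
}


def authorized(domain, ip):
    """Does `domain` authorize `ip` as a transmitter?  Unknown domains authorize nothing."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in REGISTRY.get(domain, []))


def owner_of(ip):
    """Which registered domain's block contains `ip`, i.e. who operates the transmitter."""
    addr = ipaddress.ip_address(ip)
    for domain, nets in REGISTRY.items():
        if any(addr in ipaddress.ip_network(n) for n in nets):
            return domain
    return None


def authenticate_path(return_address, hops, trust):
    """Evaluate IP-based authentication at every border MTA on the path.

    return_address: the MAIL FROM address (RFC 2821 envelope); only its domain is used.
    hops: [(transmitter_ip, receiving_domain), ...] from the first hop to the final
          Receiver.  The IP comes from the IP header, never from HELO or Received: lines.
    trust: receiving_domain -> set of forwarder domains it has a pre-arrangement with.

    A border MTA accepts a hop if the transmitter is authorized by the sender, or if the
    transmitter belongs to a forwarder the MTA trusts *and* that forwarder itself accepted
    an authenticated hop.  Returns (verdict, domain that vouched for the transmitter).
    """
    sender_domain = return_address.rsplit('@', 1)[-1].lower()
    verdict, voucher = 'fail', None
    for ip, receiver in hops:
        if authorized(sender_domain, ip):
            verdict, voucher = 'pass', sender_domain   # straight from the sender's transmitter
            continue
        forwarder = owner_of(ip)
        if verdict == 'pass' and forwarder in trust.get(receiver, set()):
            voucher = forwarder                        # the chain of trust holds through this hop
        else:
            verdict, voucher = 'fail', None            # unknown transmitter, or an untrusted/broken link
    return verdict, voucher
```

Two of the test paths are the interesting ones: the same forwarder IP yields a pass when open-mail.org has pre-arranged trust with fwd.example and a fail when it has not, and a crook who injects mail into fwd.example from an unauthorized address still fails at the final Receiver, because the forwarder's own border check (hop 1) broke the chain before the trusted hop was reached.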