Presentation is loading. Please wait.

Presentation is loading. Please wait.

SPF/Sender-ID DNS & DDoS Threats Internet Security Operations and Intelligence II Douglas Otis

Published byClyde Hicks Modified over 9 years ago

Similar presentations

Presentation on theme: "SPF/Sender-ID DNS & DDoS Threats Internet Security Operations and Intelligence II Douglas Otis"— Presentation transcript:

1 SPF/Sender-ID DNS & DDoS Threats Internet Security Operations and Intelligence II Douglas Otis Doug_Otis@trendmicro.com http://tools.ietf.org/html/draft-otis-spf-dos-exploit-01 http://tools.ietf.org/wg/dkim/draft-otis-dkim-dosp-02.txt

2 Copyright 2007 - Trend Micro Inc. 2 How SPF/Sender-ID uses DNS SPF/Sender-ID first passes initial parameters to a script parser SPF/Sender-ID stores scripts in TXT (16) or SPF (99) RRs SPF scripts might chain as many as 11 RRs using Redirect, Include, & Exp script based macro-expanded mechanisms SPF scripts may also contain any number of IPv4 or IPv6 inclusionary or exclusionary addresses using CIDR notation Each chained set may contain 10 macro-expanded mechanisms with domain name & CIDR overlays Mechanisms may resolve A, AAAA, MX, r-PTR or test the existence of A or AAAA using the Exist macro Mechanisms for MX or r-PTR may require 10 additional DNS transactions each. (10 x 10 = 100)

3 Copyright 2007 - Trend Micro Inc. 3 Initial parameters supplied to SPF scripts IP Address of SMTP client EHLO host-name (when not for Sender-ID) MAIL FROM email-address (when not for Sender-ID) Sender-ID replaces MAIL FROM with either: –RFC 2822 Resent-Sender email-address –RFC 2822 Resent-From email-address –RFC 2822 Sender email-address –RFC 2822 From email-address Some propose also checking DKIM domains

4 Copyright 2007 - Trend Micro Inc. 4 SPF amplification (prior canvassing assumed) SMTP ~8k bits per message (small message) DNS 2304 bit q + 2784 a = 5088 bits (example attack) DNS 5088 bits x 100 = 508 kbits / name evaluation 508 kbits / 8kbits = SPF op baseline amplification = 64:1 a: 508 kbit for ~ 64 kByte baseline b: 1-~3 names evaluated per message c: 1-~20 recipients per message d: 1-~3 evaluation points per recipient a x b x c x d Low (64 kByte x 1 x 1 x 1) = 64:1 for 508 kbits/msg Med (64 kByte x 1 x 2 x 2) = 320:1 for 2032 kbits/msg High (64 kByte x 3 x 20 x 3) = 11,430:1 for 91.4 mbit/msg

5 Copyright 2007 - Trend Micro Inc. 5 Estimating SPF related DDoS Potentials Each second: –An SMTP session is blocked per 16,400 mailboxes –A message is tagged per 7,040 mailboxes –A message is not tagged per 27,400 mailboxes Millions of compromised systems send > 70% of spam > 80% of email is spam 230 kbit/sec In & 278 kbit/sec Out per example SPF attack script 100k Bot campaign at a msg rate of one per minute and just 2 SPF ops/msg sent to an average of 10 recipients, delivers spam, and will reflect an attack at 8 Gb/s In and 10 Gb/s Out The attack is virtually free to the bad actors The victim may have had nothing to do with SPF or even email Congestions avoidance is circumvented in SPF libraries Millions of domains are added and deleted every day

6 Copyright 2007 - Trend Micro Inc. 6 Label Components created from SPF Macros %{symbol | rev-label-seq | # of right-most labels | chars into “.” } rev-label-seq = “r” chars into “.” = “-” | “+” | “,” | “/” | “_” | “=” # of right-most labels = 1 - 128 symbols = s = email-address or EHLO (initial parameter) l = left-hand side email-address (initial parameter) o = right-hand side of email-address (initial parameter) d = email-address domain or EHLO (initial parameter) i = SMTP client IP addr decimal octet labels (initial parameter) p = r-PTR domain with IP addr validated (not initial parameter) v = "in-addr" IPv4, or "ip6" if IPv6 (auto generated) h = EHLO host-name (initial parameter)

7 Copyright 2007 - Trend Micro Inc. 7 SPF/Sender-ID Deployment Increases Risk ~3% of domains with MX RR publish SPF Fortune 100 & Top 20 domains: –72% / 70% offer no SPF records – 6% / 10% SPF records fail Neutral –13% / 10% SPF records fail Softfail – 9% / 10% SPF records fail Fail Abusive sources: –77% offer no SPF records –0.2% SPF records Pass –14% SPF records offer Neutral results – 6% SPF records offer Softfail results –2.6% SPF records offer Fail results

8 Copyright 2007 - Trend Micro Inc. 8 Hard to detect SPF enabled attacks Flood of DNS traffic from highly distributed sources Sources within otherwise well managed domains Queries may exhibit large random names for: –Wildcard SPF RRs –Wildcard MX RRs –Invalid address records Packet source/destination addresses are valid Email logs do not explain the high level of DNS traffic Traffic originates from DNS serving access points & MTAs Attack concurrent with legitimate DNS traffic Might also be concurrent with suspicious poisoning traffic Might also be concurrent with a high level of DNS timeouts

9 Copyright 2007 - Trend Micro Inc. 9 Preventing SPF attacks Authenticate the client before evaluating message content Avoid processing scripts referenced from unknown clients If one must publish SPF for white-listing: –Publish just IP addresses –Terminate SPF scripts with '+all' to nullify advantage in using SPF script libraries When SPF/Sender-ID becomes widely deployed & exploited: –Establish AUPs that prohibit use of SPF script processing –Return 0 answers for records containing SPF scripts

10 Copyright 2007 - Trend Micro Inc. 10 Providers Hiding their Role in Spam Sender-ID may require more than 100 DNS transactions just to allow the SMTP client to remain nameless A safer approach: –Confirm SMTP client by the IP address –Associate the host-name (even an IP address literal) with originating domains within 1 small DNS transaction DKIM's unnecessary limitation on linking identities will force customers into giving provider's their private-keys or access to their DNS... Why? –Obscuring SMTP client domains avoids complaints. –Spam is someone else's problem, never the one sending it. –Customers are causing the problem, not us. –Providers don't care if MTAs become a major security risk.

11 Copyright 2007 - Trend Micro Inc. 11 DKIM (done just a little differently) DKIM still allows message replay, but Sender-ID does not offer a good fix. DKIM also expects providers to have use of their customer's keys which also greatly increases risks. A solution: Allow the identity within the signature to indicate on who's behalf the message is signed, even when domains differ. Provide a small single DNS lookup mechanism to associate originating domains with the signing domain (i.e. isp.com). isp.com as a sha1/base32 reference within example.com: hgssd3snmi6635j5743vdjhajkmpmfif._DKIM-F.example.com.

Download ppt "SPF/Sender-ID DNS & DDoS Threats Internet Security Operations and Intelligence II Douglas Otis"

Similar presentations

1 Eloqua Providing Industry-Leading Management Tools May 2009.

1 Eloqua Providing Industry-Leading Management Tools May 2009.
Email Deliverability @ Eloqua Providing Industry-Leading Email Management Tools.

Eloqua Providing Industry-Leading Management Tools.
Review iClickers. Ch 1: The Importance of DNS Security.

Review iClickers. Ch 1: The Importance of DNS Security.
IP Warming Overview and Implementation Using Eloqua.

IP Warming Overview and Implementation Using Eloqua.
TrustPort Net Gateway Email traffic protection. WWW.TRUSTPORT.COM Keep It Secure Entry point protection –Clear separation of the risky internet and secured.

TrustPort Net Gateway traffic protection. Keep It Secure Entry point protection –Clear separation of the risky internet and secured.
Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.

Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.
Addressing spam email and enforcing a Do Not Email Registry using a Certified Electronic Mail System Information Technology Advisory Group, Inc.

Addressing spam and enforcing a Do Not Registry using a Certified Electronic Mail System Information Technology Advisory Group, Inc.
Module 6 Implementing Messaging Security. Module Overview Deploying Edge Transport Servers Deploying an Antivirus Solution Configuring an Anti-Spam Solution.

Module 6 Implementing Messaging Security. Module Overview Deploying Edge Transport Servers Deploying an Antivirus Solution Configuring an Anti-Spam Solution.
DNSSEC & Email Validation Tiger Team DHS Federal Network Security (FNS) & Information Security and Identity Management Committee (ISIMC) Earl Crane Department.

DNSSEC & Validation Tiger Team DHS Federal Network Security (FNS) & Information Security and Identity Management Committee (ISIMC) Earl Crane Department.
Permission Keys in five easy steps Adrian McElligott

Permission Keys in five easy steps Adrian McElligott
© 2007 Convio, Inc. Implementation of Sender ID Bill Pease, Chief Scientist Convio.

© 2007 Convio, Inc. Implementation of Sender ID Bill Pease, Chief Scientist Convio.
DNSOP WG IETF-67 SPF/Sender-ID DNS & Internet Threat Douglas Otis

DNSOP WG IETF-67 SPF/Sender-ID DNS & Internet Threat Douglas Otis
DKIM WG IETF-67 DKIM Originating Signing Policy Douglas Otis

DKIM WG IETF-67 DKIM Originating Signing Policy Douglas Otis
1 Aug. 3 rd, 2007Conference on Email and Anti-Spam (CEAS’07) Slicing Spam with Occam’s Razor Chris Fleizach, Geoffrey M. Voelker, Stefan Savage University.

1 Aug. 3 rd, 2007Conference on and Anti-Spam (CEAS’07) Slicing Spam with Occam’s Razor Chris Fleizach, Geoffrey M. Voelker, Stefan Savage University.
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
EEC-484/584 Computer Networks Lecture 6 Wenbing Zhao

EEC-484/584 Computer Networks Lecture 6 Wenbing Zhao
Reporting Module for Gateway Yvonne Yao. Recap: What is the Gateway? Web-base e-mail system Create, schedule, send mailings Statistics collected and presented.

Reporting Module for Gateway Yvonne Yao. Recap: What is the Gateway? Web-base system Create, schedule, send mailings Statistics collected and presented.
1 Chapter 13: Representing Identity What is identity Different contexts, environments Pseudonymity and anonymity.

1 Chapter 13: Representing Identity What is identity Different contexts, environments Pseudonymity and anonymity.
Sender policy framework. Note: is a good reference source for SPFhttp://www.openspf.org/

Sender policy framework. Note: is a good reference source for SPFhttp://
0 EMAIL 5000 Series DATA MANAGEMENT. 1 Why Email? Alarm/Status Notification –Remote unattended sites »Pumping stations –Pharmaceutical/Plant maintenance.

Series DATA MANAGEMENT. 1 Why ? Alarm/Status Notification –Remote unattended sites »Pumping stations –Pharmaceutical/Plant maintenance.

Similar presentations

Ads by Google