On Thu, 2006-10-26 at 13:03 -0400, Steven M. Bellovin wrote:
On Thu, 26 Oct 2006 17:07:32 +0200, Florian Weimer <fw@deneb.enyo.de> wrote:
* Steven M. Bellovin:
As you note, the 20-25% figure (of addresses) has been pretty constant for quite a while. Assuming that subverted machines are uniformly distributed (a big assumption)
I doubt this assumption about distribution is valid. At least over here, consumer-grade ISPs (think DSL with dynamic IP addresses) apply ingress filters, while real ISPs don't. If you're lucky, you get egress filters at some border routers, but it's not standard at all. Customer-facing interfaces are generally unfiltered.
Those are good points. It would be interesting to look at the raw AS data and see what classes of organizations were represented. Unfortunately, that data is not publicly available, according to the FAQ for that project.
Microsoft no longer demands licensing for Sender-ID. Executing SPF scripts may become increasingly popular for validating SMTP clients against MAILFROM, PRA, or perhaps DKIM domains. SPF scripts can be far more malicious than even spoofed source reflective DNS attacks. Dozens of TXT or hundreds of A record transactions might be invoked by the recipients of each message. In addition to MTAs processing SPF script, popular applications like SpamAssassin executes a different script after an elapsed timeout of 5 seconds. Such short timeouts eliminate congestion avoidance. SPF is analogous to a complex lock where there is no obvious place for a key. One must trust a stranger to operate their own unique DNS based mechanism. The macro capability of this script also allows any element of an email-address to randomize DNS queries against any unseen victim domain. SMTP logs may not indicate who initiated an attack, nor indicate when an attack was in progress. BCP38 filtering or ACLs on recursive DNS will not offer protection from this exploit, which can achieve gains much higher than spoofed source reflective DNS attacks. Spam being sent through Bot farms has already set the stage for untraceable DNS attacks based upon SPF. In addition to taking out major interconnects, these attacks can: a) inundate authoritative DNS; b) requests A records from anywhere; c) probe IP address, port, and the transaction IDs of resolvers; While not as bad as eavesdropping, it still places the network and the integrity of DNS at risk. All of this while the spam is still being delivered. What a productivity tool! How is this attack detected? How is this attack avoided? -Doug