| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 10 Sep 2003 15:14:10 -0400 (EDT) From: "Greg A. Woods" <woods@...rd.com> To: Chris Brenton <cbrenton@...isbrenton.org> Cc: bugtraq@...urityfocus.com Subject: Re: Permitting recursion can allow spammers to steal name server resources [ On Tuesday, September 9, 2003 at 22:52:50 (-0400), Chris Brenton wrote: ] > Subject: Permitting recursion can allow spammers to steal name server resources > > _Executive Summary_ > The default configuration of many domain name servers (DNS) can leave > you vulnerable to cache spoofing attacks Note such attacks can still come from within your "trusted" networks so I'm not sure there's too much point to discussing this problem in relation to allowing global recursion. Often those same servers which are the target of spammers will also be specifically designed to supply recursive caching DNS for vast numbers of customer machines, some of which may already be "owned" by spammers who have employed cracker tools for this very purpose. The real problem here of course lies with the registrars, just as you've described. All registrars really must make 100% certain that they're not being fooled by what may only be in a server's cache when they check that a server is authoritative for the zone being delegated to it. Perhaps this can be done by instituting a policy to revoke registrar licenses when they fail to implement such checks properly. After all this is a much more important security issue than it is an anti-spam issue. > as well as allow spammers to > steal resources from your servers. No kidding! ;-) > Next the spammer seeks out name servers on the Internet that have been > mis-configured to act recursively for anyone. Unfortunately, this > appears to be a fairly easy task as testing we performed showed that an > overwhelming majority of the exposed name servers on the Internet act > recursively. This is because there is tremendous utility in allowing arbitrary persons to query a cache -- the lack of this ability makes debugging certain kinds of DNS related problems very difficult since it turns a two-second job into something that can stretch into days while people play telephone tag and such. As I'll show below I don't think there's any need to employ such drastic measures as completely disabling recursive lookups from public networks -- only limiting their impact. Note that spammers will also simply (ab)use third party open DNS servers to resolve MX records for the domains they are spamming to. This is happening on an increasing frequency and while it's usually very easy for the operators of the abused server(s) to block the offending spammer, such things to take time to discover and diagnose and may trigger customer complaints and dissatisfaction in the mean time. I've been hoping to find time soon to implement response rate limiting for BIND such that only a very limited number of queries per minute will be answered for all non-trusted networks. In the mean time it may be sufficient to use traffic shaping mechanisms to limit the amount of abuse to open cache servers while still allowing normal debugging efforts to procede un-hindered. Of course all this depends on the registrars implementing better checks to guarantee that their domains are only ever delegated to truly authoritative nameservers. As I point out at the beginning this really has to happen somehow regardless. Thank you very much for raising this issue in such a well written report! -- Greg A. Woods +1 416 218-0098 VE3TCP RoboHack <woods@...ohack.ca> Planix, Inc. <woods@...nix.com> Secrets of the Weird <woods@...rd.com>
Powered by blists - more mailing lists