Re: [Add] [EXTERNAL] Re: Malware adopting DoH

Andrew Campling <andrew.campling@419.consulting> Fri, 13 September 2019 19:51 UTC

From: Andrew Campling <andrew.campling@419.consulting>
To: Ted Lemon <mellon@fugue.com>, "Dixon, Hugh" <Hugh.Dixon=40sky.uk@dmarc.ietf.org>
CC: ADD Mailing list <add@ietf.org>
Thread-Topic: [Add] [EXTERNAL] Re: Malware adopting DoH
Thread-Index: AQHVamym1ek/1cmmNUOYQWmnV41F6w==
Date: Fri, 13 Sep 2019 19:51:37 +0000
Message-ID: <LO2P265MB1327B019F7A2F6004F275C31C2B30@LO2P265MB1327.GBRP265.PROD.OUTLOOK.COM>
References: <66DC417B-23BC-4AF7-916B-5BAE7E5D9635@sky.uk> <ED3464BD-37A7-4B6F-8327-508B0CB76A3E@fugue.com>
In-Reply-To: <ED3464BD-37A7-4B6F-8327-508B0CB76A3E@fugue.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/-qrySYeoO8nDTvPv0IQ-_fGrsp4>

On Sep 12, 2019, at 17:03, Ted Lemon <mellon@fugue.com> wrote:

> A question you might ask is, "how do we know that this malware is using DoH?"  Also, now that it is doing DoH, what new opportunities exist for stopping it?  Is it easier or harder to trick it?
>
> It's all very well and good to point out that it's using DoH and that this blocks certain mitigation strategies, but eg if Google can mitigate it centrally we might be better off, not worse off, as a whole.

If the centralisation potential of DoH takes effect as some anticipate, this would leave Google (and Cloudflare and other resolvers to a lesser extent) with significant control of the cybersecurity "market", both in terms of protection capability and also cyber intelligence gathering, crowding out specialist provision.  Much as I respect people in Google, from an antitrust perspective, as well as when considering innovation etc., I would urge people to be careful what they wish for!


Andrew