Re: [Add] [EXTERNAL] Re: Malware adopting DoH

Ted Lemon <mellon@fugue.com> Thu, 12 September 2019 16:03 UTC

From: Ted Lemon <mellon@fugue.com>
Mime-Version: 1.0 (1.0)
Date: Thu, 12 Sep 2019 12:03:15 -0400
Message-Id: <ED3464BD-37A7-4B6F-8327-508B0CB76A3E@fugue.com>
References: <66DC417B-23BC-4AF7-916B-5BAE7E5D9635@sky.uk>
Cc: ADD Mailing list <add@ietf.org>
In-Reply-To: <66DC417B-23BC-4AF7-916B-5BAE7E5D9635@sky.uk>
To: "Dixon, Hugh" <Hugh.Dixon=40sky.uk@dmarc.ietf.org>
X-Mailer: iPhone Mail (17A836)
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/87xns3AYipm7OT5CFCIusScJcBQ>

A question you might ask is, “how do we know that this malware is using DoH?”  Also, now that it is doing DoH, what new opportunities exist for stopping it?  Is it easier or harder to trick it?

It’s all very well and good to point out that it’s using DoH and that this blocks certain mitigation strategies, but e.g. if Google can mitigate it centrally we might be better off, not worse off, as a whole.

> On Sep 12, 2019, at 11:46, Dixon, Hugh <Hugh.Dixon=40sky.uk@dmarc.ietf.org> wrote:
> 
> 
> While it’s true that there have always been other methods than Do53 for Malware C&C and exfil, the thing is that the existence of DoH services from Google (and other very large-scale internet entities) is (IMHO) quite a distinct change in the availability of
> *the combination of* :
> Conventionally-encrypted (as opposed to stick-out-like-a-sore-thumb custom/obscure)
> Unauthenticated but via “public” infrastructure
> Globally anycast-by-design (i.e. not trivially IP-detected-and-blocked like static IPs)
> A wide spread of steady-flow “genuine” traffic (e.g. 24h peak-to-mean of ~ 2 for example for DNS) in which to hide
>  
> And possibly other things.
>  
> That doesn’t mean DoH isn’t a good thing as a DNS-on-the-wire-privacy and recursor-authentication protocol (as of course all these features are also what make it a great protocol for attempting to prevent downgrade attacks by what The Internet would call bad (network/nation-state) actors).  However, it does beg the question of (all) operators of DoH infrastructure as to whether they are delivering “a better internet” if they ignore the assistance to criminals that they offer if they don’t actively take a role against them.
> Of course there’s an argument that a crook-enabling DoH server is better than an NXDOMAIN-hacking ISP DNS. And a lot of ISPs don’t do any actively-bad stuff with DNS data/responses but do apply malware mitigation.
>  
> To address the question, perhaps the “what can we do about mitigating the opportunities for harm generated through innovation?” is the better end point?
> H
>  
> On 10/09/2019, 16:14, "Add on behalf of Alec Muffett" <add-bounces@ietf.org on behalf of alec.muffett@gmail.com> wrote:
>  
> On Mon, 9 Sep 2019, 22:16 Bret Jordan, <jordan.ietf@gmail.com> wrote:
> Just making sure people here have seen this..
>  
> https://www.proofpoint.com/us/threat-insight/post/psixbot-now-using-google-dns-over-https-and-possible-new-sexploitation-module
>  
>  
> One can only wonder how rapidly they adopted HTTPS to evade the "content fingerprinting" of anti-malware in the late 90s and early 2000s, and how the adoption curves compare?
>  
> Similarly for adopting Tor, also, of course. 
>  
> And WebRTC and Skype.
>  
> Not to mention those clever malware authors who hardcode IP addresses - that was a tremendous innovation in cyber badware.
>  
> Or were you suggesting that "innovation happens and bad people adopt it as well as good" somehow constitutes an argument towards some end?
>  
> -a
>  
> -- 
> Add mailing list
> Add@ietf.org
> https://www.ietf.org/mailman/listinfo/add
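Ted's question ("how do we know that this malware is using DoH?" and what new opportunities that creates) is the practical one. The following is an added example, not code from this thread or from the Proofpoint write-up: it builds RFC 8484 DoH GET requests in wire format and then parses them back out of constructed proxy log lines, recovering the DNS question from the base64url `dns=` parameter. On the wire itself a DoH query is just TLS to port 443 of a public resolver, so the caveat is that this only works where the request line is visible in cleartext, i.e. at a TLS-terminating proxy or an endpoint agent. `dns.google` is Google's public DoH endpoint (the resolver the linked Proofpoint post says PsiXBot uses); the other hostnames on the watch list, the log line format, and the addresses in the sample are assumptions made for the example. The parser is general: it handles any RFC 8484 GET, not just Google's.

```python
import base64
import struct
from urllib.parse import parse_qs, urlsplit

# Public DoH endpoints to watch for. dns.google is Google's resolver; the other
# two are assumed entries an operator might add (not taken from the thread).
DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}


def encode_qname(name: str) -> bytes:
    """Encode a domain name as DNS wire-format labels (RFC 1035 section 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_dns_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Minimal DNS query: 12-byte header (RD set, one question) plus the question.
    DoH clients normally use ID 0 so that GET URLs are cache-friendly (RFC 8484 4.1)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)


def build_doh_get_path(name: str, qtype: int = 1) -> str:
    """The GET form from RFC 8484 section 4.1: /dns-query?dns=<base64url, no padding>."""
    msg = build_dns_query(name, qtype)
    return "/dns-query?dns=" + base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")


def decode_qname(msg: bytes, offset: int):
    """Parse a wire-format name at offset; returns (name, offset after the name).
    A question section has no reason to use compression pointers, so reject them."""
    labels = []
    while True:
        ln = msg[offset]
        if ln == 0:
            return ".".join(labels), offset + 1
        if ln & 0xC0:
            raise ValueError("compression pointer in question")
        offset += 1
        labels.append(msg[offset:offset + ln].decode("ascii"))
        offset += ln


def parse_doh_get(path: str):
    """Return (qname, qtype) carried by a DoH GET path, or None if the path does
    not hold a well-formed single-question DNS query. Padding is restored first,
    since RFC 8484 strips it from the URL."""
    params = parse_qs(urlsplit(path).query)
    if "dns" not in params:
        return None
    b64 = params["dns"][0]
    b64 += "=" * (-len(b64) % 4)
    try:
        msg = base64.urlsafe_b64decode(b64)
        if len(msg) < 12:
            return None
        _id, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
        if flags & 0x8000 or qdcount != 1:  # QR bit set (a response) or not one question
            return None
        qname, off = decode_qname(msg, 12)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    except (ValueError, IndexError, struct.error):
        return None
    return qname, qtype


def find_doh_queries(log_lines):
    """Scan assumed 'client method host path' proxy lines and return
    (client, host, qname, qtype) for GET requests to known DoH hosts."""
    found = []
    for line in log_lines:
        client, method, host, path = line.split()
        if host not in DOH_HOSTS or method != "GET":
            continue  # POST bodies (application/dns-message) need body inspection instead
        q = parse_doh_get(path)
        if q:
            found.append((client, host) + q)
    return found


# Constructed sample log lines (not real telemetry). The DoH paths are generated
# with build_doh_get_path so the example is self-consistent.
SAMPLE_LOG = [
    "10.0.0.5 GET www.example.com /index.html",
    "10.0.0.5 GET dns.google " + build_doh_get_path("update.example.net"),
    "10.0.0.7 GET dns.google " + build_doh_get_path("example.org", 16),
    "10.0.0.9 POST dns.google /dns-query",
]

if __name__ == "__main__":
    for hit in find_doh_queries(SAMPLE_LOG):
        print(hit)
```

The point of the example is the opportunity Ted alludes to: once the query leaves the local resolver and rides HTTPS, it is invisible to a Do53-based RPZ or sinkhole, but it is fully recoverable by anything that terminates the TLS session, and the resolver operator sees it in the clear in any case. A client that POSTs the message instead of using GET, or that uses a resolver not on the watch list, slips past this particular check, which is why the host set and the method filter are the two knobs an operator would tune.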