Re: [Add] [EXTERNAL] Re: Malware adopting DoH

Andrew Campling <andrew.campling@419.consulting> Thu, 12 September 2019 19:44 UTC


On Mon, 12 Sep 2019, 12:25 Dixon, Hugh <Hugh.Dixon@sky.uk>  wrote:

While 'tis true that there have always been other methods than Do53 for malware C&C and exfil, the thing is that the existence of DoH services from Google (and other very large-scale internet entities) is (IMHO) quite a distinct change in the availability of *the combination of*:
- Conventionally-encrypted (as opposed to stick-out-like-a-sore-thumb custom/obscure)
- Unauthenticated but via “public” infrastructure
- Globally anycast-by-design (i.e. not trivially IP-detected-and-blocked like static IPs)
- A wide spread of steady-flow “genuine” traffic (e.g. 24h peak-to-mean of ~2 for example for DNS) in which to hide

And possibly other things.

That doesn’t mean DoH isn’t a good thing as a DNS-on-the-wire-privacy and recursor-authentication protocol (as of course all these features are also what make it a great protocol for attempting to prevent downgrade attacks by what The Internet would call bad (network/nation-state) actors).  However, it does beg the question of (all) operators of DoH infrastructure as to whether they are delivering “a better internet” if they ignore the assistance to criminals that they offer if they don’t actively take a role against them.
Of course there’s an argument that a crook-enabling DoH server is better than an NXDOMAIN-hacking ISP DNS. And a lot of ISPs don’t do any actively-bad stuff with DNS data/responses but do apply malware mitigation.

To address the question, perhaps the “what can we do about mitigating the opportunities for harm generated through innovation?” is the better end point?
H

I agree with the closing comment that the “opportunities for harm generated through” DoH need to be addressed, starting with information sharing on those harms as they are identified. Is anyone aware of other examples to add to the one that prompted this thread?

In terms of getting better information sharing, I wonder whether the proposed SMART research group could help here (see https://github.com/smart-rg/drafts for more information)?


Andrew