Re: [Add] [EXTERNAL] Re: Malware adopting DoH

"Dixon, Hugh" <Hugh.Dixon@sky.uk> Thu, 12 September 2019 11:25 UTC

From: "Dixon, Hugh" <Hugh.Dixon@sky.uk>
To: ADD Mailing list <add@ietf.org>
Date: Thu, 12 Sep 2019 11:25:27 +0000
Message-ID: <66DC417B-23BC-4AF7-916B-5BAE7E5D9635@sky.uk>
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/n3ETo7pSRUZkyR78GvKCjrchONc>

While 'tis true that there have always been other methods than Do53 for Malware C&C and exfil, the thing is that the existence of DoH services from Google (and other very large-scale internet entities) is (IMHO) quite a distinct change in the availability of
*the combination of*:
Conventionally-encrypted (as opposed to stick-out-like-a-sore-thumb custom/obscure)
Unauthenticated but via “public” infrastructure
Globally anycast-by-design (i.e. not trivially IP-detected-and-blocked like static IPs)
A wide spread of steady-flow “genuine” traffic (e.g. 24h peak-to-mean of ~ 2 for example for DNS) in which to hide

And possibly other things.

That doesn’t mean DoH isn’t a good thing as a DNS-on-the-wire-privacy and recursor-authentication protocol (as of course all these features are also what make it a great protocol for attempting to prevent downgrade attacks by what The Internet would call bad (network/nation-state) actors).  However, it does beg the question of (all) operators of DoH infrastructure as to whether they are delivering “a better internet” if they ignore the assistance to criminals that they offer if they don’t actively take a role against them.
Of course there’s an argument that a crook-enabling DoH server is better than an NXDOMAIN-hacking ISP DNS. And a lot of ISPs don’t do any actively-bad stuff with DNS data/responses but do apply malware mitigation.

To address the question, perhaps the “what can we do about mitigating the opportunities for harm generated through innovation?” is the better end point?
H

On 10/09/2019, 16:14, "Add on behalf of Alec Muffett" <add-bounces@ietf.org on behalf of alec.muffett@gmail.com> wrote:

On Mon, 9 Sep 2019, 22:16 Bret Jordan, <jordan.ietf@gmail.com> wrote:
Just making sure people here have seen this..

https://www.proofpoint.com/us/threat-insight/post/psixbot-now-using-google-dns-over-https-and-possible-new-sexploitation-module


One can only wonder how rapidly they adopted HTTPS to evade the "content fingerprinting" of anti-malware in the late 90s and early 2000s, and how the adoption curves compare?

Similarly for adopting Tor, also, of course.

And WebRTC and Skype.

Not to mention those clever malware authors who hardcode IP addresses - that was a tremendous innovation in cyber badware.

Or were you suggesting that "innovation happens and bad people adopt it as well as good" somehow constitutes an argument towards some end?

-a
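Added example, not part of the thread: a small defender-side script that walks constructed proxy-log lines (timestamp, source IP, TLS SNI, bytes), flags hosts talking to public DoH resolvers that are not the sanctioned one, and computes the per-host hourly peak-to-mean ratio, the "steady-flow" figure Hugh's post cites as the cover that C&C traffic can hide in. The resolver hostnames (dns.google, cloudflare-dns.com, dns.quad9.net, doh.corp.example), the log format and the sample lines are all assumptions.

```python
from collections import Counter, defaultdict

# Assumed hostnames of public DoH services; dns.google stands in for the
# Google service the thread mentions. doh.corp.example is the assumed
# sanctioned enterprise resolver, so sessions to it are not flagged.
PUBLIC_DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}
SANCTIONED_DOH = {"doh.corp.example"}
DOH_HOSTS = PUBLIC_DOH_HOSTS | SANCTIONED_DOH

# Constructed log: 10.0.0.5 beacons once per hour, 10.0.0.7 looks like a
# person's browser, 10.0.0.9 only uses the sanctioned resolver.
SAMPLE_LOG = [f"{h:02d}:00:00 10.0.0.5 dns.google 900" for h in range(24)] + [
    "10:05:11 10.0.0.7 dns.google 1200",
    "10:07:40 10.0.0.7 dns.google 800",
    "14:12:03 10.0.0.7 dns.google 950",
    "09:30:00 10.0.0.9 doh.corp.example 700",
    "11:00:00 10.0.0.9 www.example.com 5000",
]

def parse_line(line):
    """Parse one constructed 'HH:MM:SS src_ip sni bytes' record."""
    ts, src, sni, nbytes = line.split()
    return {"hour": int(ts.split(":")[0]), "src": src, "sni": sni, "bytes": int(nbytes)}

def find_doh(lines):
    """Map src -> Counter(sni) for DoH sessions to non-sanctioned resolvers."""
    hits = defaultdict(Counter)
    for rec in map(parse_line, lines):
        if rec["sni"] in DOH_HOSTS and rec["sni"] not in SANCTIONED_DOH:
            hits[rec["src"]][rec["sni"]] += 1
    return hits

def peak_to_mean(lines, src):
    """Hourly peak-to-mean ratio of one host's DoH sessions over 24 buckets.
    A machine beacon that fires every hour comes out near 1.0; bursty human
    use comes out much higher. Empty hours count as zero."""
    per_hour = Counter()
    for rec in map(parse_line, lines):
        if rec["src"] == src and rec["sni"] in DOH_HOSTS:
            per_hour[rec["hour"]] += 1
    if not per_hour:
        return 0.0
    return max(per_hour.values()) / (sum(per_hour.values()) / 24)

def report(lines):
    """(src, resolver, session_count, peak_to_mean) for every flagged host."""
    out = []
    for src, snis in find_doh(lines).items():
        for sni, n in snis.items():
            out.append((src, sni, n, round(peak_to_mean(lines, src), 2)))
    return sorted(out)
```

The flat ratio on 10.0.0.5 is the signal the post's argument implies a detector has to look for once the resolver itself is a globally used, conventionally encrypted endpoint.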




