IETF Logo Mail Archive

Re: [Asrg] DNS-based Email Sender Authentication Mechanisms: aCritical Review

Florian Weimer <fw@deneb.enyo.de> Sun, 31 May 2009 09:32 UTC

Return-Path: <fw@deneb.enyo.de>
X-Original-To: asrg@core3.amsl.com
Delivered-To: asrg@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id BAC143A694D for <asrg@core3.amsl.com>; Sun, 31 May 2009 02:32:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.17
X-Spam-Level:
X-Spam-Status: No, score=-1.17 tagged_above=-999 required=5 tests=[AWL=0.479, BAYES_00=-2.599, HELO_EQ_DE=0.35, J_CHICKENPOX_34=0.6]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6UjzqFqOCJp8 for <asrg@core3.amsl.com>; Sun, 31 May 2009 02:32:18 -0700 (PDT)
Received: from mail.enyo.de (mail.enyo.de [212.9.189.167]) by core3.amsl.com (Postfix) with ESMTP id A88FC3A6841 for <asrg@ietf.org>; Sun, 31 May 2009 02:32:17 -0700 (PDT)
Received: from deneb.vpn.enyo.de ([212.9.189.177] helo=deneb.enyo.de) by mail.enyo.de with esmtp id 1MAhQW-0008UE-R2 for asrg@ietf.org; Sun, 31 May 2009 11:34:00 +0200
Received: from fw by deneb.enyo.de with local (Exim 4.69) (envelope-from <fw@deneb.enyo.de>) id 1MAhQW-0002in-G7 for asrg@ietf.org; Sun, 31 May 2009 11:34:00 +0200
From: Florian Weimer <fw@deneb.enyo.de>
To: asrg@ietf.org
References: <003d01c9dd01$bf3531d0$800c6f0a@china.huawei.com> <4A1A45BA.5030704@swin.edu.au> <3be421270905250718y5d62f6d5odb6f2bebecf418d0@mail.gmail.com> <6684E747-55CB-4BB3-B838-9F4FE906AFE7@mail-abuse.org> <200905251603.MAA16221@Sparkle.Rodents-Montreal.ORG> <CCE0A3E1-4BCB-460C-AEA0-6548BB4AE8FE@mail-abuse.org> <4A1D64C9.5060505@tana.it> <47BC2197-472E-4615-97D2-F7E42B8F3B7D@mail-abuse.org> <87d49rraqd.fsf@mid.deneb.enyo.de> <892F581E-BCE7-48D2-B6C3-429F56B3A3F5@mail-abuse.org>
Date: Sun, 31 May 2009 11:34:00 +0200
In-Reply-To: <892F581E-BCE7-48D2-B6C3-429F56B3A3F5@mail-abuse.org> (Douglas Otis's message of "Fri, 29 May 2009 16:24:21 -0700")
Message-ID: <873aal4nw7.fsf@mid.deneb.enyo.de>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Subject: Re: [Asrg] DNS-based Email Sender Authentication Mechanisms: aCritical Review
X-BeenThere: asrg@irtf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
List-Id: Anti-Spam Research Group - IRTF <asrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/asrg>
List-Post: <mailto:asrg@irtf.org>
List-Help: <mailto:asrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sun, 31 May 2009 09:32:18 -0000

* Douglas Otis:

> On May 29, 2009, at 12:05 PM, Florian Weimer wrote:
>
>> * Douglas Otis:
>>
>>>> Just using TCP would prevent most of the DNS poisoning attacks
>>>> that Amir's paper reports.
>>>
>>> TCP is prone to DDoS attack.
>>
>> Only when implemented naively.  If the client does not split the
>> query into two packets or artificially lowers the window size, you
>> can answer it without creating any state.
>
> Any modification to TCP that bypasses SYN/ACK handshakes for full-
> duplex data is not TCP.

>From the point of view of a compliant connection initiator, it is
hardly distinguishable from a more traditional implementation.

> This approach omits source verification, and therefore is unable to
> mitigate spoofed reflected attacks.

The packet count would not even be higher than ordinary TCP.  If you
send a spoofed SYN to a compliant TCP server, it sends back three to
five SYN+ACKs, until it receives an ACK or an RST.  Bandwidth is a
different matter, but that could be addressed by CNAME cookies
(although Cisco's patent may apply to that).

> The same effect could be achieved using EDNS0 options that extend
> both transaction-ids as well as packet size.

Not really, EDNS0 is not suitable for communicating support of an
extended query ID.

>> The argument against TCP is not the protocol.  It's just that you
>> have to upgrade both authoritative servers and resolvers to make it
>> work well.
>
> Huh? Why suggest radical changes to the TCP protocol, and then, in the
> same breath, say the problem is not the protocol?

A lot of this has already been tried and proven in the HTTP context.
Claims that "TCP doesn't scale" or that "TCP is vulnerable to DoS
attacks" always sound very hollow to me.  DNS handles a fraction of
the requests processed by HTTP and SMTP, and yet it can't be run on
TCP for protocol reasons?  Come on.

> Defending against DDoS attack was never a major consideration during
> early TCP or UDP development.  Bot-nets weren't the problem they are
> today.  Bastardizing TCP, rather than adopting properly designed
> protocols, is unlikely to provide a solutions, but instead likely to
> create new vulnerabilities.

It's already being done for HTTP, and maybe to a lesser extent, for
SMTP.

I'm not saying that it make sense to upgrade the DNS infrastructure so
that it can smoothly handle a TCP-centric load.  Such a massive
upgrade could be better used to roll out something different.  But TCP
itself is not the problem.  In fact, experience with DoS attacks
against TCP services means that you've got a portfolio of solutions to
deal with attacks, something that would have yet to be developed for a
hypothetical non-TCP transport.

v2.23.0 | Report a Bug | By Email