Re: [Crisp] IRIS-LWZ and security issues due to spoofed sources

William Leibzon <william@completewhois.com> Mon, 27 February 2006 11:51 UTC

Date: Mon, 27 Feb 2006 05:39:39 -0800
From: William Leibzon <william@completewhois.com>
To: CRISP WG <crisp@ietf.org>
Subject: Re: [Crisp] IRIS-LWZ and security issues due to spoofed sources
In-Reply-To: <Pine.LNX.4.64.0602270503580.9385@cwhois1.completewhois.com>
Message-ID: <Pine.LNX.4.64.0602270532250.9385@cwhois1.completewhois.com>
References: <Pine.LNX.4.64.0602270503580.9385@cwhois1.completewhois.com>

BTW - Don't assume that this is quite as much an issue for IRIS as it is
for DNS. While the problem is basically the same, the number of IRIS servers
that are going to be run around this world is likely going to be several
orders of magnitude smaller than the number of DNS servers, so really the number of
targets for miscreants to abuse would be very small and they would have to
send lots of requests to each server to accomplish something.

So the issue for IRIS server operators would be to know that spoofed
packets are a possibility and this is something that miscreants can use for
an amplification attack (so don't send too large a response to an anonymous UDP
request) and to deploy mechanisms that stop sending responses if too many
requests appear from a particular source through IRIS-LWZ.

On Mon, 27 Feb 2006, William Leibzon wrote:

> There have been a lot of discussions going on in the last few days
> at NANOG and other DNS operations lists that are related to the issue of
> public recursive DNS servers being used as a way to amplify an attack:
> http://www.gossamer-threads.com/lists/nanog/users/89657
> http://lists.oarci.net/pipermail/dns-operations/2006-February/thread.html
>
> The general description of the problem is that bad guys are sending
> spoofed UDP packets to servers in a way so that the servers would send data
> (to the spoofed source) that is considerably larger than the original request -
> thus the amplification. For more information, you may want to read
> http://www.us-cert.gov/reading_room/DNS-recursion121605.pdf
>
> Now it occurs to me that the same problem may also happen with those
> using the IRIS-LWZ UDP method, as the IRIS response is very likely to be larger than
> the original request and thus there is a possibility of amplification.
>
> So before it's too late and the IRIS-LWZ draft is published as an RFC,
> I think we need to have this possibility documented in the Security
> Considerations section (which is rather small right now...) and try
> to come up with some suggestions on how to deal with the problem when people
> want to run a public IRIS server.
>
> ---
> William Leibzon
>  mailto: william@completewhois.com
> Anti-Spam and Email Security Research Worksite:
>  http://www.elan.net/~william/emailsecurity/
> Whois & DNS Network Investigation Tools:
>  http://www.completewhois.com
>
> _______________________________________________
> Crisp mailing list
> Crisp@ietf.org
> https://www1.ietf.org/mailman/listinfo/crisp
>

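The two operator-side mitigations William describes (don't send an oversized response to an anonymous UDP query, and stop answering a source that sends too many queries) as an added example; this is illustration code, not part of the post, the IRIS-LWZ draft or any IRIS implementation. The policy numbers, the "truncate" outcome (assumed to mean: send a minimal reply telling the client to retry over TCP), and the traffic trace are all constructed assumptions.

```python
"""Per-source gate in front of a UDP query/response service such as IRIS-LWZ.

Check 1: cap the response/request byte ratio for unauthenticated UDP queries,
so a spoofed 60-byte query cannot pull a 1400-byte reply toward the victim.
Check 2: token bucket per source address, so a flood of queries "from" one
victim stops being answered after the burst allowance is spent.
"""
import time
from collections import defaultdict
from dataclasses import dataclass

MAX_AMPLIFICATION = 3.0   # assumed policy: reply at most 3x the request size over UDP
RATE_LIMIT_PER_SEC = 5.0  # assumed policy: sustained queries per source per second
BURST = 10                # assumed policy: token bucket depth per source

@dataclass
class Bucket:
    tokens: float = BURST
    last: float = 0.0

class ResponseGate:
    def __init__(self, now=time.monotonic):
        self.now = now                       # injectable clock for replay/testing
        self.buckets = defaultdict(Bucket)   # one bucket per source IP

    def decide(self, src_ip, request_len, response_len):
        """Return 'send', 'truncate' (client should retry over TCP) or 'drop'."""
        b = self.buckets[src_ip]
        t = self.now()
        b.tokens = min(BURST, b.tokens + (t - b.last) * RATE_LIMIT_PER_SEC)
        b.last = t
        if b.tokens < 1.0:
            return "drop"            # this source is over its rate: answer nothing
        b.tokens -= 1.0
        if response_len > request_len * MAX_AMPLIFICATION:
            return "truncate"        # never amplify more than policy allows over UDP
        return "send"

# Constructed trace: (seconds, source IP, request bytes, response bytes).
# One ordinary query, then a burst of 15 spoofed queries "from" 203.0.113.9
# whose full answer would be 1400 bytes, then one more from it five seconds later.
SAMPLE_TRACE = ([(0.0, "198.51.100.7", 60, 120)]
                + [(0.0, "203.0.113.9", 60, 1400)] * 15
                + [(5.0, "203.0.113.9", 60, 1400)])

def replay(trace):
    """Run a trace through a fresh gate with a fake clock; return (src, decision) pairs."""
    clock = [0.0]
    gate = ResponseGate(now=lambda: clock[0])
    out = []
    for t, src, req, resp in trace:
        clock[0] = t
        out.append((src, gate.decide(src, req, resp)))
    return out
```

In the sample trace the first ten spoofed queries get the small "retry over TCP" reply, the next five are dropped outright, and the bucket has refilled by the query at t=5.0.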