Re: [Crisp] IRIS-LWZ and security issues due to spoofed sources
William Leibzon <william@completewhois.com> Mon, 27 February 2006 11:51 UTC
Date: Mon, 27 Feb 2006 05:39:39 -0800
From: William Leibzon <william@completewhois.com>
To: CRISP WG <crisp@ietf.org>
Subject: Re: [Crisp] IRIS-LWZ and security issues due to spoofed sources
In-Reply-To: <Pine.LNX.4.64.0602270503580.9385@cwhois1.completewhois.com>
Message-ID: <Pine.LNX.4.64.0602270532250.9385@cwhois1.completewhois.com>
References: <Pine.LNX.4.64.0602270503580.9385@cwhois1.completewhois.com>
BTW - Don't assume that this is quite as much an issue for IRIS as it is for DNS. While the problem is basically the same, the number of IRIS servers that are going to be run around this world is likely going to be several orders of magnitude smaller than the number of DNS servers, so really the number of targets for miscreants to abuse would be very small and they would have to send lots of requests to each server to accomplish something. So the issue for IRIS server operators is to know that spoofed packets are a possibility and this is something that miscreants can use for an amplification attack (so don't send too large a response to an anonymous UDP request) and to deploy mechanisms that stop sending responses if too many requests appear from a particular source through IRIS-LWZ.

On Mon, 27 Feb 2006, William Leibzon wrote:

> There have been a lot of discussions going on in the last few days
> at NANOG and other DNS operations lists that are related to the issue of
> public recursive DNS servers being used as a way to amplify an attack:
> http://www.gossamer-threads.com/lists/nanog/users/89657
> http://lists.oarci.net/pipermail/dns-operations/2006-February/thread.html
>
> The general description of the problem is that bad guys are sending
> spoofed UDP packets to servers in a way so that the servers would send data
> (to the spoofed source) that is considerably larger than the original request -
> thus the amplification. For more information, you may want to read
> http://www.us-cert.gov/reading_room/DNS-recursion121605.pdf
>
> Now it occurs to me that the same problem may also happen with those
> using the IRIS-LWZ UDP method, as an IRIS response is very likely to be larger than
> the original request and thus there is a possibility of amplification.
>
> So before it's too late and the IRIS-LWZ draft is published as an RFC,
> I think we need to have this possibility documented in the Security
> Considerations section (which is rather small right now...) and try
> to come up with some suggestions on how to deal with the problem when people
> want to run a public IRIS server.
>
> ---
> William Leibzon
> mailto: william@completewhois.com
> Anti-Spam and Email Security Research Worksite:
> http://www.elan.net/~william/emailsecurity/
> Whois & DNS Network Investigation Tools:
> http://www.completewhois.com
>
> _______________________________________________
> Crisp mailing list
> Crisp@ietf.org
> https://www1.ietf.org/mailman/listinfo/crisp

_______________________________________________
Crisp mailing list
Crisp@ietf.org
https://www1.ietf.org/mailman/listinfo/crisp
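The two mitigations the message proposes for a public IRIS-LWZ server (cap the size of a UDP reply to an unverified source, and stop answering a source that sends too many requests) sketched as a responder-side guard. This is an added illustration, not code from the IRIS-LWZ draft or from the poster; the policy numbers and the short "too big" reply are assumed placeholders, not anything the LWZ specification defines.

```python
import time
from collections import defaultdict, deque

# Policy values are assumed for illustration; a real deployment would tune them.
MAX_ANON_RESPONSE_BYTES = 512   # never send more than this to an unverified UDP source
MAX_AMPLIFICATION = 2.0         # a reply may be at most 2x the size of the request
RATE_WINDOW_SECONDS = 10.0
MAX_REQUESTS_PER_WINDOW = 20    # per source address within the window

# Hypothetical short "response too large, retry over a connected transport"
# reply; it stands in for whatever real signalling a server would use.
TOO_BIG_REPLY = b"LWZ-TOO-BIG;USE-TCP"


class LwzResponderGuard:
    """Decides whether, and with what, a UDP IRIS request should be answered."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._recent = defaultdict(deque)  # source -> request timestamps in window

    def _requests_in_window(self, source, now):
        q = self._recent[source]
        while q and now - q[0] > RATE_WINDOW_SECONDS:
            q.popleft()
        q.append(now)
        return len(q)

    def decide(self, source, request_len, full_response):
        """Return ("drop" | "send" | "too_big", payload) for one request."""
        now = self._clock()
        # A spoofed victim address looks exactly like a source flooding us with
        # requests, so going silent on it is what protects the victim.
        if self._requests_in_window(source, now) > MAX_REQUESTS_PER_WINDOW:
            return "drop", b""
        limit = min(MAX_ANON_RESPONSE_BYTES, int(request_len * MAX_AMPLIFICATION))
        if len(full_response) <= limit:
            return "send", full_response
        # Too large to hand to an unverified source: send the short signal instead,
        # and not even that if it would itself exceed the amplification budget.
        if len(TOO_BIG_REPLY) > limit:
            return "drop", b""
        return "too_big", TOO_BIG_REPLY


if __name__ == "__main__":
    guard = LwzResponderGuard()
    # Constructed sample: a 60-byte request that would produce a ~2 KB XML reply.
    print(guard.decide("198.51.100.7", 60, b"<iris>" + b"x" * 2000 + b"</iris>"))
```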