Re: [DNSOP] DNSOP: question about hardening "something like mDNS" against attacks

Toerless Eckert <tte@cs.fau.de> Mon, 26 October 2020 16:59 UTC

Return-Path: <eckert@i4.informatik.uni-erlangen.de>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D98CC3A0D40 for <dnsop@ietfa.amsl.com>; Mon, 26 Oct 2020 09:59:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.649
X-Spam-Level:
X-Spam-Status: No, score=-1.649 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.25, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ds6Yos7QlYpD for <dnsop@ietfa.amsl.com>; Mon, 26 Oct 2020 09:59:21 -0700 (PDT)
Received: from faui40.informatik.uni-erlangen.de (faui40.informatik.uni-erlangen.de [131.188.34.40]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 29E013A0D3B for <dnsop@ietf.org>; Mon, 26 Oct 2020 09:59:20 -0700 (PDT)
Received: from faui48f.informatik.uni-erlangen.de (faui48f.informatik.uni-erlangen.de [131.188.34.52]) by faui40.informatik.uni-erlangen.de (Postfix) with ESMTP id 7873654843F; Mon, 26 Oct 2020 17:59:15 +0100 (CET)
Received: by faui48f.informatik.uni-erlangen.de (Postfix, from userid 10463) id 6F714440059; Mon, 26 Oct 2020 17:59:15 +0100 (CET)
Date: Mon, 26 Oct 2020 17:59:15 +0100
From: Toerless Eckert <tte@cs.fau.de>
To: Ted Lemon <mellon@fugue.com>
Cc: dnsop@ietf.org, kaduk@mit.edu
Message-ID: <20201026165915.GA40654@faui48f.informatik.uni-erlangen.de>
References: <20201025192456.GG48111@faui48f.informatik.uni-erlangen.de> <539093D8-97C4-448F-A9C4-288C2586BC51@fugue.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <539093D8-97C4-448F-A9C4-288C2586BC51@fugue.com>
User-Agent: Mutt/1.10.1 (2018-07-13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/8BgFeTJpYRmQCdS4g48hAEZAtF8>
Subject: Re: [DNSOP] DNSOP: question about hardening "something like mDNS" against attacks
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Oct 2020 16:59:24 -0000

Thanks, Ted.

I agree with your overall assesment, but the question was what
an implementation should do in the face of a particular pre-existing
condition: Aka: With mDNS or GRASP as they both stand today
(me of course right now primarily interest in GRASP< but if
 implementation/operational guidance for mDNS existed, i could simply
 point to that).

The networks where i am worried are not home networks,
but something like an office park network, where supposedly each
tenant (company) should have gotten their disjoint L2 domains, ... and then
they didn't. And one of the tenants has a "funny" network engineer/hacker.

So, eliminate for your assessment the option of better
protocols. Now, why would this heuristic then still be
"very bad" ? To me it just eliminates the benefits of
dynamic port signaling when there is an attack. And has no
impact under no attack.

Cheers
    Toerless

On Sun, Oct 25, 2020 at 03:41:26PM -0400, Ted Lemon wrote:
> That would be a very bad heuristic. The whole point of SRV records is to eliminate the dependency on reserve ports. 
> 
> Really this is a non problem. We are not seeing this on home networks at present, because it???s just not an interesting attack. But supposing that we wanted to do something about it, the way to do so would be twofold. 
> 
> First, use protocols that allow for establishment of trust so that an on link spammer???s offered service can???t mimic a trusted service. E.g., use self signed certs and TOFU to prevent spoofing. 
> 
> Second, switch away from Multicast to DNSSD over DNS, and establish trust that way. If services register using DNSSD Service Registration Protocol, FCFS naming prevents spoofing of trusted services. 
> 
> Of course there always has to be a trust establishment process, like BRSKI. 
> 
> I???m sure that something similar can be done with anima. 
> 
> > On Oct 25, 2020, at 15:25, Toerless Eckert <tte@cs.fau.de> wrote:
> > 
> > ???Ben Kaduk (SEC AD) was wondering about the appropriateness of a hardening suggestion
> > in draft-ietf-anima-autonomic-control-plane-29. Let me translate this into
> > mDNS, even though its about GRASP, but IMHO for the purpose of this issue
> > its equivalent:
> > 
> > Node wants to discover on a LAN a particular service and unfortunately, attackers
> > on the LAN want to spam it.  For example by sending out a significant number
> > of false mDNS messages claiming the service is available on a variety of 
> > of ports (lets keep attacks against other serive parts like the I address
> > out of this). And in effect, the node will attempt a lot of service instantiations
> > to bogus ports.
> > 
> > Now, in one case, the service may have an IANA registered well-known TCP or UDP
> > port number. So the hardening recommendation in our draft text is that if a lot
> > of answers are received AND the node knows that there is a well-known port, then
> > it should prioritize trying the service over that well known port.
> > 
> > Any reason why this would not be a good obvious heuristic ?
> > Has this been considered for mDNS alreay anywhere (rfc ?).
> > 
> > Of course, if there is no well known port, this does not help. And if
> > the non-attacker can only offer a service with a well-known port number only
> > on a non-well-known port number, than it actually hurts, but i think those
> > are unavoidable limitations. And it easily spells out that one of the
> > key benefits of getting a well-known port number for something is to
> > be able to avoid having to guess in the face of such attacks, when discovery
> > of port number can not be secured.
> > 
> > Aka: In our case we have one potential upcoming service over DTLS, and
> > this text could help decide later on if we wanted to apply for a
> > well-known port number for this service if we get operational experience
> > that that could help in conjunction with this hardening recommendation.
> > 
> > Cheers
> >    Toerless
> > 
> > P.S.: for original text in subject draft look for "Attackers on a subnet may be able to inject malicious"
> > 
> > _______________________________________________
> > DNSOP mailing list
> > DNSOP@ietf.org
> > https://www.ietf.org/mailman/listinfo/dnsop

-- 
---
tte@cs.fau.de