Re: [Shutup] [ietf-smtp] Levels of proposals

Ted Lemon <mellon@fugue.com> Fri, 04 December 2015 02:39 UTC

Return-Path: <mellon@fugue.com>
X-Original-To: shutup@ietfa.amsl.com
Delivered-To: shutup@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CA33E1B2A32; Thu, 3 Dec 2015 18:39:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.912
X-Spam-Level:
X-Spam-Status: No, score=-1.912 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XE69xXVUsXrC; Thu, 3 Dec 2015 18:39:39 -0800 (PST)
Received: from fugue.com (mail-2.fugue.com [IPv6:2a01:7e01::f03c:91ff:fee4:ad68]) by ietfa.amsl.com (Postfix) with ESMTP id 30F711B2A2D; Thu, 3 Dec 2015 18:39:38 -0800 (PST)
Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="----sinikael-?=_1-14491967752630.3112983494065702"
From: Ted Lemon <mellon@fugue.com>
To: shutup@ietf.org
In-Reply-To: <87k2ov7xly.fsf@hope.eyrie.org>
References: <CABa8R6vfT-9=51B32++eUAVeq5xuhTNUuv62yeO+W6AErRFnDQ@mail.gmail.com> <5660F3A1.7060807@mustelids.ca> <1449195108085-9ef6f394-96f931b3-20b99bd2@fugue.com> <87k2ov7xly.fsf@hope.eyrie.org>
Date: Fri, 04 Dec 2015 02:39:35 +0000
Message-Id: <1449196775597-73137a19-d32873ba-cad85c2a@fugue.com>
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/shutup/XHgOngMZNpvs7pkm35lZiVCou_g>
Cc: ietf-smtp@ietf.org
Subject: Re: [Shutup] [ietf-smtp] Levels of proposals
X-BeenThere: shutup@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: SMTP Headers Unhealthy To User Privacy <shutup.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/shutup>, <mailto:shutup-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/shutup/>
List-Post: <mailto:shutup@ietf.org>
List-Help: <mailto:shutup-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/shutup>, <mailto:shutup-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Dec 2015 02:39:41 -0000

Thursday, Dec 3, 2015 9:31 PM Russ Allbery wrote:
> Standard practice for attackers these days is to automate attacks on any
> sort of password-protected system, whether that be web pages,
> authentication providers, or anything else that takes a password.  Usually
> this is done by taking some list of common passwords and some list of
> account names and just brute-forcing combinations, although some attackers
> do more sophisticated things.
> 
> Obviously, that sort of brute force approach is easy to detect and
> throttle, so the next step in the arms race was for attackers to use large
> networks of compromised machines, usually home machines behind DSL and
> cable modem links, each of which tries a small number of passwords against
> a variety of targets to stay below the radar.  Those machines were
> generally compromised via malware of some kind and are part of a botnet,
> without the knowledge of the user of the machine.

Thanks for explaining!

I am still a bit puzzled: how does increasing the number of attackers help to bypass the throttling mechanism?   Why isn't the throttle per id/password pair, rather than per ip-address/password/id triple?

Secondarily, if distributed processing makes throttling per id/password pair difficult, why is it hard to do the botnet IP address matching at the authentication point?   This seems like it would avoid a _lot_ of extra processing.


--
Sent from Whiteout Mail - https://whiteout.io

My PGP key: https://keys.whiteout.io/mellon@fugue.com