[ietf-dkim] Attack scenario (was: New Version Notification for draft-ietf-dkim-ssp-05(fwd))
nobody at xyzzy.claranet.de
Thu Aug 7 08:38:58 PDT 2008
Charles Lindsey wrote:
Seconding all nits you found, one quick remark:
>| ADSP checkers may perform multiple DNS lookups per Alleged Author
>| Domain. Since these lookups are driven by domain names in email
>| message headers of possibly fraudulent email, legitimate ADSP
>| checkers can become participants in traffic multiplication attacks.
> I am not at all clear just how such an attack would work.
You'd pick a victim domain, say example.org, and receivers known
to check ADSP. You send a huge amount of malicious mails to the
ADSP checkers (or to random receivers, hoping that some of them
check ADSP) using a botnet rented for the attack.
Each mail contains many From:-addresses at different subdomains
of example.org, preferably *long* random subdomains, the goal is
to overload the name servers for example.org with query traffic.
It's not clear if that actually works, but Doug has claimed for years
that it could work. He uses a convoluted SPF scenario, and does
not like limiting factors like "ten" in this case, but ignoring
such details there is a clear amplification in SPF or, here, ADSP.
IOW the attacker can get third parties (receivers) to flood the
victim with long DNS queries for non-existing subdomains.
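The scenario sketched in the message above, as an added example that is not part of the original post, the draft, or anyone's ADSP implementation: a toy ADSP checker driven by a fake resolver that only counts the queries the victim's authoritative servers would see. Everything here is an assumption for illustration, in particular the two lookups per author domain (an existence check followed by a TXT query for _adsp._domainkey.<domain>, the record name used by draft-ietf-dkim-ssp), the rough DNS wire-size arithmetic, the one-From:-header message shape, and the "cap the number of domains looked up per message" mitigation used for contrast.

```python
"""Constructed model of the ADSP traffic-multiplication scenario. A naive
checker looks up every author domain it finds; a capped checker stops after
a fixed number. The resolver is a fake that only counts queries, so this
runs offline. Lookup names, the two-queries-per-domain shape and the wire
sizes are assumptions made for the example, not taken from any draft."""
import random
import re
import string

DNS_HEADER = 12      # assumed fixed DNS message header size
QTYPE_QCLASS = 4     # qtype + qclass in the question section


def qname_wire_size(name):
    """Approximate size of one DNS query for `name`: header, encoded qname
    (one length byte per label plus the root byte), qtype and qclass."""
    return DNS_HEADER + len(name) + 2 + QTYPE_QCLASS


class CountingResolver:
    """Stand-in resolver: records every query that would reach the victim
    zone's authoritative servers and answers NXDOMAIN for everything."""

    def __init__(self, victim_zone):
        self.victim_zone = victim_zone.lower()
        self.queries_to_victim = 0
        self.bytes_to_victim = 0

    def query(self, name, rtype):
        name = name.lower()
        if name == self.victim_zone or name.endswith("." + self.victim_zone):
            self.queries_to_victim += 1
            self.bytes_to_victim += qname_wire_size(name)
        # Each random subdomain is new, so no cached negative answer helps.
        return []


def author_domains(message):
    """Domains of every address found in the message's From: header(s)."""
    headers = message.split("\r\n\r\n", 1)[0]
    domains = []
    for line in headers.split("\r\n"):
        if line.lower().startswith("from:"):
            domains += re.findall(r"@([A-Za-z0-9.-]+)", line)
    return domains


def naive_adsp_check(message, resolver):
    """Looks up every author domain: existence check, then the ADSP record."""
    domains = author_domains(message)
    for d in domains:
        resolver.query(d, "A")
        resolver.query("_adsp._domainkey." + d, "TXT")
    return len(domains)


def capped_adsp_check(message, resolver, max_domains=1):
    """Same lookups, but never more than `max_domains` per message (assumed
    mitigation: ADSP is about a single author address, so extra addresses
    are not worth querying for)."""
    domains = author_domains(message)[:max_domains]
    for d in domains:
        resolver.query(d, "A")
        resolver.query("_adsp._domainkey." + d, "TXT")
    return len(domains)


def build_attack_message(victim_zone, n_addrs, label_len=60, seed=1):
    """Constructed attacker message: one From: header carrying n_addrs
    mailboxes, each at a long random subdomain of the victim zone."""
    rng = random.Random(seed)
    boxes = []
    for _ in range(n_addrs):
        label = "".join(rng.choice(string.ascii_lowercase) for _ in range(label_len))
        boxes.append("x@%s.%s" % (label, victim_zone))
    return "From: " + ", ".join(boxes) + "\r\nSubject: hi\r\n\r\nbody\r\n"


def amplification(check, victim_zone, n_addrs, receivers):
    """(queries hitting the victim, victim bytes per attacker byte) when
    `receivers` independent checkers each process one copy of the message."""
    msg = build_attack_message(victim_zone, n_addrs)
    r = CountingResolver(victim_zone)
    check(msg, r)
    return (r.queries_to_victim * receivers,
            r.bytes_to_victim * receivers / len(msg.encode()))


if __name__ == "__main__":
    for name, check in (("naive", naive_adsp_check), ("capped", capped_adsp_check)):
        q, factor = amplification(check, "example.org", n_addrs=40, receivers=1000)
        print("%-7s %7d queries to victim, %.1f bytes out per byte in"
              % (name, q, factor))
```

The per-message factor for the naive checker is only a few times the attacker's outlay, which is why the message above says it is not clear the attack really works; the multiplier that matters is the number of receivers, since every checker that gets a copy repeats the lookups, and the random labels defeat negative caching at every resolver in between.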