Registry01 - University of Arizona


Registry of Public Email Senders™
–A Secure DNS Database
Dr. David MacQuigg, President
Open-mail.org
University of Arizona
ECE 596c – Cyber Security
November 2006
1
[Diagram: a Transmitter (T) Agent and a Receiver (R) Agent, each serving a User]
• Who is a Public Email Sender?
– A domain-name owner
– Authorizing an Internet Transmitter
– To send email to unrelated Receivers
• What does the Registry Provide?
– Authentication Data – Does the sender authorize this transmitter?
– Reputation Data – How likely are messages authorized by this sender to be spam?
– A simple, effective whitelisting method that works well with existing anti-spam methods
– The first non-proprietary database of Public Email Senders
• Typical Registry Record
amazon.com.s-id.net. 86400 IN TXT "opt=df:5 svc=X1:B ip4=207.171.160.0/19,87.238.80.24/29,87.238.84.24/29"
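The receiver-side use of such a record is to answer the slide's first question (does the sender authorize this transmitter?). The following is an added example, not code from the presentation or from open-mail.org: it parses the TXT string shown above into its fields and checks a transmitter's source address against the ip4 list. It assumes the TXT data is a single string with space-separated key=value fields and comma-separated CIDR blocks, as the record on the slide shows; the meaning of the opt and svc fields is not described on the slide, so they are kept as opaque strings.

```python
import ipaddress

# Constructed sample: the TXT string from the amazon.com.s-id.net record on the
# slide, as a receiver would see it after the DNS lookup.
SAMPLE_TXT = ('opt=df:5 svc=X1:B '
              'ip4=207.171.160.0/19,87.238.80.24/29,87.238.84.24/29')


def parse_registry_record(txt):
    """Split a registry TXT string into its key=value fields.

    'ip4' becomes a list of ip_network objects (strict, so a block with host
    bits set is rejected instead of silently widening or shrinking the list);
    every other field is kept as its raw string.
    """
    fields = {}
    for token in txt.split():
        key, sep, value = token.partition('=')
        if not sep or not key:
            raise ValueError('malformed field: %r' % token)
        if key == 'ip4':
            fields[key] = [ipaddress.ip_network(block, strict=True)
                           for block in value.split(',') if block]
        else:
            fields[key] = value
    return fields


def record_is_wellformed(txt):
    """True if the TXT string parses, False for any malformed field or CIDR."""
    try:
        parse_registry_record(txt)
    except ValueError:
        return False
    return True


def transmitter_authorized(record, transmitter_ip):
    """Does the sender's record authorize this transmitter's source IP?

    Only ip4 blocks are checked because that is the only address list the
    sample record carries; an IPv6 transmitter is therefore not authorized.
    """
    ip = ipaddress.ip_address(transmitter_ip)
    if ip.version != 4:
        return False
    return any(ip in block for block in record.get('ip4', []))


if __name__ == '__main__':
    rec = parse_registry_record(SAMPLE_TXT)
    for probe in ('207.171.160.1', '207.171.192.1', '87.238.80.25'):
        print(probe, transmitter_authorized(rec, probe))
```

The strict CIDR parsing is the check a practitioner wants here: a registry record is an authorization list, so a malformed block should fail the whole lookup rather than be quietly reinterpreted.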
• Other Authentication/Reputation Systems
– Senderbase™, Bonded Sender™, Gossip™, many others
– Many private systems operated by large ISPs for their own recipients, or by “spam appliance” companies for their own customers
April 7, 2016
DNS Database
Fast
Efficient
Secure?
Registry DNS Architecture & Security Threats
Threat 1 – Area: File Storage. Vulnerability: Loss or corruption of data. Solution: Encrypted backup copies with journaling. Unix system security. Physical security.
Threat 2 – Area: Dynamic updates to zone files. Vulnerability: Stolen admin password. IP address spoofing. Solution: Secure admin’s computer & network connection. Use Transaction Signatures (TSIG).
Threat 3 – Area: Incremental zone transfers. Vulnerability: IP address spoofing. Solution: TSIG with unique key for each connection. Private IP addresses.
Threat 4 – Area: Incremental zone transfers. Vulnerability: IP address spoofing. DoS. Solution: TSIG with unique key for each connection. IP addresses in reserve.
Threat 5 – Area: Queries from client’s DNS server. Vulnerability: Cache poisoning. Man in middle. DoS. Solution: DNSSEC. IP addresses in reserve.
Threat 6 – Area: Queries from client. Vulnerability: Cache poisoning. Man in middle. Solution: DNSSEC. Local network security.
Testing the Registry
Dynamic Update from Admin
[root@open-mail dave]# python dnsupdate.py 48
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags: ; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
test1.s-id.net.    0       ANY     ANY
test1.s-id.net.    1800    IN      TXT     "Test_Record_48"
... a few seconds later on one of our public servers
[macquigg@box61 ~]$ dig @ns1.rimuhosting.com txt test1.s-id.net +short
"Test_Record_48"
Pieces of Python
# dnsupdate.py
# DMQ 11/4/06
from popen2 import popen2   # Python 2 module of the era; removed in Python 3
...
# Start an nsupdate client process & connect file pointers to its
# input and output pipes. popen2 returns (child_stdout, child_stdin).
fi, fo = popen2('nsupdate')
...
# Commands to nsupdate. The "key" line names the TSIG key and gives its
# base64 secret, so nsupdate signs the update (threat 2 in the table).
# The secret is embedded here as on the slide; nsupdate can also read it
# from a key file (-k) kept out of the script.
header = '''\
local 127.0.0.1 953
server 207.210.221.26
key updatedns 1M92TYO2dznMK0M2N/q62Q==
zone %(ZONE)s
''' % VARS
# Delete any old record with this name, then add the new one.
template = '''\
update delete %(NAME)s.%(ZONE)s
update add %(NAME)s.%(ZONE)s %(TTL)s %(TYPE)s %(VAL)s
''' % VARS
# "show" prints the outgoing query (as on the previous slide); "send" transmits it.
trailer = '''\
show
send
quit
'''
text = header + template + trailer
...
Other Systems Facing Similar Threats
• Root Servers
– 13 IP addresses, IP multicast
– TTL = 518400 ( 6 days )
• IP Blacklists ( Spamhaus, et al.)
– 30 servers
– One record per IP, TTL only a few hours
• Attacker Motivations
– Vandalism (script kiddies)
– Profit (spammers)
– Tort (anger, revenge, politics, …)
– Denial of Service
– Defamation
Bibliography
A short list of the most useful books and articles on the technology behind the Registry.
• Pro DNS and BIND, Ron Aitchison, 2005. – Best book for learning DNS. Excellent examples. Thorough discussion of security.
• DNS and BIND, 4th ed., Albitz & Liu, 2001. – The DNS “Bible”.
• TCP/IP Illustrated, vol. I, The Protocols, W. Richard Stevens, 1994. – Very thorough, yet readable. Good illustrations.
Project Links
• https://www.open-mail.org – Current status of our Authentication and Reputation System
• http://purl.net/macquigg/email – Articles and notes from early development.
Precise Terminology
Border MTA – Mail Transfer Agent at the border of an Administrative Domain. If we exclude Open Relays, which are banned by most Receivers, all MTAs, including the Forwarder above, can be associated with either the Sender or the Receiver, and the border is clearly defined.
Administrative Domain – includes all MTAs that have some pre-arrangement to exchange email. An Administrative Domain may include servers using many different domain names. The two uses of “domain” are unrelated.
Sender – poorly defined. Should mean the outgoing Border MTA, but can mean the original sending domain or even an author. Use only when the context is clear or precision doesn’t matter.
Receiver – The incoming Border MTA, not including MTAs that are internal to the Receiver’s Administrative Domain. Authentication should always be done at the border.
Forwarder – An MTA that relays mail from one MTA to another.
Transmitter – MTA that is the source for the current “hop”, and whose IP address appears in the Source field of the IP packets. Can include Senders and Forwarders.
Return Address – The address in the MAIL FROM command, used by the mail system for Delivery Status Notifications (DSNs).
MUA, MSA, MDA – Other types of mail agents: Mail User Agent, Mail Submission Agent, Mail Distribution Agent.
Identities in an Email Session
[Diagram: the session below, with identities 1–6 marked beside the lines that carry them]
$ telnet open-mail.org 25
220 open-mail.org ESMTP Sendmail 8.13.1/8.13.1; Wed, 30 Aug 2006 07:36:42 -0400
HELO mailout1.phrednet.com
250 open-mail.org Hello ip068.subnet71.gci-net.com [216.183.71.68], pleased to meet you
MAIL FROM:<[email protected]>
250 2.1.0 <[email protected]>... Sender ok
RCPT TO:<[email protected]>
250 2.1.5 <[email protected]>... Recipient ok
DATA
354 Enter mail, end with "." on a line by itself
From: Dave\r\nTo: Test Recipient\r\nSubject: SPAM SPAM SPAM\r\n\r\nThis is message 1 from our test script.\r\n.\r\n
250 2.0.0 k7TKIBYb024731 Message accepted for delivery
QUIT
221 2.0.0 open-mail.org closing connection
Identities marked in the session:
RFC-2821 (envelope)
1 Helo Name
Envelope Addresses:
2 Return Address
3 Recipient Addresses
RFC-2822 (headers)
Header Addresses:
4 From Address
5 Reply-To Address
6 Network Owner (label placed beside the transmitter’s IP address, 216.183.71.68, in the HELO response)
Border Patrol™ MTA
Forgery is the Critical Factor in Email Abuse
Crooks hide their IP addresses by using a forwarder.
Signature-based Authentication (DKIM):
Sender provides a Public Key via a secure channel.
Messages are signed with the related Private Key.
End-to-end protocol works independently of forwarders.
Slow but secure.
IP-based Authentication (SPF, SenderID, CSV):
Sender provides a list of authorized transmitter addresses.
Fast but requires a “chain of trust” with forwarders.