Spam Leveraged in Attack against DNS infrastructure
Written by Paul Mah on May 27, 2011

The 6th International Scientific Conference, held in the Czech Republic, saw a presentation that explored the use of botnets to conduct DDoS (Distributed Denial of Service) attacks against Domain Name Servers (DNS). While DDoS attacks against DNS servers are nothing new, the research by Jakub Alimov from Seznam.cz and minor from Zone-h.org explored how the MAIL FROM specification of the SMTP protocol is being exploited to maliciously target DNS infrastructure.
System administrators and those interested in the technical analysis can read the full article, entitled “New attack vector in DDoS observed”. Because our interest here on AllSpammedUp pertains to spam and ridding ourselves of this scourge, I will also briefly explore what administrators can do to protect themselves against this attack – or at least how not to contribute to it.
Using Spam to attack other Internet infrastructure
As mentioned, the new attack technique relies on a botnet to exploit a requirement of the SMTP specification governing which addresses may be given in the MAIL FROM command. Section 3.6 of RFC 2821, which can be found on the IETF website, states:
Only resolvable, fully-qualified, domain names (FQDNs) are permitted when domain names are used in SMTP. In other words, names that can be resolved to MX RRs or A RRs (as discussed in section 5) are permitted, as are CNAME RRs whose targets can be resolved, in turn, to MX or A RRs. Local nicknames or unqualified names MUST NOT be used.
The attacker must first register a domain, foo-domain.com for example, and update its NS record with the IP address of the target DNS server. While some registrars or hosting providers prohibit this, enough of them allow it to make the attack feasible. After allowing sufficient time for the erroneous records to propagate across the Internet, a spam campaign is then launched via the botnet.
The difference here is that each spam message is sent with a MAIL FROM field containing a different subdomain, such as james@subdom1.foo-domain.com and james@subdom2.foo-domain.com. To ensure maximum damage, the outgoing mail is also channeled through “white horse” email servers with large amounts of bandwidth, such as those of Google, Yahoo and Hotmail. As the spam pours in, the white horse systems check whether the sender’s domain resolves to an MX record, or at least to an A record.
The target DNS server will hence receive lots of “regular” DNS requests for the bogus subdomain records:
Since the NS record is set to the target DNS server, the DNS requests will be sent to the target DNS server… Since the DNS server does not have the records for foo-domain.com, it has to respond negatively to each request. If the spam campaign is successful, the white horse systems flood the DNS server with multiple valid DNS requests.
The authors say that with 14,000 botnets sending a total of more than 100,000 spam messages, the operation of a single DNS server was successfully disrupted for more than a day at the cost of only one registered domain.
Where do we go from here?
As you must have deduced by now, the irony of this technique is that ordinary spam keeps flowing even while the victim’s DNS infrastructure is pulverized by a torrent of what appears, at first glance, to be legitimate DNS queries. However, no countermeasure works well; even blacklisting is impractical, as it could result in a domain being blocked completely.
The only viable solutions ultimately suggested were to either tighten the rules for registering domains, or to update the SMTP and DNS protocols to specifically deflect such abuse. Finally, upsizing one’s DNS server, or putting it in the cloud where computational resources can be scaled up quickly, was also suggested.
What I think this case illustrates well is how spammers and hackers exploit weaknesses in existing protocols to wreak havoc on the infrastructure that makes up the Internet. Given that there is no simple solution, what can businesses do to combat this problem? I have always advocated that the fight against spam must be conducted not only with smarter filters, but by ensuring that a corporation’s computing resources aren’t harnessed by spammers for their nefarious deeds. Given the potential for any mail server to be used as a white horse, traditional spam defenses such as inbound rate limiting controls or tarpitting have now become a necessity.
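As an added illustration (not code from the paper or from this post), the following Python model walks through the sender-domain check described in the attack section and the inbound rate limiting suggested just above: a receiving MTA that resolves every new MAIL FROM domain forwards one query per bogus subdomain to the delegated name server, while an MTA that budgets failed lookups per registrable zone stops forwarding after a handful. The `registrable_domain` helper, the `SenderVerifier` class and the sample addresses are all constructed for this example.

```python
from collections import Counter

# Constructed sample of MAIL FROM values seen by a receiving MTA (not from the paper):
# 200 never-before-seen subdomains of one parent zone, plus a few ordinary senders.
MAIL_FROMS = [f"james@subdom{i}.foo-domain.com" for i in range(1, 201)]
MAIL_FROMS += ["alice@example.org", "bob@example.net"] * 5

def registrable_domain(fqdn):
    # Simplified stand-in: the last two labels are the zone whose NS answers the query.
    # A real MTA would consult the Public Suffix List instead.
    return ".".join(fqdn.lower().rstrip(".").split(".")[-2:])

class SenderVerifier:
    """Hypothetical model of a receiving MTA's MAIL FROM domain check.
    naive=True : every unseen FQDN triggers an MX/A lookup that the delegated
                 name server (the victim) must answer.
    naive=False: lookups are budgeted per registrable zone; after `budget` failed
                 lookups in a zone, further senders from it are temp-rejected
                 and no DNS query is sent at all."""

    def __init__(self, naive=True, budget=5):
        self.naive, self.budget = naive, budget
        self.cache = {}              # fqdn -> resolved?
        self.queries = Counter()     # DNS queries actually sent, per zone
        self.failures = Counter()    # failed lookups, per zone
        self.temp_rejects = 0

    def resolve(self, fqdn):
        # Stand-in for a real MX/A lookup: only the two ordinary zones resolve.
        return registrable_domain(fqdn) in ("example.org", "example.net")

    def check(self, mail_from):
        fqdn = mail_from.rsplit("@", 1)[1]
        zone = registrable_domain(fqdn)
        if fqdn in self.cache:
            return "250 ok" if self.cache[fqdn] else "550 unresolvable sender"
        if not self.naive and self.failures[zone] >= self.budget:
            self.temp_rejects += 1
            return "451 try again later"   # budget spent: no query sent
        self.queries[zone] += 1
        ok = self.cache[fqdn] = self.resolve(fqdn)
        if not ok:
            self.failures[zone] += 1
        return "250 ok" if ok else "550 unresolvable sender"

def simulate(naive):
    # Returns (queries hitting the victim zone, queries for ordinary zones, temp rejects).
    v = SenderVerifier(naive=naive)
    for m in MAIL_FROMS:
        v.check(m)
    return v.queries["foo-domain.com"], v.queries["example.org"] + v.queries["example.net"], v.temp_rejects
```

Legitimate senders are unaffected in either mode because their zones resolve and are cached; only the zone whose lookups keep failing is cut off, and with a 4xx response a genuine sender from that zone can retry once the budget window passes.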
This is the kind of study that ultimately may prove to do more harm than good. By outlining a way to commit low-risk high-reward spam without providing a solid defense for it, in a way that presumably has not been done yet, any spammers paying attention to these kinds of studies basically just got a free new trick to try. I’m all for scientifically looking at these matters, but maybe don’t -publish- your findings until you know how to stop what you’re up against.
It used to be much simpler. In the past, email spam messages were only used to spread marketing materials. Today, they’re also utilized to send and spread viruses, scareware, and other types of malware systems. This just proves that online threats are getting more revolutionized and creative.
Imagine, using spam to attack a DNS server? For me, it is now the right time to tighten the rules for registering domains. We should have a governing body that focuses only on domain registrations. I’m not saying that we should be too meticulous to the point that we invade someone’s privacy. We should be strict because this concerns all of us.
In a technical sense, hacking a system using email is not new anymore. As we all know, email messages can easily be intercepted and hacked – from sending to receiving the message.
This new form of attack should up the ante of both spam filter systems and anti-virus software. As hacking and other types of online attacks are increasing each day, so should security solutions.
I agree with @Furius_Geek. Simpler times are gone now. Even spam is used as a hacking tool. What could be next?