Maybe the sky is only falling a little bit

There was quite a bit of breathless reporting last week about the DoS against Spamhaus and how it was large enough to break the Internet. As the postmortem has gone on, a few things are becoming clear.

  1. There was a lot of traffic, enough to swamp some major transit points.
  2. Most people, particularly in the US, saw no problems.
  3. Network engineers had more than a few sleepless nights trying to route around the DoS.
  4. Open DNS resolvers are evil and should be closed.

The Open DNS resolvers are, I think, a big issue. These are machines working as intended (ie, not infected with any software) that can be used to amplify traffic and maliciously attack other machines. It’s not the first time standard configurations of machines facilitated abuse (see smurf attack or open relay as examples). In those cases, though, there was considerable response by the Internet and security community to prevent abuse from those machines. Large providers instituted ingress filtering to stop their networks (and their customer networks) from participating in smurf attacks. List of open relays were published and prevented from mailing to large networks.
Overall, neither the number of smurf amplifiers nor the number of open relays have been brought to zero, their numbers have been reduced sufficiently so they are no longer major attack vectors.
I expect to see the  number of open resolvers decrease in the future as well. And if open resolvers aren’t closed, they may be isolated so they can’t hurt the rest of us. This may cause network problems for folks using open resolvers. But I can’t feel too sorry for them, when closing a resolver is simple and the price of leaving it open is so high for the rest of us.

Post-mortem on the Spamhaus DOS
Marketo files for IPO

Related Posts

Troubleshooting tools

There have been a number of comments on my post about Hotmail moving to SPF authentication having to do with troubleshooting authentication failures. I have been helping clients troubleshoot these issues, and am able to take on new clients to solve authentication problems. Contact me for more information.
Of course, many of these issues can be solved with access to the right tools. Steve’s been working on a number of tools that may help the troubleshooting process and we’ve recently launched them on Emailstuff.org. The website itself contains a number of DNS and data related tools we use for investigations and thought we’d share with the public at large.
One of the really useful tools is the SPF record expander. Plug in any domain, like google.com, and see what IP addresses they authorize to send mail.

Read More

Collaboration key to fighting crime on the internet

The Pittsburg Post Gazette has a good article on the DNS Changer Working group and how it can serve as a model for future collaboration against cyber crime.

Read More

Open Relays and Mail Sinks

Email is a “store and forward” protocol. The sender doesn’t connect directly to the recipient to send the mail with just one network hop, rather the sender connects to a mailserver (usually referred to as an “MTA”, short for Mail Transfer Agent) and sends the message there. Once that MTA has received the message it sends it on to another MTA, and so on until it reaches the recipient.
Mail clients typically don’t have any intelligence built in to them to decide which MTA to send an email to. Instead they’re configured to blindly send every message to one particular local MTA, the smarthost, which then does all the proper SMTP work to decide where to send it on to.

Read More