/may 8, 2019

On Abusing Email Validation Protocols for Distributed Reflective Denial of Service

By Benjamin Brown

Denial of Service (DoS) attacks are still very much in vogue with cybercriminals. They are used for extortion attempts, to attack competitors or detractors, as an ideological statement, as a service for hire, or simply “for teh lulz.” As anti-DoS methods become more sophisticated so do the DoS techniques, becoming harder to stop or take down by turning into distributed (DDoS) among stolen or hacked end-points. Some DDoS methods even use distributed, public systems that aren’t hacked or stolen, but still offer a means for a reflected attack (DrDoS) such as the widespread Network Time Protocol (NTP) DrDoS attacks seen over the past several years.

In the spirit of discovering and exposing potential future cybercrime methods, this research focuses on determining the viability of DrDoS attacks using public-facing email validation protocols. With knowledge of attack anatomy white hats can better understand the threat landscape while building their unique threat models, and if need be, build and configure defenses against such potential protocol abuses. Fortunately, or unfortunately, depending on your reference point, the findings of this research conclude that these types of attacks are likely not to be a widespread threat given the current sets of in-the-wild email server configurations; though this may change in the future as more systems come online and configuration habits shift.

We know what sort of returns we can get for DDoS leveraging SPF in large part through the work of Douglas Otis. However, given other DDoS vectors available (DNS, NTP, etc.) using SPF alone doesn’t have much of a bite. The idea here was to try and also leverage other email validation protocols that may be configured for a mail server also employing SPF, a stacked attack. Following a review of the DomainKeys Identified Mail (DKIM) protocol RFC it was discovered that there are instances where the specification suggests using reply codes: 4xx, 451/4.7.5, and 550/5.7.x specifically. This suggests mail server configurations that may reply to messages that meet, or fail, certain criteria.

However, of the 20 in-the-wild sample servers (located in the United States, France, Germany, Hungary, and Taiwan), zero responded to invalid DKIM headers. As with the DKIM RFC, the Domain-based Message Authentication, Reporting, and Conformance (DMARC) protocol RFC has a configuration suggestion for issuing a 5xy reply code for failed messages as well as a security discussion for External Reporting features of DMARC. Both of these vectors seemed promising for possible exploitation. Of the 20 in-the-wild servers tested, (located in the United States, the United Kingdom, France, Canada, and Switzerland) only four replied with a failure code and zero offered External Reporting services.

While subject to future change, these findings suggest that the current, real-world landscape does not lend itself to leveraging these validation protocols for any serious volume of DrDoS.

Related Posts

By Benjamin Brown

Benjamin Brown’s current research focuses on emerging technology areas where security research is novel such as IoT, AI/ML, cryptocurrencies, the dark web, and new underground digital economies. This leads to speaking engagements, publications, and media interaction to assist in generating new and expanded security insights and knowledge stores. He currently works at Veracode integrating his anthropology and international relations degrees with security research into large-scale, internet-level problems. Hobbies include blacksmithing, competitive axe throwing, Software-defined radio (SDR), and hiking.