[Asrg] Dictionary Attacks

John Leslie john at jlc.net
Tue Nov 18 15:05:48 PST 2008


der Mouse <mouse at Rodents-Montreal.ORG> wrote:
> 
>>>> 4) there _could_ be value in an automated way to tell Earthlink
>>>> about abuse;
>>>> 5) any use of <abuse at earthlink.com> cannot serve that purpose;
>>> Why not?  I can't think why an "automated way" such as (4) mentions
>>> couldn't be carried on top of email to abuse at earthlink.com.
> 
>> 1) <abuse at anywhere> is spammed too heavily
> 
>> 2) <abuse at earthlink> necessarily has earthlink-specific processing
> 
> Neither is relevant, I believe.
> 
> (1) is irrelevant because random spam will not fit the format of these
> automated reports;

   Only true for _some_ formats...

> if spamming fake reports becomes attractive enough for it to be a
> problem,

   That's not the point, really: even without _any_ email intending
to fool the report parser, the <abuse@> account would have to parse an
arbitrarily large amount of junk looking for things which _intend_
to be a report. I don't know what Earthlink's daily load of <abuse>
email is, but I wouldn't be surprised if it exceeded 1,000,000.

> whatever other mechanism carries them will have exactly the same
> problem.

   Not "exactly", unless the design is foolish. It could, for example,
include a registration mechanism allowing packet filtering to regulate
the load...

> (If the reports are crypto-signed to deal with report forgery, this
> can be done over email just as much as it can over some other channel.)

   There are other methods to deal with forgery; and crypto-signing
to validate email is a heavier load even than crypto-signing of most
other protocols.

> (2) is necessarily true, since any abuse-report-recipient must
> necessarily be doing some kind of recipient-specific processing.
> But it's also irrelevant; there's no reason emailed automated
> reports can't be shipped off to whatever processing the putative
> other transport performs, rather than going into the main abuse@
> queue.

   If we were only ever implementing _one_ pairing of ISPs, this
is true enough. But for this to be useful to Earthlink, they must
be able to receive reports from more than one ISP.

   OTOH, for this to be useful to World, they need to be able to
report to more than one origin ISP. Does Earthlink define the format,
or does World?

>> For a reporting procedure to be practical, we need to avoid the
>> N * M problem.
> 
> I don't see why carrying them over email produces an N*M problem
> in any way that any other transport doesn't - that is, I don't
> think this (regardless of how true or false it is) has anything
> to do with using mail to abuse@ as the transport.

   The N * M problem is much the same with or without email being
the transport, true; but there are rather too many ISPs that decline
all <abuse at domain> email. I see no reason to add "solving" that
issue to the task...

   But there's another issue entirely that makes <abuse at domain>
the wrong tool -- the Dictionary Attack comes from IP addresses,
not domains.

--
John Leslie <john at jlc.net>
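As an added illustration of two points raised in this exchange (not code from the thread or from any ISP): a recipient of automated abuse reports can discard anything that does not fit a strict format before doing any real work, and a pre-registered per-reporter key lets it authenticate reports and regulate load per reporter rather than per domain. The report format, field names, reporter identifiers, keys and sample mailbox below are all constructed for the example; the aggregation is keyed by source IP address, since that is where the attack is seen from.

```python
"""
Added example, not part of the ASRG thread: a strict parser for a
hypothetical automated abuse-report format, with HMAC authentication
against a registry of known reporters. Format, field names, keys and
sample messages are all constructed for illustration.
"""
import hmac
import hashlib
import ipaddress
from collections import defaultdict

# Hypothetical registry: reporter id -> shared secret issued at registration.
REGISTRY = {
    "world.example": b"world-shared-secret-constructed",
}

# Fields every report must carry; "mac" covers exactly these, in this order.
REQUIRED = ("reporter", "source-ip", "event", "count")


def parse_report(raw: str):
    """Return the report fields, or None if the message is not a report."""
    header, sep, body = raw.partition("\n\n")
    if not sep or "X-Abuse-Report-Version: 1" not in header.splitlines():
        return None
    fields = {}
    for line in body.strip().splitlines():
        key, colon, value = line.partition(":")
        if not colon:
            return None  # any non key:value line means this is not a report
        fields[key.strip().lower()] = value.strip()
    if any(k not in fields for k in REQUIRED + ("mac",)):
        return None
    try:
        ipaddress.ip_address(fields["source-ip"])  # must be a real address
        fields["count"] = int(fields["count"])
    except ValueError:
        return None
    return fields


def canonical(fields) -> bytes:
    """Byte string the MAC is computed over (required fields, fixed order)."""
    return "\n".join(f"{k}:{fields[k]}" for k in REQUIRED).encode()


def sign(fields, key: bytes) -> str:
    return hmac.new(key, canonical(fields), hashlib.sha256).hexdigest()


def authentic(fields) -> bool:
    """True only for a registered reporter whose MAC verifies."""
    key = REGISTRY.get(fields["reporter"])
    if key is None:
        return False
    return hmac.compare_digest(sign(fields, key), fields["mac"])


def make_report(reporter, source_ip, event, count, key: bytes) -> str:
    """Build a report message the way a registered reporter would."""
    fields = {"reporter": reporter, "source-ip": source_ip,
              "event": event, "count": count}
    body = "\n".join(f"{k}: {fields[k]}" for k in REQUIRED)
    body += f"\nmac: {sign(fields, key)}\n"
    return f"From: reports@{reporter}\nX-Abuse-Report-Version: 1\n\n{body}"


def triage(messages):
    """Return (accepted counts keyed by source IP, number of rejected messages)."""
    by_ip = defaultdict(int)
    rejected = 0
    for raw in messages:
        fields = parse_report(raw)
        if fields is None or not authentic(fields):
            rejected += 1  # junk, forgeries and unknown reporters cost one parse, no more
            continue
        by_ip[fields["source-ip"]] += fields["count"]
    return dict(by_ip), rejected


# Constructed mailbox: two genuine reports, ordinary spam, a forged report
# (wrong key), a report from an unregistered reporter, and a malformed one.
SAMPLE_MAILBOX = [
    make_report("world.example", "192.0.2.10", "dictionary-attack", 42,
                REGISTRY["world.example"]),
    make_report("world.example", "192.0.2.10", "dictionary-attack", 8,
                REGISTRY["world.example"]),
    "Subject: cheap stuff\n\nBuy now!!!",
    make_report("world.example", "192.0.2.20", "dictionary-attack", 99,
                b"attacker-guessed-key"),
    make_report("nobody.example", "192.0.2.30", "dictionary-attack", 5,
                b"whatever"),
    "X-Abuse-Report-Version: 1\n\nhello world\n",
]

if __name__ == "__main__":
    print(triage(SAMPLE_MAILBOX))  # {'192.0.2.10': 50}, 4 rejected
```

The cheap checks (version header, key:value shape, address syntax) run before the MAC, so the cost of junk mail is bounded by a few string operations per message; the registry lookup is also the natural place to hang per-reporter rate limits or the packet-level filtering mentioned above.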
