Re: [spoofing-tf] Source Address Validation Architecture (SAVA), BOF proposal @ IETF

  • To: Pekka Savola pekkas@localhost
  • From: Rob Beverly rbeverly@localhost
  • Date: Thu, 14 Sep 2006 11:05:30 -0400
  • Cc: "Barry Greene (bgreene)" bgreene@localhost, Jaap Akkerhuis jaap@localhost, spoofing-tf@localhost, sava@localhost

On Thu, Sep 14, 2006 at 05:13:37PM +0300, Pekka Savola wrote:
> >Sure, but again, consider the recent DNS amplifier attacks and
> >filter circumvention attacks (using spoofing to send UCE).
> 
> I'd be interested in seeing more references on the SPAM-spoofing.  I
> assume you refer to hijacking an address space (possibly a bogon,
> possibly in use), sending spam, and switching the prefix continuously.
> This is quite different from 'traditional' spoofing because the above also
> requires propagation of false routing information instead of simply
> sending bogus packets.

Actually, I wasn't referring to prefix hijacking.  Spammers like
to use botnets.  To combat botnets, providers started filtering
outbound port 25 SYN to everywhere but the provider's MTA(s).  To
combat these filtered hosts, spammers are now doing the following:
  1. Find a connection that allows spoofing (e.g. dialup).  Assume
     a host D is on that dialup and under control of the spammer.
  2. Control a compromised host H on a network that filters outbound TCP 25 SYN.
  3. Use the dialup host D to send a SYN to a victim MTA with the source
     address of H.
  4. D communicates the initial sequence number to H so that H can
     properly ACK the incoming SYN-ACK (and complete the 3-way
     handshake).

There are other variations of such triangular routing (and attacks).
There have been a few conversations on NANOG about this; the first
one I can find readily is:
  http://www.cctec.com/maillists/nanog/current/msg09179.html

Regards,

rob
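The four-step relay Rob describes, as an added example that is not part of the original post or of the SAVA proposal: a small Python model of the two hosts, the victim MTA's handshake state, and the two egress filters involved. Host D's network either does or does not validate source addresses (BCP38 style); host H's network drops outbound SYN-only segments to port 25. The addresses (RFC 5737 documentation ranges), ports and sequence numbers are constructed for the demonstration, and the "side channel" from D to H is modelled as a plain variable handoff.

```python
"""Model of the triangular spoofed-SYN relay: D sends the SYN with H's source
address, the MTA's SYN-ACK is routed to H, D hands its ISN to H out of band,
and H finishes the handshake with a bare ACK that a SYN-only port-25 filter
does not match.  All addresses/ports/ISNs are constructed for this example."""

import random
from dataclasses import dataclass

# Constructed addresses from RFC 5737 documentation ranges.
D_ADDR, H_ADDR, MTA_ADDR = "198.51.100.10", "203.0.113.20", "192.0.2.25"
MASK32 = 0xFFFFFFFF


@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    sport: int
    dport: int
    seq: int
    ack: int
    flags: frozenset  # subset of {"SYN", "ACK"}


def syn25_egress_filter(seg: Segment) -> bool:
    """H's provider policy from the post: drop outbound SYN (no ACK) to port 25.
    Returns True if the segment is allowed out."""
    syn_only = "SYN" in seg.flags and "ACK" not in seg.flags
    return not (syn_only and seg.dport == 25)


def bcp38_egress_filter(seg: Segment, own_addr: str) -> bool:
    """Source address validation: a host may only emit its own address."""
    return seg.src == own_addr


class Mta:
    """Victim MTA on port 25, tracking half-open and established connections."""

    def __init__(self, addr: str):
        self.addr = addr
        self.half_open = {}     # (peer, sport) -> (our_isn, expected_peer_seq)
        self.established = set()

    def receive(self, seg: Segment):
        if seg.dst != self.addr or seg.dport != 25:
            return None
        key = (seg.src, seg.sport)
        if seg.flags == frozenset({"SYN"}):
            isn = random.getrandbits(32)
            self.half_open[key] = (isn, (seg.seq + 1) & MASK32)
            # SYN-ACK goes to whatever source address the SYN carried.
            return Segment(self.addr, seg.src, 25, seg.sport, isn,
                           (seg.seq + 1) & MASK32, frozenset({"SYN", "ACK"}))
        if seg.flags == frozenset({"ACK"}) and key in self.half_open:
            our_isn, expected_seq = self.half_open[key]
            if seg.ack == (our_isn + 1) & MASK32 and seg.seq == expected_seq:
                del self.half_open[key]
                self.established.add(key)
        return None


def triangular_relay(d_network_validates_source: bool, seed: int = 1) -> bool:
    """Run steps 3 and 4 of the post.  Returns True if the MTA ends up with an
    established connection that appears to come from H."""
    random.seed(seed)
    mta = Mta(MTA_ADDR)
    sport = 40000
    isn_d = random.getrandbits(32)

    # Step 3: D emits a SYN whose source address is H's.
    syn = Segment(H_ADDR, MTA_ADDR, sport, 25, isn_d, 0, frozenset({"SYN"}))
    if d_network_validates_source and not bcp38_egress_filter(syn, D_ADDR):
        return False  # BCP38 at D's provider drops the spoofed SYN
    syn_ack = mta.receive(syn)
    assert syn_ack is not None and syn_ack.dst == H_ADDR  # routed to H, not D

    # Step 4: D tells H the ISN it used (side channel modelled as a variable).
    isn_from_d = isn_d
    ack = Segment(H_ADDR, MTA_ADDR, sport, 25, (isn_from_d + 1) & MASK32,
                  (syn_ack.seq + 1) & MASK32, frozenset({"ACK"}))
    if not syn25_egress_filter(ack):  # bare ACK is not a SYN, so it passes
        return False
    mta.receive(ack)
    return (H_ADDR, sport) in mta.established


def direct_from_h() -> bool:
    """Control case: H sends a normal SYN itself; the port-25 filter drops it."""
    syn = Segment(H_ADDR, MTA_ADDR, 40001, 5 * 5, 1, 0, frozenset({"SYN"}))
    return syn25_egress_filter(syn)


if __name__ == "__main__":
    print("relay with no SAV at D:", triangular_relay(False))   # True
    print("relay with BCP38 at D:", triangular_relay(True))     # False
    print("H sending its own SYN:", direct_from_h())            # False
```

The point the model makes concrete: the SYN-only filter at H's provider is bypassed because H never emits a SYN, only an ACK, while the SYN-ACK is legitimately routed to H since that is the address the spoofed SYN carried. Source address validation at D's network is what actually breaks the relay, which is the case for SAVA/BCP38 rather than for port-based filters alone.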