Posts Tagged ‘DNS’

Web Spoofing: Threat Models, Attacks and Current Defenses

The initial design of Web protocols and the Internet assumed a benign environment, in which servers, clients and routers cooperate and follow the standard protocols, deviating only through unintentional errors. However, as the amount and sensitivity of usage increased, concerns about security, fraud and attacks became important. In particular, since Internet access is now widely (and often freely) available, it is very easy for attackers to obtain many client and even host connections and addresses, and to use them to launch attacks both on the network itself (routers and network services such as DNS) and on other hosts and clients. Furthermore, with the proliferation of commercial domain name registrars allowing automated, low-cost registration in most top-level domains, it is currently very easy for attackers to acquire essentially any unallocated domain name and to place malicious hosts and clients there. We call this the unallocated domain adversary: an adversary who is able to issue and receive messages using many addresses in any domain name, excluding the finite list of already allocated domain names. This is probably the most basic and common type of adversary.

Unfortunately, we believe, as explained below, that most web users are currently vulnerable even to unallocated domain adversaries. This claim may be surprising, since sensitive web sites are usually protected using the SSL or TLS protocols, which, as we explain in the following subsection, securely authenticate web pages even in the presence of intercepting adversaries (often referred to as Man In The Middle (MITM) attackers). Intercepting adversaries are able to send and intercept (receive, eavesdrop on) messages to and from all domains. Indeed, even without SSL/TLS, the HTTP protocol securely authenticates web pages against spoofing adversaries, which are able to send messages from all domains but receive only messages sent to unallocated (adversary-controlled) domains. However, the security provided by SSL/TLS (against an intercepting adversary) or by HTTP (against a spoofing adversary) holds only with respect to the address (URL) and security mechanism (HTTPS, using SSL/TLS, or ‘plain’ HTTP) requested by the application (usually the browser). In a phishing attack (and in most other spoofing attacks), the application itself specifies the URL of the spoofed site in its request. Web spoofing attacks therefore focus on the gap between the intentions and expectations of the user and the address and security mechanism that the browser specifies to the transport layer.


E-mail Connection Management Settings

The following settings help prevent spam, viruses, directory harvest attacks, and other threats from entering your network. SurfControl recommends that you enable the following pre-screening options as directed below.

Note: These features require that you deploy E-mail Filter upstream from an anti-virus or other receiving mail server. In order to use the following features:

  1. Blacklist: A blacklist is an administrator-defined anti-spam tool that blocks e-mail from specified sources. Use this area to enter or import domains or e-mail addresses of sources from whom you do not want to receive e-mail. This is an effective way to block unwanted messages as soon as they enter E-mail Filter. You can also provide exclusions to your blacklist. For example, if the domain xyz.com is on your blacklist, but you still want to receive e-mail from user1@xyz.com, you can enter user1@xyz.com on the Exclusions list and still receive e-mail from that user.
  2. Reverse DNS Lookup: The Reverse DNS Lookup feature can help detect spoofed e-mail by confirming that the sender’s PTR record matches the IP address included in the header. SurfControl recommends that you enable this option and leave the default action of Log Only. This lets you take advantage of the Reverse DNS Lookup feature without denying e-mail from sources that have misconfigured DNS settings or no PTR record at all. The Log Only option writes a log entry whenever the IP address and the domain name do not match, but does not reject the e-mail; this option lets you keep track of e-mail sent from illegitimate addresses.
  3. Realtime Blackhole List (RBL): This feature allows E-mail Filter to handshake with third-party “realtime blackhole lists” (RBLs), which are externally hosted lists of known spammers. When RBL lookups are enabled and set to Deny Connection, E-mail Filter checks the sending host’s IP address against the RBL, verifying that the IP address is not on the spam list. If the IP address is on the list, E-mail Filter drops the connection. If not, E-mail Filter continues to process the e-mail. If you have enabled this option, you can enter domains, e-mail addresses, or IP addresses in the Exclusions list. This list contains senders for whom you do not want to perform the RBL lookup.
  4. Directory Harvest Detection: This feature protects your network from directory harvest and phishing attacks, and stops a significant amount of e-mail-based threats from entering your network. By integrating with your LDAP server, the Directory Harvest Detection feature ensures that incoming e-mail is addressed to users who are currently in your Active Directory structure.
  5. Denial of Service Detection: This feature detects attempts to exhaust your system resources. SurfControl recommends that you enable this feature and raise the setting of 5 maximum incomplete sessions from each IP address per hour to 50. At the default setting, E-mail Filter detects a denial of service attack if there are five incomplete sessions from one IP address within an hour. If E-mail Filter detects a denial of service attack, it blocks all connections from that IP address for the next 24 hours.
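The five pre-screening checks above, written out as one small SMTP gating module. This is an added example, not SurfControl's or E-mail Filter's code: it models the behaviour the settings describe (blacklist with exclusions, forward-confirmed reverse DNS with a Log Only default, an RBL query on the reversed octets of the sending IP, recipient validation against a directory, and the incomplete-sessions-per-hour threshold with a 24-hour block). DNS, the RBL and LDAP are stood in for by plain Python callables and the constructed sample data at the bottom, so it runs offline; the RBL zone name `rbl.example` and all addresses are hypothetical.

```python
"""Illustrative SMTP pre-screening modelled on the five E-mail Filter checks.
Added example, not vendor code: DNS, RBL and LDAP queries are injected as
callables so the module runs offline against constructed sample data."""
from collections import defaultdict


class PreScreen:
    def __init__(self, blacklist, exclusions, rbl_exclusions, directory,
                 ptr_lookup, addr_lookup, rbl_lookup,
                 rbl_zone="rbl.example",       # hypothetical RBL zone name
                 reverse_dns_action="log",     # "log" (recommended default) or "deny"
                 max_incomplete_per_hour=50,   # the recommended value from the text
                 block_hours=24):
        self.blacklist = set(blacklist)           # domains or full addresses
        self.exclusions = set(exclusions)         # addresses exempt from the blacklist
        self.rbl_exclusions = set(rbl_exclusions) # IPs exempt from RBL lookups
        self.directory = set(directory)           # valid local recipients (LDAP stand-in)
        self.ptr_lookup = ptr_lookup              # ip -> PTR hostname, or None
        self.addr_lookup = addr_lookup            # hostname -> set of IPs
        self.rbl_lookup = rbl_lookup              # DNS query name -> True if listed
        self.rbl_zone = rbl_zone
        self.reverse_dns_action = reverse_dns_action
        self.max_incomplete = max_incomplete_per_hour
        self.block_hours = block_hours
        self.incomplete = defaultdict(list)       # ip -> times (in hours) of incomplete sessions
        self.blocked_until = {}                   # ip -> hour until which it stays blocked
        self.log = []                             # Log Only findings

    # 1. Blacklist with per-address exclusions
    def blacklisted(self, sender):
        if sender in self.exclusions:
            return False
        domain = sender.rsplit("@", 1)[-1]
        return sender in self.blacklist or domain in self.blacklist

    # 2. Reverse DNS: the PTR name must resolve back to the connecting IP
    def reverse_dns_ok(self, ip):
        name = self.ptr_lookup(ip)
        return name is not None and ip in self.addr_lookup(name)

    # 3. RBL: query <reversed octets>.<zone>, skipping excluded senders
    def rbl_listed(self, ip):
        if ip in self.rbl_exclusions:
            return False
        reversed_octets = ".".join(reversed(ip.split(".")))
        return self.rbl_lookup(f"{reversed_octets}.{self.rbl_zone}")

    # 4. Directory harvest detection: recipients must exist in the directory
    def unknown_recipients(self, recipients):
        return [r for r in recipients if r not in self.directory]

    # 5. Denial of service detection: incomplete sessions per IP per hour
    def record_incomplete_session(self, ip, now_hours):
        recent = [t for t in self.incomplete[ip] if now_hours - t < 1.0]
        recent.append(now_hours)
        self.incomplete[ip] = recent
        if len(recent) >= self.max_incomplete:
            self.blocked_until[ip] = now_hours + self.block_hours
            return True                           # attack detected, IP now blocked
        return False

    def is_blocked(self, ip, now_hours):
        return self.blocked_until.get(ip, -1) > now_hours

    def screen(self, ip, sender, recipients, now_hours):
        """Return ("deny", reason) or ("accept", list_of_valid_recipients)."""
        if self.is_blocked(ip, now_hours):
            return ("deny", "blocked after denial of service detection")
        if self.rbl_listed(ip):
            return ("deny", "sending IP on RBL")
        if self.blacklisted(sender):
            return ("deny", "sender blacklisted")
        if not self.reverse_dns_ok(ip):
            if self.reverse_dns_action == "deny":
                return ("deny", "reverse DNS mismatch")
            self.log.append(f"reverse DNS mismatch for {ip} ({sender})")
        unknown = self.unknown_recipients(recipients)
        if unknown and len(unknown) == len(recipients):
            return ("deny", "no valid recipients (possible directory harvest)")
        return ("accept", [r for r in recipients if r not in unknown])


# Constructed sample data standing in for DNS, the RBL and the LDAP directory.
PTR = {"192.0.2.10": "mail.example.net", "192.0.2.20": "fake.example.org"}
ADDR = {"mail.example.net": {"192.0.2.10"}, "fake.example.org": {"203.0.113.5"}}
RBL_LISTED = {"7.2.0.192.rbl.example"}          # i.e. 192.0.2.7 is listed
DIRECTORY = {"alice@corp.example", "bob@corp.example"}


def build_screen():
    """Policy from the text: xyz.com blacklisted, user1@xyz.com excluded."""
    return PreScreen(blacklist={"xyz.com"}, exclusions={"user1@xyz.com"},
                     rbl_exclusions=set(), directory=DIRECTORY,
                     ptr_lookup=PTR.get,
                     addr_lookup=lambda host: ADDR.get(host, set()),
                     rbl_lookup=lambda query: query in RBL_LISTED)


if __name__ == "__main__":
    ps = build_screen()
    print(ps.screen("192.0.2.10", "user1@xyz.com", ["alice@corp.example"], 0.0))
    print(ps.screen("192.0.2.7", "a@b.example", ["alice@corp.example"], 0.0))
    print(ps.screen("192.0.2.20", "x@y.example", ["alice@corp.example"], 0.0), ps.log)
```

Two design choices worth noting: the reverse DNS check is forward-confirmed (PTR name resolved back to the IP) rather than a bare PTR existence check, and with the recommended Log Only action a mismatch is recorded but the message still flows, which is why the log list is exposed for review. The directory check rejects the connection only when none of the recipients exist, and otherwise drops just the unknown ones; a real deployment would pick whichever of those two behaviours matches its bounce policy.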
