Useless when it comes to /shared_IP. -- ToshinoriMaeno 2024-02-28 22:13:09
NDSS2024 2/26-3/1 https://www.ndss-symposium.org/ndss2024/attend/registration-information/
2/28 11:20 - 12:40 Session 6A: Network Protocols
1. BREAKSPF
BREAKSPF: How Shared Infrastructures Magnify SPF Vulnerabilities Across the Internet
Chuhan Wang †, Yasuhiro Kuranaga †, Yihang Wang †, Mingming Zhang ‡, Linkai Zheng †, Xiang Li †, Jianjun Chen †‡, Haixin Duan †‡§, Yanzhong Lin ¶, and Qingfeng Pan ¶ †Tsinghua University, ‡Zhongguancun Laboratory, §Quan Cheng Laboratory, ¶Coremail Technology Co. Ltd
1.1. Abstract
Email spoofing attacks pose a severe threat to email systems by forging the sender’s address to deceive email recipients.
Sender Policy Framework (SPF), an email authentication protocol that verifies senders by their IP addresses, is critical for preventing email spoofing attacks.
However, attackers can bypass SPF validation and launch convincing spoofing attacks that evade email authentication.
This paper proposes BreakSPF, a novel attack framework that bypasses SPF validation to enable email spoofing. Attackers can actively target domains with permissive SPF configurations by utilizing cloud services, proxies, and content delivery networks (CDNs) with shared IP pools.
We leverage BreakSPF to conduct a large-scale experiment evaluating the security of SPF deployment across Tranco top 1 million domain names. We uncover that 23,916 domains are vulnerable to BreakSPF attacks, including 23 domains that rank within the top 1,000 most popular domains.
The results underscore the widespread SPF configuration vulnerabilities and their potential to undermine the security of email systems. Our study provides valuable insights for detecting and mitigating SPF vulnerabilities and strengthening email system security overall.
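For defenders reviewing their own domain against the "permissive SPF configurations" the abstract refers to, the following is an added example (not code from the paper or its authors) that counts how many IPv4 addresses a record authorizes and flags permissive terms. The size threshold, the function name `audit_spf` and the sample records are assumptions made here; the check works offline, so `include:` and `redirect=` targets are only reported, not resolved, and `ip6`, `a` and `mx` terms are not counted.

```python
import ipaddress

# Assumption: illustrative review threshold, not a figure taken from the paper.
MAX_IPV4_ADDRESSES = 65536  # one /16 worth of authorized senders

def audit_spf(record, max_addresses=MAX_IPV4_ADDRESSES):
    """Return (authorized_ipv4_count, findings) for one SPF TXT record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    networks, findings = [], []
    for term in terms[1:]:
        # A term without an explicit qualifier defaults to "+" (pass).
        qualifier = term[0] if term[0] in "+-~?" else "+"
        body = (term[1:] if term[0] in "+-~?" else term).lower()
        name, _, value = body.partition(":")
        if name == "all" and qualifier in "+?":
            findings.append(f"{term}: every source IP passes or is left unjudged")
        elif name == "ip4" and qualifier == "+":
            networks.append(ipaddress.ip_network(value, strict=False))
        elif name == "include" or body.startswith("redirect="):
            findings.append(f"{term}: delegated policy, audit the target record too")
    # Merge overlapping ranges so each address is counted once.
    merged = ipaddress.collapse_addresses(networks)
    count = sum(net.num_addresses for net in merged)
    if count > max_addresses:
        findings.append(f"ip4 ranges authorize {count} addresses (> {max_addresses})")
    return count, findings

# Constructed sample records (documentation and benchmark address ranges).
SAMPLES = {
    "tight.example": "v=spf1 ip4:192.0.2.0/24 ip4:192.0.2.128/25 -all",
    "broad.example": "v=spf1 ip4:198.18.0.0/15 include:_spf.example.net ~all",
    "open.example": "v=spf1 +all",
}

if __name__ == "__main__":
    for domain, record in SAMPLES.items():
        count, findings = audit_spf(record)
        print(domain, count, findings or "no findings")
```

A record that passes this check can still authorize a shared pool through an included provider, so each reported `include:` target needs the same audit.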
1.2. XI. CONCLUSION
In this paper, we analyzed the systemic risks associated with SPF configurations in the network.
We proposed the BreakSPF attack framework, which enables attackers to efficiently and accurately discover domains with SPF vulnerabilities and launch email spoofing attacks.
We conducted a large-scale BreakSPF experiment based on the Tranco top 1 million domains and found that 23,916 domains were affected by the BreakSPF attack.
Furthermore, we proposed novel cross-protocol attacks that amplify the impact of SPF vulnerabilities.
Our work highlights the vulnerabilities in the email authentication chain and demonstrates that shared infrastructure can magnify these weaknesses.
The current email authentication chain establishes trust based on IP addresses, which may not be an optimal choice.
Therefore, we need to explore better approaches to address the issue of email spoofing.
With the emergence of cloud services, an increasing number of services are being deployed on shared infrastructure, leading to a shift in the trust model and potentially challenging previously established security mechanisms.
We hope this research will raise awareness in the technical community regarding the security of the email authentication chain and the issue of shared infrastructure.