Computer Security Article

An ISP Attacks Its Users

Author: Michael Miora
Published in Carolina Computer News, June 1997

An Overview of Internet Email Services

Many of us are avid users of email. For some of us it is just plain fun; others rely on it for personal and business communications; some of us depend upon it to earn a living. For that reason, we select our Internet Service Provider (ISP) carefully. This article is about one ISP that recently launched an attack against its own users.

Before describing the attack itself, let's first define what an ISP does. Many think that their ISP just gives them access to the Internet - a phone number to call so you can hop on the net. An ISP does do that. However, your ISP also provides you with a host of Internet services, some of which may be almost invisible to you: access to the newsgroups, Internet mail, and others.

Let's take a closer look at Internet mail. Sending and receiving mail via the Internet requires several components. You must have software on your PC to perform the mail functions. You must have a service provider that gets you on the Internet. You need a mail server - a computer that functions as a holding area for your incoming mail until you log into it to pick up your mail - and a computer that you use to send mail to others. These functions may be performed by one server or by two. The receiving server is called a POP server, named for the Post Office Protocol it speaks. The sending server is called an SMTP (Simple Mail Transfer Protocol) server. Some services, such as Sprynet, combine these two functions on one host. In the case of Sprynet, that host has a name like m4.sprynet.com.

Think of these two servers as two types of mailboxes. The POP server is the mailbox at home where you receive mail. The SMTP server is the mailbox on the corner where you drop the letters you are mailing out.

Most home users take advantage of the ISP's POP and SMTP servers. Therefore, if you subscribe to Sprynet, your address will be your_name@sprynet.com. If you subscribe to AOL, your address will be your_name@AOL.com. Your_name is something you select when you first subscribe to the service. The result is that if you change ISPs, your email address will change, requiring you to notify your email partners of your new address, much as you issue change of address notices to your snail mail partners. If you install the software provided by your ISP, this setup will be configured for you automatically.

If you change your home address with regularity, you may consider using a separate address for your snail mail. Some choose Post Office Box addresses so that when they move from 123 Main Street #104 to 654 First St. #2, their PO Box address remains the same. Similar services have become available for email. One service even uses the PO Box metaphor, so that addresses look like your_name@pobox.com. In this case, you will not want to use your ISP's address as your email address; you will want to use this third-party address instead. You can accomplish this easily: you tell your software how you want your return address to appear when you send email, and the rest is automatic. Separately, you tell your software which POP server, SMTP server and ISP to use for the connection; the return address and the servers are independent settings.

This flexibility is an integral part of the Internet email system. Other Internet services have the same kind of flexibility. For example, access to the Internet Newsgroups is accomplished using a server provided by the ISP. You connect to that server, which carries all the Newsgroups to which your ISP subscribes. If your ISP does not subscribe to a specific group, you will be unable to see that group using your ISP's server.

The Denial of Service Attack

Until last month, I used Sprynet as my ISP. They provided me with SMTP services - I have my own POP server - and Newsgroup services. This means that instead of using an address like mmiora@sprynet.com, I used the address mmiora@miora.com. My own POP server collects my mail addressed to my domain name. However, I still used Sprynet's SMTP server to send mail.

Sometime last month, at a time and date nobody at Spry could or would divulge, Spry instituted a new policy: server access would be denied to anybody using a return address other than "@sprynet.com". This covered the SMTP and Newsgroup servers, along with unspecified other servers. In other words, the fact that I used mmiora@miora.com instead of mmiora@sprynet.com as my return address caused the Sprynet systems to deny me service, even though my account was in good standing and I was doing nothing different from what I had done regularly and successfully in the past.

The result of this unannounced policy change was that anyone with either his/her own domain name or another external, ISP-independent address lost e-mail, newsgroup, and other unspecified services. We received unintelligible error messages from the Newsgroup servers. We received occasional e-mail returns with the message, "External server access denied." Not all e-mail was returned this way; some was simply discarded. In all cases, the time-to-return was unpredictable, in some cases exceeding 12 hours.

It is important to note that this denial of email service was suffered by Sprynet subscribers in good standing, using the mail system in normal ways. The users who were cut off made no changes to their systems; the changes were made by Sprynet. Many people had no idea how to solve their problems - some were not even aware that their mail had not been sent.

Trying to Solve the Problem

When the errors began occurring regularly, I tried contacting Spry technical support and customer service. The long distance numbers had wait times estimated at 20-30 minutes, with real wait times often exceeding 45 minutes. I connected to the IRC channel "chat.sprynet.com#spryhelp" and learned of this new policy. There had been no policy announcement and no opportunity for users to find alternative methods. The policy had simply been changed.

When I explained the implications, the online customer service or technical support personnel replied: "Sorry, those are the rules. We are not responsible."

They are quite correct: they were not acting responsibly. This unannounced change to a production system was a de facto denial of service attack on many legitimate users. Spry's explanation was that their SMTP and Newsgroup servers were being used by non-Sprynet subscribers and that this rule-based "authentication" was their only way of eliminating unauthorized use, given that these servers did not support log-in protocols. But a return address is a string the sender types into his own software. Checking it neither proves that the sender is a subscriber nor keeps out an outsider who simply claims an @sprynet.com address; it only locks out the honest subscribers who configured a different address.

Their attempt to authenticate users caused the loss of email services to legitimate users. Denial of service is one of the three basic security risks (along with compromise and spoofing, a topic for another article). Spry, in effect, launched a denial of service attack against its own customers. When informed of this, they refused to stop the attack.
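The following is an added example, not code from the article or from Sprynet, that makes the two preceding points concrete: the email setup described earlier (the return address is a client-side setting independent of which SMTP server is used) and the "rule-based authentication" Spry adopted. It simulates, at the SMTP command level, an outgoing mail server that applies Spry's rule (relay only if MAIL FROM ends in @sprynet.com) beside one that decides on whether the client logged in. The log-in mechanism itself (for example POP-before-SMTP or an SMTP authentication extension) is assumed, not something the article says Spry had; the host names, addresses and sessions are constructed.

```python
"""Toy SMTP relay policy: address-based rule vs. authenticated-session rule.

Added illustration, not Sprynet's software. Session data below is constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

HOME_DOMAIN = "sprynet.com"  # the ISP's own domain, as in the article

Reply = Tuple[int, str]  # SMTP reply code and text


@dataclass
class Session:
    """One client connection to the ISP's outgoing (SMTP) server."""
    remote_host: str
    mail_from: str                              # what the client puts in MAIL FROM:<...>
    authenticated_user: Optional[str] = None    # set only if the client logged in
                                                # (assumed mechanism, e.g. POP-before-SMTP)


def address_policy(s: Session) -> Reply:
    """Spry's rule as the article describes it: accept only an @sprynet.com
    return address. MAIL FROM is chosen by the client, so this is a string
    compare on a spoofable value, not authentication."""
    domain = s.mail_from.rpartition("@")[2].lower()
    if domain == HOME_DOMAIN:
        return 250, "OK"
    return 550, "External server access denied"


def auth_policy(s: Session) -> Reply:
    """Decide on who proved their identity, not on what they typed."""
    if s.authenticated_user is None:
        return 530, "Authentication required"
    return 250, "OK"


def smtp_exchange(s: Session, policy: Callable[[Session], Reply]) -> List[str]:
    """Return the client/server dialogue up to the policy decision on MAIL FROM."""
    lines = [
        f"S: 220 {HOME_DOMAIN} SMTP",
        f"C: HELO {s.remote_host}",
        f"S: 250 {HOME_DOMAIN}",
        f"C: MAIL FROM:<{s.mail_from}>",
    ]
    code, text = policy(s)
    lines.append(f"S: {code} {text}")
    if code == 250:
        lines += ["C: RCPT TO:<someone@example.org>", "S: 250 OK"]
    else:
        lines += ["C: QUIT", "S: 221 Bye"]  # message never leaves the client
    return lines


# Constructed sample sessions (not captured traffic).
SUBSCRIBER_OWN_DOMAIN = Session("dialup-17.sprynet.com", "mmiora@miora.com",
                                authenticated_user="mmiora")   # subscriber, own domain
SUBSCRIBER_ISP_ADDR = Session("dialup-17.sprynet.com", "jane@sprynet.com",
                              authenticated_user="jane")       # subscriber, ISP address
OUTSIDER_SPOOFING = Session("relay.elsewhere.net", "anyone@sprynet.com")  # never logged in
ALL_SESSIONS = [SUBSCRIBER_OWN_DOMAIN, SUBSCRIBER_ISP_ADDR, OUTSIDER_SPOOFING]


def compare_policies(sessions: List[Session]) -> Dict[str, Tuple[int, int]]:
    """Map each return address to (address_policy code, auth_policy code)."""
    return {s.mail_from: (address_policy(s)[0], auth_policy(s)[0]) for s in sessions}


if __name__ == "__main__":
    for s in ALL_SESSIONS:
        print(f"--- {s.mail_from} (logged in: {s.authenticated_user is not None})")
        print("\n".join(smtp_exchange(s, address_policy)))
    print(compare_policies(ALL_SESSIONS))
```

Under the address rule the paying subscriber using his own domain gets "550 External server access denied" while the outsider who merely claims an @sprynet.com address is relayed; under the session rule the results are reversed. The rule Spry chose is a policy on a field the user controls, which is why it produced both false positives (the article's victims) and false negatives (the relay abuse it was meant to stop).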

User Beware

Spry has made its decision. The point here is not simply to decry Spry's policy; the idea is to highlight the potential for security breaches even when hackers and crackers are not involved. In this case, the ISP was the problem. In other cases, the ISP may be the solution. In all cases, the user must be aware of the risks and be ever vigilant - Caveat Emptor on the Information Superhighway.

Updated Spring, 2002 by webloke © Stephen Cobb
Some article content reprinted by permission.
Article content copyright named author(s).