Monday, August 6, 2012

Human Denial of Service using One Time Spam

The Krebs on Security blog reports of a new service offered by hackers. The service floods an individual with garbage communications in an effort to prevent the victim from being able to receive and process valid communications. Such an attack is effectively a Denial-of-Service attack on humans - or an HDoS attack. One possible goal of such an attack is to prevent a person from receiving notification of some other action that the attacker has done, such as resetting the person's password, which in many systems causes an email to be sent to that person.
This new form of attack is interesting in many ways, but I'd like to focus on the usage of one-time spam as the mechanism used to flood the target's email account.

Contemporary spam filters are quite good at filtering out spam. Yet these hackers are able to get thousands of junk emails through the best spam filters. Krebs and other commentators wondered whether these hackers have found some way to circumvent the spam filters.

The answer is no. These HDoS hackers don't need to circumvent the spam filters because the junk email they're sending isn't really spam.

Spam is a situation where a single message is sent to many email addresses. The email used to deliver the message may be personalized, but the message must be the same because the goal of spam is to offer a single product or service to many people.

Spam filters rely on the fact that the same spam email (with possibly minor changes) gets sent to many email accounts. When a spam filter recognizes a pattern across a large volume of email sent to the accounts it monitors, it decides this is spam and filters it for all email accounts (unless the mails are from a whitelisted source).

The junk email used by the HDoS hackers isn't spam - it's a targeted attack against a single user. So the junk email generator used here can generate truly unique emails that are not sent to any other user - and there's no way for the spam filters to recognize this as spam. Such unique junk emails can be called "One-Time Spam" - and much like one-time pads [Wikipedia], they are invincible.

We've discussed variants of the classic Turing test in previous posts. The classic Turing test is interactive - the evaluator presents various challenges and uses the responses to identify if the responder is a human or a machine. But one can define a non-interactive Turing test in which the evaluator doesn't present any challenges and receives a single message - and needs to evaluate if the source of the message is human or a machine.

It is not difficult to create a machine that can pass a non-interactive Turing test - and this is all a one-time spam generator needs to do.

Alternatively, the HDoS hackers can use crowdsourcing - simply intercepting real emails being sent over the internet and using each such email once as a junk email. This is no longer strictly one-time spam, but the chances of a spam filter identifying such a mail as spam are close to zero - and the HDoS hacker only needs some of his junk emails to pass the filter.

HDoS attacks can't be prevented based on the content of the junk email, but there are other methods that can be used to identify such an attack and filter out the offending mail. The most trivial technique is checking whether a mail account is receiving a very large number of emails from a single source address. This is the main technique used to prevent classic DoS attacks - and it can similarly be circumvented by using multiple source computers, as in a distributed denial of service (DDoS) attack.
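As an added example (not code from the post), here is the single-source check described above, run over constructed mail-log lines with a sliding time window. It also goes one step further than the post: a per-recipient aggregate count that fires even when the flood is spread across many source addresses, which is the DDoS variant the single-source check misses. The log format, thresholds and window size are assumptions chosen for the example.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime


def build_sample_log():
    """Constructed sample log, one line per delivered message: 'ISO-time sender recipient'."""
    lines = ["2012-08-06T10:00:00 alice@example.org bob@example.com",
             "2012-08-06T10:00:30 carol@example.org bob@example.com"]
    # Single-source flood: 6 messages in 30 seconds from one sender address.
    lines += [f"2012-08-06T10:01:{i * 5:02d} bulk@junk.test victim1@example.com"
              for i in range(6)]
    # Distributed flood: 12 messages in under a minute, each from a different address.
    lines += [f"2012-08-06T10:02:{i * 5:02d} u{i}@relay{i}.test victim2@example.com"
              for i in range(12)]
    return lines


def detect_hdos(lines, window_s=60, per_sender=5, per_recipient=10):
    """Sliding-window rate checks per recipient; returns {recipient: set(reasons)}.

    'single-source' is the post's check: too many mails from one sender address.
    'aggregate' is the added check: too many mails in total, whatever the sources,
    so a flood spread over many senders is still caught.
    """
    recent = defaultdict(deque)   # recipient -> deque of (timestamp, sender) in window
    alerts = defaultdict(set)
    for line in lines:
        ts_str, sender, rcpt = line.split()
        ts = datetime.fromisoformat(ts_str)
        window = recent[rcpt]
        window.append((ts, sender))
        # Drop messages older than the window (log lines are assumed time-ordered).
        while (ts - window[0][0]).total_seconds() > window_s:
            window.popleft()
        by_sender = Counter(s for _, s in window)
        if by_sender[sender] >= per_sender:
            alerts[rcpt].add("single-source")
        if len(window) >= per_recipient:
            alerts[rcpt].add("aggregate")
    return dict(alerts)


if __name__ == "__main__":
    for rcpt, reasons in detect_hdos(build_sample_log()).items():
        print(rcpt, sorted(reasons))
```

On the sample log, bob@example.com is not flagged, victim1 trips only the single-source check, and victim2 trips only the aggregate check.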

HDoS and One-Time Spam are nonregistered trademarks of the Good Enough Security blog :-)

1 comment:

  1. If the emails are generated by an algorithm can they really be called "one-time"? Presumably to be truly one-time they would need to be based on a true random number generator and hence be recognizable based on the nonsense and then fail your non-interactive Turing test. In any case, ever since I was a kid I wondered why criminals and terrorists don't use these kinds of denial of service attacks. If I'm going to rob a bank, why not have an accomplice make multiple calls to the police to notify that all of the banks in the city are being robbed at the same time?