
Tuesday, February 24, 2009

Thinking about reputation services

One of the most popular methods of blocking spam these days is to use a device which implements a reputation service. Unfortunately, there is a significant issue with these types of services. With a little research, a spammer could effectively bypass this protection or pollute the reputations of so-called "good" hosts.

A short description of how reputation services work, and then a breakdown of the failure spot after the break.

Reputation services work on a simple principle: they keep a list of hosts and their respective reputations, and they perform actions based on the reputation of the connecting host. This system "trains" like a Bayesian filter does--hosts can improve or decline in status over time. Typically this is augmented with a service which updates this host list.

The two important points to keep in mind here are that a) they track IP addresses, and b) they use training.

A brief sidebar to talk about the Internet Protocol (IP). IP packets can become fragmented for various reasons, including intentionally. The IP specification has a method to re-assemble these fragmented packets:

To assemble the fragments of an internet datagram, an internet
protocol module (for example at a destination host) combines
internet datagrams that all have the same value for the four fields:
identification, source, destination, and protocol. The combination
is done by placing the data portion of each fragment in the relative
position indicated by the fragment offset in that fragment's
internet header. The first fragment will have the fragment offset
zero, and the last fragment will have the more-fragments flag reset
to zero.

The important section there is "placing the data portion of each fragment in the relative position indicated by the fragment offset". In other words, each fragment gets to determine where it starts. By specially crafting packets, it is possible to forge the source and destination IP addresses, but this is only evident if the packets are re-assembled. If you are running at high volume, packet re-assembly is expensive.
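
The reassembly rule quoted above, as an added example that is not part of the original post: a small reassembler that places each fragment's data at its offset and reports fragments that overlap bytes already received. The function name, the tuple layout, the keep-first-copy policy and the sample fragments are assumptions made for illustration.

```python
# Added example: RFC 791 reassembly with overlap reporting.
# Fragment tuples below are constructed sample data, not captured traffic.

def reassemble(fragments):
    """Reassemble one datagram's fragments and report overlaps.

    fragments: (offset_units, more_fragments, data) tuples that already share
    identification, source, destination and protocol, in arrival order.
    offset_units is the header's fragment offset field (8-byte units).
    Returns (payload, findings); payload is None while bytes are missing.
    """
    placed = {}        # byte position -> value of the first copy received
    total_len = None   # known once the fragment with more-fragments = 0 arrives
    findings = []
    for index, (offset_units, more_fragments, data) in enumerate(fragments):
        start = offset_units * 8
        if more_fragments and len(data) % 8:
            raise ValueError(f"fragment {index}: non-final data not a multiple of 8 bytes")
        if not more_fragments:
            total_len = start + len(data)
        seen = conflict = False
        for pos, value in enumerate(data, start):
            if pos in placed:
                seen = True
                conflict = conflict or placed[pos] != value
            else:
                placed[pos] = value   # assumption: keep the first copy on overlap
        if seen:
            findings.append((index, start, "conflicting" if conflict else "identical"))
    if total_len is None or any(pos not in placed for pos in range(total_len)):
        return None, findings
    return bytes(placed[pos] for pos in range(total_len)), findings


CLEAN = [(1, True, b"B" * 8), (0, True, b"A" * 8), (2, False, b"CC")]   # out of order
OVERLAP = [(0, True, b"A" * 16), (1, True, b"X" * 8), (2, False, b"CC")]
INCOMPLETE = [(0, True, b"A" * 8), (2, False, b"CC")]

if __name__ == "__main__":
    for name, frags in (("clean", CLEAN), ("overlap", OVERLAP), ("incomplete", INCOMPLETE)):
        print(name, reassemble(frags))
```

A "conflicting" finding is the case to log or drop, since two fragments disagree about the same bytes; an "identical" finding is a repeated copy of data already held.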

Here's the potential problem: if you have a reputation service (which, by definition, needs to handle high volume), it could easily fall prey to clever spammers using IP fragmentation to bypass or pollute the reputation data. If they were truly evil, they would deliberately ruin the reputation of valid, non-spamming organizations.

Worse still, most of these reputation devices communicate back to a central reputation store, so it would be possible to create a denial of service against certain organizations: the ruined reputation now propagates out to other subscribers of the service.

Defense in depth is the only strategy that truly works long term.
