s-o-1036 June 1994
11.2. Attacks
Although the limitations of the medium restrict what can be
done to attack a host via news, some possibilities exist,
most of them problems news shares with mail.

If reading agents are careless about transmitting
non-printable characters to output devices, malicious posters
may post articles containing control sequences
("letterbombs") meant to have various destructive effects on
output devices. Possible effects depend on the device, but
they can include hardware damage (e.g. by repeated writing of
values into configuration memories that can tolerate only a
limited number of write cycles) and security violation (e.g.
by reprogramming function keys potentially used by
privileged readers).
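
One way a reading agent can exercise the care described above,
shown as an added example that is not part of the original draft:
every control character other than newline and tab is rewritten
into a visible, inert form before display. The function names, the
pass-through set and the sample article body are assumptions made
for the illustration.

```python
import unicodedata

# Controls passed through unchanged (assumption: a line-oriented
# pager that needs only newline and tab).
SAFE_CONTROLS = {"\n", "\t"}

# Constructed sample body: a CSI sequence, an OSC sequence ended by
# BEL, and an 8-bit C1 control (U+009B) encoded as UTF-8.
CONSTRUCTED_BODY = (
    b"Hello\r\n"
    b"\x1b[2Jcleared\r\n"
    b"\x1b]0;title\x07\r\n"
    b"8-bit \xc2\x9b31m\r\n"
)

def neutralize(ch):
    """Return a harmless visible form of one control character."""
    cp = ord(ch)
    if cp < 0x20:
        return "^" + chr(cp + 0x40)   # ESC (0x1b) becomes ^[
    if cp == 0x7F:
        return "^?"                   # DEL
    return "\\x%02x" % cp             # C1 range, e.g. CSI (0x9b)

def sanitize_article(raw, charset="utf-8"):
    """Decode article bytes and make every control character inert.

    Returns (safe_text, count); count is the number of characters
    rewritten, so the reader can flag a suspicious article.
    """
    text = raw.decode(charset, errors="replace")
    text = text.replace("\r\n", "\n")  # a lone CR is still escaped
    out, count = [], 0
    for ch in text:
        if ch not in SAFE_CONTROLS and unicodedata.category(ch) == "Cc":
            out.append(neutralize(ch))
            count += 1
        else:
            out.append(ch)
    return "".join(out), count

if __name__ == "__main__":
    safe, n = sanitize_article(CONSTRUCTED_BODY)
    print(safe, end="")
    print("%d control character(s) neutralized" % n)
```

Filtering after decoding matters: the 8-bit C1 controls are single
bytes in ISO 8859-1 but two-byte sequences in UTF-8, so a filter
that only inspects raw bytes below 0x20 would miss them.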

A more sophisticated variation on the letterbomb is
inclusion of "Trojan horses" in programs. Obviously, readers
must be cautious about using software found in news, but
more subtly, reading agents must also exercise care. MIME
messages can include material that is executable in some
sense, such as PostScript documents (which are programs!),
and letterbombs may be introduced into such material.

Given the presence of finite resources and other software
limitations, some degree of system disruption can be
achieved by posting otherwise-innocent material in great
volume, either in single huge articles (see section 4.6) or
in a stream of modest-sized articles. (Some would say that
the steady growth of Usenet volume constitutes a subtle and
unintentional attack of the latter type; certainly it can
have disruptive effects if administrators are inattentive.)

Systems need some ability to cope with surges, because
single huge articles occur occasionally as the result of
software error, innocent misunderstanding, or deliberate malice,
and downtime at upstream hosts can cause droughts, followed
by floods, of legitimate articles. (There is also a certain
amount of normal variation; for example, Usenet traffic is
noticeably lighter on weekends and during Christmas
holidays, and rises noticeably at the start of the school term
of North American universities.) However, a site that
INTERNET DRAFT to be NEWS sec. 11.2
normally receives little traffic may be quite vulnerable to
"swamping" attack if its software is insufficiently careful.

In general, careless implementation may open doors that are
not intrinsic to news. In particular, implementation of
control messages (see sections 6.6 and 7) and unbatchers
(see sections 8.1 and 8.2) via a command interpreter requires
substantial precautions to ensure that only the intended
capabilities are available. Care must also be taken that
article-supplied text is not fed to programs that have
escapes to command interpreters.

Finally, there is considerable potential for malice in the
sendsys, version, and whogets control messages. They are
not harmful to the hosts receiving them as news, but they
can be used to enlist those hosts (by the thousands) as
unwitting allies in a mail-swamping attack on a victim who
may not even receive news. The precautions discussed in
section 7.5 can reduce the potential for such attacks
considerably, but the hazard cannot be eliminated as long as
these control messages exist.