A denial-of-service attack depends on asymmetry between attacker and victim. This is the leverage: when bad guys can expend a small amount of effort to cause the good guys to spend large amounts of resources, there is leverage that can lead to a DoS vulnerability. Any feature that creates such leverage increases risk for the system.Distribution lists are a prime example of leverage. One email from the sender morphs into hundreds or even thousands of messages destined for unsuspecting recipients’ inboxes. That is partly the reason Exchange allows controlling the users authorized to send email to a given DL. It is a good idea to restrict this to a small number of users in the case of large distribution lists. What happens when you don’t will be remembered as the infamous “Bedlam 3” debacle in Microsoft lore dating back to the late 1990s. (No wonder the old-timers who were around Bedlam– and it was remarkable enough to inspire its own tshirt with the slogan “I survived Bedlam 3”– were having a deja vu moment with the Blue Hat announcement.) As recounted in this entry from the Exchange team blog, Bedlam resulted from the interaction of an unrestricted DL with predictable human reactions to respond to spam with more spam commentary, some of it even urging other users to stop spamming the alias.
A distribution list with N users gives the attacker a leverage factor of N. For 1 message sent by the attacker, the system works N times as hard, using up roughly N times the storage space. (Interesting enough, the bandwidth requirements within one enterprise do not scale linearly because the system is intelligent enough to optimize delivery across different servers using a single copy.) That is not a bad starting point for a DoS attack: imagine sending a sizable message– perhaps containing an attachment such as image or video– to a very large DL with thousands of users, assuming you can find that misconfigured DL. But it does not work; in most cases only a single instance of that large attachment is stored for all the users sharing the same Exchange server.
But the experiment on Thursday proved one can do substantially better. Sending a message from the alias itself and requesting recall notifications– which are going to be delivered to the same alias, of course– broke new ground. Every one of those N users on the distribution list are going to get a status message for every one of the other N users. That’s N-square or quadratic leverage, achieved at a remarkable economy with only two messages. And 2K * 2K == 4 million messages is exactly what would have been exchanged if it were not for the fact that IT department stepped in after the backlogs grew out of control, legitimate email traffic slowed to a crawl and one of the Exchange servers pegged its memory.
Wreaking havoc on the enterprise scale with 2 messages ? Now that is an accomplishment worthy of its own Black Hat session.