
Re: [Asrg] DNS-based Email Sender Authentication Mechanisms: a Critical Review

2009-06-02 02:46:40
On Tue, Jun 2, 2009 at 1:02 AM, Douglas Otis <dotis(_at_)mail-abuse(_dot_)org> 
wrote:
...

Defensive solutions for TCP cannot cope with the attack levels that might
be created by a small bot-net.  TCP quickly suffers from resource
exhaustion.  DNS over UDP avoids this propensity.  However, the brute
strength of DNS over UDP can be leveraged to attack other network
infrastructure, and perhaps overwhelm resource capacity.  This is especially
a concern when an MTA authorization protocol ignores UDP exponential
back-off and then prematurely initiates additional transactions.  This is
made even more destructive when message recipients generate an order of
magnitude more transactions transformed by message local-parts directed
toward any victim from fully cached DNS records.  This provides for free
DDoS attacks while spamming.  These attacks might also be used to instigate
DNS cache poisoning.


Right. Furthermore, I think the discussion began when Doug mentioned the
concerns with abuse of SPF validation by receiving MTA/MDA/MUAs (in fact,
suggesting I'll expand on this risk, which I mentioned in my review article,
but I agree, not in sufficient detail). These abuses involved DDoS as well
as DNS poisoning (a la Kaminsky).

I think it is important to remember that all these solutions discussed later
in this thread (DNS-sec, DNS over TCP, DNS over SCTP, etc.), are long-term
solutions; i.e., as long as most of the Net continues using DNS over UDP (at
least as one or even default option), and not yet adopting DNS-sec, these
risks remain; I refer to the risks due to fully RFC-compliant SPF validation
by MTA/MDAs (and MUAs, although I'm not sure this qualifies as RFC
compliant).
-- 
Amir Herzberg
Associate Professor, Dept. of Computer Science
Bar Ilan University
http://AmirHerzberg.com
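To make the resource-exhaustion point above concrete from the receiving side, here is a small checker, added for this archive page and written by neither Doug nor Amir nor taken from any SPF implementation. It takes an already-fetched SPF TXT record string, counts the terms that require DNS lookups against the 10-lookup limit of RFC 4408 section 10.1, and flags macros that expand per message (the local-part %{l} and sender %{s}), which is exactly what defeats caching and lets each spam recipient be turned into a fresh query toward a third party. The sample records and the names a.example ... j.example and ns.victim.example are constructed placeholders, and should_evaluate is one possible receiver policy, not something the RFC prescribes.

```python
import re

# RFC 4408 section 10.1: evaluating a record must not need more than 10 DNS
# lookups for these mechanisms plus the "redirect" modifier; beyond that the
# result is PermError.
MAX_LOOKUPS = 10
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Macros that expand per message rather than per domain: the local-part
# (%{l}) and the whole sender address (%{s}). Names built from them are
# almost never already cached, so every message costs an uncached query.
PER_MESSAGE_MACRO = re.compile(r"%\{[ls]", re.IGNORECASE)


def analyze_spf(record):
    """Return lookup count and abuse flags for one SPF TXT record string."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version-1 record")
    lookups = 0
    per_message_terms = []
    for term in terms[1:]:
        body = term.lstrip("+-~?")                      # drop the qualifier
        name = re.split(r"[:=/]", body, maxsplit=1)[0].lower()
        if name in LOOKUP_TERMS:
            lookups += 1
        if PER_MESSAGE_MACRO.search(body):
            per_message_terms.append(term)
    return {
        "lookups": lookups,
        "exceeds_limit": lookups > MAX_LOOKUPS,
        "per_message_terms": per_message_terms,
    }


def should_evaluate(record):
    """Hypothetical receiver policy: only evaluate records that stay within
    the lookup limit and contain no per-message macros; anything else is
    treated as PermError without issuing the queries."""
    info = analyze_spf(record)
    return not info["exceeds_limit"] and not info["per_message_terms"]


# Constructed sample records (not from the thread). The second one pairs a
# per-message "exists" lookup aimed at an unrelated name server with enough
# includes to exceed the RFC limit.
ORDINARY = "v=spf1 ip4:192.0.2.0/24 a mx include:_spf.example.net -all"
AMPLIFYING = ("v=spf1 exists:%{l}.%{d}.ns.victim.example "
              "include:a.example include:b.example include:c.example "
              "include:d.example include:e.example include:f.example "
              "include:g.example include:h.example include:i.example "
              "include:j.example -all")

if __name__ == "__main__":
    for rec in (ORDINARY, AMPLIFYING):
        print(analyze_spf(rec), "evaluate:", should_evaluate(rec))
```

The check runs before any lookup other than fetching the record itself, so a validator that applies it spends at most one query on a hostile domain instead of one per mechanism per message. Real deployments should also apply the UDP back-off and per-source rate limits mentioned earlier in the thread, since a record can stay under the limit and still be expensive.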
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg