ietf-mailsig

Re: Question about fenton-identified-mail-01

2004-10-25 08:34:59

Cullen Jennings writes:
Consider an attacker that harvested say 10^4 email addresses from the
cisco.com domain. The attacker then generated 10^4 fake emails from each of
these users and sent them to 10^3 email lists. This attack could be done in
a few minutes from a compromised typical web server. If each of these lists
multiplied to 10^3 different people and I make the big assumption that these
lists were well chosen on different topics such that only 10% of the people
were on more than one of the lists.

This leads to 10^4*10^3*10^3*0.1 = 10^9 hits on the server over a few
minutes. This may be no big deal, it is only a magnification of 100 over the
attacker's requests. However, any magnification at all is concerning.

Note that it would only be true if they were:

1) Unique requestors
2) Not going through a web cache.

Both of these seem sort of unlikely (especially the first).
Mail has a tendency to be handled by pretty big inbound
gateways these days, not individual users listening to SMTP.
But honestly if you really wanted to crater a KRS or DNS,
why bother going through all of this trouble? Just get your
zombie army to take it out directly, just like it can take
out any servers it wants to today?

        Mike

