ietf-mxcomp

RE: Will SPF/Unified SPF/SenderID bring down the 'net?

2004-06-29 10:08:14

On Tue, 2004-06-29 at 03:53, Hallam-Baker, Phillip wrote:
80,000 spambots? Possible yes. Easy no way.

At 50 attacks a second this attack has revealed the ip addresses of the
entire cluster in half an hour.

How? You make this assertion but provide no methods as to how these
machines are to be identified.  The attack would not exist without
legitimate machines also making requests.  How do you go about
separating the wheat from the chaff?

It would be much easier to simply ddos the recipient's public dns and make
them unreachable. That would require far fewer bots and would not require
the bots to use tcp and thus reveal their location. I doubt that many dns
servers outside core dns can survive a ddos attack from a hundred or so
broadband bots.

That is not the purpose of the attack however.

Even under these assumptions the attacker can only ddos 800 sites at once
with this cluster.

More machines will be offline for non-attack reasons.

Is this your way of saying it does not matter?

<snip>
So a DDoS attack on your own ability to send email. This can
be addressed by a security consideration. If you have to resolve
more than X records then consider the data spurious and reject
the mail.

Let me ask this again regarding the number of record indirections.  Do
you see a problem if there are on average 1.1 record indirections?  How
about 1.6,  2.1?  With these average indirections, what are the recursion
limits to resolve a permitted transversal path?  What algorithm defines
loop detection, tree pruning, etc?  What is the result if the tree is
pruned?

Exactly.  The goal would be to slow reception and thereby allow greater
distribution to a larger array of servers.  What is this limit?  What is
the average number of references to other domains?
<snip>

-Doug
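
Added example, not part of the original message or of any SPF implementation: one way to make the "more than X records" rule and the loop-detection question above concrete, by walking include/redirect indirections with a lookup budget. The zone data is constructed, the names walk and SpfBudgetError are hypothetical, X = 10 is an assumed value, and rejecting the whole tree instead of pruning it is a design choice of this sketch.

```python
import re

# Constructed sample zone data (no real domains): name -> SPF TXT record.
SAMPLE_TXT = {
    "ok.example": "v=spf1 ip4:192.0.2.0/24 include:esp.example -all",
    "esp.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "loop-a.example": "v=spf1 include:loop-b.example -all",
    "loop-b.example": "v=spf1 include:loop-a.example -all",
    "wide.example": "v=spf1 "
    + " ".join(f"include:n{i}.example" for i in range(12)) + " -all",
}
SAMPLE_TXT.update({f"n{i}.example": "v=spf1 -all" for i in range(12)})


class SpfBudgetError(Exception):
    """The record tree is treated as spurious; the caller rejects the mail."""


def walk(domain, txt, max_lookups=10):
    """Follow indirections from `domain`; return (ip_terms, lookups_used)."""
    state = {"lookups": 0}
    ips = []

    def visit(name, path):
        # Loop detection: the name is already on the chain being resolved.
        if name in path:
            raise SpfBudgetError("loop: " + " -> ".join(path + (name,)))
        record = txt.get(name)
        if record is None or not record.startswith("v=spf1"):
            raise SpfBudgetError(f"no SPF record for {name}")
        for term in record.split()[1:]:
            term = term.lstrip("+-~?")  # drop the qualifier
            if term.startswith(("include:", "redirect=")):
                # Every indirection costs one query against the budget,
                # counted across the whole tree, not per branch.
                state["lookups"] += 1
                if state["lookups"] > max_lookups:
                    raise SpfBudgetError(f"more than {max_lookups} lookups")
                target = re.split(r"[:=]", term, maxsplit=1)[1]
                visit(target, path + (name,))
            elif term.startswith(("ip4:", "ip6:")):
                ips.append(term)

    visit(domain, ())
    return ips, state["lookups"]
```

Because the budget is global to the evaluation, a receiver's worst-case query count per message is bounded by X regardless of how wide or deep the sender's record tree is.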