Doug, I don't have time for long discussion. But I'm telling you that
SPF has nothing to do with it and I can use either of "MX", "SRV" or
"NS" to generate similar amplification scenarios as you've done with
SPF using the same method. In fact CSV (as far as I remember it) would
cause a higher amount of amplification than SPF when the bad guy controls the
domain put in EHLO and decides to play special DNS games with that name.
And in exactly the same way as you did it would generate 10:1 DNS traffic
amplification (SPF scenarios are basically 10:1 amplification after throwing
away all the extras).
On Thu, 9 Nov 2006, Douglas Otis wrote:
On Nov 9, 2006, at 12:52 PM, william(at)elan.net wrote:
On Thu, 9 Nov 2006, Douglas Otis wrote:
to select an array of MX RR sets. The script defines the record set, but
in converse a record does not define the set comprising the script.
Processing the script includes initial parameters not found in any SPF
record as well.
I've examined this issue over the last few days. This all has nothing to do
with SPF but with DNS in general, in which Doug's SPF use is just an
example of a range of similar attacks.
SPF script is able to target many DNS transactions per each distributed
message. The number of executions depends upon the number of names being
resolved, recipients, and instances within the path where an evaluation is
performed.
The underlying problem is really that if spammers have a large collection of
zombies under their control they can use them either directly to
launch an attack (and spam is a form of DoS too!) or indirectly to get
others to do something similar with some additional level of
amplification (about 1-20 depending on the complexity of the DNS scheme).
One execution of the SPF script can generate 64 kbytes of DNS traffic
without consuming the resources of an attacker. Few attack strategies offer
a scenario that is totally free to the attacker who is also interested in
sending spam. : (
They don't really need SPF for that at all.
When ACL restrictions on DNS and BCP38 become common, SPF still defeats
these protective strategies. : (
I need to work more on the numbers and examples and also unlike Doug I've
an issue with just publicly saying how to do all that - this would be just
way too useful for bad guys.
Providing details was done by request as there remained a lack of
understanding of the concern. Don't underestimate the sophistication of
those creating the Bot-nets now responsible for the major portion of the
current spam. A DDoS attack only needs to be done for a brief period of
time to enable yet other exploits.
It seems best not to confuse the term script with that of record. They
are truly different elements.
cert-test.mail-abuse.org. IN TXT "v=spf1
mx:0.%{l}.%{d} mx:1.%{l}.%{d} mx:2.%{l}.%{d}
mx:3.%{l}.%{d} mx:4.%{l}.%{d} mx:5.%{l}.%{d}
mx:6.%{l}.%{d} mx:7.%{l}.%{d} mx:8.%{l}.%{d}
mx:9.%{l}.%{d} ?all"
Could someone kindly point me to a workable CSV library so that I could
provide Doug with an example of using CSV to generate a higher amount of
amplification than his assertions about SPF?
An SMTP client is unique at each stage of delivery. Validating SMTP clients
requires one small DNS transaction using either A or CSV records. While
each recipient might perform this transaction, gain is less than 1. SMTP
client validation transactions cannot be redirected to a victim and still
offer validation as can SPF. In addition, subsequent stages of delivery
will not provide amplification as it will for SPF evaluations, which
precludes gain related to multiple recipients. Multiple recipient gain
remains a concern for SPF.
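The receiver-side control on the behaviour argued over in this thread is the DNS lookup budget that RFC 4408 section 10.1 (and later RFC 7208) requires SPF evaluators to enforce: at most 10 DNS-querying mechanisms or modifiers per check, at most 10 MX RRs examined per "mx" mechanism, and a PermError once the limit is exceeded. The following is an added example written for this page, not code from either author or from any SPF library. It expands the %{l} and %{d} macros used in the quoted cert-test.mail-abuse.org record (plus a few other common macros), lists the names each "mx" term would query, and totals the worst-case query count before any lookup is sent. The sender address, the IP and the HELO name are constructed inputs, and no real DNS is queried. Note that the quoted record with ten "mx" terms sits exactly at the limit; an eleventh term is what turns it into a PermError.

```python
"""Receiver-side SPF lookup budget check (added example, not the thread's code).

Assumptions (constructed, not from the thread): sender address, client IP and
HELO name are sample values; nothing is resolved. The limits are the ones
RFC 4408 section 10.1 requires of evaluators.
"""
import re

# Mechanisms/modifiers whose evaluation costs a DNS query (RFC 4408 sec. 10.1).
DNS_QUERYING = {"mx", "a", "include", "exists", "ptr", "redirect"}
MAX_DNS_MECHANISMS = 10   # DNS-querying terms allowed per SPF check
MAX_MX_RECORDS = 10       # MX (or PTR) RRs examined per mechanism

# %{<letter><digits><r><delimiters>} per RFC 4408 section 8 (subset: no URL escaping of letters)
MACRO_RE = re.compile(r"%\{([slodipvh])(\d*)(r?)([.\-+,/_=]*)\}")

# The record quoted in the thread, as one string (constructed copy of the quoted text).
THREAD_RECORD = (
    "v=spf1 "
    "mx:0.%{l}.%{d} mx:1.%{l}.%{d} mx:2.%{l}.%{d} "
    "mx:3.%{l}.%{d} mx:4.%{l}.%{d} mx:5.%{l}.%{d} "
    "mx:6.%{l}.%{d} mx:7.%{l}.%{d} mx:8.%{l}.%{d} "
    "mx:9.%{l}.%{d} ?all"
)


def expand_macros(text, sender, ip="192.0.2.1", helo="mail.example.net"):
    """Expand SPF macros: optional right-most-N-labels transformer and reverse flag."""
    local, domain = sender.split("@", 1)
    values = {"s": sender, "l": local, "o": domain, "d": domain,
              "i": ip, "p": "unknown", "v": "in-addr", "h": helo}

    def repl(match):
        letter, digits, rev, delims = match.groups()
        parts = re.split("[" + re.escape(delims or ".") + "]", values[letter])
        if rev:
            parts.reverse()
        if digits:
            parts = parts[-int(digits):]
        return ".".join(parts)

    expanded = MACRO_RE.sub(repl, text)
    return expanded.replace("%%", "%").replace("%_", " ").replace("%-", "%20")


def lookup_budget(record, sender):
    """Return (list of (mechanism, expanded target), worst-case query count, verdict).

    verdict is "permerror" when more than MAX_DNS_MECHANISMS DNS-querying terms
    are present, which is what RFC 4408 tells an evaluator to return.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    targets, queries = [], 0
    for term in terms[1:]:
        name = term.lstrip("+-~?")                      # drop the qualifier
        sep = "=" if "=" in name.split(":")[0] else ":"  # modifier vs mechanism
        key, _, arg = name.partition(sep)
        key = key.split("/")[0].lower()                  # "a/24" -> "a"
        arg = re.sub(r"/\d*(//\d*)?$", "", arg)          # strip trailing CIDR
        if key not in DNS_QUERYING:
            continue                                     # all, ip4, ip6: no lookups
        target = expand_macros(arg, sender) if arg else sender.split("@", 1)[1]
        targets.append((key, target))
        if key in ("mx", "ptr"):
            # one MX/PTR query, then one address query per returned name (capped)
            queries += 1 + MAX_MX_RECORDS
        else:
            queries += 1
    verdict = "permerror" if len(targets) > MAX_DNS_MECHANISMS else "ok"
    return targets, queries, verdict


if __name__ == "__main__":
    found, cost, verdict = lookup_budget(THREAD_RECORD, "alice@cert-test.mail-abuse.org")
    for mech, target in found:
        print(f"{mech}: {target}")
    print(f"{len(found)} DNS-querying terms, worst case {cost} queries -> {verdict}")
```

Running it with the constructed sender prints the ten expanded names (0.alice.cert-test.mail-abuse.org through 9.alice.cert-test.mail-abuse.org) and a worst-case cost of 110 queries with verdict "ok"; because the names are derived from the sender's local part, every distinct envelope sender yields a fresh set of names, which is why a per-check budget, not a cache, is the control that matters here.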