spf-discuss

Re: DDoS attacks via SPF

2003-12-18 16:21:55

Proposed change to the RFC text:

  An SPF query may trigger subqueries due to includes and redirects.  If
  more than a total of 20 subqueries are triggered, an SPF client MAY
  abort the lookup and return an unknown result.

  Regular lookups such as A and MX queries do not count toward this total.

I like this. In this context, does "subqueries" mean "exists-mechanism queries"? What other queries are there (A, MX, PTR, TXT for include:)?

DNS queries are pretty lightweight (like 1 packet), compared to TCP connections like sendmail (which can be in the hundreds). Limiting to a total of 20 exists-or-include queries would help limit any outside chance. By the time sendmail gets to the MAIL FROM stage I would guess 10-20 TCP packets have already been sent.

The point about the caches is a good one... but the caches are on the receiver side, so the effect would be spread over lots of different caches if the mail is going everywhere. If you are just attacking one mailer there are probably other DDoS methods that one could use to greater effect, but I'm not 100% sure of this.

gregc
--
Greg Connor <gconnor(_at_)nekodojo(_dot_)org>

-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.9.4.txt
To unsubscribe, change your address, or temporarily deactivate your subscription, please go to http://v2.listbox.com/member/?listname(_at_)
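A worked illustration of the proposed cap, added here as an example; it is not code from the thread or from any SPF implementation. It is a toy SPF evaluator over an in-memory stand-in for DNS, so it runs offline. The domain names (attacker.example, loop.example, sender.example, _spf.mailer.example), the record contents, the sender addresses and the names check_host, FakeDNS, fanout_records and compare are all this example's own constructions. As in the proposed text, only include: and redirect= draw on the shared budget of 20; a, mx, ptr and exists are not implemented. The example walks a constructed five-level include tree where nothing matches the sender, both with the cap (the evaluation aborts as "unknown" after the 21st subquery, having fetched 21 TXT records) and without it (63 TXT fetches to reach "fail"), and shows the same budget stopping a redirect= loop that would otherwise never terminate.

```python
"""Toy SPF evaluator with the proposed 20-subquery cap.

Added example for the spf-discuss thread; not code from the thread or from
any SPF implementation. DNS is a constructed in-memory dict. Only include:
and redirect= count toward the cap, as the proposed RFC text says.
"""
import ipaddress

SUBQUERY_LIMIT = 20  # figure from the proposed RFC text
RESULT_OF_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


class FakeDNS:
    """Stand-in for TXT lookups over a constructed {domain: record} dict."""

    def __init__(self, records):
        self.records = records
        self.lookups = 0  # every SPF TXT fetch performed

    def spf(self, domain):
        self.lookups += 1
        return self.records.get(domain)


def check_host(dns, domain, ip, limit=SUBQUERY_LIMIT, _budget=None):
    """Evaluate <domain>'s SPF record for sender <ip>.

    Returns (result, subqueries_used). _budget is one counter shared by the
    whole recursive evaluation, so a fan-out of includes and a chain of
    redirects are charged to the same limit. Exceeding it aborts the whole
    evaluation with 'unknown', the outcome the proposal names.
    """
    if _budget is None:
        _budget = [0]
    record = dns.spf(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none", _budget[0]
    redirect = None
    for term in record.split()[1:]:
        if term.startswith("redirect="):
            redirect = term.split("=", 1)[1]  # applied only if nothing matches
            continue
        qualifier = "+"
        if term[0] in RESULT_OF_QUALIFIER:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return RESULT_OF_QUALIFIER[qualifier], _budget[0]
        if term.startswith("ip4:"):
            if ipaddress.ip_address(ip) in ipaddress.ip_network(term[4:], strict=False):
                return RESULT_OF_QUALIFIER[qualifier], _budget[0]
            continue
        if term.startswith("include:"):
            _budget[0] += 1
            if _budget[0] > limit:
                return "unknown", _budget[0]
            sub, _ = check_host(dns, term[len("include:"):], ip, limit, _budget)
            if sub in ("unknown", "none"):
                # design choice in this toy: an include that cannot be
                # resolved makes the whole result unresolvable
                return "unknown", _budget[0]
            if sub == "pass":
                return RESULT_OF_QUALIFIER[qualifier], _budget[0]
            continue  # fail/softfail/neutral inside an include: try next term
        return "unknown", _budget[0]  # mechanism this toy does not implement
    if redirect is not None:
        _budget[0] += 1
        if _budget[0] > limit:
            return "unknown", _budget[0]
        return check_host(dns, redirect, ip, limit, _budget)
    return "neutral", _budget[0]  # no match and no default


def fanout_records(depth):
    """Constructed hostile zone: every record includes two children and
    nothing matches the sender, so evaluation must walk the whole tree."""
    records = {}

    def build(name, remaining):
        if remaining == 0:
            records[name] = "v=spf1 ip4:192.0.2.0/24 -all"
            return
        left, right = "l." + name, "r." + name
        records[name] = "v=spf1 include:%s include:%s -all" % (left, right)
        build(left, remaining - 1)
        build(right, remaining - 1)

    build("attacker.example", depth)
    return records


def compare(depth=5, ip="198.51.100.7"):
    """Run the same hostile tree with and without the cap.

    Returns ((result, subqueries, txt_lookups) capped, (...) uncapped)."""
    dns = FakeDNS(fanout_records(depth))
    res, used = check_host(dns, "attacker.example", ip)
    capped = (res, used, dns.lookups)
    dns = FakeDNS(fanout_records(depth))
    res, used = check_host(dns, "attacker.example", ip, limit=10**6)
    uncapped = (res, used, dns.lookups)
    return capped, uncapped


if __name__ == "__main__":
    capped, uncapped = compare()
    print("capped:  ", capped)    # ('unknown', 21, 21)
    print("uncapped:", uncapped)  # ('fail', 62, 63)
    loop = FakeDNS({"loop.example": "v=spf1 redirect=loop.example"})
    print("redirect loop:", check_host(loop, "loop.example", "198.51.100.7"))  # ('unknown', 21)
```

The numbers make the thread's point concrete: a five-level tree of constructed records costs a receiver 63 TXT fetches per message without the cap, and the depth is the attacker's to choose, whereas with the cap every message costs at most 21 fetches whatever the tree looks like. The redirect= loop shows the second thing the budget buys: termination, since a counter shared across the whole evaluation bounds recursion that per-record parsing alone never would.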

