On Apr 18, 2004, at 6:02 AM, Hector Santos wrote:
----- Original Message -----
From: "wayne" <wayne(_at_)midwestcs(_dot_)com>
To: <spf-discuss(_at_)v2(_dot_)listbox(_dot_)com>
Sent: Sunday, April 18, 2004 1:30 AM
Subject: Re: [spf-discuss] Security Paper on forgery bounce DDoS
1) SES asks if a particular message originated from a designated sender for
the domain by doing a CBV to the MX for that domain.
Oh, good, right in the first sentence you show why SES is far more
expensive than SPF. So expensive that there are people who consider
CBV to be a DoS attack on the domain name that is being verified.
This has been mentioned many times.
And I don't know why, because
B4 SPF - a SMTP receiver with N connections did 0 DNS lookups.
In all fairness, most SMTP servers perform a PTR and then an A lookup
on the connecting IP address.
AD SPF - a SMTP receiver with N connections now does 1-2 or more DNS lookups.
And to further make your point, we see 1-6 or more.
So for an ISP hosting, let's say, 1000 SMTP servers, with each SMTP server
averaging 100 messages per hour, they will be getting slammed with forwarded
DNS requests!
So are the ISPs going to scrutinize their customer SMTP operations because
they are hitting their DNS server too much?
Are they? Well, they have in the past, so I assume they will continue to.
Any ISP that allows a customer to run their own mail server should both
allow and encourage them to run their own DNS server. If they are
worried about overall traffic, they can use it as a local caching name
server that is forwarding instead of recursive. I know of several ISPs
that have asked their customers to run a DNS server simply for using too
many DNSBLs. The customers did, end of story.
Everyone keeps saying this is all negligible. No expense. Well, let's wait
until we get it widely deployed and we'll see if that is still the case.
The primary DNS servers are going to be shocked with all the failed requests,
with everyone and their grandma doing redundant SPF domain lookups when the
odds are going to be very high the request will fail. I'm not a DNS
I have a test instance running that would lead me to believe otherwise.
o Running bind 8 locally
o sustains about 1,000,000 inbound messages per hour
o regularly sustains in excess of 50k concurrent SMTP sessions
o commodity dual processor box.
without SPF, we see about 30MB of traffic, with SPF we see about...
30MBs of traffic.
The DNS network overhead compared to a single SMTP session is quite
negligible. We average a little more than 200 DNS queries per second,
and Bind 8 doesn't blink. While network traffic is negligible, there
are a lot of broken DNS servers out there that don't give answers back
quickly. The only negative effect we see from SPF is that SMTP
sessions take a bit longer -- but SMTP is not a user-interactive
protocol, so that doesn't matter too much.
// Theo Schlossnagle
// Principal Engineer -- http://www.omniti.com/~jesus/
// Postal Engine -- http://www.postalengine.com/
// Ecelerity: fastest MTA on Earth
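How many DNS queries an SPF check costs per SMTP session, the "1-2", "1-6 or more" figures argued about above, is decided by the envelope-sender domain's record, not by the receiver: every include:, a, mx, ptr, exists and redirect= term is a query, and include/redirect pull in further records. The script below is an added example, not code from the thread or from any poster's product. It parses an SPF record and counts those terms recursively, using a hand-constructed table of records (all domain names invented) in place of live DNS so it runs offline; the limit of 10 such terms is the one RFC 7208 section 4.6.4 later codified, and the loop and over-limit cases are reported as the permanent error a verifier would return.

```python
"""Estimate the DNS lookup cost of evaluating an SPF record.

Added example, not code from the spf-discuss thread. SAMPLE_ZONE stands in
for live DNS; every name in it is constructed for illustration.
"""
import re

MAX_DNS_TERMS = 10  # RFC 7208 s4.6.4 limit on DNS-querying terms per check
DNS_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed sample zone: domain -> SPF TXT record (hypothetical names).
SAMPLE_ZONE = {
    "example.com": "v=spf1 mx include:_spf.mailer.example ip4:192.0.2.0/24 -all",
    "_spf.mailer.example": ("v=spf1 a:relay1.mailer.example a:relay2.mailer.example "
                            "include:_pool.mailer.example ~all"),
    "_pool.mailer.example": "v=spf1 ip4:198.51.100.0/24 exists:%{i}.rbl.example ptr -all",
    "tiny.example": "v=spf1 ip4:203.0.113.5 -all",          # no DNS terms at all
    "loop.example": "v=spf1 include:loop.example -all",      # includes itself
    "bloated.example": "v=spf1 " + " ".join(f"a:host{i}.bloated.example"
                                            for i in range(11)) + " -all",
}


class SpfPermError(Exception):
    """Record is broken, loops, or exceeds the lookup limit (SPF 'permerror')."""


def parse_spf(record):
    """Split a record into (qualifier, name, separator, argument) terms."""
    fields = record.split()
    if not fields or fields[0].lower() != "v=spf1":
        raise SpfPermError("not an SPF record")
    terms = []
    for field in fields[1:]:
        m = re.fullmatch(r"([+\-~?]?)([a-zA-Z][a-zA-Z0-9_.-]*)(?:([:=/])(.*))?", field)
        if not m:
            raise SpfPermError(f"malformed term: {field!r}")
        qual, name, sep, arg = m.groups()
        terms.append((qual or "+", name.lower(), sep, arg))
    return terms


def dns_term_count(domain, zone, _seen=None):
    """Worst-case number of DNS-querying terms a verifier evaluates for domain.

    Worst case means no earlier mechanism matched, so every term is tried.
    include: and redirect= are followed into `zone`; a domain reached again
    on the same path is an include loop. More than MAX_DNS_TERMS in total is
    the over-limit condition RFC 7208 turns into a permerror.
    """
    seen = (_seen or set()) | {domain}
    if _seen and domain in _seen:
        raise SpfPermError(f"include/redirect loop at {domain}")
    record = zone.get(domain)
    if record is None:
        raise SpfPermError(f"no SPF record for {domain}")
    count = 0
    for _qual, name, _sep, arg in parse_spf(record):
        if name not in DNS_TERMS:
            continue  # ip4, ip6, all and unknown modifiers cost no query
        count += 1
        if name in ("include", "redirect"):
            count += dns_term_count(arg, zone, seen)
        if count > MAX_DNS_TERMS:
            raise SpfPermError(f"{domain}: more than {MAX_DNS_TERMS} DNS-querying terms")
    return count


def query_range(domain, zone):
    """(best, worst) number of DNS queries for one SMTP session's SPF check.

    Best case: only the initial TXT fetch, because the first mechanism
    matches or the record has no DNS terms. Worst case: the TXT fetch plus
    one query per DNS term; mx and ptr then trigger extra A queries for each
    name they return, so the upper bound here is a floor, not a ceiling.
    """
    return 1, 1 + dns_term_count(domain, zone)


if __name__ == "__main__":
    for name in SAMPLE_ZONE:
        try:
            print(name, query_range(name, SAMPLE_ZONE))
        except SpfPermError as err:
            print(name, "permerror:", err)
```

Run against the sample zone, example.com costs between 1 and 8 queries per session (mx, the include, two a: terms, a nested include, exists and ptr), tiny.example always costs exactly one, and both loop.example and bloated.example come back as permerrors without a single packet leaving the host, which is the cheap pre-check a receiver or a domain owner can run before worrying about resolver load.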