On May 26, 2004, at 3:10 PM, David Brodbeck wrote:
> On Wed, 26 May 2004, Theo Schlossnagle wrote:
>> If I sent two emails to each from:
>> MAIL FROM:<user@victimdomain1.com>
>> and
>> MAIL FROM:<user@victimdomain2.com>
>> it would cause 50,000 CBV checks against each domain all coming from
>> different mail servers. That qualifies as a DDoS.
> Sure. And if you did the same with 50,000 sites that check SPF, you'd
> cause 50,000 DNS requests against each domain, all coming from different
> mail servers. Does that mean SPF should be rejected as an evil tool that
> can be used in DDoS attacks?
If you are a fundamentalist, perhaps. And many people have argued this
point. Here's my defense of SPF: part of RFC2821 spec is that the
domain part of the envelope sender be valid. In order to check that
one must perform a DNS request and ensure the response is not NXDOMAIN.
It is possible to perform a TXT question in that payload and act the
same way on the NXDOMAIN error. At that point _NO_ additional network
activity is triggered to assess the basic requirement of SPF
participation and RFC2821 domain validity.
From that point, the domain in question (the alleged victim) can choose
not to participate in SPF. Now we have the elegance of SPF. People
_choose_ to publish SPF records and accept the costs associated with
their publication.
On a more practical note... Even if it did require additional network
traffic, DNS requests are single UDP packets and are occurring anyway.
They do not require additional allocated state in my kernel (for a TCP
session) and are drastically cheaper resource-wise to accommodate. CBV
validation requires me to actually do full account validation by
looking up the proposed user and checking their account status, their
quota and other local policies that may allow or disallow sending to
that address.
// Theo Schlossnagle
// Principal Engineer -- http://www.omniti.com/~jesus/
// OmniTI Computer Consulting, Inc. -- http://www.omniti.com/
// Ecelerity: fastest MTA on Earth
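The single-lookup check Theo describes, as an added example that is not part of the thread and not code from any of its participants or from Ecelerity: one DNS TXT query for the envelope sender's domain is built, the reply is parsed, and NXDOMAIN is treated as failing the RFC 2821 requirement that the domain exist, while a NOERROR reply with a v=spf1 record means the domain chose to publish SPF. Standard library only; the resolver address 127.0.0.1, the domain names and the constructed replies used for the offline run are assumptions.

```python
"""Added example (not from the thread): one TXT lookup answers both questions
at once, with no extra round trip and no TCP state, unlike a callback.
Resolver address, domain names and the replies built by build_txt_response
are assumptions for an offline demonstration."""
import os
import socket
import struct

RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3
QTYPE_TXT, QCLASS_IN = 16, 1


def build_txt_query(domain: str, txid: int) -> bytes:
    """Minimal DNS query (RD=1) for the TXT records of `domain`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b""
    for label in domain.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label in %r" % domain)
        qname += bytes([len(raw)]) + raw
    return header + qname + b"\x00" + struct.pack("!HH", QTYPE_TXT, QCLASS_IN)


def _read_name(msg: bytes, off: int):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    for _ in range(128):                      # bounded walk: pointer loops
        length = msg[off]
        if length == 0:
            off += 1
            break
        if length & 0xC0 == 0xC0:             # compression pointer
            if not jumped:
                end = off + 2
            jumped = True
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    else:
        raise ValueError("name too long or compression loop")
    return ".".join(labels), (end if jumped else off)


def parse_txt_response(msg: bytes, expected_id: int):
    """Return (rcode, [txt strings]) from a DNS reply to a TXT query."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_id or not flags & 0x8000:
        raise ValueError("not a response to our query")
    off = 12
    for _ in range(qd):                       # skip the echoed question(s)
        _, off = _read_name(msg, off)
        off += 4
    txts = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if (rtype, rclass) == (QTYPE_TXT, QCLASS_IN):
            parts, i = [], 0                  # RDATA is a sequence of <len><chars>
            while i < len(rdata):
                n = rdata[i]
                parts.append(rdata[i + 1:i + 1 + n].decode("utf-8", "replace"))
                i += 1 + n
            txts.append("".join(parts))
    return flags & 0x000F, txts


def classify_sender_domain(rcode: int, txts) -> str:
    """Policy decision from the one lookup; nothing further is sent."""
    if rcode == RCODE_NXDOMAIN:
        return "reject-nonexistent-domain"    # fails RFC 2821 domain validity
    if rcode != RCODE_NOERROR:
        return "tempfail"                     # SERVFAIL etc.: defer, do not reject
    spf = [t for t in txts if t.lower() == "v=spf1" or t.lower().startswith("v=spf1 ")]
    if len(spf) > 1:
        return "spf-permerror"                # more than one v=spf1 record is a permanent error (RFC 7208)
    return "spf-published" if spf else "no-spf"


def query_txt(domain: str, resolver: str = "127.0.0.1", timeout: float = 3.0):
    """Live lookup over UDP; assumed resolver, truncated replies are not retried over TCP."""
    txid = int.from_bytes(os.urandom(2), "big")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_txt_query(domain, txid), (resolver, 53))
        data, _ = s.recvfrom(4096)
    return parse_txt_response(data, txid)


def build_txt_response(query: bytes, rcode: int, txt_strings) -> bytes:
    """Constructed reply for the offline run: echoes the question and adds one
    TXT answer per string, naming each via a pointer (0xC00C) to the question."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180 | (rcode & 0xF), 1, len(txt_strings), 0, 0)
    answers = b""
    for s in txt_strings:
        chunks = [s[i:i + 255].encode() for i in range(0, len(s), 255)] or [b""]
        rdata = b"".join(bytes([len(c)]) + c for c in chunks)
        answers += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, QCLASS_IN, 300, len(rdata)) + rdata
    return header + query[12:] + answers


if __name__ == "__main__":
    q = build_txt_query("victimdomain1.com", 0x1234)       # constructed domain from the thread
    for label, rc, txt in [("nonexistent", RCODE_NXDOMAIN, []),
                           ("publishes SPF", RCODE_NOERROR, ["v=spf1 mx -all"]),
                           ("opted out", RCODE_NOERROR, ["just some txt"])]:
        print(label, "->", classify_sender_domain(*parse_txt_response(build_txt_response(q, rc, txt), 0x1234)))
```

Swap `build_txt_response` for `query_txt` to run it against a real resolver; the decision logic is the same either way, which is the point of the argument above: the receiver spends one UDP exchange, and a domain that has not published SPF costs its operator nothing beyond the NXDOMAIN/NOERROR its nameserver already answers.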