On May 26, 2004, at 3:36 PM, Seth Goodman wrote:
> I didn't ask if anyone ever did a CBV on your site, I asked if you know of any instances where CBV's were used as a DDoS mechanism. If you know of any, please say so. Since at least two large providers have had the necessary "attack engines" in place for quite some time, why hasn't this been used to propagate an attack?
No. My description of a DDoS involved several thousand independent entities running CBV. "two large providers" isn't sufficient to perform a DDoS.
My whole argument is that it shouldn't be deployed because it can. But I'll take the liberty of dropping a 'D'. We have one managed client that has been DoSed by Verizon's CBV. And another that has been DoSed quite regularly by AOL's DSNs.
AOL sees the errors in their bounce architecture. They are correcting it. Why? It exploits innocent victims. Verizon's use of CBV doesn't make it okay. They are wrong.
> It's an open internet and no one has to answer any connection request if they don't care to. On the other hand, if I were a large provider, I could say that I require all senders to answer a CBV if they want me to accept their mail. Some CBV's will go to third parties that did not originate the messages, that is true. If those parties object, they can refuse to answer CBV's from my service. The reason that this hasn't happened, at least in any significant way, is that the only salient objections to this _are_ philosophical, not practical, and we are dealing with a huge practical problem. If you really object to CBV's, I encourage you not to issue any and to not accept any.
They can't refuse CBV's without refusing real mail. Not accepting CBV's is quite challenging as they are "disguised" as normal SMTP transaction initiations. If it were possible to not allow CBVs in a straightforward way, the problem wouldn't be what it is.
> You misrepresent what I am saying. I am arguing that it is a useless DDoS mechanism because it is trivial to terminate by refusing any MAIL FROM:<> connection request. Terminating those connections does take some resources, but it's not crippling.
Terminating those connections is quite expensive and on a large scale can cripple a system. And rejecting MAIL FROM:<> is not RFC compliant. I shouldn't have to break the RFC to protect myself from CBV attacks.
// Theo Schlossnagle
// Principal Engineer -- http://www.omniti.com/~jesus/
// OmniTI Computer Consulting, Inc. -- http://www.omniti.com/
// Ecelerity: fastest MTA on Earth