spf-discuss
[Top] [All Lists]

Re: Re: DNS lookup limit?

2005-02-27 12:43:12
Hi Nico,

Nico Kadel-Garcia wrote:
  If implementing SPF would require them to observe a 3700%
  increase in maximum load of those machines, that would be a

What? Where are you getting this number? The DNS lookups is one of the lightest weight parts of the whole SMTP transaction. While the SPF lookup and processing are a real load, one can reasonably expect much of the DNS lookup space to be already cached locally. The bandwidth load of actually receiving and transmitting the message, and the CPU and disk loads of managing the received messages and delivering them, is far, far larger. Those dominate that "50% load", not the DNS transactions.

Your assessment is largely correct for normal conditions. I should have defined maximum load:

The maximum load is that which under the worst case conditions can be sustained due to input stimulus characteristics.

Suppose the mailer receives an attack from the following worm routine:

function attack(target)

    for (i = 0 to 1,000,000)
       sendmail(FROM: "hell" @ "a" i .iburnu.com"
       TO:{(_dot_)(_dot_)(_dot_)(_at_)target})
    end for

end function

suppose that the DNS of the attacker is organized like this:

ouch.iburnu.com TXT "v=spf1 {expensive recursive lookup with many
timeouts} -all"

a0.iburnu.com TXT "v=spf1 redirect=ouch.%{2d}"
a1.iburnu.com TXT "v=spf1 redirect=ouch.%{2d}"
...
a1000000.iburnu.com TXT "v=spf1 redirect=ouch.%{2d}"


For such an attack, the machine at the receiving end, which
accepts up to say 100 concurent connections will have much memory
tied up waiting for the recursive lookups with timeouts. Perhaps
it will even start thrashing the swap space.

If its resolver timeout is set to 2 seconds, it will be tied up
about 222 seconds for each of the 1,000,000 mails the attack
sends. Even with the fastest solid state disks, and fast CPU's
the limit is still the amount of memory available in that
machine. So the ouch.iburnu.com TXT will be in the cache, but
does that help at all?

So, I'm not talking about maximum load for normal conditions,
where the DNS queries can be cached, but those ingeniously
crafted to not be easily cacheable. I think queries that timeout
cannot be cached and will be repeated until resolved.

In this case, the a0,... a100000 will not even be blacklisted,
since they all end with TempError. The maximum load is largely
a memory load, not a disk or CPU load.

You noticed correctly, both the mail and the DNS infrastructure
will be upgraded to deal with this scenario.


I should mentioned that I'm not an expert in terror techniques,
but I'm sure that an even more evil worm can be thought up, which
neither requires many resources from the attacker, nor makes it
easy to trace the attack back to an individual. I'm sad to say,
but this is the awful truth of our internet.


<Prev in Thread] Current Thread [Next in Thread>