Re: Re: DNS load research
2005-03-23 15:41:40
Andy Bakun wrote:
> On Wed, 2005-03-23 at 16:27 -0500, Radu Hociung wrote:
> > I forgot one thing:
> > After a few minutes of thinking how to fix this, admins figure out that
> > setting their servers to not respond to TXT queries makes the problem
> > go away in seconds. UDP queries are not long lived, so if all TXT
> > records disappeared at the same time, it would take only a few seconds
> > for the storm to go away.
> > In other words, take SPF away, and the internet is back on its feet.
> > So how do you explain that SPF is not to blame?
>
> Removing the SPF check stopped the virus from spreading? Seems all
> you've done is greased the channel it was using to propagate, since it
> takes less time to use the same amount of bandwidth.
What I explained above was not the propagation mechanism of the virus.
It was only the attack mechanism.
The virus would propagate like any other, and there is (almost) nothing
SPF-specific in the propagation part. Only that if it discriminates
between the domains it picks for the "MAIL FROM". But once you remove
the DNS server's response to TXT queries, it becomes just as costly of a
virus as any other.
But note that since the main victim of the attack is the DNS system, all
other services that depend on DNS will be affected. A common virus
mostly attacks the mail server's queues and so on. While that causes
some network congestion, it is not a significant load on the DNS, so as
long as the network is not saturated, DNS responses will still go
through and the other services will be unaffected, especially the
low-bandwidth ones (like NTP).
> I seriously hope that the admins that are doing the above thinking think
> a little bit longer than you've suggested they would.
I think the amount of time spent thinking will be inversely proportional
to the seriousness of the symptom. It's human nature to react quicker
to more serious problems. Anyway, that's how it's always been done in
the past. I have no reason to hope that we will suddenly become rational
when this virus hits ;)
Radu.