Re: Re: DNS load research

Andy Bakun wrote:

On Wed, 2005-03-23 at 16:27 -0500, Radu Hociung wrote:
I forgot one thing:
After a few minutes of thinking how to fix this, admins figure out thatby setting their servers to not respond to TXT queries makes the problemgo away in seconds. UDP queries are not long lived, so if all TXTrecords disapeared at the same time, it would take only a few secondsfor the storm to go away.
In other words, take SPF away, and the internet is back on its feet.

So how do you explain that SPF is not do blame?
Removing the SPF check stopped the virus from spreading?  Seems all
you've done is greased the channel it was using to propagate, since it
takes less time to use the same amount of bandwidth.


What I explained above was not the propagation mechanism of the virus.
It was only the attack mechanism.

The virus would propagate like any other, and there is (almost) nothingSPF-specific in the propagation part. Only that if it discriminatesbetween the domains it picks for the "MAIL FROM". But once you removethe DNS server's response TXT queries, it becomes just as costly of avirus as any other.

But note that since the main victim of the attack is the DNS system, allother services that depend on DNS will be affected. A common virusmostly attacks the mail server's queues and so on. While that causessome network congestion, it is not a significant load on the DNS, so aslong as the network is not saturated, DNS responses will still gothrough and the other services will be unaffected, especially thelow-bandwidth ones (like NTP)

I seriously hope that the admins that are doing the above thinking think
a little bit longer than you've suggested they would.

I think the amount of time spent thinking will be inversely proportionalwith the seriousness of the symptom. It's human nature to react quickerto more serious problems. Anyway, that's how it's always been done inthe past. I have no reason to hope that we will suddenly become rationalwhen this virus hits ;)



Radu.