spf-discuss
[Top] [All Lists]

RE: Re: DNS load research

2005-03-23 15:46:15


-----Original Message-----
From: owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com [mailto:owner-spf-
discuss(_at_)v2(_dot_)listbox(_dot_)com] On Behalf Of Andy Bakun
Sent: Wednesday, March 23, 2005 5:26 PM
To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Subject: Re: [spf-discuss] Re: DNS load research

On Wed, 2005-03-23 at 16:27 -0500, Radu Hociung wrote:

I forgot one thing:

After a few minutes of thinking how to fix this, admins figure out that
by setting their servers to not respond to TXT queries makes the problem
go away in seconds. UDP queries are not long lived, so if all TXT
records disapeared at the same time, it would take only a few seconds
for the storm to go away.

In other words, take SPF away, and the internet is back on its feet.

So how do you explain that SPF is not do blame?

Removing the SPF check stopped the virus from spreading?  Seems all
you've done is greased the channel it was using to propagate, since it
takes less time to use the same amount of bandwidth.
 
That is not what Radu said!  He made no claim that the virus would stop,
just the DDOS attack.  In fact, he did not say the DDOS would stop, just
that the internet would be back on its feet.  Maybe not running, but
standing anyway.


I seriously hope that the admins that are doing the above thinking think
a little bit longer than you've suggested they would.

You give many admins and managers too much credit!!!

I can believe many would pull the SPF records, but only if they were to
determine it was SPF records being requested.  After that "fix", they notice
the virus checker is using all the CPU, they may stop that as well!


--
Andy Bakun <spf(_at_)leave-it-to-grace(_dot_)com>

Guy