-----Original Message-----
From: owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
[mailto:owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com]On Behalf Of Radu Hociung
Sent: Thursday, March 24, 2005 10:37 AM
To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Subject: Re: [spf-discuss] Re: DNS load research
Scott Kitterman wrote:
One virus infected (say it is in Russia) machine connects to ohmi.org.
It sends the following 60-byte packet to port 25 at ohmi.org, and
goes on to the next target, without waiting for a response, or closing
the connection.
The packet reads:
"ehlo u
mail from: <a(_at_)kitterman(_dot_)com>
rcpt to: <radu(_at_)ohmi(_dot_)org>"
Let's go back to this premise and make sure it's correct. I'm not sure it is...
I went back and looked over RFC 2821 some more:
http://www.ietf.org/rfc/rfc2821.txt
Particularly the first half of chapter 3 and appendix D.
From my reading of 2821, an RFC compliant SMTP server would discard that
packet and move on. Now that doesn't mean that your scenario can't happen,
just that it would be considerably more complex. Something like:
S: 220 ohmi.org Simple Mail Transfer Service Ready
C: EHLO u {Now at this point you could bail out, but in reality you can't}
S: 250-ohmi.org greets u
S: 250-8BITMIME
S: 250-SIZE
S: 250-DSN
S: 250 HELP
C: MAIL FROM:<a(_at_)kitterman(_dot_)com>
S: 250 OK
C: RCPT TO:<radu(_at_)ohmi(_dot_)org>
S: 250 OK
Now he ought to go to at least RCPT TO: because SPF checks can be done
anytime before DATA and since RCPT TO: checks are much less expensive than
SPF checks, it makes sense to do them first.
Now at this point, he's had to build a TCP/IP connection, and not just UDP
that we're using almost exclusively in DNS. We know where he came from and
there's been a lot more than 60 bytes expended.
Now, what's the amplification factor for that?
That's for you to calculate and tell the rest of us. Make sure you state
all your assumptions, like I did.
Thanks.
OK. Based on my understanding of how SMTP works (I could be wrong) and given
your scenario, the amplification factor is 0. I get your 60 byte UDP packet
and throw it on the floor. End of problem.
Your amplification factors:
Bandwidth amplification factor: 60X
Time amplification factor: 72X
are flat out wrong. If there is an amplification factor, it's nowhere near
that bad.
I'll go back to I don't think that there is a major SPF related issue here.
You say there is, but have yet to give a valid scenario for your threat.
The entire discussion is really irrelevant because it's not based on how
SMTP works.
So, we are back to is there a major DDoS threat from SPF?
I say no, and it's been discussed over and over on this list. You say yes.
OK. What's the scenario?
No, it's not for me to calculate. You are the one claiming there is a major
threat here.
Scott Kitterman
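The ordering argued above (command sequence and local-recipient checks first, the SPF lookup only once RCPT TO: has been accepted, and never before DATA) as an added, runnable example. This is not code from the thread or from any SPF implementation; it is a small session handler written for this page. The mailbox table, the in-memory SPF records standing in for DNS TXT lookups, the host name ohmi.org reused from the dialogue, and the client IP addresses (documentation ranges) are all constructed for the demo. The SPF evaluator handles only the ip4 and all mechanisms; a, mx, include and the rest are treated as no match.

```python
"""Tiny SMTP session handler: cheap checks first, SPF only after RCPT TO.

Added example for this page; not the thread's or any MTA's code. It also counts
SPF record fetches and bytes each side sends, so the cost of a session can be
inspected directly.
"""
import ipaddress

# Constructed data standing in for the real mailbox table and for DNS (hypothetical).
LOCAL_MAILBOXES = {"radu@ohmi.org"}
SPF_RECORDS = {"kitterman.com": "v=spf1 ip4:192.0.2.0/24 -all"}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, client_ip, records):
    """Evaluate the ip4 and all mechanisms of a v=spf1 record for client_ip.

    Deliberately a subset of full SPF evaluation: any other mechanism is skipped
    (treated as not matching). Returns pass/fail/softfail/neutral/none.
    """
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            if ip.version != 4 or ip not in ipaddress.ip_network(term[4:], strict=False):
                continue
        elif term != "all":
            continue  # mechanism outside this subset: no match
        return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and no 'all' term


def _address(arg):
    """Pull the mailbox out of 'FROM:<a@b>' or 'to: <a@b>' (loose parsing for the demo)."""
    start, end = arg.find("<"), arg.rfind(">")
    return arg[start + 1:end].strip().lower() if 0 <= start < end else None


class Session:
    """One SMTP connection: EHLO -> MAIL -> RCPT (SPF here) -> DATA."""

    def __init__(self, client_ip, mailboxes=LOCAL_MAILBOXES, records=SPF_RECORDS):
        self.client_ip, self.mailboxes, self.records = client_ip, mailboxes, records
        self.helo = self.sender = self.spf_result = None
        self.rcpts, self.transcript = [], []
        self.spf_lookups = self.bytes_in = self.bytes_out = 0
        self._reply("220 ohmi.org Simple Mail Transfer Service Ready")

    def _reply(self, line):
        self.transcript.append("S: " + line)
        self.bytes_out += len(line) + 2  # trailing CRLF
        return line

    def handle(self, line):
        """Process one client command line and return the server's reply."""
        self.transcript.append("C: " + line)
        self.bytes_in += len(line) + 2
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb in ("EHLO", "HELO"):
            self.helo = arg.strip() or self.client_ip  # any argument accepted, as the thread notes
            return self._reply(f"250 ohmi.org greets {self.helo}")
        if verb == "MAIL":
            if self.helo is None:
                return self._reply("503 5.5.1 Send EHLO first")
            addr = _address(arg)
            if addr is None:
                return self._reply("501 5.5.4 Syntax: MAIL FROM:<address>")
            self.sender, self.rcpts, self.spf_result = addr, [], None
            return self._reply("250 OK")
        if verb == "RCPT":
            if self.sender is None:
                return self._reply("503 5.5.1 MAIL first")
            rcpt = _address(arg)
            if rcpt is None:
                return self._reply("501 5.5.4 Syntax: RCPT TO:<address>")
            if rcpt not in self.mailboxes:  # cheap local check, no DNS traffic at all
                return self._reply("550 5.1.1 User unknown")
            if self.spf_result is None:     # at most one SPF evaluation per transaction
                self.spf_lookups += 1
                self.spf_result = spf_check(self.sender.partition("@")[2], self.client_ip, self.records)
            if self.spf_result == "fail":
                return self._reply("550 5.7.1 SPF fail: sender not authorised for this IP")
            self.rcpts.append(rcpt)
            return self._reply("250 OK")
        if verb == "DATA":
            if not self.rcpts:
                return self._reply("503 5.5.1 RCPT first")
            return self._reply("354 Start mail input; end with <CRLF>.<CRLF>")
        if verb == "QUIT":
            return self._reply("221 ohmi.org closing connection")
        return self._reply("500 5.5.2 Command not recognised")


def run(client_ip, commands):
    """Feed a list of client lines to a fresh session; returns (session, replies)."""
    session = Session(client_ip)
    return session, [session.handle(c) for c in commands]


if __name__ == "__main__":
    s, _ = run("198.51.100.7", ["ehlo u", "mail from: <a@kitterman.com>", "rcpt to: <radu@ohmi.org>"])
    print("\n".join(s.transcript))
    print(f"SPF lookups: {s.spf_lookups}, bytes in: {s.bytes_in}, bytes out: {s.bytes_out}")
```

Running the three-line sequence from the quoted scenario through run() shows the SPF evaluation is reached only after EHLO and MAIL have been accepted and the recipient has been found locally; sending the same three lines to an unknown mailbox, or MAIL before EHLO, produces a 5xx reply with spf_lookups still at zero, and repeating RCPT TO: for the same transaction does not add lookups.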