spf-discuss

Re: Re: DNS load research

2005-03-24 09:02:42
On Wed, 23 Mar 2005 20:51:35 -0500, Radu Hociung <radu(_at_)ohmi(_dot_)org> 
wrote:

I was thinking some more about the scenario, and I think that the
following conclusion did not come across very well:

The severity of the DDOS is a quadratic function of the query limit
implemented by the spf checkers.

Each of the two multiplication factors is a linear function of the query
limit. Since they get multiplied, the overall result is proportional to
the square of the query limit.

Indeed, if the query limit that ohmi.org would do were 10 queries, the
numbers would become (L=limit):

Traffic magnification: (2 * L * 100) / 60 = 33.33
Time magnification: (200ms * L) / 50ms = 40
Total amplification: 33.33 * 40 = 1,333
Aggregate DNS traffic: 1,333*1Mbit/s = 1.33Gbps


Radu,

I guess I have a couple of quibbles with your logic (I'm assuming your
calculations are correct). How many DNS servers are sitting on a Gig
pipe? If the trunk coming into the datacenter is gig or better, how
many of the DNS servers have 10/100 ethernet connections rather than
Gig?

It's great to do calculations but in the real world you would saturate
the connection on most (many?) DNS servers before you would come close
to your calculated number for bandwidth.

Does this make things more or less vulnerable? I guess that depends on
where you sit. Overall disruption to the net would probably be less
than you imply. For the person getting targeted it would probably be
worse than you imply.

As usual, just my 2 cents.

Mike
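The arithmetic in Radu's quoted post, written out as functions of the query limit L so the quadratic growth is visible, together with the link-saturation caveat Mike raises. This is an added example, not code from either poster. The constants 100/60 and 200ms/50ms are copied from the quoted formulas; the page does not explain what they measure, so they are kept as named parameters rather than interpreted. Modelling Mike's point as a simple min(computed traffic, target link capacity) is an assumption of this example.

```python
# Added example (not from the thread): Radu's amplification arithmetic as
# functions of the query limit L, plus the link-capacity cap Mike raises.
# The constants below are copied from the quoted post's formulas
# (2 * L * 100) / 60 and (200ms * L) / 50ms; their derivation is not on
# this page, so they are kept as named parameters with no interpretation.

TRAFFIC_NUM = 100      # the 100 in (2 * L * 100) / 60
TRAFFIC_DEN = 60       # the 60 in the same formula
RESPONSE_MS = 200      # the 200ms in (200ms * L) / 50ms
BASELINE_MS = 50       # the 50ms in the same formula


def traffic_magnification(limit):
    """(2 * L * 100) / 60: linear in the query limit."""
    return (2 * limit * TRAFFIC_NUM) / TRAFFIC_DEN


def time_magnification(limit):
    """(200ms * L) / 50ms: also linear in the query limit."""
    return (RESPONSE_MS * limit) / BASELINE_MS


def total_amplification(limit):
    """Product of two linear factors, hence quadratic in L."""
    return traffic_magnification(limit) * time_magnification(limit)


def aggregate_gbps(limit, input_mbps=1.0):
    """Aggregate DNS traffic in Gbit/s for a given attacker input rate
    (the post uses 1 Mbit/s of input)."""
    return total_amplification(limit) * input_mbps / 1000.0


def delivered_gbps(limit, input_mbps=1.0, link_gbps=0.1):
    """Mike's caveat, as an assumed model: whatever the arithmetic says,
    no more than the target server's link capacity can actually reach it
    (default: a 100 Mbit/s connection), so the figure that matters to the
    target is min(computed aggregate, link capacity)."""
    return min(aggregate_gbps(limit, input_mbps), link_gbps)


def scaling_table(limits):
    """Rows of (L, total amplification, aggregate Gbit/s at 1 Mbit/s input)."""
    return [(L, round(total_amplification(L), 2), round(aggregate_gbps(L), 3))
            for L in limits]


if __name__ == "__main__":
    for row in scaling_table([1, 2, 5, 10, 20]):
        print(row)
    # Doubling L quadruples the amplification: the quadratic behaviour.
    print(total_amplification(20) / total_amplification(10))
    # Behind a 100 Mbit/s link, L=10 and L=20 look identical to the target:
    # the link saturates long before the computed 1.33 Gbit/s arrives.
    print(delivered_gbps(10), delivered_gbps(20))
```

Running it reproduces the post's numbers for L=10 (33.33, 40, 1333.33, 1.33 Gbit/s) and shows that halving the query limit cuts the computed aggregate by a factor of four, while the per-target figure flattens at the link speed once the computed traffic exceeds it.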

