spf-discuss

Re: DNS Loading Comparison

2005-04-13 10:13:08
On Wed, 13 Apr 2005, at 09:25, David MacQuigg wrote:

Todd,

Thanks for your very informative reply, and again, sorry for using rr.com
as the hypothetical example.  You have one of the best setups I've seen for
a large domain, so that is why I keep coming back to it.

My scenarios below assume the perpetrator's objective is spamming, not
DoS.  A DoS attack might be devilishly different.

The one big departure from your current setup is my Scenario E2, which
assumes you are using CSV, not SPF.  With CSV you must authorize each and
every server with its own SRV record.  Hence, my assumption of 1000 unique
DNS records filling the cache at each of 150,000 MTAs (including negative
responses).  I have also assumed that a query for SRV records from a
purported server like serv138.austin.rr.com would be handled by a slave at
rr.com, or the number of queries would actually be even larger.

Okay, in your CSV example then, you'd have 100,000 domains
issuing 11,111,111.11 queries for non-existent records (we don't
publish SRV records) to each of our 18 authoritative servers
((2,000 zombies * 100,000 targets) / 18 authoritative servers) if
I read the CSV implementation bits correctly.  The DNS servers at
the 100,000 recipient domains would cache the NXDOMAIN answer for
however long they're configured to cache such answers, and would
provide subsequent answers to their local mail servers from their
caches, and the zombie attack would likely be over in short
order, given that any site requiring CSV would reject all email
from the zombies.

What were we talking about, again?  :-)

-- 
Todd Herr
Senior Security Policy Specialist/Postmaster      V: 703.345.2447
Time Warner Cable IP Security                     M: 571.344.8619
therr(_at_)security(_dot_)rr(_dot_)com                AIM: RRCorpSecTH

