spf-discuss

[spf-discuss] Re: [Fwd: Re: DNSOP Agenda for San Diego (IETF 67)]

2006-10-31 22:38:48
Scott Kitterman wrote:

> Is the idea that some bad actor can cause a third party to have their DNS
> DOSed by sending mail to receivers that check SPF and have them do a bunch
> of lookups against the 3rd party?

Yes.  You need a list of receivers checking SPF, or you'd just fire blindly
hoping to hit SPF checkers.  You need a nameserver for the policy and the
bogus MX records.  All those MXs claim to have names like {random}.kitterman
and the reply doesn't contain their IPs in the additional section.

Therefore the SPF clients start to query you for {random}.kitterman hosts.
100 queries per client triggered by one mail.  The setup needs to be more
convoluted if the same client asks you again, maybe using various policies
for subdomains and/or MX records depending on local parts.  Obviously the
attacker gets about 1/11 of the queries, 10/11 go to the victim.

If we'd limit "indirect" A-queries (triggered by "mx" or "ptr") to 30 per
evaluation we'd get 1/4 (attacker) vs. 3/4 (victim), a factor 3 instead of
10.  I've no clue how Doug arrived at factors like 2000.

Frank
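As an added illustration of the arithmetic in the message above (this is constructed example code, not anything from the thread or from the SPF project): a toy model that walks a policy of "mx" mechanisms the way a checker would and counts which zone has to answer each DNS query. The zone names, the policy and the fake resolver answers are made up; the 10-mechanism and 10-MX-record limits are the ones RFC 4408 specifies, while the cap on indirect A queries is the extra limit proposed in the thread and is just a parameter here. A `with_glue` switch shows why the missing additional section matters: when the MX answer already carries the addresses, no A query reaches the third party at all.

```python
"""Count the DNS queries an SPF "mx" evaluation sends to each zone.

Constructed model, not an SPF implementation: the zones, the policy and the
resolver answers are made up.  RFC 4408's limits (at most 10 DNS-querying
mechanisms, at most 10 address lookups per "mx" mechanism) are built in; the
cap on indirect A queries is the one proposed in the thread and is a parameter.
"""
from collections import Counter

ATTACKER_ZONE = "example.net"   # constructed: zone publishing policy and MX records
VICTIM_ZONE = "example.org"     # constructed: zone the MX hostnames point into

MAX_MECHANISMS = 10             # RFC 4408: DNS-querying mechanisms per evaluation
MAX_MX_RECORDS = 10             # RFC 4408: address lookups per "mx" mechanism


def zone_of(name):
    """Zone that must answer a query for `name`: its last two labels (toy rule)."""
    return ".".join(name.split(".")[-2:])


def build_policy(n_mx_mechanisms):
    """Policy of n 'mx:' mechanisms, each naming a host in the attacker's zone."""
    return [f"mx:mail{i}.{ATTACKER_ZONE}" for i in range(n_mx_mechanisms)]


def fake_mx_answer(name, n_targets, with_glue):
    """Stand-in for an MX lookup: n hostnames under the victim zone.  with_glue
    says whether the answer also carries their addresses (additional section)."""
    label = name.split(".")[0]
    hosts = [f"h{i}.{label}.{VICTIM_ZONE}" for i in range(n_targets)]
    glue = {h: f"192.0.2.{i + 1}" for i, h in enumerate(hosts)} if with_glue else {}
    return hosts, glue


def evaluate(policy, mx_targets, indirect_cap=None, with_glue=False):
    """Walk the policy as a checker would and count queries per zone.
    Returns (status, Counter): 'none' if no mechanism matched, 'permerror' if a
    limit was hit and evaluation stopped early."""
    queries = Counter()
    queries[ATTACKER_ZONE] += 1          # the TXT/SPF query for the policy itself
    mechanisms = indirect = 0
    for mech in policy:
        kind, _, target = mech.partition(":")
        if kind in ("mx", "a", "ptr", "include", "exists"):
            mechanisms += 1
            if mechanisms > MAX_MECHANISMS:
                return "permerror", queries
        if kind != "mx":
            continue                      # only "mx" is modelled here
        queries[zone_of(target)] += 1     # the MX query goes to the attacker's zone
        hosts, glue = fake_mx_answer(target, mx_targets, with_glue)
        if len(hosts) > MAX_MX_RECORDS:
            return "permerror", queries   # RFC 4408: too many address lookups
        for host in hosts:
            if host in glue:
                continue                  # address came with the answer: no A query
            if indirect_cap is not None and indirect >= indirect_cap:
                return "permerror", queries
            indirect += 1
            queries[zone_of(host)] += 1   # A query for the MX host: the victim answers


    return "none", queries


def amplification(queries):
    """Queries the victim zone answers per query the attacker's zone answers."""
    return queries[VICTIM_ZONE] / queries[ATTACKER_ZONE]


if __name__ == "__main__":
    for cap in (None, 30):
        status, q = evaluate(build_policy(10), 10, indirect_cap=cap)
        print(f"cap={cap}: {status}, attacker={q[ATTACKER_ZONE]}, "
              f"victim={q[VICTIM_ZONE]}, victim/attacker={amplification(q):.1f}")
```

With ten "mx" mechanisms each answering ten MX names without glue, the model sends 11 queries to the attacker's zone and 100 to the victim's; with an indirect cap of 30 it stops with a PermError after 30 A queries, so the cap bounds what a single evaluation can be made to do to a third party regardless of how the policy is arranged.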
