BCP38 thread 93,871,738,435 + SPF
ge at linuxbox.org
Sun Oct 29 18:30:27 UTC 2006
On Sun, 29 Oct 2006, Douglas Otis wrote:
> On Sun, 2006-10-29 at 09:40 -0600, Gadi Evron wrote:
> > On Sun, 29 Oct 2006, Douglas Otis wrote:
> > >
> > > How would you identify and quell an SPF attack in progress?
> > Okay, now I understand.
> > You speak of an attack specifically utilizing SPF, not of how SPF
> > relates to botnets or attack traceback.
> > The same could be said for web servers, databases behind them, DNS-SEC
> > crypto calculations, etc.
> The described indirect SPF attack does not utilize packet source
> spoofing, and yet may achieve amplifications greater than 1000:1. The
> resources to stage an SPF attack would be the ever present spam, where
> about 70% of this is coming from Botnets. In the case of spam related SPF,
> the attack itself can be virtually free.
> While also consuming an attacker's resources, a DNS reflective attack
> with spoofed source packets represents a far lower impact when compared
> to the SPF attack. SPF represents a grave danger without means for
> mitigation. The same can not be said for these other protocols.
There's a lot that can be done with DDoS technology and amplification
that has not yet been done.
You are 100% right.
There is even more that can be done with current technology. If it takes
200 or so bots to generate ~10Gbps traffic using DNS amplification...
'New' ideas should remain quiet, thing is, they remain quiet and the bad
guys are all over them, long after this silence is harmful.