BCP38 thread 93,871,738,435 + SPF

Gadi Evron ge at linuxbox.org
Sun Oct 29 18:30:27 UTC 2006


On Sun, 29 Oct 2006, Douglas Otis wrote:
> 
> On Sun, 2006-10-29 at 09:40 -0600, Gadi Evron wrote:
> > On Sun, 29 Oct 2006, Douglas Otis wrote:
> > > 
> > > How would you identify and quell an SPF attack in progress?
> > 
> > Okay, now I understand.
> > 
> > You speak of an attack specifically utilizing SPF, not of how SPF
> > relates to botnets or attack traceback.
> > 
> > The same could be said for web servers, databases behind them, DNS-SEC
> > crypto calculations, etc.
> 
> The described indirect SPF attack does not utilize packet source
> spoofing, and yet may achieve amplifications greater than 1000:1.  The
> resources to stage an SPF attack would be the ever present spam, where
> about 70% of this is coming from Botnets.  In the case of spam related SPF,
> the attack itself can be virtually free.
> 
> While also consuming an attacker's resources, a DNS reflective attack
> with spoofed source packets represents a far lower impact when compared
> to the SPF attack.  SPF represents a grave danger without means for
> mitigation.  The same can not be said for these other protocols.

There's a lot that can be done with DDoS technology and amplification
that has not yet been done.

You are 100% right.

There is even more that can be done with current technology. If it takes
200 or so bots to generate ~10Gbps traffic using DNS amplification...

'New' ideas should remain quiet, thing is, they remain quiet and the bad
guys are all over them, long after this silence is harmful.
 
> -Doug

	Gadi.




More information about the NANOG mailing list