nanog mailing list archives
Re: BCP38 thread 93,871,738,435 + SPF
From: Gadi Evron <ge () linuxbox org>
Date: Sun, 29 Oct 2006 09:40:25 -0600 (CST)
On Sun, 29 Oct 2006, Douglas Otis wrote:
> On Sat, 2006-10-28 at 00:52 -0500, Gadi Evron wrote:
>> If you believe SPF prevents you from doing it, can you elaborate how?
>
> Spam referencing malicious SPF scripts can result in PASS or NEUTRAL, where the message and message rates may be normal. Recipients will not notice the role they are playing in an ongoing attack. There would be few clues, and BCP38 or ACLs will not prevent an SPF attack.
>
> From a victim's perspective, there could be tens or hundreds of thousands of attack sources. No source represents an address of a Botnet. An attack could be composed of A-record transactions for hosts not seen in any message, or related to the domains of any SPF script. These SPF scripts might also later morph to frustrate forensic analysis or real-time blocking.
>
> SPF scripts add indirection from what is within a message. An attacking transaction would pass through DNS from one of the hundred thousand recipients. Finding a recipient will not link a DNS transaction to a message. The source of the message may also be a reputable provider. The recipient would need to trace the targets of all associated SPF scripts. A particular SPF script might be one of a hundred other scripts targeting the same victim, however. Analysis designed not to add to an attack can also be seen by the attacker.
>
> Nothing in the experimental SPF or Sender-ID RFCs explains how such catastrophic attacks are avoided. Their recommended premature termination of SPF scripts ensures there is no congestion avoidance as well. How would you identify and quell an SPF attack in progress?

Okay, now I understand. You speak of an attack specifically utilizing SPF, not of how SPF relates to botnets or attack traceback. The same could be said for web servers, databases behind them, DNS-SEC crypto calculations, etc.

> -Doug
Gadi.
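An added example for the exchange above, not code from this thread or from any SPF implementation: a minimal RFC 4408 evaluator run over a constructed in-memory DNS table. It shows the indirection Doug describes (an include/redirect chain whose a:, mx: and exists: terms all point at a third party, with %{i}, %{l} and %{s} macros producing per-message names that appear in no mail) and the limit of ten DNS-causing mechanisms per check from RFC 4408 section 10.1, the "premature termination" he refers to, which ends the chain with PermError. Every domain name, record and address here is made up; nothing is resolved on the network.

```python
"""Minimal SPF (RFC 4408) evaluator over a constructed in-memory DNS table.

Added example for the thread above, not code from any SPF implementation.
"""
import ipaddress
import re

MAX_DNS_MECHANISMS = 10  # include, a, mx, ptr, exists and redirect each cost one

# Constructed zone data (hypothetical names; nothing is resolved on the
# network).  attacker.example's chain points almost every lookup at
# victim.example, and the exists: terms use per-message macros so the
# queried names never appear in any mail.
TXT = {
    "attacker.example":
        "v=spf1 include:r1.attacker.example include:r2.attacker.example "
        "exists:%{i}.chk.victim.example redirect=r3.attacker.example",
    "r1.attacker.example":
        "v=spf1 a:victim.example mx:victim.example "
        "exists:%{l}._l.victim.example ~all",
    "r2.attacker.example":
        "v=spf1 a:www.victim.example a:mail.victim.example "
        "exists:%{s}._s.victim.example ?all",
    "r3.attacker.example":
        "v=spf1 a:ns1.victim.example a:ns2.victim.example "
        "a:ns3.victim.example -all",
    "honest.example": "v=spf1 ip4:192.0.2.0/24 -all",
}
A = {"victim.example": ["198.51.100.1"], "www.victim.example": ["198.51.100.2"]}
MX = {"victim.example": ["mail.victim.example"]}
TABLES = {"TXT": TXT, "A": A, "MX": MX}


class SpfPermError(Exception):
    """PermError: lookup budget exhausted, unknown mechanism, or bad include."""


class SpfCheck:
    def __init__(self, ip, sender):
        self.ip = ipaddress.ip_address(ip)
        self.sender = sender
        self.local, _, self.domain = sender.rpartition("@")
        self.queries = []   # every (rrtype, name) this check would send
        self.charged = 0    # queries counted against MAX_DNS_MECHANISMS

    def _query(self, rrtype, name, charge=True):
        if charge:
            self.charged += 1
            if self.charged > MAX_DNS_MECHANISMS:
                raise SpfPermError("more than %d DNS-causing terms" % MAX_DNS_MECHANISMS)
        self.queries.append((rrtype, name))
        return TABLES[rrtype].get(name)

    def _expand(self, spec, domain):
        # Subset of the RFC 4408 section 8 macros that vary per message.
        subs = {"s": self.sender, "l": self.local, "o": self.domain,
                "d": domain, "i": str(self.ip)}
        return re.sub(r"%\{([slodi])\}", lambda m: subs[m.group(1)], spec)

    def _match(self, mech, arg, domain):
        target = self._expand(arg, domain) if arg else domain
        if mech == "all":
            return True
        if mech in ("ip4", "ip6"):
            return self.ip in ipaddress.ip_network(arg, strict=False)
        if mech == "a":
            return str(self.ip) in (self._query("A", target) or [])
        if mech == "mx":
            hosts = self._query("MX", target) or []
            # A lookups for the MX hosts themselves are not charged (section 10.1).
            return any(str(self.ip) in (self._query("A", h, charge=False) or [])
                       for h in hosts)
        if mech == "exists":
            return self._query("A", target) is not None
        if mech == "include":
            result = self.check(target, charge=True)
            if result == "none":
                raise SpfPermError("include of domain without SPF record")
            return result == "pass"
        raise SpfPermError("unknown mechanism %r" % mech)

    def check(self, domain, charge=False):
        record = self._query("TXT", domain, charge)
        if record is None or not record.startswith("v=spf1"):
            return "none"
        redirect = None
        for term in record.split()[1:]:
            if term.startswith("redirect="):
                redirect = term[len("redirect="):]
                continue
            qualifier = "+"
            if term[0] in "+-~?":
                qualifier, term = term[0], term[1:]
            mech, _, arg = term.partition(":")
            if self._match(mech, arg, domain):
                return {"+": "pass", "-": "fail",
                        "~": "softfail", "?": "neutral"}[qualifier]
        if redirect:
            return self.check(self._expand(redirect, domain), charge=True)
        return "neutral"


def check_host(ip, sender):
    """Evaluate SPF for `sender` connecting from `ip`; return (result, queries)."""
    chk = SpfCheck(ip, sender)
    try:
        result = chk.check(chk.domain)
    except SpfPermError:
        result = "permerror"
    return result, chk.queries


if __name__ == "__main__":
    result, queries = check_host("203.0.113.5", "bob@attacker.example")
    print(result)
    for rrtype, name in queries:
        print("  %-3s %s" % (rrtype, name))
```

Running it for one message from 203.0.113.5 claiming bob@attacker.example ends in permerror after the eleventh charged term, but by then this single recipient has already sent eight queries to victim.example names (the MX hosts' A lookups are not charged against the limit, and the initial TXT lookup is free). The limit bounds what one recipient does per message; it does nothing about the fan-out across the many recipients Doug describes, and the macro-built names are unique per sender address and IP, so a cache offers no relief.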