North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: BCP38 thread 93,871,738,435 + SPF
On Sun, 29 Oct 2006, Douglas Otis wrote: > On Sat, 2006-10-28 at 00:52 -0500, Gadi Evron wrote: > > > > If you believe SPF prevents you from doing it, can you elaborate how? > > Spam referencing malicious SPF scripts can result in PASS or NEUTRAL, > where the message and message rates may be normal. Recipients will not > notice the role they are playing in an ongoing attack. There would be > few clues, and BCP38 or ACLs will not prevent an SPF attack. > > >From a victim's perspective, there could be tens or hundreds of > thousands of attack sources. No source represents an address of a > Botnet. An attack could be composed of A-record transactions for hosts > not seen in any message, or related to the domains of any SPF script. > These SPF scripts might also later morph to frustrate forensic analysis > or real-time blocking. > > SPF scripts add indirection from what is within a message. An attacking > transaction would pass through DNS from one of the hundred thousand > recipients. Finding a recipient will not link a DNS transaction to a > message. The source of the message may also be a reputable provider. > The recipient would need to trace the targets of all associated SPF > scripts. A particular SPF script might be one of a hundred other > scripts targeting the same victim, however. Analysis designed not to > add to an attack can also be seen by the attacker. > > Nothing in the experimental SPF or Sender-ID RFCs explain how such > catastrophic attacks are avoided. Their recommended premature > termination of SPF scripts ensures there is no congestion avoidance as > well. > > How would you identify and quell an SPF attack in progress? Okay, now I understand. You speak of an attack specfically utilizing SPF, not of how SPF relates to botnets or attack traceback. The same could be said for web servers, databases behind them, DNS-SEC crypto calculations, etc. > -Doug Gadi.
|