[93175] in North American Network Operators' Group


Re: BCP38 thread 93,871,738,435 + SPF

daemon@ATHENA.MIT.EDU (Douglas Otis)
Sun Oct 29 12:29:43 2006

From: Douglas Otis <dotis@mail-abuse.org>
To: Gadi Evron <ge@linuxbox.org>
Cc: "Chris L. Morrow" <christopher.morrow@verizonbusiness.com>,
	nanog@merit.edu
In-Reply-To: <Pine.LNX.4.21.0610290938170.30647-100000@linuxbox.org>
Date: Sun, 29 Oct 2006 09:28:39 -0800
Errors-To: owner-nanog@merit.edu


On Sun, 2006-10-29 at 09:40 -0600, Gadi Evron wrote:
> On Sun, 29 Oct 2006, Douglas Otis wrote:
> > 
> > How would you identify and quell an SPF attack in progress?
> 
> Okay, now I understand.
> 
> You speak of an attack specifically utilizing SPF, not of how SPF
> relates to botnets or attack traceback.
> 
> The same could be said for web servers, databases behind them, DNS-SEC
> crypto calculations, etc.

The described indirect SPF attack does not utilize packet source
spoofing, and yet may achieve amplifications greater than 1000:1.  The
resources to stage an SPF attack would be the ever-present spam, about
70% of which is coming from botnets.  In the case of spam-related SPF,
the attack itself can be virtually free.

While also consuming an attacker's resources, a DNS reflective attack
with spoofed source packets represents a far lower impact when compared
to the SPF attack.  SPF represents a grave danger without means for
mitigation.  The same cannot be said for these other protocols.

-Doug
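
The cost Doug refers to comes from SPF terms that themselves trigger DNS queries (include, a, mx, ptr, exists, redirect) and that nest through included records. The checker below is added here as an illustration and is not part of the thread; it walks a constructed in-memory zone (ZONE and every domain name in it are made-up sample data, not real records) and counts those lookups against the 10-lookup ceiling RFC 4408 section 10.1 requires a receiver to enforce, flagging records that exceed it or refer back to themselves.

```python
import re

# Constructed in-memory zone (assumed sample data, not real records).
ZONE = {
    "example.com": "v=spf1 include:_spf.example.com include:mail.example.net a mx ~all",
    "_spf.example.com": "v=spf1 include:a.example.com include:b.example.com -all",
    "a.example.com": "v=spf1 a mx ptr exists:%{i}.rbl.example -all",
    "b.example.com": "v=spf1 a mx -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.1 -all",
    "loop.example.org": "v=spf1 include:loop.example.org -all",
}

# Terms whose evaluation costs at least one DNS query; RFC 4408 s10.1 caps
# these at 10 per check so a single record cannot fan out without bound.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10
TERM_RE = re.compile(r"([a-z0-9]+)(?:[:=](.*))?$", re.I)

def spf_lookup_count(domain, zone=ZONE, ancestors=frozenset()):
    """Return (lookups, loop): lookups is the number of DNS-querying terms
    reached while evaluating domain's record, nested include/redirect
    targets included; loop is True if a record refers back to an ancestor."""
    if domain in ancestors:
        return 0, True
    record = zone.get(domain, "")
    if not record.startswith("v=spf1"):
        return 0, False           # no SPF record: nothing to fan out into
    ancestors = ancestors | {domain}
    lookups, loop = 0, False
    for term in record.split()[1:]:
        m = TERM_RE.match(term.lstrip("+-~?"))   # drop the qualifier
        if not m:
            continue
        name, target = m.group(1).lower(), m.group(2)
        if name not in LOOKUP_TERMS:
            continue              # ip4/ip6/all cost no query
        lookups += 1
        if name in ("include", "redirect") and target:
            sub, sub_loop = spf_lookup_count(target, zone, ancestors)
            lookups += sub
            loop = loop or sub_loop
    return lookups, loop

def check_record(domain, zone=ZONE):
    """Classify a record the way a receiver bounded by MAX_LOOKUPS would."""
    lookups, loop = spf_lookup_count(domain, zone)
    if loop:
        return "permerror: include/redirect loop"
    if lookups > MAX_LOOKUPS:
        return "permerror: %d lookups exceed %d" % (lookups, MAX_LOOKUPS)
    return "ok: %d lookups" % lookups
```

In the sample zone, example.com reaches 12 lookups through two levels of include and is rejected, while loop.example.org is stopped at the first self-reference instead of being re-queried indefinitely.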