On Thu, 16 Nov 2006, Douglas Otis wrote:

> > So, name server records are actually worse than SPF.  With SPF, I made
> > sure that there were some limits on the number of queries that can be
> > sent.

> Wayne, you have missed the point as well. In addition to a possible 100
> victim targeted queries, SPF provides the attacker more than 111
> opportunities per execution of an SPF script to introduce an NS chaining
> scheme as well.  SPF makes an NS chaining problem 111 times worse!  In
> addition, early termination of an SPF script coupled with initiation of
> another script defeats exponential back-off.

Like I said in my original post on this subject, it all comes down to
the timeout (either the one from the SPF processor, the one from the
resolver itself, or the application one), as there are enough opportunities
with and without SPF to do chaining, and in the end it's going
to be about the same amplification.

The thing I'm seriously afraid of is "advanced" libraries designed
for high-end multi-threaded systems that would try to send multiple
requests asynchronously. For SPF that means resolving multiple listed
"exists" and/or "mx" mechanisms at once instead of trying the first and
then the 2nd, etc. - but I don't think there are any doing it this way
right now, even though SPF allows for it in its design. A more serious
issue may be mail servers, as there are some that would try to get
resolution for all listed MX records in an asynchronous manner. Luckily
for us the number of such deployments is small, whereas the attack
depends on a great number of systems doing it.


P.S. I'm not sure this discussion is good to be held on a public mailing
list. Think about who it helps most when we publicly brainstorm the most
useful way to accomplish this sort of attack.

===
William Leibzon
Elan Networks
[EMAIL PROTECTED]
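The query limits Wayne refers to are the defender's side of this thread: an SPF evaluator that budgets the DNS-querying terms (a, mx, ptr, exists, include, redirect) and aborts once the budget is spent caps how much resolver work one message can trigger, regardless of how the records are chained. The following is an added example written for this page, not code from the thread, from any SPF implementation, or from the dnsop list. It assumes the limits later codified in RFC 7208 section 4.6.4 (at most 10 DNS-querying terms per evaluation and at most 2 "void" lookups that return no records), and it uses a constructed in-memory zone with hypothetical names (example.test, abuse.test) so it runs offline; the 12-include record under abuse.test is constructed here purely to show the budget being enforced.

```python
"""SPF DNS-lookup budget enforcement (added example, not from the thread)."""
import re

# Mechanisms and modifiers whose evaluation causes a DNS query (RFC 7208 4.6.4).
DNS_TERMS = {"a", "mx", "ptr", "exists", "include", "redirect"}
MAX_DNS_TERMS = 10    # assumed from RFC 7208 4.6.4
MAX_VOID_LOOKUPS = 2  # assumed from RFC 7208 4.6.4


class SpfLimitExceeded(Exception):
    """Raised when an evaluation would exceed its DNS budget."""


def parse_terms(record):
    """Split 'v=spf1 ...' into (qualifier, name, value) tuples."""
    if not record.startswith("v=spf1"):
        raise ValueError("not an SPF record")
    terms = []
    for tok in record.split()[1:]:
        m = re.fullmatch(r"([+\-~?]?)([a-zA-Z0-9]+)(?:[:=](.*))?", tok)
        if not m:
            raise ValueError("bad term: " + tok)
        terms.append((m.group(1) or "+", m.group(2).lower(), m.group(3)))
    return terms


class BudgetedEvaluator:
    """Walks an SPF record tree, charging every DNS-querying term to one budget."""

    def __init__(self, lookup, max_terms=MAX_DNS_TERMS, max_void=MAX_VOID_LOOKUPS):
        self.lookup = lookup          # caller-supplied resolver: lookup(name, rrtype) -> list
        self.max_terms = max_terms
        self.max_void = max_void
        self.dns_terms = 0            # DNS-querying terms charged so far
        self.void = 0                 # lookups that returned nothing

    def _charge(self):
        self.dns_terms += 1
        if self.dns_terms > self.max_terms:
            raise SpfLimitExceeded("more than %d DNS-querying terms" % self.max_terms)

    def _query(self, name, rrtype):
        rrs = self.lookup(name, rrtype)
        if not rrs:
            self.void += 1
            if self.void > self.max_void:
                raise SpfLimitExceeded("more than %d void lookups" % self.max_void)
        return rrs

    def count_queries(self, domain):
        """Follow include/redirect chains, charging the budget; return terms charged."""
        spf = [t for t in self._query(domain, "TXT") if t.startswith("v=spf1")]
        if len(spf) != 1:
            return self.dns_terms     # a real evaluator returns none/permerror here
        redirect = None
        for _qualifier, name, val in parse_terms(spf[0]):
            if name not in DNS_TERMS:
                continue              # ip4/ip6/all cost nothing
            self._charge()
            if name == "include":
                self.count_queries(val)
            elif name == "redirect":
                redirect = val        # evaluated after the record's own terms
            elif name == "mx":
                hosts = self._query(val or domain, "MX")
                if len(hosts) > 10:   # per-mechanism MX cap, also from RFC 7208
                    raise SpfLimitExceeded("more than 10 MX records")
            elif name in ("a", "exists"):
                self._query(val or domain, "A")
            # ptr is charged but not resolved further in this example
        if redirect:
            self.count_queries(redirect)
        return self.dns_terms


# Constructed zone data (hypothetical names), standing in for live DNS.
ZONE = {
    ("example.test", "TXT"): ["v=spf1 mx include:_spf.example.test -all"],
    ("example.test", "MX"): ["mail1.example.test", "mail2.example.test"],
    ("_spf.example.test", "TXT"): ["v=spf1 a exists:chk.example.test ~all"],
    ("_spf.example.test", "A"): ["192.0.2.10"],
    ("chk.example.test", "A"): [],            # void lookup
    ("_spf2.example.test", "TXT"): ["v=spf1 a -all"],
    ("_spf2.example.test", "A"): ["192.0.2.20"],
    # Constructed over-long record: 12 includes, each costing include + a.
    ("abuse.test", "TXT"): ["v=spf1 " + " ".join(["include:_spf2.example.test"] * 12) + " -all"],
}


def offline_lookup(name, rrtype):
    return ZONE.get((name, rrtype), [])


def check(domain):
    """Return ('ok', terms) or ('limit', terms charged before the budget ran out)."""
    ev = BudgetedEvaluator(offline_lookup)
    try:
        return ("ok", ev.count_queries(domain))
    except SpfLimitExceeded:
        return ("limit", ev.dns_terms)


if __name__ == "__main__":
    print(check("example.test"))   # ('ok', 4)
    print(check("abuse.test"))     # ('limit', 11): aborted on the 11th term
```

The point of the budget being global to the evaluation rather than per record is the one the thread raises: chaining includes or redirects does not buy the sender extra queries, because every nested term is charged against the same counter, and an evaluator that stops at the limit bounds the amplification no matter how the records are arranged. A real resolver wrapper would also carry an overall wall-clock deadline, since, as the reply notes, the timeout is what ultimately bounds the work.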
dnsop resources:_____________________________________________________
web user interface: http://darkwing.uoregon.edu/~llynch/dnsop.html
mhonarc archive: http://darkwing.uoregon.edu/~llynch/dnsop/index.html
