On Sun, 29 Oct 2006, Douglas Otis wrote:
>
> On Sun, 2006-10-29 at 09:40 -0600, Gadi Evron wrote:
> > On Sun, 29 Oct 2006, Douglas Otis wrote:
> > >
> > > How would you identify and quell an SPF attack in progress?
> >
> > Okay, now I understand.
> >
> > You speak of an attack specifically utilizing SPF, not of how SPF
> > relates to botnets or attack traceback.
> >
> > The same could be said for web servers, databases behind them, DNS-SEC
> > crypto calculations, etc.
>
> The described indirect SPF attack does not utilize packet source
> spoofing, and yet may achieve amplifications greater than 1000:1. The
> resources to stage an SPF attack would be the ever-present spam, where
> about 70% of this is coming from botnets. In the case of spam-related SPF,
> the attack itself can be virtually free.
>
> While also consuming an attacker's resources, a DNS reflective attack
> with spoofed source packets represents a far lower impact when compared
> to the SPF attack. SPF represents a grave danger without means for
> mitigation. The same cannot be said for these other protocols.
There's a lot that can be done with DDoS technology and amplification that
has not yet been done. You are 100% right. There is even more that can be
done with current technology. If it takes 200 or so bots to generate
~10Gbps traffic using DNS amplification...

'New' ideas should remain quiet; the thing is, they remain quiet and the bad
guys are all over them, long after this silence is harmful.

> -Doug

	Gadi.
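As an added example, not from this thread or from either of its authors: a small Python model of the indirect amplification Doug describes, where a spam sender's SPF record is written so that every receiving MTA that evaluates it fires DNS queries at a third party's name servers. It also shows what the per-check lookup limit in RFC 7208 section 4.6.4 (at most 10 DNS-querying terms, after which the result is permerror) does to that amplification. All domains and records below are constructed; a, mx, exists and ptr are modelled as one query each, which understates mx (an MX query plus one A query per MX host).

```python
"""Model how an SPF evaluation can be turned into DNS amplification.

Constructed example, not a full SPF implementation: only the terms that
cost DNS queries (include, a, mx, exists, ptr, redirect) are modelled,
and the resolver answers from an in-memory dict instead of the network.
"""
from collections import Counter

# RFC 7208 s4.6.4: at most 10 DNS-querying terms per check_host() call.
MAX_LOOKUPS = 10
LOOKUP_MECHANISMS = ("include", "a", "mx", "exists", "ptr", "redirect")


class PermError(Exception):
    """Raised when an evaluation exceeds the lookup limit (SPF permerror)."""


class MockResolver:
    """Serves TXT records from a constructed dict and counts every query."""

    def __init__(self, txt_records):
        self.txt_records = txt_records
        self.queries = Counter()  # queried name -> number of queries sent

    def txt(self, domain):
        self.queries[domain] += 1
        return self.txt_records.get(domain)

    def a(self, domain):
        self.queries[domain] += 1
        return []  # addresses are irrelevant here; only the query count matters


def evaluate(resolver, domain, limit=MAX_LOOKUPS, _state=None):
    """Walk the SPF record of `domain`, recursing into include/redirect.

    Returns the number of DNS-querying terms processed. Raises PermError
    when the next such term would exceed `limit`; limit=None disables the
    check, which is what an evaluator that ignores the RFC limit looks like.
    """
    state = _state if _state is not None else {"lookups": 0}
    record = resolver.txt(domain)
    if record is None:
        raise PermError(f"no SPF record for {domain}")
    for term in record.split()[1:]:  # drop the "v=spf1" version tag
        name = term.lstrip("+-~?")  # strip the qualifier
        if name == "all":
            continue
        sep = ":" if ":" in name else "="  # "include:x" vs "redirect=x"
        mech, _, arg = name.partition(sep)
        if mech not in LOOKUP_MECHANISMS:
            continue  # ip4/ip6 cost no query
        if limit is not None and state["lookups"] >= limit:
            raise PermError(f"lookup limit {limit} exceeded at {term}")
        state["lookups"] += 1
        target = arg or domain
        if mech in ("include", "redirect"):
            evaluate(resolver, target, limit, state)
        else:
            resolver.a(target)  # a/mx/exists/ptr modelled as one query each
    return state["lookups"]


def build_records(hops=5, targets_per_hop=5):
    """Constructed attacker records: each include hop points `a:` terms at
    names under the victim's zone, so the victim's servers answer them."""
    root = " ".join(f"include:hop{i}.attacker.example" for i in range(hops))
    records = {"attacker.example": f"v=spf1 {root} -all"}
    for i in range(hops):
        targets = " ".join(f"a:t{i}-{j}.victim.example"
                           for j in range(targets_per_hop))
        records[f"hop{i}.attacker.example"] = f"v=spf1 {targets} -all"
    return records


def queries_to(resolver, suffix):
    """Queries that landed on names ending in `suffix`."""
    return sum(n for name, n in resolver.queries.items() if name.endswith(suffix))


def simulate(limit):
    """Evaluate one inbound message's MAIL FROM domain and report
    (outcome, queries hitting the victim, total queries)."""
    resolver = MockResolver(build_records())
    try:
        evaluate(resolver, "attacker.example", limit=limit)
        outcome = "completed"
    except PermError:
        outcome = "permerror"
    return outcome, queries_to(resolver, ".victim.example"), sum(resolver.queries.values())


if __name__ == "__main__":
    for limit in (None, MAX_LOOKUPS):
        outcome, victim, total = simulate(limit)
        print(f"limit={limit}: {outcome}, {victim} queries to victim, {total} total")
```

With the limit disabled, one spam message costs the victim 25 queries and the evaluating MTA 31; with the RFC limit enforced the evaluation stops at the eleventh querying term with permerror, after 8 queries to the victim. The per-message numbers scale with the number of recipients that evaluate SPF, which is the source of the amplification in the thread; the limit caps the cost per message rather than removing it, and mx terms and NXDOMAIN-heavy records can push the real count higher than this model shows.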