>> Current amplification attacks as I understand them depend on monlist
>> queries, which amplify by a factor of from 3 or 4 to somewhere up in
>> the 450 range, depending on how busy the machine in question is.
> A monlist query will return about 53,000 characters.

Perhaps when run against your machine.

When I fired monlist queries at my own machines, I got anywhere from 210 octets to 21168 octets back, depending on which machine I queried, in response to a 90-octet packet. (All sizes measured at the Ethernet layer.) That's whence the low end of my range. The high end came from an abuse report which claimed that "one 40-byte-long request generates 18252 bytes worth of response traffic"; I don't know where they got the "40-byte" size - the monlist queries I see have 48 bytes of UDP payload.

I guess now I should say the high end is about a factor of 1100 (53000 divided by 48).

Given the widely disparate claims, including two differing by over two orders of magnitude in my own experience, it is fairly clear to me that any single value for either the amplification factor or the response size is right for, at best, one particular query against one particular machine.

/~\ The ASCII                             Mouse
\ / Ribbon Campaign
 X  Against HTML                [email protected]
/ \ Email!           7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
_______________________________________________
pool mailing list
[email protected]
http://lists.ntp.org/listinfo/pool
