On Tuesday 17 October 2006 19:33, Jo Rhett took the opportunity to say:
> Marc Perkel wrote:
> > Not really. If someone had the bandwidth to cause a denial of service
> > through sender verification they could do it more easily by just
> > attacking the target directly. No one is going to use sender
> > verification as a DoS tool. It's too inefficient.
>
> [...]
> Send a bunch of spam with a single forged sender address to a lot of
> sites that do sender verification. Watch their mail server fall down.
> I can assure you that even with modern hardware, no e-mail MTA available
> today can handle 20mb/sec of e-mail connections. The best I have
> personally observed is commercial Sendmail handling 12mb/sec. (of
> connections with no data transfer is a LOT of connections)
But surely the amount of traffic generated by the verifying servers is less than or approximately equal to the amount of traffic generated by the attacker? At least if the servers are well configured, i.e. demand a good HELO and don't perform the callout until after the first RCPT. In that case the attacker could just as well attack the victim directly, whether he has a botnet at his disposal or not (admittedly, I'm not taking into account the additional anonymity the extra hop gives).

The thing with e.g. the DNS-based DDoS attacks that became common a while ago is that there is a considerable bandwidth amplification; you send a small query packet with a forged sender address, asking for a response that is known to be many times larger, to a large number of recursing nameservers. So if you *intend* to DDoS someone's network, there are surely more effective ways of doing it.

On the other hand, if you're merely running your dirty spamming business using a borrowed sender address, callout-verifying servers can cause a DoS against the guy who lent his address, at no additional cost, especially if the callouts are done too early. (Then there is SPF...)

-- 
Magnus Holmgren [EMAIL PROTECTED]
(No Cc of list mail needed, thanks)
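The "well configured" server Magnus describes, put into an Exim ACL fragment. This is an added illustration, not configuration from anyone in the thread; it assumes a standard Exim configuration with the `acl_smtp_mail` and `acl_smtp_rcpt` hooks and a `+local_domains` list, and the ACL names are placeholders. The point is the placement of the callout: a sender callout in the MAIL ACL fires for every forged-sender connection before anything is known about the recipient, so each spam run costs the innocent address's MX a connection; moving it behind a HELO check and the recipient checks in the RCPT ACL means only deliveries that would otherwise be accepted trigger a callout at all.

```exim
# Added example, not from the mailing-list thread. ACL names are placeholders.
acl_smtp_mail = acl_check_mail
acl_smtp_rcpt = acl_check_rcpt

begin acl

acl_check_mail:
  # Weak placement (shown commented out, do not enable): a callout at MAIL FROM
  # is spent on every connection that presents a forged sender, whether or not
  # a single recipient would be accepted.
  # accept verify = sender/callout=20s
  accept

acl_check_rcpt:
  # Demand a usable HELO/EHLO before spending any effort on the sender.
  # verify = helo checks the HELO name against forward/reverse DNS.
  deny    !verify   = helo
          message   = HELO/EHLO name does not verify

  # Cheap, local checks first: is this a domain we handle, and does the
  # recipient exist? Only then perform the sender callout.
  accept  domains   = +local_domains
          endpass
          verify    = recipient
          verify    = sender/callout=20s,defer_ok

  # Nothing else is accepted, so no callout is ever made for relay attempts.
  deny    message   = relay not permitted
```

With this ordering a spam run that uses a forged sender produces at most one callout per accepted local recipient, and Exim's callout cache (enabled by default) collapses repeated verifications of the same sender address into a single connection for the cache lifetime, which is what keeps the load on the borrowed address's MX close to the attacker's own sending cost rather than amplifying it. `defer_ok` keeps a slow or unreachable sender MX from turning the callout into a self-inflicted outage.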