On Tuesday 17 October 2006 19:33, Jo Rhett took the opportunity to say:
Send a bunch of spam with a single forged sender address to a lot of
sites that do sender verification. Watch their mail server fall down.
I can assure you that even with modern hardware, no e-mail MTA available
today can handle 20mb/sec of e-mail connections. The best I have
personally observed is commercial Sendmail handling 12mb/sec. (of
connections with no data transfer is a LOT of connections)

Magnus Holmgren wrote:
But surely the amount of traffic generated by the verifying servers is less
than or approximately equal to the amount of traffic generated by the
attacker?

No. One hundred messages to one hundred recipients is pretty low
bandwidth out.

The thing with e.g. the DNS-based DDoS attacks that became common a while ago
is that there is a considerable bandwidth amplification; you send a small
query packet with a forged sender address, asking for a response that is
known to be many times larger, to a large number of recursing nameservers.

Bingo. Very small spam messages with many recipients can get magnified
by the sending mail servers. This works with e-mail, unlike any other
TCP-based attack.

--
Jo Rhett
Network/Software Engineer
Net Consonance
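
Added example, not part of the thread and not taken from any MTA: a sketch of how a site that does sender verification can bound the callout traffic it sends toward a forged sender's domain, using a per-address verdict cache plus a per-domain callout budget. The class name, the limits, the "defer" policy and the stub probe are assumptions, and the message stream is constructed.

```python
from collections import defaultdict

class CalloutGate:
    """Limits the sender-verification callouts one receiving MTA will make."""

    def __init__(self, cache_ttl=7200, max_per_domain=5, window=60):
        self.cache_ttl = cache_ttl            # seconds a verdict is reused
        self.max_per_domain = max_per_domain  # callouts allowed per window
        self.window = window                  # seconds
        self._cache = {}                      # sender -> (verdict, expiry)
        self._recent = defaultdict(list)      # domain -> callout timestamps

    def check(self, sender, now, probe):
        """Return (verdict, callout_made) for one MAIL FROM address."""
        sender = sender.lower()
        hit = self._cache.get(sender)
        if hit and hit[1] > now:
            return hit[0], False              # answered from cache
        domain = sender.rpartition("@")[2]
        stamps = [t for t in self._recent[domain] if t > now - self.window]
        self._recent[domain] = stamps
        if len(stamps) >= self.max_per_domain:
            return "defer", False             # budget spent: tempfail, no callout
        stamps.append(now)
        verdict = probe(sender)               # the one real outbound connection
        self._cache[sender] = (verdict, now + self.cache_ttl)
        return verdict, True

def count_callouts(events, gate=None):
    """events: (time_in_seconds, sender) pairs. Returns callouts made."""
    probe = lambda sender: "reject"           # stand-in for the SMTP callout
    if gate is None:
        return len(events)                    # naive: one callout per message
    return sum(gate.check(s, t, probe)[1] for t, s in events)

# Constructed input: 1000 messages at 10 per second, forged senders at example.org.
SAME_SENDER = [(i // 10, "victim@example.org") for i in range(1000)]
RANDOM_SENDERS = [(i // 10, f"u{i}@example.org") for i in range(1000)]

if __name__ == "__main__":
    print("no gate:       ", count_callouts(SAME_SENDER))
    print("cache:         ", count_callouts(SAME_SENDER, CalloutGate()))
    print("cache + budget:", count_callouts(RANDOM_SENDERS, CalloutGate()))
```

The cache alone only helps when the forged address repeats; the per-domain budget is what caps the load when the local part varies from message to message.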