[Pool] New participant, big question

Mouse mouse at Rodents-Montreal.ORG
Sun Feb 9 22:49:59 UTC 2014


>> Current amplification attacks as I understand them depend on monlist
>> queries, which amplify by a factor of from 3 or 4 to somewhere up in
>> the 450 range, depending on how busy the machine in question is.

> A monlist query will return about 53,000 characters.

Perhaps when run against your machine.

When I fired monlist queries at my own machines, I got anywhere from
210 octets to 21168 octets back, depending on which machine I queried,
in response to a 90-octet packet.  (All sizes measured at the Ethernet
layer.)  That's whence the low end of my range.  The high end came from
an abuse report which claimed that "one 40-byte-long request generates
18252 bytes worth of response traffic"; I don't know where they got the
"40-byte" size - the monlist queries I see have 48 bytes of UDP
payload.  I guess now I should say the high end is about a factor of
1100 (53000 divided by 48).

Given the widely disparate claims, including two differing by over two
orders of magnitude in my own experience, it is fairly clear to me that
any single value for either the amplification factor or the response
size is right for, at best, one particular query against one particular
machine.

/~\ The ASCII				  Mouse
\ / Ribbon Campaign
 X  Against HTML		mouse at rodents-montreal.org
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B


More information about the pool mailing list