Re: [Asrg] Development of an object assessment format/protocol
Paul Smith <paul@pscs.co.uk> Mon, 04 March 2013 19:00 UTC
Date: Mon, 04 Mar 2013 18:43:47 +0000
From: Paul Smith <paul@pscs.co.uk>

On 04/03/2013 18:28, Martijn Grooten wrote:
> Emanuele Balla (aka Skull) wrote:
>> Straight to the point: abusive URLs on legit domains. There's no
>> (easy/effective) way to encode an entire URL in a DNS request.
>> At least, that's the reason why I've been thinking about this topic for the last
>> 4 years... :-\
> Can't you just use HTTP for that?

Well, HTTP seems a bit 'heavyweight' for this to me. That's one of the advantages of DNS - it's UDP, so no packets to set up short-lived sessions. (Other advantages, AFAICS, are distributed caching, and widespread support)

I suppose you could keep a HTTP session open for a while, but, you'd need a beefy server to handle the zillions of sessions you'd have to have open at once. DNS doesn't have 'sessions' so you don't have this problem.

OTOH, a disadvantage of DNS is that it's UDP, so you have to handle retries etc yourself.

So, if you're looking at something like this, you need to first of all think UDP or TCP?

UDP is easy & quick to have lots of packets flying around, but you have extra work to handle retries, and some of the benefit of UDP could be gained by just having long-lived sessions between reputation source and reputation checker. But, this may cause issues for servers and firewalls (could a typical server/firewall have hundreds of thousands of active TCP sessions? A NAT firewall would die quickly, but could a non-NAT firewall cope?)

If you decide UDP is the most efficient, then DNS is very attractive, because you already have distributed caching 'built-in' to the Internet infrastructure, but if we're willing to dump that capability, then I'm fairly sure we could come up with something with the suitable capabilities which would fit in a UDP packet size - once we can decide what the 'suitable capabilities' are...

If TCP is the way to go, then the world is your oyster, but I'd be concerned about speed and the server requirements. Anyone know how many queries someone like Spamhaus gets an hour?

--
Paul Smith Computer Services
Tel: 01484 855800
Vat No: GB 685 6987 53
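
The size constraint behind the quoted remark about encoding an entire URL in a DNS request, worked through as an added example (not part of the original message or of any list member's code). The zone `uribl.example`, the function names and the choice of base32 are assumptions made for illustration; the thread does not name an encoding.

```python
import base64

MAX_LABEL = 63   # octets allowed in one DNS label (RFC 1035)
MAX_NAME = 253   # characters in a dotted name, excluding the trailing dot

ZONE = "uribl.example"  # hypothetical reputation zone, not a real service


def url_to_qname(url: str, zone: str = ZONE) -> str:
    """Encode a whole URL as labels under `zone`; raise ValueError if it cannot fit."""
    # Base32 keeps the name case-insensitive and limited to letters and digits,
    # at a cost of 8 output characters for every 5 input bytes.
    encoded = base64.b32encode(url.encode("utf-8")).decode("ascii")
    encoded = encoded.rstrip("=").lower()
    labels = [encoded[i:i + MAX_LABEL] for i in range(0, len(encoded), MAX_LABEL)]
    qname = ".".join(labels + [zone])
    if len(qname) > MAX_NAME:
        raise ValueError(f"query name needs {len(qname)} characters, limit is {MAX_NAME}")
    return qname


def qname_to_url(qname: str, zone: str = ZONE) -> str:
    """Reverse url_to_qname, as the answering side would have to."""
    encoded = qname[: -len(zone) - 1].replace(".", "").upper()
    encoded += "=" * (-len(encoded) % 8)  # restore the stripped base32 padding
    return base64.b32decode(encoded).decode("utf-8")


def max_url_bytes(zone: str = ZONE) -> int:
    """Largest URL size in bytes whose encoded form still fits under `zone`."""
    n = 0
    while True:
        try:
            url_to_qname("a" * (n + 1), zone)
        except ValueError:
            return n
        n += 1


if __name__ == "__main__":
    sample = "http://legit.example/~user/page.html?id=42"  # constructed sample URL
    print(url_to_qname(sample))
    print("largest URL that fits:", max_url_bytes(), "bytes")
```

Under these assumptions a URL longer than 147 bytes cannot be expressed as a single query name, before any per-resolver handling of unusual names is considered.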