Re: [Asrg] Development of an object assessment format/protocol

Paul Smith <paul@pscs.co.uk> Mon, 04 March 2013 19:00 UTC

Return-Path: <prvs=077541D51C=paul@pscs.co.uk>
X-Original-To: asrg@ietfa.amsl.com
Delivered-To: asrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 78C2D21F89EF for <asrg@ietfa.amsl.com>; Mon, 4 Mar 2013 11:00:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hkj1qwIelXTg for <asrg@ietfa.amsl.com>; Mon, 4 Mar 2013 11:00:53 -0800 (PST)
Received: from mail.pscs.co.uk (mail.pscs.co.uk [188.65.177.237]) by ietfa.amsl.com (Postfix) with ESMTP id DC83121F8D44 for <asrg@irtf.org>; Mon, 4 Mar 2013 11:00:51 -0800 (PST)
Received: from lmail.pscs.co.uk ([82.68.5.206]) by mail.pscs.co.uk ([188.65.177.237] running VPOP3) with ESMTP for <asrg@irtf.org>; Mon, 4 Mar 2013 18:49:58 -0000
Received: from [192.168.57.43] ([92.27.146.145]) by lmail.pscs.co.uk ([192.168.66.70] running VPOP3) with ESMTP for <asrg@irtf.org>; Mon, 4 Mar 2013 18:43:47 -0000
Message-ID: <5134EB63.1020801@pscs.co.uk>
Date: Mon, 04 Mar 2013 18:43:47 +0000
From: Paul Smith <paul@pscs.co.uk>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20130107 Thunderbird/17.0.2
MIME-Version: 1.0
To: asrg@irtf.org
References: <20130304132924.GA27928@gsp.org> <0D79787962F6AE4B84B2CC41FC957D0B20C05A58@abn-exch1b.green.sophos> <5134D304.5040702@bofhland.org> <0D79787962F6AE4B84B2CC41FC957D0B20C05B52@abn-exch1b.green.sophos>
In-Reply-To: <0D79787962F6AE4B84B2CC41FC957D0B20C05B52@abn-exch1b.green.sophos>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Authenticated-Sender: paul
X-Server: VPOP3 Enterprise V6.0 - Registered
X-Organisation: Paul Smith Computer Services
Subject: Re: [Asrg] Development of an object assessment format/protocol
X-BeenThere: asrg@irtf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
List-Id: Anti-Spam Research Group - IRTF <asrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/asrg>, <mailto:asrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/asrg>
List-Post: <mailto:asrg@irtf.org>
List-Help: <mailto:asrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 Mar 2013 19:00:53 -0000

On 04/03/2013 18:28, Martijn Grooten wrote:
> Emanuele Balla (aka Skull) wrote:
>> Straight to the point: abusive URLs on legit domains. There's no
>> (easy/effective) way to encode an entire URL in a DNS request.
>> At least, that's the reason why I've been thinking about this topic for the last
>> 4 years... :-\
> Can't you just use HTTP for that?

Well, HTTP seems a bit 'heavyweight' for this to me. That's one of the 
advantages of DNS - it's UDP, so no packets to set up short-lived 
sessions. (Other advantages, AFAICS, are distributed caching, and 
widespread support)

I suppose you could keep an HTTP session open for a while, but you'd 
need a beefy server to handle the zillions of sessions you'd have to 
have open at once. DNS doesn't have 'sessions', so you don't have this 
problem.

OTOH, a disadvantage of DNS is that it's UDP, so you have to handle 
retries etc. yourself.

So, if you're looking at something like this, you need to first of all 
think UDP or TCP? UDP is easy & quick to have lots of packets flying 
around, but you have extra work to handle retries, and some of the 
benefit of UDP could be gained by just having long-lived sessions 
between reputation source and reputation checker. But, this may cause 
issues for servers and firewalls (could a typical server/firewall have 
hundreds of thousands of active TCP sessions? A NAT firewall would die 
quickly, but could a non-NAT firewall cope?)

If you decide UDP is the most efficient, then DNS is very attractive, 
because you already have distributed caching 'built-in' to the Internet 
infrastructure, but if we're willing to dump that capability, then I'm 
fairly sure we could come up with something with the suitable 
capabilities which would fit in a UDP packet size - once we can decide 
what the 'suitable capabilities' are...

If TCP is the way to go, then the world is your oyster, but I'd be 
concerned about speed and the server requirements. Anyone know how many 
queries someone like Spamhaus gets an hour?



-

Paul Smith Computer Services
Tel: 01484 855800
Vat No: GB 685 6987 53
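The two constraints the thread touches on, that a full URL does not fit naturally into a DNS query name and that a lookup still has to fit in a classic UDP DNS message, can be checked concretely. The following is an added illustration, not code from anyone on the list: it applies the RFC 1035 limits (63 octets per label, 255 octets per name, 512-octet UDP message) to three ways of forming a query name for a URL. The zone name `urlrep.example.` and the choice of a truncated SHA-256 of the normalized URL as the label are assumptions made for the example, not any deployed service's scheme.

```python
"""Constructed example: what can and cannot be carried in a DNS query name.

Assumptions (not from the thread): a hypothetical reputation zone
ZONE, and a 128-bit truncated SHA-256 of the normalized URL as the
query label when the literal URL will not fit.
"""
import hashlib
from typing import List, Optional
from urllib.parse import urlsplit, urlunsplit

# RFC 1035 limits
MAX_LABEL_OCTETS = 63      # each label
MAX_NAME_OCTETS = 255      # whole name in wire form
MAX_UDP_MESSAGE = 512      # classic DNS-over-UDP message size
DNS_HEADER_OCTETS = 12     # fixed header
QTYPE_QCLASS_OCTETS = 4    # QTYPE + QCLASS after the QNAME

ZONE = "urlrep.example."   # hypothetical reputation zone (assumption)


def _labels(name: str) -> List[str]:
    return [lab for lab in name.rstrip(".").split(".") if lab]


def wire_name_length(name: str) -> int:
    """Octets the name occupies on the wire: len+label per label, plus root byte."""
    return sum(len(lab.encode("utf-8")) + 1 for lab in _labels(name)) + 1


def query_message_size(qname: str) -> int:
    """Size of a minimal query (no EDNS0) carrying this QNAME."""
    return DNS_HEADER_OCTETS + wire_name_length(qname) + QTYPE_QCLASS_OCTETS


def fits_in_udp(qname: str) -> bool:
    return query_message_size(qname) <= MAX_UDP_MESSAGE


def normalize_url(url: str) -> str:
    """Lowercase scheme and host, drop fragment, keep path and query as-is."""
    p = urlsplit(url)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path or "/", p.query, ""))


def domain_qname(url: str) -> str:
    """Domain-only lookup: every URL on the host collapses to one name,
    which is exactly why an abusive path on a legit domain is invisible here."""
    host = (urlsplit(url).hostname or "").lower()
    return f"{host}.{ZONE}"


def literal_qname(url: str) -> Optional[str]:
    """Naive attempt to put the URL itself into the name, one label per
    path segment. Returns None when it violates the RFC 1035 length limits."""
    body = normalize_url(url).split("://", 1)[1]
    labels = [seg for seg in body.split("/") if seg]
    if any(len(seg.encode("utf-8")) > MAX_LABEL_OCTETS for seg in labels):
        return None
    qname = ".".join(labels) + "." + ZONE
    if wire_name_length(qname) > MAX_NAME_OCTETS:
        return None
    return qname


def hashed_qname(url: str) -> str:
    """Fixed-size alternative: hash the normalized URL. Distinct URLs on the
    same domain get distinct names, at the cost of exact-match-only lookups."""
    digest = hashlib.sha256(normalize_url(url).encode("utf-8")).hexdigest()[:32]
    return f"{digest}.{ZONE}"


if __name__ == "__main__":
    # constructed sample URLs
    a = "http://legit.example.com/a/b"
    b = "http://legit.example.com/evil-path?x=1"
    long_path = "http://legit.example.com/" + "a" * 64
    print(domain_qname(a) == domain_qname(b))          # True: path lost
    print(literal_qname(a))                             # fits
    print(literal_qname(long_path))                     # None: label too long
    print(hashed_qname(a), query_message_size(hashed_qname(a)))
```

The domain-only form shows the problem Emanuele raises: both sample URLs map to the same query name. The literal form works for short URLs but fails as soon as one path segment exceeds 63 octets or the whole name exceeds 255, and it also has no clean way to carry characters that are not valid in hostnames. The hashed form always fits comfortably within a 512-octet UDP query, but the resolver can only answer exact-match questions about a URL it has already seen, so it trades away prefix and wildcard matching.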