[Docs] [txt|pdf] [Tracker] [Email] [Diff1] [Diff2] [Nits]

Versions: 00 01

individual                                                       D. Otis
Internet-Draft                                         Trend Micro, NSSG
Expires: December 26, 2006                                 June 24, 2006


                          SPF DoS Exploitation
                     draft-otis-spf-dos-exploit-01

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on December 26, 2006.

Copyright Notice

   Copyright (C) The Internet Society (2006).

Abstract

   This document describes an email induced Denial of Service threat
   from SPF script used to evaluate the association of a source domain-
   name with the sending-system.  The SPF script attempts to establish
   the domain-name association through the construction of an extensive
   IP address list of all sending-systems.  Expectations of an
   association have become problematic, as message handling might be
   negatively affected without an apparent domain-name relationship
   discovered between the sending-system and either the message envelope
   or the message itself.



Otis                    Expires December 26, 2006               [Page 1]

Internet-Draft                   SPF DoS                       June 2006


   There is a safe name-based alternative to the SPF method that
   associates a source domain-name with the sending-system by
   conditionally comparing a list of domain-names against a verified
   EHLO.  This alternative name-based association follows the
   verification of the sending-system's EHLO.  Each of the two steps in
   this alternative approach involves only a single DNS transaction.
   Initially verifying the EHLO of the sending-system avoids the
   multiplicative effects created when a large number of common DNS
   resources are relied upon by a sequence of Mail Handling Systems
   (MHS) forwarding a message.  A verified EHLO also provides a name-
   based identifier for establishing requisite DoS protections.  The two
   SPF indirect references found in the text script, PTR, and MX records
   makes this scheme a highly dangerous method to verify an anonymous
   SMTP client's authorization.  Dramatic reductions in the scale of the
   potential impact is accomplished by limiting common resources used
   for evaluating a domain-name to that of a single conditional DNS
   transaction.


































Otis                    Expires December 26, 2006               [Page 2]

Internet-Draft                   SPF DoS                       June 2006


Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  4
   2.  Definitions  . . . . . . . . . . . . . . . . . . . . . . . . .  5
   3.  Defense against Denial of Service Attacks  . . . . . . . . . .  5
   4.  The Exploit Example  . . . . . . . . . . . . . . . . . . . . .  8
   5.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 10
   6.  Security Considerations  . . . . . . . . . . . . . . . . . . . 10
   7.  Informative References . . . . . . . . . . . . . . . . . . . . 11
   Appendix A.  Example Attacking Domain Zone File  . . . . . . . . . 12
   Appendix B.  Example Traffic Qualifying
                jo@cert-test.mail-abuse.org . . . . . . . . . . . . . 15
   Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 62
   Intellectual Property and Copyright Statements . . . . . . . . . . 63





































Otis                    Expires December 26, 2006               [Page 3]

Internet-Draft                   SPF DoS                       June 2006


1.  Introduction

   Two experimental RFCs "Sender Policy Framework (SPF) for Authorizing
   Use of Domains in E-Mail, Version 1" [RFC4408] and "Sender ID:
   Authenticating E-Mail" [RFC4406] relate various email source domains
   with the IP address of the SMTP client by assembling an extensive
   list of IP addresses.  Both drafts utilize the SPF script syntax to
   manipulate names and content of Resource Records (RRs) obtained
   through DNS transactions.  The SPF script is stored in one or more
   TXT RRs that are intended to hold generic character-strings.  An
   additional lookup may be required to ascertain whether SPF specific
   RR types are being used instead of TXT RRs.

   SPF script employs string related macros, Address RRsets containing
   IP address information, MX RRsets containing the name and preference
   numbers of Mail Transfer Agents (MTAs), and the PTR RRsets located in
   the reverse reference IP address domains.  Although this SPF script
   can be utilized in a number of ways, normally the intent is to return
   IP addresses of all systems directly involved with sending messages
   for a particular domain.  In doing so, SPF drastically alters the
   scale of a DNS answer.  The SPF script may define these addresses
   with CIDR notation and/or lookups of various RRsets.

   The SPF script places limits on the number of DNS transactions
   permitted at each Mail Handling Service (MHS) in the path of the
   message when evaluating each source domain-name.  SPF script may
   invoke 10 DNS transactions for various RRsets, where up to 10
   follow-on DNS transactions may then occur.  When the script does not
   provide a PASS result, an additional lookup might be made to obtain a
   macro expanded explanation TXT RR.  As an example, evaluating just
   one domain-name per MHS may involve lookups for 1 TXT RR, 10 MX
   RRsets, and 100 A RRsets for a total of 111 DNS transactions.  While
   there can be 11 SPF TXT RRs containing script in different domains,
   each of the 10 MX mechanism RRsets can contain 10 unique domain-names
   that span 100 victim domains.

   Currently, there are two different domain-names in a message that are
   evaluated using SPF records.  There is the [RFC2821].MailFrom, and
   the experimental and proprietary "Purported Responsible Address in
   E-Mail Messages" [RFC4407], where verifying each domain-name
   separately invokes the SPF evaluation process.  There have been
   suggestions that the [I-D.ietf-dkim-base] Signing-Domain might also
   be evaluated using SPF, where multiple signatures from different
   domains can also exist.

   SPF script is not predicated upon verifying the domain controlling
   the MTA.  Obfuscation of the controlling domain may even erroneously
   shift accountability onto the often hapless email-address domain



Otis                    Expires December 26, 2006               [Page 4]

Internet-Draft                   SPF DoS                       June 2006


   owners who typically rely upon third-party services and may publish
   open-ended address lists.  The address-list approach prevents fair
   name-based accrual of MTA behaviors as a means to establish effective
   DoS protections.  To be effective, a DoS protection scheme must
   indicate specifically what domain is in control.  SPF scripts might
   reference only victim domains unrelated to the control of the MTA,
   and provide inconclusive results subsequent to the evaluation.


2.  Definitions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

   Terminology: Terminology conforms to [I-D.crocker-email-arch].

      RR: A DNS Resource Record.

      RRset: Resource Records of the same type and name location.

      Victim Domain: A domain not causing the transaction.

      Open-ended: Not all valid elements are included in the set.


3.  Defense against Denial of Service Attacks

   The DoS concern specific to SPF scripts is manifold.  SMTP is a store
   and forward protocol that distributes the SPF script threat to
   otherwise reputable MHS.  This distribution multiplies the impact of
   the script when many common DNS resources from multiple domains are
   utilized by subsequent MHS.  By encompassing multiple domains, the
   SPF script may not establish an accountable domain-name subsequent to
   evaluation when inconclusive results are obtained.  Owing to these
   conditions, there is no reasonable strategy that can be used to
   mitigate the potential harm created by a distributed SPF script
   generated DoS attack.  To estimate the potential for the SPF script
   generated threat, the level of network amplification is considered
   for this SPF DNS scripting scheme.

   A typical stance taken when discussing DoS concerns is that there are
   other network amplification techniques to facilitate DoS exploits.
   One such exploit utilizes DNS servers.  This exploit depends upon a
   lookup to be amplified by the difference between the query size and
   that of the answer, in addition to the number of queries made in a
   recursion process.  To roughly estimate the network impact created by
   DNS UDP traffic, 1.3 queries will be assumed to occur on average from



Otis                    Expires December 26, 2006               [Page 5]

Internet-Draft                   SPF DoS                       June 2006


   every DNS lookup, with an average query size of 100 bytes and an
   average answer of 500 bytes.  Based upon these coarse assumptions,
   the resulting DNS amplification is about 13 to 1 when the source IP
   address of the lookup is also spoofed to be that of the targeted
   domain.  Some techniques have increased the level of this exploit by
   employing the [RFC2671] EDNS0 extension to query large RRsets that
   exceed the network MTU, and cause packet fragmentation.  This
   technique can achieve an impact with about a 60 times amplification,
   however the source of the large RRset can be identified.

   About 1 K bytes of outbound TCP traffic may be needed to send a small
   SMTP message.  SPF scripts can target 100 DNS transactions when
   evaluating a single domain-name.  In estimating the targeted
   amplification, the number of common DNS transactions is multiplied by
   the number of recipients in different domains, the different domain-
   names evaluated within the same message, and each sequential MHS that
   does not share a common DNS cache.  A message sent to only 1
   recipient who also utilize SPF evaluation in their MUA could then
   create about 312 to 1 network amplification directed toward a
   targeted domain.  As a comparison, evaluating domain-names using SPF
   represents about 24 times the threat caused by an exploit using
   recursive DNS, and about 5 times the threat caused by the use of
   EDNS0.  Unlike the EDNS0 technique however, the source of the problem
   remains hidden.

   The network amplification exploit using SPF may also leverage a
   provider's SMTP servers that are available from systems an attacker
   may have compromised.  It is common for tens of thousands of
   compromised systems to act in concert to disseminate spam, while each
   system may conform to normal use profiles.  These spam messages could
   have a small list of recipients that further amplify the level of the
   attack.  Perhaps these messages contain an average of 10 recipients.
   These messages may purport to be from email-addresses with random
   local names and sub-domains, beneath a list of top level domains.
   All of these different domains can nevertheless reference similarly
   targeted SPF records.  The messages in the attack could be a stock
   tip ending up in a spam folder.  No single message may convey the
   same information, and yet still target the same victim regardless who
   appears to be the author, or which folder is ultimately selected to
   receive the message.











Otis                    Expires December 26, 2006               [Page 6]

Internet-Draft                   SPF DoS                       June 2006


     (1.3 x (100+500))/1000 = .78 DNS/SMTP Gain Factor

     SPF Script Network Amplification at victim domain:
      RR x MHS x Domain-Names x Recipients x DNS/SMTP = Gain

     100 x  2  x      2       x     1      x   .78    = 312

     100 x  2  x      1       x    10      x   .78    = 1560


     SMTP Name Path Network Amplification at victim domain:
      RR x MHS x Domain-Names x Recipients x DNS/SMTP = Gain

      1  x  2  x      2       x     1      x   .78    =  3

   The SPF script facilitates canvassing by a covert DNS server for
   domains that utilize SPF evaluations and also facilitates a sustained
   DoS attack based upon this knowledge.  Without altering the SPF
   script, local-part label macros provided by SPF can instantiate
   different queries for a series of messages from the same set of
   domains.  Using this technique, in addition to ensuring the DNS
   information has not been locally cached to inundate the targeted
   domain with DNS transactions, this will also flood the local DNS
   cache which may expel previously obtained information prior to its
   normal expiration.

   Just using the SPF script to evaluate a domain-name risks the
   integrity of DNS itself.  A poisoning exploit often attempts to both
   flood the DNS answering for the RR being poisoned, and to gain access
   to the DNS whose cache is to be poisoned.  Both of these efforts are
   facilitated by SPF script.  The SPF script also provides the ability
   to query a covert DNS server that tracks the source IP address,
   ports, and Transaction IDs of DNS transactions to improve upon
   subsequent construction and the timing of poison answers.

   The name-based path registration approach provides a 100 to 1
   reduction in the amount of network amplification with a maximum of
   only one conditional DNS transaction of a common resource.  This
   name-based approach also always provides an accountable domain-name
   for effective DoS protections; see [I-D.otis-smtp-name-path].  The
   name-based path registration alternative to SPF starts by verifying
   the EHLO; see [I-D.crocker-csv-csa].  This allows a name-based
   defense to be established that fairly holds the domain controlling
   each sending system accountable for any abuse.  This approach also
   ensures that prior to acceptance, there is no amplification of DNS
   transactions made with a victim domain, as each subsequent MTA
   forwarding a message offers their own EHLO that exists within their
   own domain or EHLO verification fails.  A failure to verify the EHLO



Otis                    Expires December 26, 2006               [Page 7]

Internet-Draft                   SPF DoS                       June 2006


   allows the recipient to delay subsequent acceptance of messages from
   both the EHLO and the associated client IP address as an effective
   DoS defensive tactic.  Once EHLO verification is established as a
   requisite, message refusals could then be handled in a permanent
   fashion.

   The safe name-based alternative to the SPF script method requires
   just one or two steps.  The first steps ensures the EHLO of the MTA
   is directly verified with a single DNS transaction.  Once the EHLO is
   verified, and when the EHLO is within the domain-name in question, no
   second step is needed.  Otherwise, the second step attempts to
   establish a domain association by making a single forward reference
   PTR RRset lookup from the domain in question.  These PTR RRsets would
   simply list the provider's root domains used by the owner of the
   email-address domain.  A failure to verify the EHLO or to find an
   association with the message domain-names can delay acceptance of the
   message.  EHLO verification is comparatively easier to administer
   than SPF scripts.


4.  The Exploit Example

   This section and the accompanying appendix information is in response
   to requests made by a few large providers.  Explaining the threat in
   general terms proved difficult for many to understand.  This example
   represents one of many possible techniques that are enabled by the
   various SPF script parsing applications.  Other techniques can
   further increase the severity of such an attack, but are not
   reviewed.  As with any script, the permutations of possible actions
   are incredibly vast.

   This Exploit Example makes use of script parser capabilities in many
   SPF libraries, although libspf2 by Wayne Schlitt et al, by default,
   is at half the recommended number of RRs to be processed within an MX
   RRset.  It is not uncommon for an RRset to exceed this lowered limit.
   For example, more than this number of MX RRs are found within
   t-online.de or nokia.com.  These domains also do not publish SPF TXT
   records, which means even when a default SPF script containing the MX
   lookup mechanism is used instead, the lowered RRset cut-off randomly
   prevents some MX RRs from being examined.

   Although several libraries impose the recommended limit, the original
   SPF script's limiting mechanism was recursion depth, that contained
   the DNS transactions by the number of mechanisms that could be
   defined within 20 and changed to 10 additional SPF scripts.  This
   recursive method allows for exceedingly high numbers of DNS
   transactions.  There are several other recent libraries where no
   limits are imposed upon the number of MX RRsets, other than the



Otis                    Expires December 26, 2006               [Page 8]

Internet-Draft                   SPF DoS                       June 2006


   number returned within the MX lookup.  SPF requires the acquisition
   of the TXT SPF record, which may then direct queries to 10 or 11
   other domains.  Most would consider that approach as mandating 10
   times the number of DNS transactions, but SPF also adds highly risky
   indirection enabled through SPF script and macro expansion.

   Taking advantage of just one level of indirection made possible by
   SPF macros, the Exploit Example closely matches the initial estimates
   made in Section 3, but where the request increases, the response is
   reduced by about the same amount.  The Example Exploit therefore
   represents a fairly symmetrical attack, and requires little knowledge
   of the victim's DNS information.  The traffic required to establish
   both the TXT and MX resource record sets should be excluded from the
   gain estimates, as the attack is able to take advantage of a
   difference between negative cache retention, and the TTL of these
   RRsets.

   Often negative caching is for a few minutes, but the RRset could be
   retained many hours.  After the requesting DNS servers have been
   seeded, the level of the attack could maintain a steady barrage while
   requiring far less effort.  The Time-To-Live for negative DNS caching
   may be determined by the recipient, or represent the lesser of the
   SOA TTL or the SOA MINIMUM field, depending upon the recipient's
   implementation, see [RFC2308].

   The attacker would initially populate TXT and MX RRsets that point
   toward the victim's domain.  Referencing different MX RRsets does not
   require an additional SPF TXT script.  Instead, the macro expansion
   capability can be used to reference a vast array of MX records, as
   illustrated by the Example Exploit which uses the local-part as a
   selector.  Optimally, this reference would cycle at a period longer
   than the resolver's negative cache retention period.  A reference to
   a covert DNS server that replicates the SOA record parameters of the
   victim could signal the optimal cycle period.

   The level of attack described in the presentation made for The DNS
   Operations, Analysis, and Research Center (DNS-OARC) called "Recent
   DNS Reflector Attacks From the Victim and the Reflector POV" by Frank
   Scalzo of Verisign, see [r-VS-Reflect] indicated the 35,000
   amplifying reflectors caused on average 144kbps (18KBps) to be
   exchanged with the victim.  A similar level of attack could be
   achieved by the Example Exploit occurring 0.28 times a second or 17
   times per minute.  When 2 domains are being examined, as may occur
   with Sender-ID, this level of attack would require just 8.5 messages
   per minute.

   Processing 8.5 messages per minute would represent a very small
   percentage of the emails already being handled by many providers.



Otis                    Expires December 26, 2006               [Page 9]

Internet-Draft                   SPF DoS                       June 2006


   Already a majority of these emails are considered abusive.  A large
   provider may issue as many as 25,000 messages per minute and receive
   emails at twice that rate.  A strategy that sends messages through
   network providers addressed to 10 individuals on average from 35,000
   compromised systems at 50 per hour represents a scale of concerted
   attack commonly seen.  If these messages also get processed by spam
   filtering applications that also uses SPF/Sender-ID, the attack rate
   could then drop to 25 per hour and still sustain the same barrage.

   This type of activity could be considered a good way to leverage
   efforts.  While sending spam, perhaps containing malware,
   authoritative DNS servers are taken out by knowing which domains
   incorporate poorly considered, and ultimately fatally flawed, SPF
   parsers.  Once the authoritative DNS servers are disabled, the same
   SPF script can illicit queries through thousands of provider's DNS
   servers, and also trigger a barrage of poison answers.  These attacks
   can be done through two levels of indirection where it would be
   difficult to correlate what domain is inducing the problem, or how it
   can be stopped.  The SPF RRsets causing trouble will not appear on a
   log.  In the Example Exploit, the message is accepted with a neutral
   status without any evidence it was related to the victim's domain.

   SPF/Sender-ID reduces security.  Although there was already "A DNS RR
   Type for Lists of Address Prefixes (APL RR)" [RFC3123] that could
   serve extremely well for white-listing, SPF was developed as a method
   that avoids declaring who are the sending system's administrators and
   offers the feature-rich/security-poor scripting found with HTTP/TCP.
   Sender-ID was even originally specified using XML contained within
   2KB DNS resource records, expecting DNS/TCP would not become a
   problem.  With the highly distributive anonymous nature of email,
   reducing security while crime is rampant, is foolhardy at best.  SPF/
   Sender-ID continues to place the DNS infrastructure at risk.  Adopt
   EHLO verification, Name-Path registration, and the use of APL RRs.
   Drop the use of SPF.  Such a change would offer additional security,
   without actually reducing it instead.  Don't be afraid to use binary
   with DNS.


5.  IANA Considerations

   There are no registrations required by IANA.


6.  Security Considerations

   This document describes a threat to SMTP created by the evaluation of
   message related domain-names using SPF scripts.  This document
   recommends a safer alternative that first verifies the EHLO of the



Otis                    Expires December 26, 2006              [Page 10]

Internet-Draft                   SPF DoS                       June 2006


   MTA and then conditionally finds associations using a domain-name
   list.  It is expected that the verified EHLO name will be checked
   against block-lists of abusers.  When either the EHLO can not be
   verified, or an association with a message domain-name can not be
   established, delayed message acceptance provides another defensive
   strategy which allows time for abuse to be reported.  Delay in
   acceptance can be accomplished with a Transient Negative Completion,
   in conjunction with "Requested action aborted: error in processing"
   SMTP response; see [RFC2821].

7.  Informative References

   [I-D.crocker-csv-csa]
              Crocker, D., "Client SMTP Authorization (CSA)",
              draft-crocker-csv-csa-00 (work in progress), October 2005.

   [I-D.crocker-email-arch]
              Crocker, D., "Internet Mail Architecture",
              draft-crocker-email-arch-04 (work in progress),
              March 2005.

   [I-D.ietf-dkim-base]
              Allman, E., "DomainKeys Identified Mail Signatures
              (DKIM)", draft-ietf-dkim-base-02 (work in progress),
              May 2006.

   [I-D.otis-smtp-name-path]
              Otis, D., "SMTP Name Path Registration",
              draft-otis-smtp-name-path-00 (work in progress),
              April 2006.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2308]  Andrews, M., "Negative Caching of DNS Queries (DNS
              NCACHE)", RFC 2308, March 1998.

   [RFC2671]  Vixie, P., "Extension Mechanisms for DNS (EDNS0)",
              RFC 2671, August 1999.

   [RFC2821]  Klensin, J., "Simple Mail Transfer Protocol", RFC 2821,
              April 2001.

   [RFC2822]  Resnick, P., "Internet Message Format", RFC 2822,
              April 2001.

   [RFC3123]  Koch, P., "A DNS RR Type for Lists of Address Prefixes
              (APL RR)", RFC 3123, June 2001.



Otis                    Expires December 26, 2006              [Page 11]

Internet-Draft                   SPF DoS                       June 2006


   [RFC4406]  Lyon, J. and M. Wong, "Sender ID: Authenticating E-Mail",
              RFC 4406, April 2006.

   [RFC4407]  Lyon, J., "Purported Responsible Address in E-Mail
              Messages", RFC 4407, April 2006.

   [RFC4408]  Wong, M. and W. Schlitt, "Sender Policy Framework (SPF)
              for Authorizing Use of Domains in E-Mail, Version 1",
              RFC 4408, April 2006.

   [r-VS-Reflect]
              Verisign, "Recent DNS Reflector Attacks From the Victim
              and the Reflector POV", June 2006,
              <http://public.oarci.net/files/mlarson-dnsops.pdf>.


Appendix A.  Example Attacking Domain Zone File

   @ IN SOA @ cert-test.mail-abuse.org.(
    2006062022 ;serial yyyymmddnn
    1H  ;refresh
    15M ;retry
    1D  ;expiry
    1D) ;minimum

     IN  NS  do-dev0.mail-abuse.org.

   $ORIGIN cert-test.mail-abuse.org. ;attacker
   EHLO  IN  A  168.61.5.1

   cert-test.mail-abuse.org.  IN  TXT  "v=spf1
    mx:0.%{l}.%{d} mx:1.%{l}.%{d} mx:2.%{l}.%{d}
    mx:3.%{l}.%{d} mx:4.%{l}.%{d} mx:5.%{l}.%{d}
    mx:6.%{l}.%{d} mx:7.%{l}.%{d} mx:8.%{l}.%{d}
    mx:9.%{l}.%{d} ?all"

   $ORIGIN jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.
    123456789-123456789.
    123456789.
    example.com. ;victim

   0.jo.cert-test.mail-abuse.org.
    IN  MX  1  0-0
    IN  MX  1  0-1



Otis                    Expires December 26, 2006              [Page 12]

Internet-Draft                   SPF DoS                       June 2006


    IN  MX  1  0-2
    IN  MX  1  0-3
    IN  MX  1  0-4
    IN  MX  1  0-5
    IN  MX  1  0-6
    IN  MX  1  0-7
    IN  MX  1  0-8
    IN  MX  1  0-9

   1.jo.cert-test.mail-abuse.org.
    IN  MX  1  1-0
    IN  MX  1  1-1
    IN  MX  1  1-2
    IN  MX  1  1-3
    IN  MX  1  1-4
    IN  MX  1  1-5
    IN  MX  1  1-6
    IN  MX  1  1-7
    IN  MX  1  1-8
    IN  MX  1  1-9

   2.jo.cert-test.mail-abuse.org.
    IN  MX  1  2-0
    IN  MX  1  2-1
    IN  MX  1  2-2
    IN  MX  1  2-3
    IN  MX  1  2-4
    IN  MX  1  2-5
    IN  MX  1  2-6
    IN  MX  1  2-7
    IN  MX  1  2-8
    IN  MX  1  2-9

   3.jo.cert-test.mail-abuse.org.
    IN  MX  1  3-0
    IN  MX  1  3-1
    IN  MX  1  3-2
    IN  MX  1  3-3
    IN  MX  1  3-4
    IN  MX  1  3-5
    IN  MX  1  3-6
    IN  MX  1  3-7
    IN  MX  1  3-8
    IN  MX  1  3-9

   4.jo.cert-test.mail-abuse.org.
    IN  MX  1  4-0
    IN  MX  1  4-1



Otis                    Expires December 26, 2006              [Page 13]

Internet-Draft                   SPF DoS                       June 2006


    IN  MX  1  4-2
    IN  MX  1  4-3
    IN  MX  1  4-4
    IN  MX  1  4-5
    IN  MX  1  4-6
    IN  MX  1  4-7
    IN  MX  1  4-8
    IN  MX  1  4-9

   5.jo.cert-test.mail-abuse.org.
    IN  MX  1  5-0
    IN  MX  1  5-1
    IN  MX  1  5-2
    IN  MX  1  5-3
    IN  MX  1  5-4
    IN  MX  1  5-5
    IN  MX  1  5-6
    IN  MX  1  5-7
    IN  MX  1  5-8
    IN  MX  1  5-9

   6.jo.cert-test.mail-abuse.org.
    IN  MX  1  6-0
    IN  MX  1  6-1
    IN  MX  1  6-2
    IN  MX  1  6-3
    IN  MX  1  6-4
    IN  MX  1  6-5
    IN  MX  1  6-6
    IN  MX  1  6-7
    IN  MX  1  6-8
    IN  MX  1  6-9

   7.jo.cert-test.mail-abuse.org.
    IN  MX  1  7-0
    IN  MX  1  7-1
    IN  MX  1  7-2
    IN  MX  1  7-3
    IN  MX  1  7-4
    IN  MX  1  7-5
    IN  MX  1  7-6
    IN  MX  1  7-7
    IN  MX  1  7-8
    IN  MX  1  7-9

   8.jo.cert-test.mail-abuse.org.
    IN  MX  1  8-0
    IN  MX  1  8-1



Otis                    Expires December 26, 2006              [Page 14]

Internet-Draft                   SPF DoS                       June 2006


    IN  MX  1  8-2
    IN  MX  1  8-3
    IN  MX  1  8-4
    IN  MX  1  8-5
    IN  MX  1  8-6
    IN  MX  1  8-7
    IN  MX  1  8-8
    IN  MX  1  8-9

   9.jo.cert-test.mail-abuse.org.
    IN  MX  1  9-0
    IN  MX  1  9-1
    IN  MX  1  9-2
    IN  MX  1  9-3
    IN  MX  1  9-4
    IN  MX  1  9-5
    IN  MX  1  9-6
    IN  MX  1  9-7
    IN  MX  1  9-8
    IN  MX  1  9-9


Appendix B.  Example Traffic Qualifying jo@cert-test.mail-abuse.org

   XMIT ATTACK Time  0.000000 Domain Name System (query)
   DNS Standard query TXT cert-test.mail-abuse.org
   Frame 1 (74 bytes on wire)
   UDP, Src Port: 52407 (52407), Dst Port: domain (53)

   RECV ATTACK Time  0.000237 Domain Name System (response)
   DNS Standard query response TXT
   Frame 2 (286 bytes on wire)
   UDP, Src Port: domain (53), Dst Port: 52407 (52407)

   XMIT ATTACK Time  0.000387 Domain Name System (query)
   DNS Standard query MX 0.jo.cert-test.mail-abuse.org
   Frame 3 (79 bytes on wire)
   UDP, Src Port: 61719 (61719), Dst Port: domain (53)

   RECV ATTACK Time  0.000668  Domain Name System (response)
   DNS Standard query response MX 1 0-2.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
    MX 1 0-3.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.



Otis                    Expires December 26, 2006              [Page 15]

Internet-Draft                   SPF DoS                       June 2006


    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
    MX 1 0-4.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
    MX 1 0-5.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
    MX 1 0-6.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
    MX 1 0-7.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
    MX 1 0-8.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
    MX 1 0-9.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
    MX 1 0-0.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
    MX 1 0-1.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.



Otis                    Expires December 26, 2006              [Page 16]

Internet-Draft                   SPF DoS                       June 2006


    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
   Frame 4 (535 bytes on the wire)
   UDP, Src Port: domain (53), Dst Port: 61719 (61719)

   XMIT VICTIM Time  0.000800 Domain Name System (query)
   Standard query A 0-2.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
   Frame 5 (288 bytes on the wire)
   UDP, Src Port: 60118 (60118), Dst Port: domain (53)

   RECV VICTIM Time  0.000877 Domain Name System (response)
   DNS Standard query response, No such name
   Frame 6 (348 bytes on the wire)
   UDP, Src Port: domain (53), Dst Port: 60118 (60118)

   XMIT VICTIM Time   0.000938 Domain Name System (query)
   DNS Standard query A 0-3.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
   Frame 7 (288 bytes on the wire)
   UDP, Src Port: 50197 (50197), Dst Port: domain (53)

   RECV VICTIM Time  0.001006 Domain Name System (response)
   DNS Standard query response, No such name
   Frame 8 (348 bytes on the wire)
   UDP, Src Port: domain (53), Dst Port: 50197 (50197)

   XMIT VICTIM Time  0.001064 Domain Name System (query)
   DNS Standard query A 0-4.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
   Frame 9 (288 bytes on the wire)
   UDP, Src Port: 64717 (64717), Dst Port: domain (53)

   RECV VICTIM Time  0.001143 Domain Name System (response)



Otis                    Expires December 26, 2006              [Page 17]

Internet-Draft                   SPF DoS                       June 2006


   DNS Standard query response, No such name
   Frame 10 (348 bytes on the wire)
   UDP, Src Port: domain (53), Dst Port: 64717 (64717)

   XMIT VICTIM Time  0.001199 Domain Name System (query)
   DNS Standard query A 0-5.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
   Frame 11 (288 bytes on the wire)
   UDP, Src Port: 63300 (63300), Dst Port: domain (53)

   RECV VICTIM Time  0.001266 Domain Name System (response)
   DNS Standard query response, No such name
   Frame 12 (348 bytes on the wire)
   UDP, Src Port: domain (53), Dst Port: 63300 (63300)

   XMIT VICTIM Time  0.001322 Domain Name System (query)
   DNS Standard query A 0-6.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
   Frame 13 (288 bytes on the wire)
   UDP, Src Port: 63072 (63072), Dst Port: domain (53)

   RECV VICTIM Time  0.001388 Domain Name System (response)
   DNS Standard query response, No such name
   Frame 14 (348 bytes on the wire)
   UDP, Src Port: domain (53), Dst Port: 63072 (63072)

   XMIT VICTIM Time  0.001443 Domain Name System (query)
   DNS Standard query A 0-7.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
   Frame 15 (288 bytes on the wire)
   UDP, Src Port: 63053 (63053), Dst Port: domain (53)

   RECV VICTIM Time  0.001509 Domain Name System (response)
   DNS Standard query response, No such name
   Frame 16 (348 bytes on the wire)
   UDP, Src Port: domain (53), Dst Port: 63053 (63053)



Otis                    Expires December 26, 2006              [Page 18]

Internet-Draft                   SPF DoS                       June 2006


   XMIT VICTIM Time  0.001568 Domain Name System (query)
   DNS Standard query A 0-8.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
   Frame 17 (288 bytes on the wire)
   UDP, Src Port: 49717 (49717), Dst Port: domain (53)

   RECV VICTIM Time   0.001634 Domain Name System (response)
   DNS Standard query response, No such name
   Frame 18 (348 bytes on the wire)
   UDP, Src Port: domain (53), Dst Port: 49717 (49717)

   XMIT VICTIM Time  0.001688 Domain Name System (query)
   DNS Standard query A 0-9.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
   Frame 19 (288 bytes on the wire)
   UDP, Src Port: 51282 (51282), Dst Port: domain (53)

   RECV VICTIM Time  0.001762 Domain Name System (response)
   DNS Standard query response, No such name
   Frame 20 (348 bytes on the wire)
   UDP, Src Port: domain (53), Dst Port: 51282 (51282)

   XMIT VICTIM Time  0.001817 Domain Name System (query)
   DNS Standard query A 0-0.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
   Frame 21 (288 bytes on the wire)
   UDP, Src Port: 62103 (62103), Dst Port: domain (53)

   RECV VICTIM Time  0.001884 Domain Name System (response)
   DNS Standard query response, No such name
   Frame 22 (348 bytes on the wire)
   UDP, Src Port: domain (53), Dst Port: 62103 (62103)

   XMIT VICTIM Time  0.001949 Domain Name System (query)
   DNS Standard query A 0-1.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.



Otis                    Expires December 26, 2006              [Page 19]

Internet-Draft                   SPF DoS                       June 2006


    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
   Frame 23 (288 bytes on the wire)
   UDP, Src Port: 53435 (53435), Dst Port: domain (53)

   RECV VICTIM Time 0.002017 Domain Name System (response)
   DNS Standard query response, No such name
   Frame 24 (348 bytes on the wire)
   UDP, Src Port: domain (53), Dst Port: 53435 (53435)

   XMIT ATTACK Time  0.002077 Domain Name System (query)
   DNS Standard query MX 1.jo.cert-test.mail-abuse.org
   Frame 25 (79 bytes on the wire)
   UDP, Src Port: 59613 (59613), Dst Port: domain (53)

   RECV ATTACK Time  0.002310 Domain Name System (response)
   DNS Standard query response MX 1 1-2.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
    MX 1 1-3.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
    MX 1 1-4.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
    MX 1 1-5.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
    MX 1 1-6.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com



Otis                    Expires December 26, 2006              [Page 20]

Internet-Draft                   SPF DoS                       June 2006


    MX 1 1-7.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
    MX 1 1-8.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
    MX 1 1-9.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
    MX 1 1-0.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.
    123456789.example.com
    MX 1 1-1.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
   Frame 26 (535 bytes on the wire)
   UDP, Src Port: domain (53), Dst Port: 59613 (59613)

   XMIT VICTIM Time  0.002408 Domain Name System (query)
   DNS Standard query A 1-2.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
   Frame 27 (288 bytes on the wire)
   UDP, Src Port: 59249 (59249), Dst Port: domain (53)

   RECV VICTIM Time  0.002478 Domain Name System (response)
   DNS Standard query response, No such name
   Frame 28 (348 bytes on the wire)
   UDP, Src Port: domain (53), Dst Port: 59249 (59249)




Otis                    Expires December 26, 2006              [Page 21]

Internet-Draft                   SPF DoS                       June 2006


   XMIT VICTIM Time  0.002534 Domain Name System (query)
   DNS Standard query A 1-3.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
   Frame 29 (288 bytes on the wire)
   UDP, Src Port: 61124 (61124), Dst Port: domain (53)

   RECV VICTIM Time  0.002612 Domain Name System (response)
   DNS Standard query response, No such name
   Frame 30 (348 bytes on the wire)
   UDP, Src Port: domain (53), Dst Port: 61124 (61124)

   XMIT VICTIM Time  0.002667 Domain Name System (query)
   DNS Standard query A 1-4.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
   Frame 31 (288 bytes on the wire)
   UDP, Src Port: 52851 (52851), Dst Port: domain (53)

   RECV VICTIM Time  0.002733 Domain Name System (response)
   DNS Standard query response, No such name
   Frame 32 (348 bytes on the wire)
   UDP, Src Port: domain (53), Dst Port: 52851 (52851)

   XMIT VICTIM Time  0.002787 Domain Name System (query)
   DNS Standard query A 1-5.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
   Frame 33 (288 bytes on the wire)
   UDP, Src Port: 58726 (58726), Dst Port: domain (53)

   RECV VICTIM Time  0.002852 Domain Name System (response)
   DNS Standard query response, No such name
   Frame 34 (348 bytes on the wire)
   UDP, Src Port: domain (53), Dst Port: 58726 (58726)

   XMIT VICTIM Time  0.002906 Domain Name System (query)
   DNS Standard query A 1-6.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.



Otis                    Expires December 26, 2006              [Page 22]

Internet-Draft                   SPF DoS                       June 2006


    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
   Frame 35 (288 bytes on the wire)
   UDP, Src Port: 56126 (56126), Dst Port: domain (53)

   RECV VICTIM Time  0.002973 Domain Name System (response)
   DNS Standard query response, No such name
   Frame 36 (348 bytes on the wire)
   UDP, Src Port: domain (53), Dst Port: 56126 (56126)

   XMIT VICTIM Time  0.003038 Domain Name System (query)
   DNS Standard query A 1-7.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
   Frame 37 (288 bytes on the wire)
   UDP, Src Port: 61690 (61690), Dst Port: domain (53)

   RECV VICTIM Time  0.003106 Domain Name System (response)
   DNS Standard query response, No such name
   Frame 38 (348 bytes on the wire)
   UDP, Src Port: domain (53), Dst Port: 61690 (61690)

   XMIT VICTIM Time  0.003161 Domain Name System (query)
   DNS Standard query A 1-8.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
   Frame 39 (288 bytes on the wire)
   UDP, Src Port: 51783 (51783), Dst Port: domain (53)

   RECV VICTIM Time  0.003236 Domain Name System (response)
   DNS Standard query response, No such name
   Frame 40 (348 bytes on the wire)
   UDP, Src Port: domain (53), Dst Port: 51783 (51783)

   XMIT VICTIM Time  0.003292 Domain Name System (query)
   DNS Standard query A 1-9.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.



Otis                    Expires December 26, 2006              [Page 23]

Internet-Draft                   SPF DoS                       June 2006


    example.com
   Frame 41 (288 bytes on the wire)
   UDP, Src Port: 60344 (60344), Dst Port: domain (53)

   RECV VICTIM Time  0.003359 Domain Name System (response)
   DNS Standard query response, No such name
   Frame 42 (348 bytes on the wire)
   UDP, Src Port: domain (53), Dst Port: 60344 (60344)

   XMIT VICTIM Time  0.003413 Domain Name System (query)
   DNS Standard query A 1-0.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
   Frame 43 (288 bytes on the wire)
   UDP, Src Port: 63367 (63367), Dst Port: domain (53)

   RECV VICTIM Time  0.003479 Domain Name System (response)
   DNS Standard query response, No such name
   Frame 44 (348 bytes on the wire)
   UDP, Src Port: domain (53), Dst Port: 63367 (63367)

   XMIT VICTIM Time  0.003533 Domain Name System (query)
   DNS Standard query A 1-1.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
   Frame 45 (288 bytes on the wire)
   UDP, Src Port: 51204 (51204), Dst Port: domain (53)

   RECV VICTIM Time  0.003603 Domain Name System (response)
   DNS Standard query response, No such name
   Frame 46 (348 bytes on the wire)
   UDP, Src Port: domain (53), Dst Port: 51204 (51204)

   XMIT ATTACK Time  0.003661 Domain Name System (query)
   DNS Standard query MX 2.jo.cert-test.mail-abuse.org
   Frame 47 (79 bytes on the wire)
   UDP, Src Port: 61534 (61534), Dst Port: domain (53)

   RECV ATTACK Time  0.003894 Domain Name System (response)
   DNS Standard query response MX 1 2-2.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.



Otis                    Expires December 26, 2006              [Page 24]

Internet-Draft                   SPF DoS                       June 2006


    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
    MX 1 2-3.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
    MX 1 2-4.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
    MX 1 2-5.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
    MX 1 2-6.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
    MX 1 2-7.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
    MX 1 2-8.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
    MX 1 2-9.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
    MX 1 2-0.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.



Otis                    Expires December 26, 2006              [Page 25]

Internet-Draft                   SPF DoS                       June 2006


    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
    MX 1 2-1.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
   Frame 48 (535 bytes on the wire)
   UDP, Src Port: domain (53), Dst Port: 61534 (61534)

   XMIT VICTIM Time  0.003993 Domain Name System (query)
   DNS Standard query A 2-2.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
   Frame 49 (288 bytes on the wire)
   UDP, Src Port: 50303 (50303), Dst Port: domain (53)

   RECV VICTIM Time  0.004071 Domain Name System (response)
   DNS Standard query response, No such name
   Frame 50 (348 bytes on the wire)
   UDP, Src Port: domain (53), Dst Port: 50303 (50303)

   XMIT VICTIM Time  0.004139 Domain Name System (query)
   DNS Standard query A 2-3.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
   Frame 51 (288 bytes on the wire)
   UDP, Src Port: 52940 (52940), Dst Port: domain (53)

   RECV VICTIM Time 0.004206 Domain Name System (response)
   DNS Standard query response, No such name
   Frame 52 (348 bytes on the wire)
   UDP, Src Port: domain (53), Dst Port: 52940 (52940)

   XMIT VICTIM Time 0.004261 Domain Name System (query)
   DNS Standard query A 2-4.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.



Otis                    Expires December 26, 2006              [Page 26]

Internet-Draft                   SPF DoS                       June 2006


    example.com
   Frame 53 (288 bytes on the wire)
   UDP, Src Port: 60474 (60474), Dst Port: domain (53)

   RECV VICTIM Time 0.004327 Domain Name System (response)
   DNS Standard query response, No such name
   Frame 54 (348 bytes on the wire)
   UDP, Src Port: domain (53), Dst Port: 60474 (60474)

   XMIT VICTIM Time 0.004382 Domain Name System (query)
   DNS Standard query A 2-5.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
   Frame 55 (288 bytes on the wire)
   UDP, Src Port: 49663 (49663), Dst Port: domain (53)

   RECV VICTIM Time 0.004447 Domain Name System (response)
   DNS Standard query response, No such name
   Frame 56 (348 bytes on the wire)
   UDP, Src Port: domain (53), Dst Port: 49663 (49663)

   XMIT VICTIM Time 0.004502 Domain Name System (query)
   DNS Standard query A 2-6.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
   Frame 57 (288 bytes on the wire)
   UDP, Src Port: 61283 (61283), Dst Port: domain (53)

   RECV VICTIM Time 0.004571 Domain Name System (response)
   DNS Standard query response, No such name
   Frame 58 (348 bytes on the wire)
   UDP, Src Port: domain (53), Dst Port: 61283 (61283)

   XMIT VICTIM Time 0.004625 Domain Name System (query)
   DNS Standard query A 2-7.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
   Frame 59 (288 bytes on the wire)
   UDP, Src Port: 60191 (60191), Dst Port: domain (53)



Otis                    Expires December 26, 2006              [Page 27]

Internet-Draft                   SPF DoS                       June 2006


   RECV VICTIM Time 0.004698 Domain Name System (response)
   DNS Standard query response, No such name
   Frame 60 (348 bytes on the wire)
   UDP, Src Port: domain (53), Dst Port: 60191 (60191)

   XMIT VICTIM Time 0.004753 Domain Name System (query)
   DNS Standard query A 2-8.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
   Frame 61 (288 bytes on the wire)
   UDP, Src Port: 58486 (58486), Dst Port: domain (53)

   RECV VICTIM Time 0.004819 Domain Name System (response)
   DNS Standard query response, No such name
   Frame 62 (348 bytes on the wire)
   UDP, Src Port: domain (53), Dst Port: 58486 (58486)

   XMIT VICTIM Time 0.004874 Domain Name System (query)
   DNS Standard query A 2-9.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
   Frame 63 (288 bytes on the wire)
   UDP, Src Port: 62555 (62555), Dst Port: domain (53)

   RECV VICTIM Time 0.004939 Domain Name System (response)
   DNS Standard query response, No such name
   Frame 64 (348 bytes on the wire)
   UDP, Src Port: domain (53), Dst Port: 62555 (62555)

   XMIT VICTIM Time 0.004993 Domain Name System (query)
   DNS Standard query A 2-0.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
   Frame 65 (288 bytes on the wire)
   UDP, Src Port: 49410 (49410), Dst Port: domain (53)

   RECV VICTIM Time  0.005060 Domain Name System (response)
   DNS Standard query response, No such name
   Frame 66 (348 bytes on the wire)



Otis                    Expires December 26, 2006              [Page 28]

Internet-Draft                   SPF DoS                       June 2006


   UDP, Src Port: domain (53), Dst Port: 49410 (49410)

   XMIT VICTIM Time  0.005115 Domain Name System (query)
   DNS Standard query A 2-1.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
   Frame 67 (288 bytes on the wire)
   UDP, Src Port: 59650 (59650), Dst Port: domain (53)

   RECV VICTIM Time  0.005180 Domain Name System (response)
   DNS Standard query response, No such name
   Frame 68 (348 bytes on the wire)
   UDP, Src Port: domain (53), Dst Port: 59650 (59650)

   XMIT ATTACK Time  0.005236 Domain Name System (query)
   DNS Standard query MX 3.jo.cert-test.mail-abuse.org
   Frame 69 (79 bytes on the wire)
   UDP, Src Port: 60922 (60922), Dst Port: domain (53)

   RECV ATTACK Time  0.005477 Domain Name System (response)
   DNS Standard query response MX 1 3-2.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
    MX 1 3-3.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
    MX 1 3-4.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
    MX 1 3-5.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
    MX 1 3-6.jo.cert-test.



Otis                    Expires December 26, 2006              [Page 29]

Internet-Draft                   SPF DoS                       June 2006


    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
    MX 1 3-7.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
    MX 1 3-8.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
    MX 1 3-9.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
    MX 1 3-0.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
    MX 1 3-1.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
   Frame 70 (535 bytes on the wire)
   UDP, Src Port: domain (53), Dst Port: 60922 (60922)

   XMIT VICTIM Time  0.005592 Domain Name System (query)
   DNS Standard query A 3-2.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
   Frame 71 (288 bytes on the wire)
   UDP, Src Port: 60056 (60056), Dst Port: domain (53)




Otis                    Expires December 26, 2006              [Page 30]

Internet-Draft                   SPF DoS                       June 2006


   RECV VICTIM Time  0.005662 Domain Name System (response)
   DNS Standard query response, No such name
   Frame 72 (348 bytes on the wire)
   UDP, Src Port: domain (53), Dst Port: 60056 (60056)

   XMIT VICTIM Time  0.005717 Domain Name System (query)
   DNS Standard query A 3-3.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
   Frame 73 (288 bytes on the wire)
   UDP, Src Port: 51567 (51567), Dst Port: domain (53)

   RECV VICTIM Time  0.005783 Domain Name System (response)
   DNS Standard query response, No such name
   Frame 74 (348 bytes on the wire)
   UDP, Src Port: domain (53), Dst Port: 51567 (51567)

   XMIT VICTIM Time  0.005839 Domain Name System (query)
   DNS Standard query A 3-4.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
   Frame 75 (288 bytes on the wire)
   UDP, Src Port: 55946 (55946), Dst Port: domain (53)

   RECV VICTIM Time  0.005904 Domain Name System (response)
   DNS Standard query response, No such name
   Frame 76 (348 bytes on the wire)
   UDP, Src Port: domain (53), Dst Port: 55946 (55946)

   XMIT VICTIM Time   0.005958 Domain Name System (query)
   DNS Standard query A 3-5.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
   Frame 77 (288 bytes on the wire)
   UDP, Src Port: 61606 (61606), Dst Port: domain (53)

   RECV VICTIM Time  0.006022 Domain Name System (response)
   DNS Standard query response, No such name
   Frame 78 (348 bytes on the wire)



Otis                    Expires December 26, 2006              [Page 31]

Internet-Draft                   SPF DoS                       June 2006


   UDP, Src Port: domain (53), Dst Port: 61606 (61606)

   XMIT VICTIM Time  0.006077 Domain Name System (query)
   DNS Standard query A 3-6.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
   Frame 79 (288 bytes on the wire)
   UDP, Src Port: 57948 (57948), Dst Port: domain (53)

   RECV VICTIM Time 0.006151 Domain Name System (response)
   DNS Standard query response, No such name
   Frame 80 (348 bytes on the wire)
   UDP, Src Port: domain (53), Dst Port: 57948 (57948)

   XMIT VICTIM Time 0.006205 Domain Name System (query)
   DNS Standard query A 3-7.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
   Frame 81 (288 bytes on the wire)
   UDP, Src Port: 62371 (62371), Dst Port: domain (53)

   RECV VICTIM Time 0.006270 Domain Name System (response)
   DNS Standard query response, No such name
   Frame 82 (348 bytes on the wire)
   UDP, Src Port: domain (53), Dst Port: 62371 (62371)

   XMIT VICTIM Time 0.006325 Domain Name System (query)
   DNS Standard query A 3-8.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
   Frame 83 (288 bytes on the wire)
   UDP, Src Port: 51455 (51455), Dst Port: domain (53)

   RECV VICTIM Time  0.006390 Domain Name System (response)
   DNS Standard query response, No such name
   Frame 84 (348 bytes on the wire)
   UDP, Src Port: domain (53), Dst Port: 51455 (51455)

   XMIT VICTIM Time  0.006444 Domain Name System (query)



Otis                    Expires December 26, 2006              [Page 32]

Internet-Draft                   SPF DoS                       June 2006


   DNS Standard query A 3-9.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
   Frame 85 (288 bytes on the wire)
   UDP, Src Port: 50959 (50959), Dst Port: domain (53)

   RECV VICTIM Time  0.006510 Domain Name System (response)
   DNS Standard query response, No such name
   Frame 86 (348 bytes on the wire)
   UDP, Src Port: domain (53), Dst Port: 50959 (50959)

   XMIT VICTIM Time 0.006569 Domain Name System (query)
   DNS Standard query A 3-0.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
   Frame 87 (288 bytes on the wire)
   UDP, Src Port: 50458 (50458), Dst Port: domain (53)

   RECV VICTIM Time 0.006635 Domain Name System (response)
   DNS Standard query response, No such name
   Frame 88 (348 bytes on the wire)
   UDP, Src Port: domain (53), Dst Port: 50458 (50458)

   XMIT VICTIM Time 0.006688 Domain Name System (query)
   DNS Standard query A 3-1.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
   Frame 89 (288 bytes on the wire)
   UDP, Src Port: 55297 (55297), Dst Port: domain (53)

   RECV VICTIM Time 0.006762 Domain Name System (response)
   DNS Standard query response, No such name
   Frame 90 (348 bytes on the wire)
   UDP, Src Port: domain (53), Dst Port: 55297 (55297)

   XMIT ATTACK Time 0.006829 Domain Name System (query)
   DNS Standard query MX 4.jo.cert-test.mail-abuse.org
   Frame 91 (79 bytes on the wire)
   UDP, Src Port: 55642 (55642), Dst Port: domain (53)



Otis                    Expires December 26, 2006              [Page 33]

Internet-Draft                   SPF DoS                       June 2006


   RECV ATTACK Time  0.007064 Domain Name System (response)
   DNS Standard query response MX 1 4-2.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
    MX 1 4-3.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
    MX 1 4-4.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
    MX 1 4-5.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
    MX 1 4-6.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
    MX 1 4-7.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789
             .example.com
    MX 1 4-8.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
    MX 1 4-9.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.



Otis                    Expires December 26, 2006              [Page 34]

Internet-Draft                   SPF DoS                       June 2006


    example.com
    MX 1 4-0.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
    MX 1 4-1.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
   Frame 92 (535 bytes on the wire)
   UDP, Src Port: domain (53), Dst Port: 55642 (55642)

   XMIT VICTIM Time 0.007173 Domain Name System (query)
   DNS Standard query A 4-2.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
   Frame 93 (288 bytes on the wire)
   UDP, Src Port: 60109 (60109), Dst Port: domain (53)

   RECV VICTIM Time 0.007243 Domain Name System (response)
   DNS Standard query response, No such name
   Frame 94 (348 bytes on the wire)
   UDP, Src Port: domain (53), Dst Port: 60109 (60109)

   XMIT VICTIM Time 0.007299 Domain Name System (query)
   DNS Standard query A 4-3.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
   Frame 95 (288 bytes on the wire)
   UDP, Src Port: 59804 (59804), Dst Port: domain (53)

   RECV VICTIM Time 0.007365 Domain Name System (response)
   DNS Standard query response, No such name
   Frame 96 (348 bytes on the wire)
   UDP, Src Port: domain (53), Dst Port: 59804 (59804)

   XMIT VICTIM Time 0.007419 Domain Name System (query)
   DNS Standard query A 4-4.jo.cert-test.



Otis                    Expires December 26, 2006              [Page 35]

Internet-Draft                   SPF DoS                       June 2006


    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
   Frame 97 (288 bytes on the wire)
   UDP, Src Port: 59201 (59201), Dst Port: domain (53)

   RECV VICTIM Time 0.007486 Domain Name System (response)
   DNS Standard query response, No such name
   Frame 98 (348 bytes on the wire)
   UDP, Src Port: domain (53), Dst Port: 59201 (59201)

   XMIT VICTIM Time 0.007540 Domain Name System (query)
   DNS Standard query A 4-5.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
   Frame 99 (288 bytes on the wire)
   UDP, Src Port: 54029 (54029), Dst Port: domain (53)

   RECV VICTIM Time 0.008675 Domain Name System (response)
   DNS Standard query response, No such name
   Frame 100 (348 bytes on the wire)
   UDP, Src Port: domain (53), Dst Port: 54029 (54029)

   XMIT VICTIM Time 0.008773 Domain Name System (query)
   DNS Standard query A 4-6.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
   Frame 101 (288 bytes on the wire)
   UDP, Src Port: 60108 (60108), Dst Port: domain (53)

   RECV VICTIM Time 0.013443 Domain Name System (response)
   DNS Standard query response, No such name
   Frame 102 (348 bytes on the wire)
   UDP, Src Port: domain (53), Dst Port: 60108 (60108)

   XMIT VICTIM Time 0.013561 Domain Name System (query)
   DNS Standard query A 4-7.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.



Otis                    Expires December 26, 2006              [Page 36]

Internet-Draft                   SPF DoS                       June 2006


    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
   Frame 103 (288 bytes on the wire)
   UDP, Src Port: 52259 (52259), Dst Port: domain (53)

   RECV VICTIM Time 0.014616 Domain Name System (response)
   DNS Standard query response, No such name
   Frame 104 (348 bytes on the wire)
   UDP, Src Port: domain (53), Dst Port: 52259 (52259)

   XMIT VICTIM Time 0.014701 Domain Name System (query)
   DNS Standard query A 4-8.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
   Frame 105 (288 bytes on the wire)
   UDP, Src Port: 59589 (59589), Dst Port: domain (53)

   RECV VICTIM Time 0.014866 Domain Name System (response)
   DNS Standard query response, No such name
   Frame 106 (348 bytes on the wire)
   UDP, Src Port: domain (53), Dst Port: 59589 (59589)

   XMIT VICTIM Time 0.014928
   DNS Standard query A 4-9.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
   Frame 107 (288 bytes on the wire)
   UDP, Src Port: 49838 (49838), Dst Port: domain (53)
   Domain Name System (query)

   RECV VICTIM Time 0.015609 Domain Name System (response)
   DNS Standard query response, No such name
   Frame 108 (348 bytes on the wire)
   UDP, Src Port: domain (53), Dst Port: 49838 (49838)

   XMIT VICTIM Time 0.015681 Domain Name System (query)
   DNS Standard query A 4-0.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com



Otis                    Expires December 26, 2006              [Page 37]

Internet-Draft                   SPF DoS                       June 2006


   Frame 109 (288 bytes on the wire)
   UDP, Src Port: 61868 (61868), Dst Port: domain (53)

   RECV VICTIM Time 0.015753 Domain Name System (response)
   DNS Standard query response, No such name
   Frame 110 (348 bytes on the wire)
   UDP, Src Port: domain (53), Dst Port: 61868 (61868)

   XMIT VICTIM Time 0.015826 Domain Name System (query)
   DNS Standard query A 4-1.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
   Frame 111 (288 bytes on the wire)
   UDP, Src Port: 54485 (54485), Dst Port: domain (53)

   RECV VICTIM Time 0.015897 Domain Name System (response)
   DNS Standard query response, No such name
   Frame 112 (348 bytes on the wire)
   UDP, Src Port: domain (53), Dst Port: 54485 (54485)

   XMIT ATTACK Time 0.015963 Domain Name System (query)
   DNS Standard query MX 5.jo.cert-test.mail-abuse.org
   Frame 113 (79 bytes on the wire)
   UDP, Src Port: 62648 (62648), Dst Port: domain (53)

   RECV ATTACK Time 0.016223 Domain Name System (response)
   DNS Standard query response MX 1 5-2.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
    MX 1 5-3.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
    MX 1 5-4.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
    MX 1 5-5.jo.cert-test.



Otis                    Expires December 26, 2006              [Page 38]

Internet-Draft                   SPF DoS                       June 2006


    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.
    123456789.example.com
    MX 1 5-6.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.
    123456789.example.com
    MX 1 5-7.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
    MX 1 5-8.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
    MX 1 5-9.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
    MX 1 5-0.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
    MX 1 5-1.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
   Frame 114 (535 bytes on the wire)
   UDP, Src Port: domain (53), Dst Port: 62648 (62648)

   XMIT VICTIM Time 0.016326 Domain Name System (query)
   DNS Standard query A 5-2.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.



Otis                    Expires December 26, 2006              [Page 39]

Internet-Draft                   SPF DoS                       June 2006


    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
   Frame 115 (288 bytes on the wire)
   UDP, Src Port: 64862 (64862), Dst Port: domain (53)

   RECV VICTIM Time 0.016397 Domain Name System (response)
   DNS Standard query response, No such name
   Frame 116 (348 bytes on the wire)
   UDP, Src Port: domain (53), Dst Port: 64862 (64862)

   XMIT VICTIM Time 0.016453 Domain Name System (query)
   DNS Standard query A 5-3.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
   Frame 117 (288 bytes on the wire)
   UDP, Src Port: 55595 (55595), Dst Port: domain (53)

   RECV VICTIM Time 0.016530 Domain Name System (response)
   DNS Standard query response, No such name
   Frame 118 (348 bytes on the wire)
   UDP, Src Port: domain (53), Dst Port: 55595 (55595)

   XMIT VICTIM Time 0.016590 Domain Name System (query)
   DNS Standard query A 5-4.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
   Frame 119 (288 bytes on the wire)
   UDP, Src Port: 59040 (59040), Dst Port: domain (53)

   RECV VICTIM Time 0.016658 Domain Name System (response)
   DNS Standard query response, No such name
   Frame 120 (348 bytes on the wire)
   UDP, Src Port: domain (53), Dst Port: 59040 (59040)

   XMIT VICTIM Time 0.016712 Domain Name System (query)
   DNS Standard query A 5-5.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com



Otis                    Expires December 26, 2006              [Page 40]

Internet-Draft                   SPF DoS                       June 2006


   Frame 121 (288 bytes on the wire)
   UDP, Src Port: 64566 (64566), Dst Port: domain (53)

   RECV VICTIM Time 0.016778 Domain Name System (response)
   DNS Standard query response, No such name
   Frame 122 (348 bytes on the wire)
   UDP, Src Port: domain (53), Dst Port: 64566 (64566)

   XMIT VICTIM Time 0.016833 Domain Name System (query)
   DNS Standard query A 5-6.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
   Frame 123 (288 bytes on the wire)
   UDP, Src Port: 57893 (57893), Dst Port: domain (53)

   RECV VICTIM Time 0.016899 Domain Name System (response)
   DNS Standard query response, No such name
   Frame 124 (348 bytes on the wire)
   UDP, Src Port: domain (53), Dst Port: 57893 (57893)

   XMIT VICTIM Time 0.016966 Domain Name System (query)
   DNS Standard query A 5-7.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
   Frame 125 (288 bytes on the wire)
   UDP, Src Port: 50080 (50080), Dst Port: domain (53)

   RECV VICTIM Time 0.017033 Domain Name System (response)
   DNS Standard query response, No such name
   Frame 126 (348 bytes on the wire)
   UDP, Src Port: domain (53), Dst Port: 50080 (50080)

   XMIT VICTIM Time 0.017089 Domain Name System (query)
   DNS Standard query A 5-8.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
   Frame 127 (288 bytes on the wire)
   UDP, Src Port: 59589 (59589), Dst Port: domain (53)




Otis                    Expires December 26, 2006              [Page 41]

Internet-Draft                   SPF DoS                       June 2006


   RECV VICTIM Time 0.017163 Domain Name System (response)
   DNS Standard query response, No such name
   Frame 128 (348 bytes on the wire)
   UDP, Src Port: domain (53), Dst Port: 59589 (59589)

   XMIT VICTIM Time 0.017218 Domain Name System (query)
   DNS Standard query A 5-9.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
   Frame 129 (288 bytes on the wire)
   UDP, Src Port: 51145 (51145), Dst Port: domain (53)

   RECV VICTIM Time 0.017284 Domain Name System (response)
   DNS Standard query response, No such name
   Frame 130 (348 bytes on the wire)
   UDP, Src Port: domain (53), Dst Port: 51145 (51145)

   XMIT VICTIM Time 0.017339 Domain Name System (query)
   DNS Standard query A 5-0.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
   Frame 131 (288 bytes on the wire)
   UDP, Src Port: 55246 (55246), Dst Port: domain (53)

   RECV VICTIM Time 0.017405 Domain Name System (response)
   DNS Standard query response, No such name
   Frame 132 (348 bytes on the wire)
   UDP, Src Port: domain (53), Dst Port: 55246 (55246)

   XMIT VICTIM Time 0.017459 Domain Name System (query)
   DNS Standard query A 5-1.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
   Frame 133 (288 bytes on the wire)
   UDP, Src Port: 65477 (65477), Dst Port: domain (53)

   RECV VICTIM Time 0.017525 Domain Name System (response)
   DNS Standard query response, No such name
   Frame 134 (348 bytes on the wire)



Otis                    Expires December 26, 2006              [Page 42]

Internet-Draft                   SPF DoS                       June 2006


   UDP, Src Port: domain (53), Dst Port: 65477 (65477)

   XMIT ATTACK Time 0.017656 Domain Name System (query)
   DNS Standard query MX 6.jo.cert-test.mail-abuse.org
   Frame 135 (79 bytes on the wire)
   UDP, Src Port: 50935 (50935), Dst Port: domain (53)

   RECV ATTACK Time 0.017899 Domain Name System (response)
   DNS Standard query response MX 1 6-2.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
    MX 1 6-3.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
    MX 1 6-4.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
    MX 1 6-5.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
    MX 1 6-6.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
    MX 1 6-7.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
    MX 1 6-8.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.



Otis                    Expires December 26, 2006              [Page 43]

Internet-Draft                   SPF DoS                       June 2006


    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
    MX 1 6-9.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
    MX 1 6-0.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
    MX 1 6-1.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
   Frame 136 (535 bytes on the wire)
   UDP, Src Port: domain (53), Dst Port: 50935 (50935)

   XMIT VICTIM Time 0.018001 Domain Name System (query)
   DNS Standard query A 6-2.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
   Frame 137 (288 bytes on the wire)
   UDP, Src Port: 65317 (65317), Dst Port: domain (53)

   RECV VICTIM Time 0.018072 Domain Name System (response)
   DNS Standard query response, No such name
   Frame 138 (348 bytes on the wire)
   UDP, Src Port: domain (53), Dst Port: 65317 (65317)

   XMIT VICTIM Time 0.018141 Domain Name System (query)
   DNS Standard query A 6-3.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
   Frame 139 (288 bytes on the wire)
   UDP, Src Port: 65391 (65391), Dst Port: domain (53)




Otis                    Expires December 26, 2006              [Page 44]

Internet-Draft                   SPF DoS                       June 2006


   RECV VICTIM Time 0.018209 Domain Name System (response)
   DNS Standard query response, No such name
   Frame 140 (348 bytes on the wire)
   UDP, Src Port: domain (53), Dst Port: 65391 (65391)

   XMIT VICTIM Time 0.018264 Domain Name System (query)
   DNS Standard query A 6-4.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
   Frame 141 (288 bytes on the wire)
   UDP, Src Port: 61277 (61277), Dst Port: domain (53)

   RECV VICTIM Time 0.018330 Domain Name System (response)
   DNS Standard query response, No such name
   Frame 142 (348 bytes on the wire)
   UDP, Src Port: domain (53), Dst Port: 61277 (61277)

   XMIT VICTIM Time 0.018384 Domain Name System (query)
   DNS Standard query A 6-5.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
   Frame 143 (288 bytes on the wire)
   UDP, Src Port: 62266 (62266), Dst Port: domain (53)

   RECV VICTIM Time 0.018459 Domain Name System (response)
   DNS Standard query response, No such name
   Frame 144 (348 bytes on the wire)
   UDP, Src Port: domain (53), Dst Port: 62266 (62266)

   XMIT VICTIM Time  0.018515 Domain Name System (query)
   DNS Standard query A 6-6.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
   Frame 145 (288 bytes on the wire)
   UDP, Src Port: 56381 (56381), Dst Port: domain (53)

   RECV VICTIM Time 0.018585 Domain Name System (response)
   DNS Standard query response, No such name
   Frame 146 (348 bytes on the wire)



Otis                    Expires December 26, 2006              [Page 45]

Internet-Draft                   SPF DoS                       June 2006


   UDP, Src Port: domain (53), Dst Port: 56381 (56381)

   XMIT VICTIM Time 0.018640 Domain Name System (query)
   DNS Standard query A 6-7.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
   Frame 147 (288 bytes on the wire)
   UDP, Src Port: 50878 (50878), Dst Port: domain (53)

   RECV VICTIM Time 0.018707 Domain Name System (response)
   DNS Standard query response, No such name
   Frame 148 (348 bytes on the wire)
   UDP, Src Port: domain (53), Dst Port: 50878 (50878)

   XMIT VICTIM Time 0.018761 Domain Name System (query)
   DNS Standard query A 6-8.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
   Frame 149 (288 bytes on the wire)
   UDP, Src Port: 51814 (51814), Dst Port: domain (53)

   RECV VICTIM Time 0.018826 Domain Name System (response)
   DNS Standard query response, No such name
   Frame 150 (348 bytes on the wire)
   UDP, Src Port: domain (53), Dst Port: 51814 (51814)

   XMIT VICTIM Time 0.018881 Domain Name System (query)
   DNS Standard query A 6-9.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
   Frame 151 (288 bytes on the wire)
   UDP, Src Port: 57344 (57344), Dst Port: domain (53)

   RECV VICTIM Time 0.018946 Domain Name System (response)
   DNS Standard query response, No such name
   Frame 152 (348 bytes on the wire)
   UDP, Src Port: domain (53), Dst Port: 57344 (57344)

   XMIT VICTIM Time 0.019000 Domain Name System (query)



Otis                    Expires December 26, 2006              [Page 46]

Internet-Draft                   SPF DoS                       June 2006


   DNS Standard query A 6-0.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
   Frame 153 (288 bytes on the wire)
   UDP, Src Port: 54706 (54706), Dst Port: domain (53)

   RECV VICTIM Time 0.019076 Domain Name System (response)
   DNS Standard query response, No such name
   Frame 154 (348 bytes on the wire)
   UDP, Src Port: domain (53), Dst Port: 54706 (54706)

   XMIT VICTIM Time 0.019131 Domain Name System (query)
   DNS Standard query A 6-1.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
   Frame 155 (288 bytes on the wire)
   UDP, Src Port: 61147 (61147), Dst Port: domain (53)

   RECV VICTIM Time 0.019197 Domain Name System (response)
   DNS Standard query response, No such name
   Frame 156 (348 bytes on the wire)
   UDP, Src Port: domain (53), Dst Port: 61147 (61147)

   XMIT ATTACK Time 0.019254 Domain Name System (query)
   DNS Standard query MX 7.jo.cert-test.mail-abuse.org
   Frame 157 (79 bytes on the wire)
   UDP, Src Port: 59174 (59174), Dst Port: domain (53)

   RECV ATTACK Time 0.019487 Domain Name System (response)
   DNS Standard query response MX 1 7-2.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
    MX 1 7-3.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
    MX 1 7-4.jo.cert-test.



Otis                    Expires December 26, 2006              [Page 47]

Internet-Draft                   SPF DoS                       June 2006


    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
    MX 1 7-5.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
    MX 1 7-6.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
    MX 1 7-7.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
    MX 1 7-8.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
    MX 1 7-9.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
    MX 1 7-0.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
    MX 1 7-1.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
   Frame 158 (535 bytes on the wire)



Otis                    Expires December 26, 2006              [Page 48]

Internet-Draft                   SPF DoS                       June 2006


   UDP, Src Port: domain (53), Dst Port: 59174 (59174)

   XMIT VICTIM Time 0.019601 Domain Name System (query)
   DNS Standard query A 7-2.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
   Frame 159 (288 bytes on the wire)
   UDP, Src Port: 49466 (49466), Dst Port: domain (53)

   RECV VICTIM Time 0.019673 Domain Name System (response)
   DNS Standard query response, No such name
   Frame 160 (348 bytes on the wire)
   UDP, Src Port: domain (53), Dst Port: 49466 (49466)

   XMIT VICTIM Time 0.019729 Domain Name System (query)
   DNS Standard query A 7-3.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
   Frame 161 (288 bytes on the wire)
   UDP, Src Port: 56355 (56355), Dst Port: domain (53)

   RECV VICTIM Time 0.019795 Domain Name System (response)
   DNS Standard query response, No such name
   Frame 162 (348 bytes on the wire)
   UDP, Src Port: domain (53), Dst Port: 56355 (56355)

   XMIT VICTIM Time 0.019849 Domain Name System (query)
   DNS Standard query A 7-4.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
   Frame 163 (288 bytes on the wire)
   UDP, Src Port: 64811 (64811), Dst Port: domain (53)

   RECV VICTIM Time 0.019924 Domain Name System (response)
   DNS Standard query response, No such name
   Frame 164 (348 bytes on the wire)
   UDP, Src Port: domain (53), Dst Port: 64811 (64811)

   XMIT VICTIM Time 0.019979 Domain Name System (query)



Otis                    Expires December 26, 2006              [Page 49]

Internet-Draft                   SPF DoS                       June 2006


   DNS Standard query A 7-5.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
   Frame 165 (288 bytes on the wire)
   UDP, Src Port: 65350 (65350), Dst Port: domain (53)

   RECV VICTIM Time 0.020046 Domain Name System (response)
   DNS Standard query response, No such name
   Frame 166 (348 bytes on the wire)
   UDP, Src Port: domain (53), Dst Port: 65350 (65350)

   XMIT VICTIM Time 0.020101 Domain Name System (query)
   DNS Standard query A 7-6.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
   Frame 167 (288 bytes on the wire)
   UDP, Src Port: 54501 (54501), Dst Port: domain (53)

   RECV VICTIM Time 0.020165 Domain Name System (response)
   DNS Standard query response, No such name
   Frame 168 (348 bytes on the wire)
   UDP, Src Port: domain (53), Dst Port: 54501 (54501)

   XMIT VICTIM Time 0.020220 Domain Name System (query)
   DNS Standard query A 7-7.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
   Frame 169 (288 bytes on the wire)
   UDP, Src Port: 55871 (55871), Dst Port: domain (53)

   RECV VICTIM Time 0.020285 Domain Name System (response)
   DNS Standard query response, No such name
   Frame 170 (348 bytes on the wire)
   UDP, Src Port: domain (53), Dst Port: 55871 (55871)

   XMIT VICTIM Time 0.020340 Domain Name System (query)
   DNS Standard query A 7-8.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.



Otis                    Expires December 26, 2006              [Page 50]

Internet-Draft                   SPF DoS                       June 2006


    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
   Frame 171 (288 bytes on the wire)
   UDP, Src Port: 60209 (60209), Dst Port: domain (53)

   RECV VICTIM Time 0.020406 Domain Name System (response)
   DNS Standard query response, No such name
   Frame 172 (348 bytes on the wire)
   UDP, Src Port: domain (53), Dst Port: 60209 (60209)

   XMIT VICTIM Time 0.020461 Domain Name System (query)
   DNS Standard query A 7-9.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
   Frame 173 (288 bytes on the wire)
   UDP, Src Port: 50737 (50737), Dst Port: domain (53)

   RECV VICTIM Time  0.020534 Domain Name System (response)
   DNS Standard query response, No such name
   Frame 174 (348 bytes on the wire)
   UDP, Src Port: domain (53), Dst Port: 50737 (50737)

   XMIT VICTIM Time  0.020598 Domain Name System (query)
   DNS Standard query A 7-0.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
   Frame 175 (288 bytes on the wire)
   UDP, Src Port: 54327 (54327), Dst Port: domain (53)

   RECV VICTIM Time 0.020706 Domain Name System (response)
   DNS Standard query response, No such name
   Frame 176 (348 bytes on the wire)
   UDP, Src Port: domain (53), Dst Port: 54327 (54327)

   XMIT VICTIM Time 0.020761 Domain Name System (query)
   DNS Standard query A 7-1.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com



Otis                    Expires December 26, 2006              [Page 51]

Internet-Draft                   SPF DoS                       June 2006


   Frame 177 (288 bytes on the wire)
   UDP, Src Port: 58995 (58995), Dst Port: domain (53)

   RECV VICTIM Time 0.020827 Domain Name System (response)
   DNS Standard query response, No such name
   Frame 178 (348 bytes on the wire)
   UDP, Src Port: domain (53), Dst Port: 58995 (58995)

   XMIT ATTACK Time 0.020885 Domain Name System (query)
   DNS Standard query MX 8.jo.cert-test.mail-abuse.org
   Frame 179 (79 bytes on the wire)
   UDP, Src Port: 55097 (55097), Dst Port: domain (53)

   RECV ATTACK Time 0.021120 Domain Name System (response)
   DNS Standard query response MX 1 8-2.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
    MX 1 8-3.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
    MX 1 8-4.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
    MX 1 8-5.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
    MX 1 8-6.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
    MX 1 8-7.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.



Otis                    Expires December 26, 2006              [Page 52]

Internet-Draft                   SPF DoS                       June 2006


    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
    MX 1 8-8.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
    MX 1 8-9.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
    MX 1 8-0.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
    MX 1 8-1.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
   Frame 180 (535 bytes on the wire)
   UDP, Src Port: domain (53), Dst Port: 55097 (55097)

   XMIT VICTIM Time 0.021243 Domain Name System (query)
   DNS Standard query A 8-2.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
   Frame 181 (288 bytes on the wire)
   UDP, Src Port: 60196 (60196), Dst Port: domain (53)

   No. 182    Time 0.021313 Domain Name System (response)
   DNS Standard query response, No such name
   Frame 182 (348 bytes on the wire)
   UDP, Src Port: domain (53), Dst Port: 60196 (60196)

   XMIT VICTIM Time 0.021369 Domain Name System (query)
   DNS Standard query A 8-3.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.



Otis                    Expires December 26, 2006              [Page 53]

Internet-Draft                   SPF DoS                       June 2006


    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
   Frame 183 (288 bytes on the wire)
   UDP, Src Port: 54875 (54875), Dst Port: domain (53)

   RECV VICTIM Time 0.021445 Domain Name System (response)
   DNS Standard query response, No such name
   Frame 184 (348 bytes on the wire)
   UDP, Src Port: domain (53), Dst Port: 54875 (54875)

   XMIT VICTIM Time 0.021501 Domain Name System (query)
   DNS Standard query A 8-4.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
   Frame 185 (288 bytes on the wire)
   UDP, Src Port: 54995 (54995), Dst Port: domain (53)

   RECV VICTIM Time 0.021571 Domain Name System (response)
   DNS Standard query response, No such name
   Frame 186 (348 bytes on the wire)
   UDP, Src Port: domain (53), Dst Port: 54995 (54995)

   XMIT VICTIM Time 0.021625 Domain Name System (query)
   DNS Standard query A 8-5.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
   Frame 187 (288 bytes on the wire)
   UDP, Src Port: 51443 (51443), Dst Port: domain (53)

   RECV VICTIM Time 0.021691 Domain Name System (response)
   DNS Standard query response, No such name
   Frame 188 (348 bytes on the wire)
   UDP, Src Port: domain (53), Dst Port: 51443 (51443)

   XMIT VICTIM Time 0.021744 Domain Name System (query)
   DNS Standard query A 8-6.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com



Otis                    Expires December 26, 2006              [Page 54]

Internet-Draft                   SPF DoS                       June 2006


   Frame 189 (288 bytes on the wire)
   UDP, Src Port: 49195 (49195), Dst Port: domain (53)

   RECV VICTIM Time 0.021810 Domain Name System (response)
   DNS Standard query response, No such name
   Frame 190 (348 bytes on the wire)
   UDP, Src Port: domain (53), Dst Port: 49195 (49195)

   XMIT VICTIM Time 0.021863 Domain Name System (query)
   DNS Standard query A 8-7.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
   Frame 191 (288 bytes on the wire)
   UDP, Src Port: 57078 (57078), Dst Port: domain (53)

   RECV VICTIM Time 0.021928 Domain Name System (response)
   DNS Standard query response, No such name
   Frame 192 (348 bytes on the wire)
   UDP, Src Port: domain (53), Dst Port: 57078 (57078)

   XMIT VICTIM Time 0.021982 Domain Name System (query)
   DNS Standard query A 8-8.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
   Frame 193 (288 bytes on the wire)
   UDP, Src Port: 57749 (57749), Dst Port: domain (53)

   RECV VICTIM Time 0.022056 Domain Name System (response)
   DNS Standard query response, No such name
   Frame 194 (348 bytes on the wire)
   UDP, Src Port: domain (53), Dst Port: 57749 (57749)

   XMIT VICTIM Time 0.022110 Domain Name System (query)
   DNS Standard query A 8-9.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
   Frame 195 (288 bytes on the wire)
   UDP, Src Port: 52752 (52752), Dst Port: domain (53)




Otis                    Expires December 26, 2006              [Page 55]

Internet-Draft                   SPF DoS                       June 2006


   RECV VICTIM Time 0.022176 Domain Name System (response)
   DNS Standard query response, No such name
   Frame 196 (348 bytes on the wire)
   UDP, Src Port: domain (53), Dst Port: 52752 (52752)

   XMIT VICTIM Time 0.022730 Domain Name System (query)
   DNS Standard query A 8-0.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
   Frame 197 (288 bytes on the wire)
   UDP, Src Port: 51832 (51832), Dst Port: domain (53)

   RECV VICTIM Time 0.022809 Domain Name System (response)
   DNS Standard query response, No such name
   Frame 198 (348 bytes on the wire)
   UDP, Src Port: domain (53), Dst Port: 51832 (51832)

   XMIT VICTIM Time 0.022886 Domain Name System (query)
   DNS Standard query A 8-1.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
   Frame 199 (288 bytes on the wire)
   UDP, Src Port: 50808 (50808), Dst Port: domain (53)

   RECV VICTIM Time 0.022953 Domain Name System (response)
   DNS Standard query response, No such name
   Frame 200 (348 bytes on the wire)
   UDP, Src Port: domain (53), Dst Port: 50808 (50808)

   XMIT ATTACK Time 0.023015 Domain Name System (query)
   DNS Standard query MX 9.jo.cert-test.mail-abuse.org
   Frame 201 (79 bytes on the wire)
   UDP, Src Port: 59035 (59035), Dst Port: domain (53)

   RECV ATTACK Time 0.023258 Domain Name System (response)
   DNS Standard query response MX 1 9-2.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
    MX 1 9-3.jo.cert-test.



Otis                    Expires December 26, 2006              [Page 56]

Internet-Draft                   SPF DoS                       June 2006


    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
    MX 1 9-4.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
    MX 1 9-5.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
    MX 1 9-6.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
    MX 1 9-7.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
    MX 1 9-8.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
    MX 1 9-9.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
    MX 1 9-0.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
    MX 1 9-1.jo.cert-test.



Otis                    Expires December 26, 2006              [Page 57]

Internet-Draft                   SPF DoS                       June 2006


    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
   Frame 202 (535 bytes on the wire)
   UDP, Src Port: domain (53), Dst Port: 59035 (59035)

   XMIT VICTIM Time 0.023359 Domain Name System (query)
   DNS Standard query A 9-2.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
   Frame 203 (288 bytes on the wire)
   UDP, Src Port: 50611 (50611), Dst Port: domain (53)

   RECV VICTIM Time 0.023440 Domain Name System (response)
   DNS Standard query response, No such name
   Frame 204 (348 bytes on the wire)
   UDP, Src Port: domain (53), Dst Port: 50611 (50611)

   XMIT VICTIM Time 0.023496 Domain Name System (query)
   DNS Standard query A 9-3.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
   Frame 205 (288 bytes on the wire)
   UDP, Src Port: 61681 (61681), Dst Port: domain (53)

   RECV VICTIM Time 0.023567 Domain Name System (response)
   DNS Standard query response, No such name
   Frame 206 (348 bytes on the wire)
   UDP, Src Port: domain (53), Dst Port: 61681 (61681)

   XMIT VICTIM Time 0.023622 Domain Name System (query)
   DNS Standard query A 9-4.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
   Frame 207 (288 bytes on the wire)
   UDP, Src Port: 58347 (58347), Dst Port: domain (53)




Otis                    Expires December 26, 2006              [Page 58]

Internet-Draft                   SPF DoS                       June 2006


   RECV VICTIM Time 0.023688 Domain Name System (response)
   DNS Standard query response, No such name
   Frame 208 (348 bytes on the wire)
   UDP, Src Port: domain (53), Dst Port: 58347 (58347)

   XMIT VICTIM Time 0.023742 Domain Name System (query)
   DNS Standard query A 9-5.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
   Frame 209 (288 bytes on the wire)
   UDP, Src Port: 54368 (54368), Dst Port: domain (53)

   RECV VICTIM Time 0.023808 Domain Name System (response)
   DNS Standard query response, No such name
   Frame 210 (348 bytes on the wire)
   UDP, Src Port: domain (53), Dst Port: 54368 (54368)

   XMIT VICTIM Time 0.023861 Domain Name System (query)
   DNS Standard query A 9-6.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
   Frame 211 (288 bytes on the wire)
   UDP, Src Port: 60614 (60614), Dst Port: domain (53)

   RECV VICTIM Time 0.023925 Domain Name System (response)
   DNS Standard query response, No such name
   Frame 212 (348 bytes on the wire)
   UDP, Src Port: domain (53), Dst Port: 60614 (60614)

   XMIT VICTIM Time 0.023991 Domain Name System (query)
   DNS Standard query A 9-7.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
   Frame 213 (288 bytes on the wire)
   UDP, Src Port: 55345 (55345), Dst Port: domain (53)

   RECV VICTIM Time 0.024068 Domain Name System (response)
   DNS Standard query response, No such name
   Frame 214 (348 bytes on the wire)



Otis                    Expires December 26, 2006              [Page 59]

Internet-Draft                   SPF DoS                       June 2006


   UDP, Src Port: domain (53), Dst Port: 55345 (55345)

   XMIT VICTIM Time 0.024123 Domain Name System (query)
   DNS Standard query A 9-8.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
   Frame 215 (288 bytes on the wire)
   UDP, Src Port: 51591 (51591), Dst Port: domain (53)

   RECV VICTIM Time 0.024188 Domain Name System (response)
   DNS Standard query response, No such name
   Frame 216 (348 bytes on the wire)
   UDP, Src Port: domain (53), Dst Port: 51591 (51591)

   XMIT VICTIM Time 0.024243 Domain Name System (query)
   DNS Standard query A 9-9.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
   Frame 217 (288 bytes on the wire)
   UDP, Src Port: 63273 (63273), Dst Port: domain (53)

   RECV VICTIM Time 0.024307 Domain Name System (response)
   DNS Standard query response, No such name
   Frame 218 (348 bytes on the wire)
   UDP, Src Port: domain (53), Dst Port: 63273 (63273)

   XMIT VICTIM Time 0.024362 Domain Name System (query)
   DNS Standard query A 9-0.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
   Frame 219 (288 bytes on the wire)
   UDP, Src Port: 55263 (55263), Dst Port: domain (53)

   RECV VICTIM Time 0.024427 Domain Name System (response)
   DNS Standard query response, No such name
   Frame 220 (348 bytes on the wire)
   UDP, Src Port: domain (53), Dst Port: 55263 (55263)

   XMIT VICTIM Time 0.024483 Domain Name System (query)



Otis                    Expires December 26, 2006              [Page 60]

Internet-Draft                   SPF DoS                       June 2006


   DNS Standard query A 9-1.jo.cert-test.
    123456789-123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789-123456789.
    123456789-123456789-123456789-123456789.
    123456789-123456789-123456789.123456789-123456789.123456789.
    example.com
   Frame 221 (288 bytes on the wire)
   UDP, Src Port: 49820 (49820), Dst Port: domain (53)

   RECV VICTIM Time 0.024551 Domain Name System (response)
   DNS Standard query response, No such name
   Frame 222 (348 bytes on the wire)
   UDP, Src Port: domain (53), Dst Port: 49820 (49820)






































Otis                    Expires December 26, 2006              [Page 61]

Internet-Draft                   SPF DoS                       June 2006


Author's Address

   Douglas Otis
   Trend Micro, NSSG
   1737 North First Street, Suite 680
   San Jose, CA  95112
   USA

   Phone: +1.408.453.6277
   Email: doug_otis@trendmicro.com









































Otis                    Expires December 26, 2006              [Page 62]

Internet-Draft                   SPF DoS                       June 2006


Intellectual Property Statement

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.


Disclaimer of Validity

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.


Copyright Statement

   Copyright (C) The Internet Society (2006).  This document is subject
   to the rights, licenses and restrictions contained in BCP 78, and
   except as set forth therein, the authors retain all their rights.


Acknowledgment

   Funding for the RFC Editor function is currently provided by the
   Internet Society.




Otis                    Expires December 26, 2006              [Page 63]


Html markup produced by rfcmarkup 1.107, available from http://tools.ietf.org/tools/rfcmarkup/