nanog mailing list archives
Re: DNS cache poisoning attacks -- are they real?
From: Joe Maimon <jmaimon () ttec com>
Date: Wed, 30 Mar 2005 08:25:16 -0500
Florian Weimer wrote:
> * Joe Maimon:
>> How do spammers make step 5 succeed?
> They delegate www.example.com instead of example.com?
I suspect I am some distance over the cliff here but nevertheless, onward. I don't get it. That has nothing to do with the registrar, or dodging forced deactivation of a domain. All it does is make it appear to anti-spammers that www.example.com nameservers are the seeded resolvers. That's not quite the described problem in the URL that Chris included.

http://cert.uni-stuttgart.de/archive/bugtraq/2003/09/msg00164.html

"Next the spammer goes back to their registry authority and changes their authoritative name servers to be the recursive name servers they populated in the last step. Since it appears that registry authorities no longer validate if a customer has permission to use the name server they specify (note that this used to be done way back when domain names were free), the record is quickly updated and users on the Internet are directed to this populated name server when querying information about the spammer's domain. The spammer is now free to push out their spam and if the Internet community decides to attack, the name server being attacked actually belongs to someone else."

So if the extent of the problem is that the victim nameserver may become blocklisted/attacked due to its apparent hosting of a spam URL, then the answer is that anti-spammers need to be a whole lot more careful at which nameservers they direct their ire at. Specifically, they need to confine that to only certain trustworthy points in the delegation, such as delegation for .com. and .co.uk. but not any deeper.
If the concern is that spammers may try to have their spamsite records survive example.com termination, that's quite possible to attempt doing without bothering to directly attempt to seed any other resolver's cache; all they need are their trojan PCs to host the domain and to hand out NS/A records with very large TTL values.
SURBL and others will helpfully prime the resolvers all over the world. It's quite possible that going after the DNS for spammers may not/should not be the quick fix to abusive spam that people would hope for. If all this activity is confined to domain names that they have originally registered and paid for and belonged to them, I might find it quite reasonable declaring this to be strictly a registrar problem.
And a resolver ought to be able to tell that www.example.com delegation is lame.
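The distinction the thread turns on (a nameserver that is authoritative for a name versus a recursive cache that merely had the name seeded into it) is visible in the DNS header flags. The following is an added example, not code from the post or from any listed project: it sends a query with RD cleared to a delegated server and classifies the reply by its AA and RA bits, so an operator can see whether a "nameserver" blamed for a spam domain is really serving the zone. `check_delegation` is a hypothetical helper name; `classify_response` works on raw bytes and is exercised below on constructed headers.

```python
import socket
import struct

# Constructed example: decide whether a delegated nameserver answers
# authoritatively for a name, or is a recursive cache that was seeded.

def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a DNS query with RD=0 so a cache cannot simply recurse for us."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)  # flags all clear
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def classify_response(resp: bytes) -> str:
    """Classify a reply by header flags: 'authoritative' (AA set),
    'lame-recursive' (no AA, RA set: a cache answering from seeded data),
    'lame-no-data' (neither), or 'error' (not a response / SERVFAIL / REFUSED)."""
    if len(resp) < 12:
        return "error"
    _txid, flags, _qd, _an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    qr = (flags >> 15) & 1
    aa = (flags >> 10) & 1
    ra = (flags >> 7) & 1
    rcode = flags & 0xF
    if not qr or rcode not in (0, 3):  # only NOERROR / NXDOMAIN are usable
        return "error"
    if aa:
        return "authoritative"
    if ra:
        return "lame-recursive"
    return "lame-no-data"

def check_delegation(qname: str, server: str, timeout: float = 3.0) -> str:
    """Query the delegated server directly over UDP/53 and classify its answer.
    Requires network access; the classification logic itself does not."""
    query = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        resp, _ = sock.recvfrom(4096)
    if resp[:2] != query[:2]:  # transaction id mismatch: not our answer
        return "error"
    return classify_response(resp)
```

A result of "lame-recursive" for every server listed in the delegation is the situation the thread describes: the zone is not hosted there, the cache was merely primed.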