Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: DNS cache poisoning attacks -- are they real?

  • From: Joe Maimon
  • Date: Wed Mar 30 08:26:31 2005



Florian Weimer wrote:
* Joe Maimon:


How do spammers make step 5 succeed?

They delegate www.example.com instead of example.com?


I suspect I am some distance over the cliff here but nevertheless, onward.

I dont get it. That has nothing to do with the registrar, or dodging
forced deactivation of a domain. All it does is make it appear to
anti-spammers that www.example.com nameservers are the seeded resolvers.

Thats not quite the described problem in the URL that chris included.

http://cert.uni-stuttgart.de/archive/bugtraq/2003/09/msg00164.html

"
Next the spammer goes back to their registry authority and changes their
authoritative name servers to be the recursive name servers they
populated in the last step. Since it appears that registry authorities
no longer validate if a customer has permission to use the name server
they specify (note that this used to be done way back when domain names
were free), the record is quickly updated and users on the Internet are
directed to this populated name server when querying information about
the spammer's domain. The spammer is now free to push out their spam and
if the Internet community decides to attack, the name server being
attacked actually belongs to someone else.
"

SO if the extent of the problem is that the victim nameserver may become
blocklisted/attacked due to its apparent hosting of a spam URL, than the answer is that anti-spammers need to be a whole lot more carefull at which nameservers they direct their ire at. Specifically, they need to confine that to only certain trustworthy points in the delegation, such as delegation for .com. and .co.uk. but not any deeper.

IF the concern is that spammers may try to have their spamsite records
survive example.com termination, thats quite possible to attempt doing
without bothering to directly attempt to seed any other resolvers cache, all they need are their trojan pcs to host the domain and to hand out NS/A records with very large TTL values.

SURBL and others will helpfully prime the resolvers all over the world.

Its quite possible that going after the DNS for spammers may not/should not be the quick fix to abusive spam that people would hope for. If all this activity is confined to domain names that they have originally registered and paid for and belonged to them, I might find it quite reasonable declaring this to be strictly a registrar problem.

And a resolver ought to be able to tell that www.example.com delegation
is lame.






Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.