North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: DNS cache poisoning attacks -- are they real?

  • From: Chris Brenton
  • Date: Mon Mar 28 06:49:27 2005

On Mon, 2005-03-28 at 01:04, John Payne wrote:
>
> And to Randy's point about problems with open recursive nameservers... 
> abusers have been known to cache "hijack".  Register a domain, 
> configure an authority with very large TTLs, seed it onto known open 
> recursive nameservers, update domain record to point to the open 
> recursive servers rather than their own.  Wammo, "bullet proof" dns 
> hosting.

I posted a note to Bugtraq on this process about a year and a half ago
as at the time I noticed a few spammers using this technique. Seems they
were doing this to protect their NS from retaliatory attacks. 
http://cert.uni-stuttgart.de/archive/bugtraq/2003/09/msg00164.html

Large TTLs only get you so far. All depends on the default setting of
max-cache-ttl. For Bind this is 7 days. MS DNS is 24 hours. Obviously
spammers can do a lot of damage in 7 days. :(

HTH,
Chris