North American Network Operators Group


Re: DNS cache poisoning attacks -- are they real?

  • From: Joe Maimon
  • Date: Wed Mar 30 08:26:31 2005


Florian Weimer wrote:
> * Joe Maimon:
>
> > How do spammers make step 5 succeed?
>
> They delegate www.example.com instead of example.com?

I suspect I am some distance over the cliff here but nevertheless, onward.

I don't get it. That has nothing to do with the registrar, or dodging
forced deactivation of a domain. All it does is make it appear to
anti-spammers that the www.example.com nameservers are the seeded resolvers.

That's not quite the described problem in the URL that Chris included.

http://cert.uni-stuttgart.de/archive/bugtraq/2003/09/msg00164.html

"
Next the spammer goes back to their registry authority and changes their
authoritative name servers to be the recursive name servers they
populated in the last step. Since it appears that registry authorities
no longer validate if a customer has permission to use the name server
they specify (note that this used to be done way back when domain names
were free), the record is quickly updated and users on the Internet are
directed to this populated name server when querying information about
the spammer's domain. The spammer is now free to push out their spam and
if the Internet community decides to attack, the name server being
attacked actually belongs to someone else.
"

So if the extent of the problem is that the victim nameserver may become
blocklisted/attacked due to its apparent hosting of a spam URL, then the
answer is that anti-spammers need to be a whole lot more careful about
which nameservers they direct their ire at. Specifically, they need to
confine that to only certain trustworthy points in the delegation, such
as the delegation for .com. and .co.uk., but not any deeper.

If the concern is that spammers may try to have their spamsite records
survive example.com termination, that's quite possible to attempt doing
without bothering to directly attempt to seed any other resolver's cache;
all they need are their trojan PCs to host the domain and to hand out
NS/A records with very large TTL values.

SURBL and others will helpfully prime the resolvers all over the world.

It's quite possible that going after the DNS for spammers may not/should
not be the quick fix to abusive spam that people would hope for. If all
this activity is confined to domain names that they have originally
registered and paid for and that belonged to them, I might find it quite
reasonable to declare this strictly a registrar problem.

And a resolver ought to be able to tell that www.example.com delegation
is lame.
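Two of the points above lend themselves to a concrete check: a resolver (or an anti-spam analyst) can tell that a delegation is lame by asking each server the parent names whether it answers authoritatively for the zone and lists itself at the apex, and blocklisting can be confined to the registrar-level delegation point rather than whatever deeper name the spammer chose to delegate. The following Python sketch is an added example, not part of Joe's post or of any tool named in the thread. All DNS data in it is constructed inline (the hostnames, the 192.0.2.10 address and the small public-suffix set are placeholders), so it runs offline; a real implementation would replace the `RESPONSES` table with actual `NS` queries to each delegated server and the suffix set with the public suffix list.

```python
"""Defensive checks for the delegation problems discussed in the thread:
(1) is a delegation lame (do the servers the parent names answer
    authoritatively and list themselves in the apex NS set), and are they
    handing out suspiciously long TTLs;
(2) which delegation point is the registrar-controlled name, so that any
    blocklisting stops there and not at a deeper, possibly spoofed, delegation.
Every record below is constructed for the example; nothing is looked up."""
from dataclasses import dataclass


@dataclass
class Response:
    aa: bool        # authoritative-answer flag from the DNS header
    rrsets: dict    # (owner, rtype) -> [(ttl, rdata), ...]


# Constructed parent-zone delegation data (the parent's NS records).
PARENT_NS = {
    "example.com.": ["ns1.example.com.", "ns2.example.com."],
    # Delegation pointing at someone else's recursive server, as in the quoted post.
    "www.example.com.": ["resolver.victim-isp.net."],
}

# Constructed answers: (server, zone) -> what the server returns for "NS <zone>".
APEX_NS = [(86400, "ns1.example.com."), (86400, "ns2.example.com.")]
RESPONSES = {
    ("ns1.example.com.", "example.com."): Response(True, {("example.com.", "NS"): APEX_NS}),
    ("ns2.example.com.", "example.com."): Response(True, {("example.com.", "NS"): APEX_NS}),
    # A recursive server that merely has the name cached: not authoritative, 30-day TTL.
    ("resolver.victim-isp.net.", "www.example.com."): Response(
        False, {("www.example.com.", "A"): [(2592000, "192.0.2.10")]}),
}

ONE_WEEK = 7 * 24 * 3600


def check_delegation(zone, parent_ns=PARENT_NS, responses=RESPONSES, max_ttl=ONE_WEEK):
    """Return a list of (server, problem) findings for the parent's delegation of zone.
    An empty list means every delegated server answered authoritatively, appears in
    the zone's apex NS set, and used no TTL longer than max_ttl."""
    findings = []
    servers = parent_ns.get(zone, [])
    if not servers:
        return [(None, "no delegation")]
    for server in servers:
        resp = responses.get((server, zone))
        if resp is None:
            findings.append((server, "no response"))
            continue
        if not resp.aa:
            findings.append((server, "lame: non-authoritative answer"))
        apex = [rdata for _, rdata in resp.rrsets.get((zone, "NS"), [])]
        if resp.aa and server not in apex:
            findings.append((server, "lame: not in apex NS set"))
        for (owner, rtype), rrs in resp.rrsets.items():
            for ttl, _ in rrs:
                if ttl > max_ttl:
                    findings.append((server, f"excessive TTL {ttl} on {owner} {rtype}"))
    return findings


# Constructed public-suffix sample (the real list is far longer). "co.uk" shows a
# two-label suffix under which registrars delegate directly to customers.
PUBLIC_SUFFIXES = {"com", "net", "uk", "co.uk"}


def registrable_domain(name, suffixes=PUBLIC_SUFFIXES):
    """Return the delegation point directly below a public suffix, i.e. the name a
    registrar controls. Deeper delegations (www.example.com) are the owner's to make
    and say nothing about who actually runs the server they point at."""
    labels = name.rstrip(".").lower().split(".")
    # The first i whose tail matches is the longest matching suffix.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in suffixes:
            return None if i == 0 else ".".join(labels[i - 1:]) + "."
    return None


if __name__ == "__main__":
    for zone in PARENT_NS:
        print(zone, "->", registrable_domain(zone), check_delegation(zone) or "ok")
```

With the constructed data, `example.com.` checks clean, while `www.example.com.` reports the delegated server as lame (non-authoritative) and flags the 30-day TTL; both names map back to `example.com.`, which is where a complaint or block belongs.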