[62581] in North American Network Operators' Group
RE: Interesting interaction between Blaster worm variants and Verisign DNS change
daemon@ATHENA.MIT.EDU (Jeremy_Powell@sbcss.k12.ca.us)
Fri Sep 19 11:35:20 2003
Date: Fri, 19 Sep 2003 08:33:15 -0700
From: <Jeremy_Powell@sbcss.k12.ca.us>
To: <fw@deneb.enyo.de>
Cc: <nanog@merit.edu>
Errors-To: owner-nanog-outgoing@merit.edu
Not possible is a strong statement since it has happened
twice so far. The assumption you are making is the assumption
that I made, which is that the resolver would first try to
look up exactly what was requested, but that is not what it
does. For example, with the machine's domain set to clementnt.com
and the default "Append primary DNS suffix" to lookups checked
under the advanced TCP/IP properties, the result of an nslookup
from the machine for www.apple.com is to look up
www.apple.com.clementnt.com, which returns 64.94.110.11 because
it does not exist. It does this before actually looking up what
was typed. When I say it has happened twice, I mean that I have
had 2 Blaster-infected machines sending spoofed IP address requests
to 64.94.110.11 tcp port 80 containing windowsupdate.com in
the host portion of the HTML header. Removing Blaster using virus
tools eliminated this behavior.
Jeremy Powell
> -----Original Message-----
> From: Florian Weimer [mailto:fw@deneb.enyo.de]
> Sent: Friday, September 19, 2003 4:44 AM
> To: Jeremy Powell
> Cc: nanog@merit.edu
> Subject: Re: Interesting interaction between Blaster worm variants and
> Verisign DNS change
>
>
> <Jeremy_Powell@sbcss.k12.ca.us> writes:
>
> > I think that an interesting interaction involving:
> >
> > 1) Blaster worm DDoS attack against windows update.
> > 2) The default action of Windows 2000 and XP computers
> > to automatically append the domain name under "Network
> > Identification" or the suffix search list to DNS lookups.
> > 3) The number of non-existent domains that exist in the
> > above settings.
> > 4) The change that Verisign made so that all non-existent
> > domains resolve to 64.94.110.11
> >
> > is the cause of the DDoS attack that Verisign is experiencing.
>
> This is not possible. There's a NS entry for windowsupdate.com, which
> overrides the wildcard A record (in standard zone files, wildcard
> records are suppressed as soon as an RR for the domain exists, even if
> the types don't match).
>
_________________________________________________________________________________
Statement of Confidentiality: The contents of this e-mail message and any attachments are intended solely for the addressee. The information may also be confidential and/or legally privileged. This transmission is sent for the sole purpose of delivery to the intended recipient. If you have received this transmission in error, any use, reproduction, or dissemination of this transmission is strictly prohibited. If you are not the intended recipient, please immediately notify the sender by reply e-mail, send a copy to postmaster@sbcss.k12.ca.us and delete this message and its attachments, if any.
E-mail is covered by the Electronic Communications Privacy Act, 18 USC SS 2510-2521 and is legally privileged.
Date Sent (d/m/yy): 19/9/2003 - Sender: Jeremy_Powell@sbcss.k12.ca.us
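The two positions in this thread are both about how a wildcard record interacts with the names a stub resolver actually sends. The following is an added model, not code from the thread or from either poster: a toy .com zone with a Site Finder style wildcard (the 64.94.110.11 address is the one quoted in the thread; the zone contents and NS rdata are made up), an authoritative lookup with RFC 1034 wildcard semantics, and a client that tries the name with the machine's primary DNS suffix appended, in the order the first poster reports. It shows that windowsupdate.com itself never hits the wildcard because its own NS RRset wins (the reply's point), while www.apple.com.clementnt.com under an unregistered suffix does (the original poster's point).

```python
# Added model of the interaction discussed above: a Windows-style DNS
# client that appends the machine's primary DNS suffix, querying a .com
# zone that carries a Site Finder style wildcard. Constructed example,
# not code from the thread. The zone contents and NS rdata are made up;
# only the wildcard address 64.94.110.11 comes from the thread.

APEX = "com"
WILDCARD_IP = "64.94.110.11"  # address the thread reports for non-existent .com names

# Constructed toy zone: owner name -> {rrtype: [rdata, ...]}.
ZONE_COM = {
    "com": {"SOA": ["a.gtld-servers.example. hostmaster.example. 1 1 1 1 1"]},
    "*.com": {"A": [WILDCARD_IP]},
    "windowsupdate.com": {"NS": ["ns1.windowsupdate.example."]},  # hypothetical delegation
    "apple.com": {"NS": ["ns1.apple.example."]},                  # hypothetical delegation
}


def _ancestors(name):
    """Yield the name, then each parent down to the apex (root excluded):
    'www.apple.com' -> 'www.apple.com', 'apple.com', 'com'."""
    labels = name.split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def lookup(zone, qname, qtype):
    """Authoritative lookup with RFC 1034 wildcard semantics.
    Returns (status, rdata) with status NOERROR, NXDOMAIN or REFERRAL."""
    for i, node in enumerate(_ancestors(qname)):
        rrsets = zone.get(node)
        if rrsets is None:
            # No RRs at this name; it still "exists" if some non-wildcard name lies below it.
            below = any(n.endswith("." + node) and not n.startswith("*.") for n in zone)
            if not below:
                continue
            rrsets = {}
        # node is the closest existing name (qname itself when i == 0).
        if "NS" in rrsets and node != APEX:
            return "REFERRAL", rrsets["NS"]          # a delegation wins; no wildcard is consulted
        if i == 0:
            return "NOERROR", rrsets.get(qtype, [])  # exact match (empty list = NODATA)
        wild = zone.get("*." + node)
        if wild is not None:
            return "NOERROR", wild.get(qtype, [])    # synthesised from the wildcard
        return "NXDOMAIN", []
    return "NXDOMAIN", []


def windows_style_resolve(name, primary_suffix, suffix_first=True):
    """Model of the client behaviour the thread describes: with 'Append primary
    DNS suffix' enabled the client tries name + '.' + suffix as well as the
    name as typed. The thread reports the suffixed form being asked first;
    suffix_first=False models the other order. Each candidate is tried until
    one does not come back NXDOMAIN. Returns the list of (qname, status, rdata)
    actually sent."""
    suffixed = f"{name}.{primary_suffix}"
    candidates = [suffixed, name] if suffix_first else [name, suffixed]
    trace = []
    for qname in candidates:
        status, rdata = lookup(ZONE_COM, qname, "A")
        trace.append((qname, status, rdata))
        if status != "NXDOMAIN":
            break
    return trace


if __name__ == "__main__":
    # The machine's suffix 'clementnt.com' is not registered, so the suffixed
    # query matches *.com and the name as typed is never asked for.
    for step in windows_style_resolve("www.apple.com", "clementnt.com"):
        print(step)
    # windowsupdate.com itself owns an NS RRset, so the wildcard never applies to it.
    print(lookup(ZONE_COM, "windowsupdate.com", "A"))
```

A REFERRAL is where a real recursive resolver would go on to the delegated servers; for the question in the thread it is enough that the wildcard is only consulted once the walk reaches an ancestor with no closer existing name, which is why an unregistered suffix turns every suffixed query into a wildcard hit. The same model is a quick check for an administrator: any host whose primary suffix or search list contains a name that does not exist in the parent zone will, with this client ordering, send its first query for any typed name straight into the wildcard address.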