[79079] in North American Network Operators' Group
Re: DNS cache poisoning attacks -- are they real?
daemon@ATHENA.MIT.EDU (Joe Maimon)
Wed Mar 30 08:25:49 2005
Date: Wed, 30 Mar 2005 08:25:16 -0500
From: Joe Maimon <jmaimon@ttec.com>
To: Florian Weimer <fw@deneb.enyo.de>
Cc: Brad Knowles <brad@stop.mail-abuse.org>,
	Chris Brenton <cbrenton@chrisbrenton.org>, nanog <nanog@merit.edu>
In-Reply-To: <87psxh8qce.fsf@deneb.enyo.de>
Errors-To: owner-nanog@merit.edu
Florian Weimer wrote:
> * Joe Maimon:
> 
> 
>>How do spammers make step 5 succeed?
> 
> 
> They delegate www.example.com instead of example.com?
> 
> 
I suspect I am some distance over the cliff here but nevertheless, onward.
I dont get it. That has nothing to do with the registrar, or dodging
forced deactivation of a domain. All it does is make it appear to
anti-spammers that www.example.com nameservers are the seeded resolvers.
Thats not quite the described problem in the URL that chris included.
http://cert.uni-stuttgart.de/archive/bugtraq/2003/09/msg00164.html
"
Next the spammer goes back to their registry authority and changes their
authoritative name servers to be the recursive name servers they
populated in the last step. Since it appears that registry authorities
no longer validate if a customer has permission to use the name server
they specify (note that this used to be done way back when domain names
were free), the record is quickly updated and users on the Internet are
directed to this populated name server when querying information about
the spammer's domain. The spammer is now free to push out their spam and
if the Internet community decides to attack, the name server being
attacked actually belongs to someone else.
"
SO if the extent of the problem is that the victim nameserver may become
blocklisted/attacked due to its apparent hosting of a spam URL, than the 
answer is that anti-spammers need to be a whole lot more carefull at 
which nameservers they direct their ire at. Specifically, they need to 
confine that to only certain trustworthy points in the delegation, such 
as delegation for .com. and .co.uk. but not any deeper.
IF the concern is that spammers may try to have their spamsite records
survive example.com termination, thats quite possible to attempt doing
without bothering to directly attempt to seed any other resolvers cache, 
all they need are their trojan pcs to host the domain and to hand out 
NS/A records with very large TTL values.
SURBL and others will helpfully prime the resolvers all over the world.
Its quite possible that going after the DNS for spammers may not/should 
not be the quick fix to abusive spam that people would hope for. If all 
this activity is confined to domain names that they have originally 
registered and paid for and belonged to them, I might find it quite 
reasonable declaring this to be strictly a registrar problem.
And a resolver ought to be able to tell that www.example.com delegation
is lame.