nanog mailing list archives

Re: DNS cache poisoning attacks -- are they real?


From: Chris Brenton <cbrenton () chrisbrenton org>
Date: Mon, 28 Mar 2005 06:44:59 -0500


On Mon, 2005-03-28 at 01:04, John Payne wrote:

> And to Randy's point about problems with open recursive nameservers...
> abusers have been known to cache "hijack".  Register a domain,
> configure an authority with very large TTLs, seed it onto known open
> recursive nameservers, update domain record to point to the open
> recursive servers rather than their own.  Wammo, "bullet proof" dns
> hosting.

I posted a note to Bugtraq on this process about a year and a half ago
as at the time I noticed a few spammers using this technique. Seems they
were doing this to protect their NS from retaliatory attacks. 
http://cert.uni-stuttgart.de/archive/bugtraq/2003/09/msg00164.html

Large TTLs only get you so far. All depends on the default setting of
max-cache-ttl. For BIND this is 7 days. MS DNS is 24 hours. Obviously
spammers can do a lot of damage in 7 days. :(

HTH,
Chris
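The seeding sequence John describes and the cap Chris points to, as an added example that is not part of the thread: a toy Python model of a resolver cache that applies max-cache-ttl and shows how long a record seeded with an oversized TTL keeps being answered under each setting. The name ns1.spammer.example, the address 192.0.2.1 and the 3600-second "hardened" value are constructed for illustration; the 7-day and 24-hour figures are the defaults quoted above.

```python
# Added example, not from the thread: a minimal model of how a recursive
# resolver caps cached lifetimes with max-cache-ttl, and how long a record
# "seeded" with an oversized TTL keeps being answered under each setting.
from dataclasses import dataclass

DAY = 86400
MAX_TTL = 2**31 - 1            # largest TTL the DNS wire format allows
POLICIES = {                   # the two defaults quoted in the thread, plus an
    "bind-default": 7 * DAY,   # assumed tighter local setting for comparison
    "msdns-default": 1 * DAY,
    "hardened": 3600,
}

@dataclass
class CachedRR:
    rdata: str
    expires_at: int            # absolute time in seconds

class ResolverCache:
    """Caches answers, but never for longer than max_cache_ttl."""
    def __init__(self, max_cache_ttl: int):
        self.max_cache_ttl = max_cache_ttl
        self._rrs: dict[tuple[str, str], CachedRR] = {}

    def insert(self, now: int, name: str, rtype: str, rdata: str, ttl: int) -> int:
        capped = min(ttl, self.max_cache_ttl)          # the max-cache-ttl cap
        self._rrs[(name.lower(), rtype)] = CachedRR(rdata, now + capped)
        return capped

    def lookup(self, now: int, name: str, rtype: str):
        key = (name.lower(), rtype)
        rr = self._rrs.get(key)
        if rr is None or rr.expires_at <= now:
            self._rrs.pop(key, None)                   # expired: must re-resolve
            return None
        return rr.rdata, rr.expires_at - now           # remaining TTL clients see

def seeded_answers(max_cache_ttl: int, query_times: list[int],
                   seeded_ttl: int = MAX_TTL) -> dict[int, bool]:
    """Seed a record at t=0 (constructed name/address), then report at which
    later query times the cache still hands out the seeded data."""
    cache = ResolverCache(max_cache_ttl)
    cache.insert(0, "ns1.spammer.example", "A", "192.0.2.1", seeded_ttl)
    return {t: cache.lookup(t, "ns1.spammer.example", "A") is not None
            for t in query_times}

if __name__ == "__main__":
    probes = [1 * DAY, 6 * DAY, 8 * DAY]
    for policy, cap in POLICIES.items():
        served = [t // DAY for t, hit in seeded_answers(cap, probes).items() if hit]
        print(f"{policy:14s} cap {cap:>7}s: seeded data still served on days {served}")
```

Run as a script it prints, per policy, which probe days still return the seeded address; lowering max-cache-ttl (and refusing recursion to outsiders) shrinks that window.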


