
Re: [Full-Disclosure] new dos attack?
> Now assuming you are the ISP, is there any way to get all those domains
> pointed to somewhere else without having to define them all on your name
> servers? Can't you fax the registrar or something to park them or is this
> pretty much a really difficult type of attack to fight off?

Spam in its present state doesn't in general (with some exceptions) use
a valid return address.  They are still being forged which means the DNS
queries are for yahoo, aol, and other frequent forgeries.

The only real area I can see a lot of potential resolution is with URLs
that people click on in emails.  In a majority of spams I've seen,
however, spammers are still using IP addresses instead of domain names
as their goal is to hide as much revealing information as possible to
pass them through spam filters [insert rant for Bayesian style
filtering].

If they did do this though, I would think that name server caching would
significantly reduce the number of queries, helping to share the load of
the problem.  Every customer query to aol.com doesn't hit aol's
nameservers (fortunately for AOL)...it hits first the user's local
nameserver cache, and second the ISP's cache...with a large company like
AOL, it'll also hit the ISP's web/ns inverse cache servers long before
it ever touches their actual name servers.

Some individuals are coding spam filters that actually perform HTTP gets
on the URLs in the spams, in an attempt to DoS the spammers.  I would be
more concerned about this type of DoS.

Jonathan


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html