To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------

I don't think that the amplification is going to be as large as you think (hundreds of XFERs per second). If a zone is already in the XFER process, it will simply cause a syslog event that indicates a NOTIFY was received for a zone that was already transferring.

I started and operated the EZ-IP.NET project way back in the day, and if this hadn't been the case, there would have been hundreds more transfers taking place between my master NS and the secondaries.

John

-----Original Message-----
From: Mark Senior [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 06, 2007 12:35 PM
To: Alan Clegg
Cc: [email protected]
Subject: Re: [botnets] Domain list query...

I see two possibilities:

My first guess would be a DDoS type attack - if an attacker could find a number of DNS servers that would actually request a transfer in response to a NOTIFY for an arbitrary domain, and at least one nameserver for that domain allows zone transfers, then he could have an enormous bandwidth amplifier - send out a hundred NOTIFYs per second, and your target gets stuck transferring the entire zone a hundred times a second.

The second possibility I can imagine would be a DNS cache poisoning attack - if you can trick your victim's nameserver into launching an NS query, and spoof the response, then you can become the nameserver for that domain for a time.

Checking a few of those domains at random, I got NXDOMAIN responses - which suggests the DDoS angle doesn't make much sense.

Regards
Mark

On 9/5/07, Alan Clegg <[EMAIL PROTECTED]> wrote:
> I have a client whose nameservers are being flooded by DNS NOTIFY
> packets for the list of domains at the bottom of this message.
>
> Beyond the domains being used as spam sources, does anyone on the list
> see anything that links these domains?
>
> We are trying to figure out the commonality between them that would
> cause the behavior that we are seeing... Why would about eight machines
> be pummeling a major provider's DNS servers with NOTIFY (i.e., domain
> updated, please do a transfer) messages?
>
> Here's the list:
>
> abysscastor.info
> advizehint.com
> ailisar.com
> applander.com
> baserocket.com
> betgisarmer.com
> blousecollar.com
> bunkerlock.com
> calmorphan.com
> carlotpro.com
> carrycartrter.com
> cessful.com
> chaudtas.com
> checkonline.hk
> cnnmk.hk
> commacomma.hk
> copeckstable.com
> cornamusement.com
> cpluscrayons.com
> crimefooler.com
> croquetroof.com
> cyberbox.hk
> deafanddum.com
> deargraler.com
> densitylow.com
> depiberry.com
> dogderopero.com
> dynastycost.com
> erranter.com
> fadedtraveller.com
> ficientt.com
> fresthikom.com
> gratefuldenial.net
> grindingpolka.com
> guideleper.com
> guideleper.net
> harrowingbut.com
> hazefoul.com
> hazefoul.net
> hoerillugad.com
> honeymandarin.info
> hugguide.com
> hutchilo.com
> inveterat.com
> justlom.com
> justnaw.com
> laryslarys.com
> lookprouv.com
> lossfeeler.com
> mainyachting.com
> manegeincision.info
> marchobny.com
> mattingkoot.com
> meanignik.com
> medsbuyonline.com
> mikosal.cd
> motorampere.com
> newekind.com
> nzmipanel.com
> penrockyt.net
> pokuureto.net
> pretentiou.com
> prolinor.com
> proseassembly.com
> rationboo.com
> satyrholl.com
> serinti.com
> simmqwi.cd
> spirefakter.com
> spirefakter.net
> stafegiyngu.com
> sugaryextortion.net
> tamosaqui.com
> thithera.com
> townelection.com
> ttqase.hk
> uaikq.hk
> uickesho.com
> uija.hk
> ujjia.hk
> ujnn.hk
> ujud.hk
> usadd.hk
> usagg.hk
> usapro.hk
> usjol.hk
> vividquiz.com
> voomco.hk
> vvik.hk
> witouta.cn
> wrungworld.com
> wrungworld.info
> yourhalo.hk
> ysdh.hk
> yyhjks.hk
> ziikaol.hk
> zinamol.cd
> zippoguides.com
> zxasd.hk
> zxiak.hk
> zzzaz.hk
>
> Thanks,
> AlanC
> --
> In the beginning of a change, the patriot is a scarce man, brave,
> hated, and scorned. When his cause succeeds however, the timid
> join him, for then it cost nothing to be a patriot.
> _______________________________________________
> To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
> All list and server information are public and available to law enforcement upon request.
> http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
> _______________________________________________
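The thread turns on what a NOTIFY flood looks like on the wire: opcode 4 messages whose question section names a zone the receiving server is usually not even authoritative for. The following is an added example, not code from the list or from any of the posters, showing how to recognise such traffic from raw DNS messages: it decodes the header and question, flags NOTIFYs for zones the server does not serve (the "arbitrary domain" case Mark describes) and NOTIFYs for served zones that do not come from a configured master, and counts NOTIFYs per source so the "eight machines pummeling" pattern stands out. The zone table, master addresses and sample packets are constructed for the example; the zone names in the packets are taken from Alan's list.

```python
"""Spot DNS NOTIFY floods in raw DNS messages (added example, constructed data)."""
import struct
from collections import Counter

OPCODE_NOTIFY = 4           # RFC 1996 NOTIFY opcode
QTYPE_SOA, QCLASS_IN = 6, 1


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, offset):
    """Decode an uncompressed name starting at offset; return (name, next_offset)."""
    labels = []
    while True:
        length = msg[offset]
        if length == 0:
            return ".".join(labels).lower(), offset + 1
        if length & 0xC0:
            raise ValueError("compression pointer in question section")
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def build_notify(msg_id, zone):
    """Build a NOTIFY as a master would send it: opcode 4, AA set, one SOA question."""
    header = struct.pack("!HHHHHH", msg_id, 0x2400, 1, 0, 0, 0)  # 4<<11 | AA
    return header + encode_name(zone) + struct.pack("!HH", QTYPE_SOA, QCLASS_IN)


def build_query(msg_id, name, qtype=1):
    """Build an ordinary recursive query (opcode 0, RD set) for contrast."""
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_question(msg):
    """Return (id, opcode, qname) from a DNS message; qname is None if QDCOUNT is 0."""
    msg_id, flags, qdcount = struct.unpack("!HHH", msg[:6])
    opcode = (flags >> 11) & 0xF
    qname = decode_name(msg, 12)[0] if qdcount else None
    return msg_id, opcode, qname


def analyse(packets, zone_masters, threshold):
    """packets: iterable of (src_ip, raw_message).
    zone_masters: {zone: set(master_ips)} for zones this server serves.
    Flags NOTIFYs for unserved zones, NOTIFYs from non-masters, and any
    source sending at least `threshold` NOTIFYs in the window."""
    notify_per_src = Counter()
    findings = []
    for src, raw in packets:
        try:
            _, opcode, qname = parse_question(raw)
        except (ValueError, IndexError, UnicodeDecodeError, struct.error):
            findings.append((src, None, "malformed"))
            continue
        if opcode != OPCODE_NOTIFY or qname is None:
            continue
        notify_per_src[src] += 1
        if qname not in zone_masters:
            findings.append((src, qname, "not-authoritative"))
        elif src not in zone_masters[qname]:
            findings.append((src, qname, "non-master"))
    suspects = {src for src, _, _ in findings}
    suspects |= {src for src, n in notify_per_src.items() if n >= threshold}
    return {"notify_per_src": dict(notify_per_src),
            "findings": findings,
            "suspects": sorted(suspects)}


# Constructed configuration and traffic sample (not real data).
ZONE_MASTERS = {"example.net": {"198.51.100.5"}}
SAMPLE_PACKETS = [
    ("192.0.2.10", build_notify(1, "hazefoul.com")),      # zone we do not serve
    ("192.0.2.10", build_notify(2, "wrungworld.com")),
    ("192.0.2.10", build_notify(3, "usadd.hk")),
    ("192.0.2.10", build_notify(4, "example.net")),       # served, but wrong source
    ("198.51.100.5", build_notify(5, "example.net")),     # legitimate master
    ("203.0.113.7", build_query(6, "www.example.net")),   # ordinary query, ignored
]

if __name__ == "__main__":
    report = analyse(SAMPLE_PACKETS, ZONE_MASTERS, threshold=3)
    for src, zone, reason in report["findings"]:
        print(f"{src:15} {reason:18} {zone}")
    print("suspects:", report["suspects"])
```

In practice the packets would come from a capture on port 53 rather than the inline list. Note that a NOTIFY for a zone the server is not authoritative for does not trigger a transfer at all; the server refuses it and logs it, which is why, as John observes, the amplification is bounded by the logging cost rather than by zone size. For zones the server does secondary, BIND's `allow-notify` option restricts which addresses may send NOTIFY beyond the configured masters, so the "non-master" case above is exactly the traffic a tightened `allow-notify` would reject.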
