[nsp-sec] 700K *abused* resolver list?

Smith, Donald Donald.Smith at qwest.com
Wed Apr 15 12:30:27 EDT 2009


I believe this attack is using the new pattern that Joe outlines here:
http://www.secureworks.com/research/threats/dns-amplification/?threat=dns-amplification

Which doesn't need open resolvers as you state below.

(coffee != sleep) & (!coffee == sleep)
Donald.Smith at qwest.com gcia   

> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Mike Lewinski
> Sent: Tuesday, April 14, 2009 12:22 PM
> To: NSP-SEC List
> Subject: Re: [nsp-sec] 700K *abused* resolver list?
> 
> ----------- nsp-security Confidential --------
> 
> Mike Lewinski wrote:
> 
> > I'm thinking that additional-from-auth and additional-from-cache may not
> > be available on some of the older BIND 8s that are out there? It may
> > also not be advisable for people who are running combined auth/caching
> > servers? Advice appreciated, TIA!
> 
> Replying to myself because the list is a little slow today and I've done
> more research....
>
> Closing recursion alone isn't enough, and mere presence of an IP address
> on the 700K list may not be an accurate indicator of open vs closed
> resolver?
> 
> http://www.secureworks.com/research/threats/dns-amplification
> 
> I see no functional difference querying "." vs "um."
> 
> 

