January 12th, 2005, 02:37 PM
New Type of DOS on Worldwide DNS Server.
This technique is used mostly by spammers. At night, they send a lot of spam from a domain that they will register the next morning. The problem is that mail servers overload the worldwide DNS servers trying to find a domain name that doesn't exist, because the domain will only be registered the day after.
Source (In French): http://www.branchez-vous.com/actu/05-01/09-133504.html
January 12th, 2005, 10:27 PM
I guess the following three questions really need answering:
1. Since the spammers rely (i.e. make money) on the delivery of their spam, this can't be an intentional Denial of Service against the master DNS servers since it is counter-productive, isn't it?
2. Since the logical answer to 1. above would seem to be no, is it possible that the spammers in question made a mistake (or were dumb), sending mail from a non-existent domain, not remembering/realizing that most mail servers will do a reverse DNS lookup of the sender to make sure they "exist"?
3. Is it possible that they are using this to reduce the initial load on their servers? Think about that... Your mail server does reverse DNS on the sender and rejects it when the RDNS fails. Spammer sends 10 million emails from a non-existent domain. The first email to a domain that does RDNS rejects the mail, so the spammer's server moves on to the next domain automagically. During the send period the spammer's server only sends successfully to those domains that do not do RDNS. Once all domains have been "tested" and sent to, they have a list of domains that do RDNS, but the overall load on their server has been reduced since only one try was made to a domain doing RDNS before it moved on to more "productive" ground. At the end of the run, and after the domain has been registered, the remaining spam can be sent out.... Rejections can be noted and passed over for the varying reasons, giving more "intelligence", and what is left is just left.... But what did they achieve? Well, now they know where they can send large numbers of spam quickly, where they can send them "slowly", where they can't send them, and they balanced the load during the entire send period.... Or am I nuts?
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides