[dns-operations] All Too Quiet?

Florian Weimer fw at deneb.enyo.de
Wed Jul 30 21:33:24 UTC 2008

* David Dagon:

> On Wed, Jul 30, 2008 at 01:18:24PM +0100, Richard Westlake wrote:
>>  How do you tell if an apparent attack is a researcher, mischief maker or 
>>  fraudster?
> Here are some rules of thumb:

The problem is that an attacker will do reconnaissance, too.  A list of
servers which are easily spoofed, and for which traffic levels have been
estimated based on TTL values, surely has some value of its own.

>   -- The host sending you suspect packs will (in my case) have a
>      webserver, offering HTML 3.2 non-js content, information, phone
>      numbers, email addresses, and a mechansim to remove your network
>      from all future probes.  This is the minimum I think rfc 1262
>      suggests; however, it seems that reverse is your only chance.

But this isn't really helpful when the web server is unreachable when
you look at your log files.

>   -- The researcher will, after an appropriate learning time,
>      respect your ICMP 'host not reachable' (3,3) messages,

On the other hand, the researcher ignores DNS REFUSED messages, so
adherence to ICMP messages seems to be rather far-fetched.

Things what I expect from researchers, but which are not generally met:

  (a) announcements on relevant mailing lists
  (b) queries for TLDs, not some constant set of domains
  (c) RD=0 queries
  (d) no ICMP response from the researcher to my REFUSED answer
  (e) source port randomization by the researcher
  (f) transaction ID randomization by the researcher
  (g) no magic in the PTR record, so that it's more reliable

(d) could mean that the probes are spoofed.  How would I know?

More information about the dns-operations mailing list