[dns-operations] MX record scanning

Gilles Massen gilles.massen at restena.lu
Wed May 11 19:27:29 UTC 2011


On 11/5/11 1:02 , Mauricio Vergara Ereche wrote:

> When you are reaching levels that start to affect the stability of your
> service it's a big deal and must be treated as an important issue... maybe
> not an attack, but with the flavor of it, even if that was not the intention
> of the first burst of the queries.

Yes, you are right... it could well be a threat. (I'd only consider 
something an attack if I'm actually the target.)

>> But the bottom line is that this is a botnet trying to send spam. Hardly
>> anything new, for CERTs business as usual.
>
> So, who's the entity in charge to report this? I don't think that my local
> cert would be able to do much with half million addresses from all over the
> world.

Why does there have to be an entity "in charge"? From an operational point of 
view the CERT to whom you are affiliated would seem the right choice. It 
might not have the resources to handle it, but should have the contacts 
to forward it to a useful place (cf. the email from Tim, Team Cymru). 
From an idealistic point of view I'd rather have law enforcement track down the 
spammers... that is the *only* effective manner.

But the point I'm trying to make is that this is not a specific DNS 
problem: DNS is one little helper in the chain. At the end of the day, 
the bot is sending a spam email and will get caught by a spamtrap. Like 
the others that are not working on a poisoned list.

>> For helping the DNS there is
>> a message to be passed to two parties. As I suspect that the spammers
>> won't listen, get the 'good' guys to stop the random email generating
>> pages.
>
> OK, that could be a start. But I don't think that will stop the botnet.
> The thing keeps growing, right?

Probably. But think plural: there is no reason this is only one botnet, 
or will remain one botnet. Actually you could put defensive measures in 
place like issuing NXDOMAIN answers with a small delay (*shudder*). But 
at the end of the day, your only option is overprovisioning. After all, 
at this stage, you could produce this level of traffic with a couple of 
laptops (if that were the intention...).

Best,
Gilles
.lu + RESTENA CSIRT
