[dns-operations] MX record scanning
Gilles Massen
gilles.massen at restena.lu
Wed May 11 19:27:29 UTC 2011
On 11/5/11 1:02 , Mauricio Vergara Ereche wrote:
> When you are reaching levels that start to affect the stability of your
> service it's a big deal and must be treated as an important issue... maybe
> not an attack, but with the flavor of it, even if that was not the intention
> of the first burst of the queries.
Yes, you are right... it could well be a threat. (I'd only consider
something an attack if I'm actually the target.)
>> But the bottom line is that this is a botnet trying to send spam. Hardly
>> anything new, for CERTs business as usual.
>
> So, who's the entity in charge to report this? I don't think that my local
> cert would be able to do much with half million addresses from all over the
> world.
Why does there have to be an entity "in charge"? From an operational point of
view the CERT to whom you are affiliated would seem the right choice. It
might not have the resources to handle it, but should have the contacts
to forward it to a useful place (cf. the email from Tim, Team Cymru).
From an idealistic point of view I'd rather have law enforcement track down the
spammers... that is the *only* effective manner.
But the point I'm trying to make is that this is not a specific DNS
problem: DNS is one little helper in the chain. At the end of the day,
the bot is sending a spam email and will get caught by a spamtrap. Like
the others that are not working on a poisoned list.
>> For helping the DNS there is
>> a message to be passed to two parties. As I suspect that the spammers
>> won't listen, get the 'good' guys to stop the random email generating
>> pages.
>
> OK, that could be a start. But I don't think that will stop the botnet.
> The thing keeps growing, right?
Probably. But think plural: there is no reason this is only one botnet,
or will remain one botnet. Actually you could put defensive measures in
place like issuing NXDOMAIN answers with a small delay (*shudder*). But
at the end of the day, your only option is overprovisioning. After all,
at this stage, you could produce this level of traffic with a couple of
laptops (if that were the intention...).
Best,
Gilles
.lu + RESTENA CSIRT
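The thread above concerns a botnet sending MX queries for randomly generated names under a zone. Before deciding on overprovisioning or delayed NXDOMAIN answers, an operator first wants to tell scanning sources apart from legitimate mail servers in the query log. The following is an added example, not code from the dns-operations thread or from any of the posters: it parses constructed, BIND-style query-log lines (the line format is an assumption modelled on BIND's query log, not copied from a real server) and flags sources whose MX queries are numerous and almost all for distinct names, which is the signature of random-address generation rather than of an MTA repeatedly looking up a few real domains.

```python
"""Flag DNS clients whose MX queries look like random-address scanning.

Added example for the dns-operations discussion; not code from the thread.
Log lines below are constructed, and the format is an approximation of a
BIND query log (assumed, not taken from a real server).
"""
import re
from collections import defaultdict

# Constructed sample: 192.0.2.10 asks MX for six distinct random labels under
# one zone, while 198.51.100.7 behaves like an MTA, repeating two real names.
SAMPLE_LOG = """\
11-May-2011 19:27:01.001 client 192.0.2.10#40001: query: xk3v9q.example.lu IN MX -E (198.51.100.1)
11-May-2011 19:27:01.004 client 192.0.2.10#40002: query: p0tz7w.example.lu IN MX -E (198.51.100.1)
11-May-2011 19:27:01.009 client 192.0.2.10#40003: query: b81mdc.example.lu IN MX -E (198.51.100.1)
11-May-2011 19:27:01.013 client 192.0.2.10#40004: query: qq2l0r.example.lu IN MX -E (198.51.100.1)
11-May-2011 19:27:01.020 client 192.0.2.10#40005: query: z5hh1n.example.lu IN MX -E (198.51.100.1)
11-May-2011 19:27:01.027 client 192.0.2.10#40006: query: o9r3kd.example.lu IN MX -E (198.51.100.1)
11-May-2011 19:27:02.100 client 198.51.100.7#53012: query: mail.example.lu IN MX -E (198.51.100.1)
11-May-2011 19:27:02.300 client 198.51.100.7#53013: query: example.lu IN MX -E (198.51.100.1)
11-May-2011 19:27:05.110 client 198.51.100.7#53014: query: mail.example.lu IN MX -E (198.51.100.1)
11-May-2011 19:27:07.120 client 198.51.100.7#53015: query: example.lu IN MX -E (198.51.100.1)
11-May-2011 19:27:09.130 client 198.51.100.7#53016: query: mail.example.lu IN MX -E (198.51.100.1)
11-May-2011 19:27:11.140 client 198.51.100.7#53017: query: example.lu IN MX -E (198.51.100.1)
11-May-2011 19:27:12.000 client 198.51.100.7#53018: query: www.example.lu IN A -E (198.51.100.1)
"""

# Matches "client <addr>#<port>: query: <qname> IN <qtype>"; IPv4 and IPv6 sources.
LINE_RE = re.compile(
    r"client (?P<src>[0-9a-fA-F.:]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_queries(log_text):
    """Yield (source, qname, qtype) for every line that matches the query pattern."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            # Normalise the name so "Foo.example.lu." and "foo.example.lu" count once.
            yield m.group("src"), m.group("qname").lower().rstrip("."), m.group("qtype")


def mx_query_profile(log_text):
    """Per source: (total MX queries, number of distinct names queried)."""
    totals = defaultdict(int)
    names = defaultdict(set)
    for src, qname, qtype in parse_queries(log_text):
        if qtype != "MX":
            continue  # only MX lookups matter for this scan pattern
        totals[src] += 1
        names[src].add(qname)
    return {src: (totals[src], len(names[src])) for src in totals}


def scanning_sources(log_text, min_mx=5, min_distinct_ratio=0.8):
    """Return sources with at least min_mx MX queries where nearly every query
    was for a different name. Thresholds are illustrative; tune them to the
    zone's normal traffic before acting on the output."""
    flagged = []
    for src, (total, distinct) in mx_query_profile(log_text).items():
        if total >= min_mx and distinct / total >= min_distinct_ratio:
            flagged.append(src)
    return sorted(flagged)


if __name__ == "__main__":
    for src, (total, distinct) in sorted(mx_query_profile(SAMPLE_LOG).items()):
        print(f"{src:16} MX queries={total:3} distinct names={distinct:3}")
    print("scanning sources:", scanning_sources(SAMPLE_LOG))
```

The distinct-name ratio is what separates the two behaviours: a legitimate MTA re-queries the same handful of names as its queue retries, while an address generator almost never repeats itself. On a real server the same profile can be fed from the query log over a sliding window and the flagged sources handed to the CERT with the counts attached.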