[dns-operations] Why would an MTA issue an ANY query instead of an MX query?

Zuleger, Holger, Vodafone Germany holger.zuleger at vodafone.com
Mon Jun 11 07:39:17 UTC 2012


> Someone mentioned that as soon as the spoofed client is blocked, that
> a new spoofed client is used... This behavior seems... strange. How
I can't confirm this behaviour.

> quick is this shift? How would one know when to shift the target? The
> modes I _can_ come up with largely involve having some sort of
> information about what is reaching the target. (bandwidth or traffic
> sources) This just leads to more interesting questions about those
> perpetrating the attacks, and their intent. Is there an obvious way of
> discerning the time to switch targets that I am missing? Is this a
> non-interesting topic?
My observation is that the source adress is changing anyway after a
while.
With or without blocking.




More information about the dns-operations mailing list