[dns-operations] cctld enumeration attack

Thu Jun 13 07:31:20 UTC 2024

Hi Thomas and Randy,

For what it's worth and from an end-user perspective in this: as a holder of many domains in many tlds, there's a new round of scams / spam where owners of domain.cctld is informed domain.com <http://domain.com/> is in pendingDelete/redemptionPeriod/... status, and trying to sell / auction the domain.com <http://domain.com/>. (just got one this morning for a .com equivalent to a .be I own)

"They" are probably building their lists...

Frank

> On 13 Jun 2024, at 09:04, Thomas Dupas via dns-operations <dns-operations at dns-oarc.net> wrote:
> 
> 
> From: Thomas Dupas <thomas.dupas at dnsbelgium.be <mailto:thomas.dupas at dnsbelgium.be>>
> Subject: Re: [dns-operations] cctld enumeration attack
> Date: 13 June 2024 at 09:04:51 CEST
> To: Randy Bush <randy at psg.com <mailto:randy at psg.com>>
> Cc: DNS Operations <dns-operations at dns-oarc.net <mailto:dns-operations at dns-oarc.net>>
> 
> 
> Hi Randy,
>  
> We saw a strange pattern a few days ago, which we initially thought came from Google resolvers, coming from GCE.
> A few 10K qps per NS instance.
> Block lasting ~12 hours, seemingly .com registrations attempted towards our cctld.
>  
> Br,
>  
> Thomas
>  
> From: dns-operations <dns-operations-bounces at dns-oarc.net <mailto:dns-operations-bounces at dns-oarc.net>> on behalf of Randy Bush <randy at psg.com <mailto:randy at psg.com>>
> Date: Wednesday, 12 June 2024 at 18:34
> To: DNS Operations <dns-operations at dns-oarc.net <mailto:dns-operations at dns-oarc.net>>
> Subject: [dns-operations] cctld enumeration attack
> 
> [Sommige personen die dit bericht ontvangen, ontvangen vaak geen e-mail van randy at psg.com <mailto:randy at psg.com>. Informatie over waarom dit belangrijk is op https://aka.ms/LearnAboutSenderIdentification] <https://aka.ms/LearnAboutSenderIdentification%5d>
> 
> anyone else seeing somewhat serious distributed cctld enumeration
> attempts?
> 
> randy
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net <mailto:dns-operations at lists.dns-oarc.net>
> https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.dns-oarc.net%2Fmailman%2Flistinfo%2Fdns-operations&data=05%7C02%7Cthomas.dupas%40dnsbelgium.be%7C76bd003a0eef431d351308dc8afd8aae%7C695195dec0cb447892042a861e60e59c%7C0%7C0%7C638538068766321960%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=uSGMrDl30DWQyOssYgHswQDoWsw4GdvHJJGrvB8eYCU%3D&reserved=0 <https://lists.dns-oarc.net/mailman/listinfo/dns-operations>
> 
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net <mailto:dns-operations at lists.dns-oarc.net>
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20240613/5789dfbd/attachment-0001.html>