Message-ID: <1070551489.3190.10.camel@tantor.nuclearelephant.com>
From: jonathan at nuclearelephant.com (Jonathan A. Zdziarski)
Subject: new dos attack?

> Now assuming you are the ISP, is there any way to get all those domains
> pointed to somewhere else without having to define them all on your name
> servers? Can't you fax the registrar or something to park them or is this
> pretty much a really difficult type of attack to fight off?

Spam in its present state doesn't in general (with some exceptions) use
a valid return address.  They are still being forged which means the DNS
queries are for yahoo, aol, and other frequent forgeries.

The only real area I can see a lot of potential resolution is with URLs
that people click on in emails.  In a majority of spams I've seen,
however, spammers are still using IP addresses instead of domain names
as their goal is to hide as much revealing information as possible to
pass them through spam filters [insert rant for Bayesian style
filtering]. 

If they did do this though, I would think that name server caching would
significantly reduce the number of queries, helping to share the load of
the problem.   Every customer query to aol.com doesn't hit aol's
nameservers (fortunately for AOL)...it hits first the user's local
nameserver cache, and second the ISP's cache...with a large company like
AOL, it'll also hit the ISP's web/ns  inverse cache servers long before
it ever touches their actual name servers.

Some individuals are coding spam filters that actually perform HTTP gets
on the URLs in the spams, in an attempt to DoS the spammers.  I would be
more concerned about this type of DoS.

Jonathan


