To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------
I see two possibilities:

My first guess would be a DDOS type attack - if an attacker could find
a number of DNS servers that would actually request a transfer in
response to a NOTIFY for an arbitrary domain, and at least one
nameserver for that domain allows zone transfers, then he could have
an enormous bandwidth amplifier - send out a hundred NOTIFYs per
second, and your target gets stuck transferring the entire zone a
hundred times a second.

The second possibility I can imagine would be a DNS cache poisoning
attack - if you can trick your victim's nameserver into launching a NS
query, and spoof the response, then you can become the nameserver for
that domain for a time.

Checking a few of those domains at random, I got NXDOMAIN responses -
which suggests the DDOS angle doesn't make much sense.

Regards
Mark


On 9/5/07, Alan Clegg <[EMAIL PROTECTED]> wrote:
> I have a client whose nameservers are being flooded by DNS NOTIFY
> packets for the list of domains at the bottom of this message.
>
> Beyond the domains being used as spam sources, does anyone on the list
> see anything that links these domains?
>
> We are trying to figure out the commonality between them that would
> cause the behavior that we are seeing... Why would about eight machines
> be pummeling a major provider's DNS servers with NOTIFY (i.e., domain
> updated, please do a transfer) messages?
>
> Here's the list:
>
> Thanks,
> AlanC
> --
> In the beginning of a change, the patriot is a scarce man, brave,
> hated, and scorned.  When his cause succeeds however, the timid
> join him, for then it cost nothing to be a patriot.
_______________________________________________
To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
All list and server information are public and available to law enforcement 
upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
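
The thread's first hypothesis depends on whether a receiving server would act on a NOTIFY for a zone it does not serve or from a host that is not its configured master. The following is an added example, not part of the original messages: it tallies such unsolicited NOTIFYs per source from name server logs. The log lines are constructed and modelled on BIND 9 "named" messages (an assumed format); the addresses, zone names and function names are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on BIND 9 "named" notify messages
# (assumed log format; addresses and zones are documentation placeholders).
SAMPLE_LOG = """\
05-Sep-2007 10:00:01.100 client 192.0.2.10#40001: received notify for zone 'zone-a.example': not authoritative
05-Sep-2007 10:00:01.150 client 192.0.2.10#40002: received notify for zone 'zone-b.example': not authoritative
05-Sep-2007 10:00:01.200 client 192.0.2.10#40003: received notify for zone 'zone-a.example': not authoritative
05-Sep-2007 10:00:02.000 zone customer.example/IN: refused notify from non-master: 192.0.2.11#40100
05-Sep-2007 10:00:03.000 client 198.51.100.5#53: received notify for zone 'customer.example'
"""

# NOTIFY for a zone this server does not serve at all.
NOT_AUTH = re.compile(
    r"client (\S+?)#\d+: received notify for zone '([^']+)': not authoritative")
# NOTIFY for a zone we are secondary for, but from a host that is not its master.
NON_MASTER = re.compile(
    r"zone ([^/\s]+)/IN: refused notify from non-master: (\S+?)#\d+")

def unsolicited_notifies(log_text):
    """Return {source_ip: {"count": n, "zones": set}} for rejected NOTIFYs only."""
    stats = defaultdict(lambda: {"count": 0, "zones": set()})
    for line in log_text.splitlines():
        m = NOT_AUTH.search(line)
        if m:
            src, zone = m.group(1), m.group(2)
        else:
            m = NON_MASTER.search(line)
            if not m:
                continue  # accepted NOTIFYs and unrelated lines are ignored
            zone, src = m.group(1), m.group(2)
        stats[src]["count"] += 1
        stats[src]["zones"].add(zone)
    return dict(stats)

def flag_sources(stats, min_count=3):
    """Sources whose rejected-NOTIFY count reaches the (hypothetical) threshold."""
    return sorted(s for s, v in stats.items() if v["count"] >= min_count)

if __name__ == "__main__":
    stats = unsolicited_notifies(SAMPLE_LOG)
    for src in flag_sources(stats):
        print(src, stats[src]["count"], sorted(stats[src]["zones"]))
```

Every line counted here is a NOTIFY the server declined to act on, so a high count indicates a flood that is being absorbed rather than one that is triggering transfers.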
