That scheme requires a high traffic site. Obviously, logging requests to
root servers also produces a pretty complete list of recursors after a
time.

However, LittleScriptKiddie (tm) doesn't have those capabilities.

Hopefully, the root operators, and the operators of such high volume
sites aren't script kiddies, and they hire responsible and
trustworthy staff.

If you assume the roots and high volume sites are run by
scriptkiddies/abusers, all kinds of mischief becomes possible: this
would be insignificant in comparison. I don't think anyone considers
that to be a threat case, and I think ICANN and DoC (in the case of the
roots anyway), have an obligation to ensure that it isn't.

Because the root operators and high volume sites hire trustworthy
people, this kind of detection without scanning isn't a threat.
Although..... it probably should be considered in the analysis of the
recent actual abuse, which (strangely) did use recursors, a limited
small group of people can get this information effortlessly without
scanning.

Scriptkiddies still have to scan for recursors, and have lists of the
existing domains, which gives them the authority servers, which can be
searched for large records without raising suspicion.

The population that is most likely to conduct a DOS attack (that is,
scriptkiddies, not root server operators) would be able to abuse
authority servers much more easily than recursors.

                --Dean


On Tue, 13 Mar 2007, Joe Abley wrote:

> Incidentally,
> 
> On 13-Mar-2007, at 14:00, Dean Anderson wrote:
> 
> > By contrast, searching for recursors is (unless you've discovered some
> > interesting new way of finding them without scanning---I'm very
> > interested to hear about that) something that can be detected, so that
> > the abusers can be identified.
> 
> 1. Host some popular content somewhere which will be resolved (most  
> of the time) using a DNS name whose authority servers you control.
> 
> 2. Turn on query logging on the authority servers.
> 
> 3. Wait.
> 
> 4. Extract list of recursive servers from log.
> 
> That finds you a long list of recursive servers. You can then either  
> refine the list by probing individual servers to see whether they  
> will perform recursive queries for you, or you can assume that enough  
> of them will be open that the duds really don't matter.
> 
> The more popular the content, the less time will elapse in step 3.
> 
> 
> Joe
> 
> 
> 

-- 
Av8 Internet   Prepared to pay a premium for better service?
www.av8.net         faster, more reliable, better service
617 344 9000   



_______________________________________________
DNSOP mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/dnsop
