> On 2 Nov 2023, at 20:25, Stephane Bortzmeyer wrote:
>
> On Thu, Nov 02, 2023 at 04:09:24PM +1100,
> Mark Andrews wrote
> a message of 90 lines which said:
>
>> I also see QNAME minimisation in action as the QTYPE is NS. This
>> could just be open recursive servers using QNAME minimisat
On 02/11/2023 05:15, Randy Bush wrote:
ya, right, and at a whole bunch of other cctld servers
from a network called domaincrawler-hosting
It looks like a list-based attempt to discover domain names registered
in some small ccTLDs. The problem with some of the queries is that a few
of the sec
> I might be reading this wrong, but I don't think the point Randy was
> trying to make was 'NS queries are an attack', 'UDP packets are an
> attack' or 'IP packets are an attack' . I base this on the list of
> queries Randy decided to include as relevant to the thesis Randy was
> trying to make, i
On Thu, Nov 02, 2023 at 04:09:24PM +1100,
Mark Andrews wrote
a message of 90 lines which said:
> I also see QNAME minimisation in action as the QTYPE is NS. This
> could just be open recursive servers using QNAME minimisation.
> With QNAME minimisation working correctly all parent zones sho
On Thu, 2 Nov 2023 at 10:32, Mark Andrews wrote:
> You missed the point I was trying to make. While I think that that source is
> trying to enumerate some part of the namespace, NS queries by themselves
> don’t indicate an attack. Others would probably see the series of NS queries
> as a sig
You missed the point I was trying to make. While I think that that source is
trying to enumerate some part of the namespace, NS queries by themselves don’t
indicate an attack. Others would probably see the series of NS queries as a
signature of an attack when they are NOT. There needs to be m
ya, right, and at a whole bunch of other cctld servers
from a network called domaincrawler-hosting
shall we smoke another?
/home/randy> sudo tcpdump -pni vtnet0 -c 500 port 53 and net 193.235.141
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vtnet0, lin
While I see evidence for the claim, 5-character left-hand label and all
non-existent.

I also see QNAME minimisation in action as the QTYPE is NS. This could just be
open recursive servers using QNAME minimisation. With QNAME minimisation working
correctly all parent zones should see is NS qu
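To make Mark's point concrete, here is an added toy model of QNAME minimisation (RFC 9156) viewed from the authoritative side. It is not code from anyone in this thread or from any resolver; the zone layout, the names and the stand-in ccTLD "example." are constructed for the illustration. It assumes the resolver minimises with QTYPE NS, starts from a cold cache at the root, treats a NOERROR/NODATA reply to a minimised name as "exists, add the next label", and stops on NXDOMAIN (RFC 8020). The last two functions show that the single NS query a minimising resolver sends to the TLD for a non-existent label is the same query a list-based enumerator would send, which is why an NS query on its own is not a signature of anything.

```python
"""Toy model of QNAME minimisation as seen by the zones being queried.

Added illustration for the thread; not code from any poster or resolver.
Constructed namespace: 'example.' stands in for a small ccTLD.
"""
from typing import List, Set, Tuple

Query = Tuple[str, str, str, str]   # (zone queried, qname, qtype, result)

# ZONE_CUTS are delegation points; EXISTING is every name in the tree
# (delegation points included).  Both are constructed for this example.
ZONE_CUTS: Set[str] = {".", "example.", "foo.example."}
EXISTING: Set[str] = ZONE_CUTS | {"www.foo.example.", "b.foo.example.",
                                  "a.b.foo.example."}


def _labels(name: str) -> List[str]:
    """Absolute name -> labels, root dropped: 'a.b.' -> ['a', 'b']."""
    return [l for l in name.rstrip(".").split(".") if l]


def _suffix(name: str, count: int) -> str:
    """Rightmost `count` labels of `name` as an absolute name ('.' for 0)."""
    labs = _labels(name)
    return ".".join(labs[len(labs) - count:]) + "." if count else "."


def resolve_minimised(qname: str, qtype: str,
                      zone_cuts: Set[str] = ZONE_CUTS,
                      existing: Set[str] = EXISTING) -> List[Query]:
    """Queries a minimising resolver sends while resolving qname/qtype.

    Each tuple records which zone's servers were asked, the qname and
    qtype they saw, and whether they returned REFERRAL, NOERROR or NXDOMAIN.
    """
    trace: List[Query] = []
    zone = "."                          # closest enclosing zone known so far
    total = len(_labels(qname))
    n = 1                               # labels in the current minimised name
    while n <= total:
        name = _suffix(qname, n)
        last = n == total
        qt = qtype if last else "NS"    # only the full name carries the real QTYPE
        if name in zone_cuts and name != zone:
            # `zone` delegates `name`: follow the referral to the child zone.
            trace.append((zone, name, qt, "REFERRAL"))
            zone = name
            if not last:
                n += 1                  # the next label is asked of the child
        elif name in existing or name in zone_cuts:
            # Exists below `zone` but is not a delegation: NOERROR
            # (NODATA for the NS probe, an answer for the final query).
            trace.append((zone, name, qt, "NOERROR"))
            n += 1
        else:
            # Nothing below a non-existent name exists either (RFC 8020).
            trace.append((zone, name, qt, "NXDOMAIN"))
            break
    return trace


def observed_by(trace: List[Query], zone: str) -> List[Tuple[str, str, str]]:
    """What the authoritative servers for `zone` alone saw."""
    return [(q, t, r) for z, q, t, r in trace if z == zone]


def enumerator_queries(zone: str, candidates: List[str],
                       zone_cuts: Set[str] = ZONE_CUTS,
                       existing: Set[str] = EXISTING) -> List[Tuple[str, str, str]]:
    """What the same servers see from a list-based enumerator that sends one
    NS query per candidate label directly below the zone apex."""
    out = []
    for label in candidates:
        name = f"{label}.{zone}" if zone != "." else f"{label}."
        if name in zone_cuts:
            res = "REFERRAL"
        elif name in existing:
            res = "NOERROR"
        else:
            res = "NXDOMAIN"
        out.append((name, "NS", res))
    return out


if __name__ == "__main__":
    for q in ("www.foo.example.", "x.abcde.example.", "a.b.foo.example."):
        print(q)
        for step in resolve_minimised(q, "A"):
            print("   %-14s <- %-22s %-3s %s" % step)
    # The TLD stand-in sees exactly one NS query per resolution; for a
    # non-existent label it is indistinguishable from an enumerator's probe.
    print(observed_by(resolve_minimised("x.abcde.example.", "A"), "example."))
    print(enumerator_queries("example.", ["abcde"]))
```

Run it as a script to see the per-zone view: the root and "example." servers never see the full name or the original QTYPE, only an NS query for the next label down, and the NXDOMAIN for "abcde.example." reaches the TLD whether the source was a minimising resolver chasing a typo or a crawler working through a wordlist.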
Randy, thanks for sharing, I didn't know this is actually done. Any idea if
they use something clever or just exhaustive search? thanks Amir
--
Amir Herzberg
Comcast professor of Security Innovations, Computer Science and
Engineering, University of Connecticut
Homepage: https://sites.google.com/s
i have blocked a zone enumerator, though i guess they will be a
whack-a-mole
others have reported them as well
/home/randy> sudo tcpdump -pni vtnet0 -c 10 port 53 and net 193.235.141
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vtnet0, link-type EN10MB (