[rbldnsd] possible ddos vector against rbldnsd: negative cache overflow
Jeff Chan
jeffc at surbl.org
Sat Jun 9 10:40:24 MSD 2007
My colleague in the Netherlands Raymond Dijkxhoorn
reports that Dutch ISP xs4all was seeing Storm-infected computers
possibly trying to DDoS our nameservers in addition to our web
site.

xs4all said they were seeing the infected computers send repeated
DNS queries to our blacklist nameservers. They would try a query
and if it was positively cached (a matching blacklist hit), it
would not repeat. If they hit a negatively cached (blacklist
non-match) they would repeatedly query that. This suggests that
they have possibly tried to analyze weaknesses in the rbldnsd DNS
server that is widely used to serve blacklist zone files for
pretty much all major blacklists: Spamhaus, surbl.org, uribl.com,
CBL and probably nearly every blacklist of significance.

IIRC I have the negative and positive caching timeouts set to 15
minutes for SURBL zone files, so one might think there's little
difference in positive and negative caching. However the
practicalities may be different. In particular, the positive
caching space is of relatively fixed size since it refers to
specific instances actually existing in the published zone data.
Negatively cached instances can in principle be infinite, i.e.,
the infinitely larger universe of things not specifically in the
blacklist data. Therefore this may be an attempt to overflow
rbldnsd's negative cache. I will report this to the rbldnsd
author and ask if he can make (or already has made) a version
that addresses this possibility.

Jeff C.

P.S. surbl.org mail is still intermittent.

P.P.S. Please excuse my lack of timely/any responses; in
addition to the mail issues we're trying to fix a lot of
different issues now partially as a result of the DDoS attack
against us.
--
Jeff Chan
mailto:jeffc at surbl.org
http://www.surbl.org/
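As an added illustration of the asymmetry the post reasons about (example code written for this page, not rbldnsd's or the author's), the following models a DNSBL lookup cache whose positive side can never exceed the zone while the negative side grows with every distinct unlisted name unless it is explicitly capped with LRU eviction. The zone contents and query names are constructed.

```python
from collections import OrderedDict

# Constructed sample blacklist zone: positive answers can only ever be these names.
ZONE = {"1.0.0.127", "2.0.0.127", "3.0.0.127"}


class LookupCache:
    """Positive entries are bounded by the zone; negative entries need a cap."""

    def __init__(self, negative_cap=None):
        self.positive = {}                # can never exceed len(ZONE)
        self.negative = OrderedDict()     # LRU order; None cap = unbounded
        self.negative_cap = negative_cap
        self.stats = {"pos_hit": 0, "neg_hit": 0, "miss": 0, "evicted": 0}

    def lookup(self, name):
        if name in self.positive:
            self.stats["pos_hit"] += 1
            return True
        if name in self.negative:
            self.negative.move_to_end(name)   # refresh LRU position
            self.stats["neg_hit"] += 1
            return False
        self.stats["miss"] += 1
        listed = name in ZONE
        if listed:
            self.positive[name] = True
        else:
            self.negative[name] = True
            if self.negative_cap is not None and len(self.negative) > self.negative_cap:
                self.negative.popitem(last=False)   # drop least recently used
                self.stats["evicted"] += 1
        return listed


def simulate(negative_cap, distinct_misses, repeats=0):
    """Return (positive_size, negative_size, evictions, negative_hits).
    Repeating one unlisted name only yields negative hits; distinct unlisted
    names are what grow an uncapped negative cache."""
    cache = LookupCache(negative_cap)
    for name in sorted(ZONE):
        cache.lookup(name)
    for i in range(distinct_misses):
        cache.lookup(f"{i}.0.0.10")            # constructed, never listed
    for _ in range(repeats if distinct_misses else 0):
        cache.lookup(f"{distinct_misses - 1}.0.0.10")   # most recent, still cached
    return len(cache.positive), len(cache.negative), cache.stats["evicted"], cache.stats["neg_hit"]
```

With no cap, ten thousand distinct unlisted queries leave ten thousand negative entries against three positive ones; with a cap of 100 the negative side stays at 100 and the rest are evicted.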