Stopping name server abuse

Darcy Kevin (FCA) kevin.darcy at fcagroup.com
Wed Jun 27 21:42:06 UTC 2018 

IANAL, but even if one considers this scenario to constitute a DDoS attack, and there is plenty of case law supporting prosecution under CFAA (Computer Fraud and Abuse Act) for DDoS attacks, CFAA generally requires *intent*, and this appears to be simple negligence.

"Trespass to chattel" might be another possibility, but only as a civil (not criminal) complaint. And one would have to prove damages, which might be difficult to assess, or simply _de_minimis_.

													- Kevin

-----Original Message-----
From: bind-users <bind-users-bounces at lists.isc.org> On Behalf Of Barry Margolin
Sent: Tuesday, June 26, 2018 10:42 AM
To: comp-protocols-dns-bind at isc.org
Subject: Re: Stopping name server abuse

In article <mailman.87.1529956879.803.bind-users at lists.isc.org>,
 Paul Kosinski <bind at iment.com> wrote:

> Somebody who has irresponsibly (and apparently wantonly, given his 
> refusal to fix it) delegated his domain(s) to your DNS server is 
> essentially causing a (modest bandwidth) distributed denial of service 
> attack on your server. I don't think that the "responsible" thing to 
> do is to sit there and suffer from a significantly increased load.

Good luck getting him prosecuted under any kind of computer abuse law. 
That would be like calling the cops on a sibling who is poking you, claiming that it's assault.

> What should be done is to get the domain(s) revoked if the owner 
> continues to refuse to remedy the problem: it is *he*, not you, who is 
> being irresponsible. And if the queries are coming via an innocent 
> ISP's resolver, then they are inadvertently assisting in the attack, 
> and should be contacted and asked to help in the remediation. (Note 
> that *their* resources, as well as yours, are being wasted.)

I doubt any ISPs will do anything about it. It's probably negligible relative to their total DNS volume, and would be more trouble than it's worth to add filters to block it.

The domain registrar is the place to go, I expect most of them have standard procedures for exactly this problem.

--
Barry Margolin
Arlington, MA
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users at lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

More information about the bind-users mailing list