Interesting interaction between Blaster worm variants and Verisign DNS change

I think that an interesting interaction involving:

1) Blaster worm DDoS attack against Windows Update.
2) The default action of Windows 2000 and XP computers
to automatically append the domain name under "Network
Identification" or the suffix search list to DNS lookups.
3) The number of non-existent domains that exist in the
above settings.
4) The change that Verisign made so that all non-existent
domains resolve to

is the cause of the DDoS attack that Verisign is experiencing.

It is simple to reproduce 2-4. Reconfigure any Windows 2000
computer or XP computer so that its domain name does not
exist or so that the first domain name in its domain suffix
search order does not exist and then do an nslookup. It
will append the domain you added to your lookup and the result
of the lookup will be if the domain you added
does not exist. All that is needed next is a machine satisfying
this condition to have a variant of the Blaster worm that is
performing its DDoS against It will instead
send its traffic to In a network of roughly
30,000 computers we have had 2 with this combination of troubles.

Jeremy Powell
San Bernardino County Superintendent of Schools
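
The interaction described in points 2-4, as an added example that is not part of the original post: a simplified model of a suffix search list meeting a registry-level wildcard, plus a check that flags configured suffixes answered only by the wildcard. Every name (reserved .test domains), the 192.0.2.x addresses and the function names are constructed; the model assumes the queried name itself returns no address and that a dotted name is tried as-is before suffixes are appended.

```python
# Simplified model (assumption) of a stub resolver's suffix search list and a
# registry-level wildcard. Names use the reserved .test TLD; addresses are from
# 192.0.2.0/24. All data below is constructed for illustration.
WILDCARD_ADDR = "192.0.2.1"  # stand-in for the wildcard's address

def make_lookup(records, registered, wildcard_tlds=()):
    """Return lookup(name) -> address, or None when no address comes back."""
    def lookup(name):
        name = name.rstrip(".").lower()
        if name in records:
            return records[name]
        labels = name.split(".")
        # The wildcard only answers for names under unregistered domains.
        if labels[-1] in wildcard_tlds and ".".join(labels[-2:]) not in registered:
            return WILDCARD_ADDR
        return None
    return lookup

def candidates(name, suffixes):
    """Names tried, in order, for a query typed without a trailing dot."""
    if name.endswith("."):
        return [name]
    as_is = [name] if "." in name else []
    return as_is + [f"{name}.{s}" for s in suffixes]

def resolve(name, suffixes, lookup):
    """Return (answering_name, address) for the first candidate that resolves."""
    for cand in candidates(name, suffixes):
        addr = lookup(cand)
        if addr is not None:
            return cand, addr
    return None, None

def stale_suffixes(suffixes, lookup):
    """Suffixes that answer exactly like a made-up sibling name: wildcard hits."""
    flagged = []
    for s in suffixes:
        probe = lookup("nx-probe-0000." + s.rsplit(".", 1)[-1])
        if probe is not None and lookup(s) == probe:
            flagged.append(s)
    return flagged

RECORDS = {"corp.test": "192.0.2.53", "www.corp.test": "192.0.2.80"}
REGISTERED = {"corp.test", "target.test"}   # target.test exists but has no address
SUFFIXES = ["oldname.test", "corp.test"]    # first suffix was never registered

before = make_lookup(RECORDS, REGISTERED)
after = make_lookup(RECORDS, REGISTERED, wildcard_tlds={"test"})
```

Resolving "target.test" or the short name "www" with `before` and then with `after` shows the first non-existent suffix capturing both lookups once the wildcard is in place; `stale_suffixes(SUFFIXES, after)` lists the suffix to remove from the client configuration.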