[161713] in North American Network Operators' Group
Re: Open Resolver Problems
daemon@ATHENA.MIT.EDU (Jared Mauch)
Mon Mar 25 21:13:43 2013
From: Jared Mauch <jared@puck.nether.net>
In-Reply-To: <5150BE64.2020907@pubnix.net>
Date: Mon, 25 Mar 2013 21:13:27 -0400
To: ahebert@pubnix.net
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Mar 25, 2013, at 5:15 PM, Alain Hebert <ahebert@pubnix.net> wrote:
> Well,
>
> On 03/25/13 16:45, Jared Mauch wrote:
>> On Mar 25, 2013, at 2:04 PM, Jay Ashworth <jra@baylink.com> wrote:
>>
>>> ----- Original Message -----
>>>> From: "Jared Mauch" <jared@puck.nether.net>
>>>> Open resolvers pose a security threat.
>>> Could you clarify, here, Jared?
>>>
>>> Do "open DNS customer-resolver/recursive servers" *per se* cause a problem?
>>>
>>> Or is it merely "customer zone servers which are misconfigured to recurse",
>>> as has always been problematic?
>>>
>>> That is: is this just a reminder we never closed the old hole, or
>>> notification of some new and much nastier hole?
>> There have been some moderate size attacks recently that I won't go into detail here about. The IPs that are on the website are certainly being used/abused. A recent attack saw a 90% match rate against the "master list" here. This means your open resolver is likely being used.
>>
>> Anything to raise the bar here will minimize the impact to those networks under attack. Turn on RPF facing your colocation and high-speed server lans. We all know hosts become compromised. Help minimize the impact of these attacks by
>>
>> a) doing BCP-38
>> b) locking down your recursive servers to networks you control
>> c) locking down your authority servers to not provide the same answer 15x in a second to the same querying IP. If it's asking that same question 15x, then it's not you that's broken, it's that client. (Or it's being abused).
>>
>> - Jared
>
> I think most of the audience here knows and are sensitive about it.
>
> The problems come from those who don't give a *shit*... And
> they've been not giving a *shit* about it for years.
>
> The magic is in "how" to make them care
If this started to move into an AUP violation direction (e.g.: ala spammers, etc) would that motivate people?
> Do the industry need to go "a la PCI-DSS" for Peers?
I think that any effort we can take here to help educate people to the right standards is helpful. I'd like to see people fix hosts, routers and a number of other things.
> PS: My pico ISP is soooo on your list Jared =D Not for long hopefully.
Appreciated. And many thanks for others that have emailed me saying their hosts have been fixed as well, and those that have emailed me updated text for the webpage.
- jared
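Jared's point (c), a single client asking the same question 15 times within one second, turned into a small detection check over query logs. This is an added example, not code from the thread or from any resolver software; the log line format, the sample lines, the client addresses and the one-second sliding window are constructed assumptions.

```python
# Flag clients that repeat the identical DNS question THRESHOLD or more
# times within WINDOW seconds (Jared's "15x in a second" heuristic).
# Added example: log format and sample data below are constructed.
from collections import defaultdict, deque
from datetime import datetime

THRESHOLD = 15   # identical questions from one client ...
WINDOW = 1.0     # ... within this many seconds

def parse_line(line):
    """Parse a constructed query-log line:
    '<ISO timestamp> <client-ip> <qname> <qtype>'."""
    ts, client, qname, qtype = line.split()
    return datetime.fromisoformat(ts).timestamp(), client, qname.lower(), qtype.upper()

def find_abusers(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {(client, qname, qtype): peak_hits} for every client/question
    pair that reached the threshold inside any sliding window."""
    recent = defaultdict(deque)   # key -> timestamps still inside the window
    flagged = {}
    for line in lines:
        ts, client, qname, qtype = parse_line(line)
        key = (client, qname, qtype)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:   # expire old timestamps
            q.popleft()
        if len(q) >= threshold:
            flagged[key] = max(flagged.get(key, 0), len(q))
    return flagged

# Constructed sample: one client sends 20 ANY queries in 0.38 s (flagged),
# a normal client asks twice, a third asks 14 times in 0.91 s (just under the bar).
SAMPLE_LOG = (
    [f"2013-03-25T21:00:00.{i * 20000:06d} 192.0.2.10 example.net ANY" for i in range(20)]
    + ["2013-03-25T21:00:00.100000 198.51.100.7 example.net A",
       "2013-03-25T21:00:03.000000 198.51.100.7 www.example.net AAAA"]
    + [f"2013-03-25T21:00:10.{i * 70000:06d} 203.0.113.5 example.net TXT" for i in range(14)]
)

if __name__ == "__main__":
    for (client, qname, qtype), hits in find_abusers(SAMPLE_LOG).items():
        print(f"{client} asked {qname}/{qtype} {hits}x within {WINDOW}s")
```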