[161999] in North American Network Operators' Group
Re: Open Resolver Problems
daemon@ATHENA.MIT.EDU (Jared Mauch)
Sun Mar 31 21:46:51 2013
From: Jared Mauch <jared@puck.nether.net>
In-Reply-To: <CAAAwwbVHfGYN824_R_zeiYbRU9aFytG=zbmiQjnz1h19agbGLg@mail.gmail.com>
Date: Sun, 31 Mar 2013 21:46:36 -0400
To: Jimmy Hess <mysidia@gmail.com>
Cc: nanog@nanog.org
On Mar 31, 2013, at 5:09 PM, Jimmy Hess <mysidia@gmail.com> wrote:
> On 3/29/13, Scott Noel-Hemming <frogstarr78@gmail.com> wrote:
>>> Some of us have both publicly-facing authoritative DNS, and inward
>>> facing recursive servers that may be open resolvers but can't be
>>> found via NS entries (so the IP addresses of those aren't exactly
>>> publicly available info).
>> Sounds like you're making the faulty assumption that an attacker would use
>> normal means to find your servers.
>
> A distributed scan of the entire IPv4 space for all internet IPs
> running open DNS servers is fairly doable; actually a long term scan
> taking 100 to 200 days of continuous DNS scanning is completely
> trivial.
I updated the openresolverproject.org data in less than 8 hours.
The system would scan 1.0.0.0, 1.0.0.1, … in sequence.
Next time it runs, it's going to use a slightly different method which may expose a few more servers.
The 2013-Mar-31 data showed:
2,471,484 servers returned refused. (369k change downward)
20,675,738 with correct answer in packet.
If I extrapolate 369k/week closing, everything will be closed in about a year.
(Compared to 2.1 mil refused the week before; compared to 21.4 Million with correct answer in packet the week before).
I know many people are working on their respective hosts and/or network to close things down.
Many thanks to everyone that is treating this as a critical issue to close these hosts.
- jared
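The two response classes Jared reports ("returned refused" versus "correct answer in packet") are exactly what an open-resolver probe has to distinguish: a host that answers a recursive query with RCODE 5 (REFUSED) is listening but not serving the public, while one that returns the expected A record with RCODE 0 is an open resolver. The following is an added example written for this archive page, not the openresolverproject.org scanner or any code from the thread. It builds a wire-format recursive A query, parses the reply (including name compression), and classifies it; the sample replies, the target addresses 10.0.0.1 through 10.0.0.3, the query name example.com and the expected answer 93.184.216.34 are all constructed fixtures, not captured traffic. A real scan would query a name the scanner controls so the expected answer is known in advance.

```python
"""Build a recursive DNS query and classify replies the way an open-resolver scan does.

Added example for illustration; fixtures below are constructed, not captured.
"""
import socket
import struct

RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(qname: str, txid: int = 0x1234) -> bytes:
    """Wire-format A query for qname with RD=1 (RFC 1035 section 4.1)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD only
    question = b"".join(bytes([len(label)]) + label.encode("ascii")
                        for label in qname.rstrip(".").split(".")) + b"\x00"
    return header + question + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _read_name(pkt: bytes, off: int) -> tuple:
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, jumped, end = [], False, None
    while True:
        length = pkt[off]
        if (length & 0xC0) == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2  # caller resumes after the 2-byte pointer
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_response(pkt: bytes) -> dict:
    """Header flags plus the A records found in the answer section."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd):
        _, off = _read_name(pkt, off)
        off += 4  # skip QTYPE and QCLASS
    answers = []
    for _ in range(an):
        _, off = _read_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.append(socket.inet_ntoa(rdata))
    return {"txid": txid, "qr": bool(flags & 0x8000), "ra": bool(flags & 0x0080),
            "rcode": flags & 0x000F, "answers": answers}


def classify(pkt: bytes, expected_ip: str, txid: int = None) -> str:
    """'open-resolver' if the expected answer is present, 'refused' on RCODE 5."""
    r = parse_response(pkt)
    if not r["qr"]:
        return "not-a-response"
    if txid is not None and r["txid"] != txid:
        return "txid-mismatch"
    if r["rcode"] == 5:
        return "refused"
    if r["rcode"] == 0 and expected_ip in r["answers"]:
        return "open-resolver"
    return "other:%s" % RCODE_NAMES.get(r["rcode"], r["rcode"])


def build_response(query: bytes, rcode: int, a_records: list) -> bytes:
    """Constructed reply to `query` (test fixture): RA set only on a real answer."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8100 | (0x0080 if rcode == 0 else 0) | rcode  # QR, RD, [RA], RCODE
    header = struct.pack("!HHHHHH", txid, flags, 1, len(a_records), 0, 0)
    rrs = b"".join(b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
                   for ip in a_records)  # name is a pointer to the question at offset 12
    return header + query[12:] + rrs


QUERY = build_query("example.com")
EXPECTED = "93.184.216.34"  # assumed answer for the assumed query name
SAMPLES = {  # constructed fixtures, one per response class seen in the scan data
    "10.0.0.1": build_response(QUERY, 0, [EXPECTED]),  # open resolver
    "10.0.0.2": build_response(QUERY, 5, []),          # listening, but REFUSED
    "10.0.0.3": build_response(QUERY, 2, []),          # SERVFAIL, counted as neither
}


def scan_samples(samples: dict, expected_ip: str) -> dict:
    return {ip: classify(pkt, expected_ip, txid=0x1234) for ip, pkt in samples.items()}


def probe(ip: str, qname: str, expected_ip: str, timeout: float = 2.0) -> str:
    """Send one recursive query to ip:53 over UDP and classify whatever comes back."""
    q = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (ip, 53))
        try:
            pkt, _ = s.recvfrom(4096)
        except socket.timeout:
            return "no-answer"
    return classify(pkt, expected_ip, txid=0x1234)


if __name__ == "__main__":
    for target, verdict in scan_samples(SAMPLES, EXPECTED).items():
        print(target, verdict)
```

The transaction-ID check matters in a sequential sweep like the one described: a single scanner socket receives late replies from earlier targets, and without matching the ID a stale answer would be credited to the wrong host. Timeouts ("no-answer") are the common case across most of the address space and are best counted separately from REFUSED, since only the latter proves a listener.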