[162362] in North American Network Operators' Group


Re: Open Resolver Dataset Update

daemon@ATHENA.MIT.EDU (Jared Mauch)
Wed Apr 10 07:42:25 2013

From: Jared Mauch <jared@puck.nether.net>
In-Reply-To: <CAHGyo+-zKv2hwcK4=Yod5TPnahEEMQthVWr31pqErpyoNhgPvg@mail.gmail.com>
Date: Wed, 10 Apr 2013 07:42:06 -0400
To: "A. Pishdadi" <apishdadi@gmail.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

I sent you a private reply, but also posting publicly…


On Apr 9, 2013, at 4:55 PM, "A. Pishdadi" <apishdadi@gmail.com> wrote:

> In the last 2 weeks we have seen double the amount of DDoS attacks, and way bigger than normal. All of them being amplification attacks. I think the media whoring done during the Spamhaus debacle motivated more people to invest time building up their open resolver list, since really no one has disclosed attacks of that size and gave the blueprints of how to do it. Now we know the attack has been around for a while but no one really knew how big they could take it until a couple weeks ago.
>
> Now I know your open resolver DB is meant to get them closed but it would take only a small amount of someone's day to write a script to crawl your database. You go to fixedorbit.com or something of the sort, look up the ASes of the biggest hosting companies, plop their list of IP allocations into a text file, run the script and boom, I now have the biggest open resolver list to feed my botnet. Maybe you should require some sort of CAPTCHA or registration to view that database. While I'm sure people have other ways of gathering up the open resolvers, you just took away all the work and handed it to them on a silver platter. While I am, and others surely are, grateful for the data, I think a little more thought should be put into how you are going to deliver the data to who should have it, and that would be the network / AS they are hanging off of.

Both systems that return a referral to root and that do full recursion are being abused in attacks.

Honestly, if you send 100kpps to 2^32 IPs it would take ~12 hours. If you have 10 hosts to scan at a lower rate and skip all the 'unused' space, e.g. 0/8 10/8 127/8 224/4, you cut down the time as well.

I won't say exactly how long my weekly process takes, but it doesn't take long if you wanted to replicate the data.

About 1 in 122 hosts responds in some fashion.

That means for any given /24, expect there to be about 2 responses. While that may not be the case for some blocks, there's a good chance something is responding nearby. At some point the lack of scoping your response will result in a real problem for the person being attacked. Your hosts will get used in an attack. It's not really an IF question anymore.

- jared
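As an added self-check for a name server you administer (example code, not from the thread or from Jared's scanner): it sends one recursive query for an out-of-zone name and classifies the reply into the two behaviours the post says are abused, full recursion versus a referral to root, with REFUSED as the properly scoped outcome. The query name example.com, the UDP transport and the result labels are assumptions.

```python
import socket
import struct

# Constructed self-check (not code from the thread): ask a server you administer
# for a name it is not authoritative for, with RD=1, and classify the reply.
QNAME = "example.com"   # assumption: any out-of-zone name works the same way

def build_query(qname, txid=0x1234):
    """Build a minimal IN A query with the RD (recursion desired) bit set."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.split("."))
    return header + labels + b"\x00" + struct.pack(">HH", 1, 1)

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        ln = msg[off]
        if ln == 0:                    # root label terminates the name
            return off + 1
        if (ln & 0xC0) == 0xC0:        # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + ln

def classify_response(msg):
    """Return 'refused', 'open-recursive', 'root-referral' or 'other'."""
    _, flags, qd, an, ns, _ = struct.unpack(">HHHHHH", msg[:12])
    if (flags & 0xF) == 5:             # RCODE REFUSED: recursion properly scoped
        return "refused"
    if (flags & 0x0080) and an > 0:    # RA set plus an answer: recursion for anyone
        return "open-recursive"
    off = 12
    for _ in range(qd):                # step over the echoed question section
        off = _skip_name(msg, off) + 4
    # No answer, but authority RRs owned by "." (a lone 0x00 byte): root referral.
    if an == 0 and ns > 0 and msg[off] == 0:
        return "root-referral"
    return "other"

def check_resolver(ip, timeout=2.0):
    """Send one query over UDP to ip:53 and classify the reply (needs network)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.sendto(build_query(QNAME), (ip, 53))
        data, _ = s.recvfrom(4096)
    except socket.timeout:
        return "no-response"
    finally:
        s.close()
    return classify_response(data)
```

check_resolver("192.0.2.1") (a documentation address standing in for one of your own) returns the label for a live server; "other" usually means an authoritative answer or NXDOMAIN without a root referral.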

