[164905] in North American Network Operators' Group
Re: Spoofing ASNs (Re: SNMP DDoS: the vulnerability you might not
daemon@ATHENA.MIT.EDU (Jared Mauch)
Thu Aug 8 16:37:17 2013
From: Jared Mauch <jared@puck.nether.net>
In-Reply-To: <CAJvB4tmUYfB=UyjaqBavap4ubK+N41uE0EzkXo1Zsvrg34tsBQ@mail.gmail.com>
Date: Thu, 8 Aug 2013 16:37:11 -0400
To: Blake Dunlap <ikiris@gmail.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Aug 8, 2013, at 2:07 PM, Blake Dunlap <ikiris@gmail.com> wrote:
> On a related note, how are you actually getting this data?
Sure:

https://www.nanog.org/sites/default/files/tue.lightning3.open_resolver.mauch_.pdf

I would point you at the streaming archive, but I'm not sure where they went. Perhaps they can post them to Youtube?

Anyways, the alternate set of IPs responding is actually increasing over time:

http://openresolverproject.org/breakdown-graph2.cgi

> What you have said previously ( Number of unique IPs that spoofed a packet to me. (eg: I sent a packet to 1.2.3.4 and 5.6.7.8 responded). ) doesn't even make sense.

Many CPE devices will perform NAT on udp/53 packets received on their WAN interface and forward them to their configured DNS server. Some will just take the source IP and copy it into the packet. Because it comes in on their WAN interface, it will, instead of copying the inside NAT address, just copy my source IP from the weekly scan and use that. Since it's on the outside, it doesn't copy its outside IP and put that in, it copies mine.

- Jared

> On Thu, Aug 8, 2013 at 12:51 PM, Jared Mauch <jared@puck.nether.net> wrote:
> Oops, I pulled the wrong data (off by one column) out before a trip and didn't realize it until now.
>
> This is not the spoofer list, but the list of ASNs with open resolvers.
>
> Let me reprocess it.
>
> Apologies, corrected data being generated.
>
> - Jared
>
> On Aug 8, 2013, at 1:29 PM, Jared Mauch <jared@puck.nether.net> wrote:
>
> > The following is a sorted list from worst to best of networks that allow spoofing: (cutoff here is 25k)
> >
> > (full list - http://openresolverproject.org/full-spoofer-asn-list-201307.txt )
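
Added example, not part of the original thread and not the Open Resolver Project's code: one way to match scan replies to probes and pick out the "sent to 1.2.3.4, answered by 5.6.7.8" case described in the message above. The per-target token in the query name, the addresses, the log records and the /24 grouping (standing in for an origin-ASN lookup) are all constructed assumptions.

```python
import ipaddress
from collections import Counter

# Constructed probe log: one DNS query per target, each carrying a unique
# token in the query name so a reply can be tied back to the probed IP.
# (The token scheme is an assumption of this example.)
PROBES = {
    "t0001": "192.0.2.10",
    "t0002": "192.0.2.20",
    "t0003": "198.51.100.7",
    "t0004": "198.51.100.8",
}

# Constructed reply log: (source IP of the reply, token echoed in the question).
REPLIES = [
    ("192.0.2.10", "t0001"),    # probed IP answered itself: ordinary open resolver
    ("203.0.113.53", "t0002"),  # another IP answered: query was forwarded with our source
    ("203.0.113.53", "t0003"),  # same upstream resolver answering for a second device
    ("198.51.100.8", "zzzz"),   # unknown token: cannot be tied to a probe, ignored
]

def classify(probes, replies):
    """Split replies into direct answers and answers from an alternate IP."""
    direct, alternate = [], []
    for src, token in replies:
        target = probes.get(token)
        if target is None:
            continue  # reply we cannot correlate to a probe
        if ipaddress.ip_address(src) == ipaddress.ip_address(target):
            direct.append(target)
        else:
            alternate.append((target, src))
    return direct, alternate

def alternate_by_prefix(alternate, prefixlen=24):
    """Count probed targets per covering prefix whose reply came from elsewhere.
    A real report would map each target to its origin ASN instead of a /24."""
    counts = Counter()
    for target, _src in alternate:
        net = ipaddress.ip_network(f"{target}/{prefixlen}", strict=False)
        counts[str(net)] += 1
    return counts

if __name__ == "__main__":
    direct, alternate = classify(PROBES, REPLIES)
    print("direct:", direct)
    print("alternate:", alternate)
    print("by prefix:", dict(alternate_by_prefix(alternate)))
```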