[164907] in North American Network Operators' Group


Re: Spoofing ASNs (Re: SNMP DDoS: the vulnerability you might not

daemon@ATHENA.MIT.EDU (Blake Dunlap)
Thu Aug 8 21:14:54 2013

In-Reply-To: <E0455C30-23B4-4000-8CDF-D08540F87008@puck.nether.net>
From: Blake Dunlap <ikiris@gmail.com>
Date: Thu, 8 Aug 2013 20:13:56 -0500
To: Jared Mauch <jared@puck.nether.net>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

Thanks, this is quite interesting. I never would have expected that kind of
behavior.

-Blake


On Thu, Aug 8, 2013 at 3:37 PM, Jared Mauch <jared@puck.nether.net> wrote:

>
> On Aug 8, 2013, at 2:07 PM, Blake Dunlap <ikiris@gmail.com> wrote:
>
> > On a related note, how are you actually getting this data?
>
> Sure:
>
>
> https://www.nanog.org/sites/default/files/tue.lightning3.open_resolver.mauch_.pdf
>
> I would point you at the streaming archive, but I'm not sure where they
> went.  Perhaps they can post them to YouTube?
>
> Anyways, the alternate set of IPs responding is actually increasing over
> time:
>
> http://openresolverproject.org/breakdown-graph2.cgi
>
> > What you have said previously ( Number of unique IPs that spoofed a
> > packet to me. (eg: I sent a packet to 1.2.3.4 and 5.6.7.8 responded). )
> > doesn't even make sense.
>
> Many CPE devices will perform NAT on udp/53 packets received on their WAN
> interface and forward them to their configured DNS server.  Some will just
> take the source IP and copy it into the packet.  Because it comes in on
> their WAN interface, it will instead of copying the inside NAT address just
> copy my source IP from the weekly scan and use that.  Since it's on the
> outside, it doesn't copy its outside IP and put that in, it copies mine.
>
> - Jared
>
> > On Thu, Aug 8, 2013 at 12:51 PM, Jared Mauch <jared@puck.nether.net>
> > wrote:
> > Oops, I pulled the wrong data (off by one column) out before a trip and
> > didn't realize it until now.
> >
> > This is not the spoofer list, but the list of ASNs with open resolvers.
> >
> > Let me reprocess it.
> >
> > Apologies, corrected data being generated.
> >
> > - Jared
> >
> > On Aug 8, 2013, at 1:29 PM, Jared Mauch <jared@puck.nether.net> wrote:
> >
> > > The following is a sorted list from worst to best of networks that
> > > allow spoofing: (cutoff here is 25k)
> > >
> > > (full list -
> > > http://openresolverproject.org/full-spoofer-asn-list-201307.txt )
> >
> >
> >
>
>
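
An added illustration, not part of the original thread and not the Open Resolver Project's code, of the "sent to 1.2.3.4, 5.6.7.8 responded" mismatch described above, counted per ASN of the probed address. It assumes the scanner encodes each probed IPv4 address as a hex label in the query name; the prefixes, ASNs and response records are constructed sample data.

```python
import ipaddress
from collections import Counter

# Constructed sample data: documentation prefixes and private-use ASNs.
PREFIX_TO_ASN = {
    "192.0.2.0/24": 64500,
    "198.51.100.0/24": 64501,
    "203.0.113.0/24": 64502,
}

# (source IP of the DNS response, query name echoed back in the response)
RESPONSES = [
    ("192.0.2.10", "c000020a.scan.example."),    # probed host answered itself
    ("203.0.113.53", "c6336407.scan.example."),  # 198.51.100.7 probed, another IP answered
    ("203.0.113.53", "c6336408.scan.example."),  # 198.51.100.8 probed, another IP answered
    ("198.51.100.9", "c6336409.scan.example."),  # probed host answered itself
    ("203.0.113.53", "not-a-probe.example."),    # not one of our probes, ignored
]

def target_from_qname(qname):
    """Recover the probed IPv4 address from the leading hex label, or None."""
    label = qname.split(".", 1)[0]
    if len(label) != 8:
        return None
    try:
        return ipaddress.IPv4Address(int(label, 16))
    except ValueError:  # non-hex label or out-of-range value
        return None

def asn_for(ip):
    """Look up the origin ASN in the (constructed) prefix table."""
    for prefix, asn in PREFIX_TO_ASN.items():
        if ip in ipaddress.ip_network(prefix):
            return asn
    return None

def mismatches_by_asn(responses):
    """Count distinct probed IPs per ASN whose reply came from a different address.

    A mismatch means the probed device forwarded the query with the scanner's
    source address intact and its network let that packet out.
    """
    forwarded = set()
    for src, qname in responses:
        target = target_from_qname(qname)
        if target is not None and ipaddress.IPv4Address(src) != target:
            forwarded.add(target)
    return Counter(asn_for(t) for t in forwarded)

if __name__ == "__main__":
    print(mismatches_by_asn(RESPONSES))
```
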
