[164928] in North American Network Operators' Group
Re: Spoofing ASNs (Re: SNMP DDoS: the vulnerability you might not
daemon@ATHENA.MIT.EDU (Florian Weimer)
Sun Aug 11 11:40:05 2013
From: Florian Weimer <fw@deneb.enyo.de>
To: Jared Mauch <jared@puck.nether.net>
Date: Sun, 11 Aug 2013 17:40:28 +0200
In-Reply-To: <0E761BB8-1625-4F7F-A147-32BA3B9ADE92@puck.nether.net> (Jared
Mauch's message of "Sun, 11 Aug 2013 11:08:46 -0400")
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
* Jared Mauch:
> The incidence rate is too high for it to be multihomed hosts.
>
> Let me know if you want to look at the raw data. Very interesting stuff.
>
> Or just look for 8.8.8.8 in the openresolverproject page.
Indeed, I could verify that 5.61.0.0 can indeed spoof one of my IP
addresses to the 8.8.8.8 DNS resolver. For a cache miss, I get a
query from a Google IP address and the 8.8.8.8 reply has a plausible
TTL, so I don't think it's spoofing the response.
Apparently, they're implementing a DNS proxy by destination-NATting, and
because they also listen on the WAN interface, they get the source
address wrong.
This is quite scary.
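A small model of the misconfiguration described above, added here as an illustration and not part of the thread: a DNS proxy built as a destination-NAT rule that matches every ingress interface forwards a forged-source query arriving on the WAN to 8.8.8.8 with that source intact, while the same rule confined to the LAN interface and LAN source range drops it. The interface names, the private range and the RFC 5737 addresses are constructed, the iptables equivalents in the comments are an assumption about how such a proxy is typically built (the thread does not say), and masquerading is left out because the thread implies the forged source survives.

```python
import ipaddress
from dataclasses import dataclass

# Constructed values; only 8.8.8.8 comes from the thread.
RESOLVER = "8.8.8.8"
LAN_IF, WAN_IF = "lan0", "wan0"
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
PROXY_LAN_ADDR = "192.168.1.1"     # CPE address as seen by LAN clients
PROXY_WAN_ADDR = "198.51.100.1"    # CPE public address (RFC 5737 test net)
VICTIM = "203.0.113.5"             # third party whose address is forged


@dataclass(frozen=True)
class Packet:
    in_iface: str
    src: str
    dst: str
    dport: int


def weak_dnat(pkt: Packet):
    """Assumed equivalent of:
    iptables -t nat -A PREROUTING -p udp --dport 53 -j DNAT --to-destination 8.8.8.8
    No -i/-s match, so a port-53 packet arriving on the WAN with a forged
    source is rewritten to 8.8.8.8 and forwarded with that source unchanged."""
    if pkt.dport != 53:
        return "PASS", pkt
    return "FORWARD", Packet(pkt.in_iface, pkt.src, RESOLVER, 53)


def hardened_dnat(pkt: Packet):
    """Assumed equivalent of adding '-i lan0 -s 192.168.1.0/24' to the DNAT
    rule and dropping every other inbound port-53 packet: the CPE is a proxy
    for its own LAN only, never a resolver reachable from the Internet."""
    if pkt.dport != 53:
        return "PASS", pkt
    if pkt.in_iface == LAN_IF and ipaddress.ip_address(pkt.src) in LAN_NET:
        return "FORWARD", Packet(pkt.in_iface, pkt.src, RESOLVER, 53)
    return "DROP", pkt


def query_seen_by_resolver(policy, pkt: Packet):
    """Source address 8.8.8.8 would attribute the query to, or None if the
    packet never reaches it under the given policy."""
    verdict, out = policy(pkt)
    return out.src if verdict == "FORWARD" and out.dst == RESOLVER else None


LAN_QUERY = Packet(LAN_IF, "192.168.1.20", PROXY_LAN_ADDR, 53)
SPOOFED_QUERY = Packet(WAN_IF, VICTIM, PROXY_WAN_ADDR, 53)

if __name__ == "__main__":
    for name, policy in (("weak", weak_dnat), ("hardened", hardened_dnat)):
        print(name, "LAN client  ->", query_seen_by_resolver(policy, LAN_QUERY))
        print(name, "forged WAN  ->", query_seen_by_resolver(policy, SPOOFED_QUERY))
```

Under the weak policy the resolver attributes the forged query to the victim's address, which is exactly what the thread observed; the hardened policy still serves LAN clients but never forwards WAN-ingress port-53 traffic.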