[168506] in North American Network Operators' Group
Re: BCP38.info
daemon@ATHENA.MIT.EDU (TGLASSEY)
Tue Jan 28 13:27:41 2014
Date: Tue, 28 Jan 2014 10:27:24 -0800
From: TGLASSEY <tglassey@earthlink.net>
To: nanog@nanog.org
In-Reply-To: <BFC14D37-8AA0-46C0-BA97-48E260454958@puck.nether.net>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
We see this all the time with banking sites and some of the stock trading ones.
Todd
On 1/28/2014 5:06 AM, Jared Mauch wrote:
> On Jan 26, 2014, at 12:47 PM, Jay Ashworth <jra@baylink.com> wrote:
>
>> something like 6 years ago, and couldn't get any traction on it then;
>> I'm not sure I think much has changed -- apparently, extracting your
>> BP thoughts from mailing list postings and putting them into a wiki is
>> more effort than most NANOGers are up to.
> I do have a list of the top ASNs that can be shown to allow IP spoofing by looking at
> the DNS scans part of the OpenResolverProject:
>
> 52731 ASN7922
> 31251 ASN9394
> 25241 ASN17964
> 15951 ASN4847
> 7576 ASN17430
> 5800 ASN17430
> 4110 ASN7497
> 3645 ASN9812
> 3492 ASN6854
>
> http://openresolverproject.org/spoof-src-dst-asns-20140126.txt
>
> What the data is:
>
> It includes IP address where you send a DNS packet to it and another IP address responds to the query, e.g.:
>
> [jared@hostname ~/spoof]$ dig @101.0.37.11
> ;; reply from unexpected source: 182.19.83.65#53, expected 101.0.37.11#53
>
> The data only includes those where the “source-ASN” and “dest-asn” of these packets don’t match.
>
> - Jared
--
-------------
Personal Email - Disclaimers Apply
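
The filter described in the quoted message (keep a probe only when the replying address and the probed address fall in different ASNs), as an added example that is not part of the thread or of the OpenResolverProject's own code. The prefix table, ASNs and dig lines are constructed, and ranking by the probed address's ASN is an assumption.

```python
import ipaddress
import re
from collections import Counter

# Constructed prefix -> origin ASN table (documentation prefixes, private-use
# ASNs). A real run would load this from a BGP table dump.
PREFIX_TO_ASN = {
    "192.0.2.0/24": 64496,
    "198.51.100.0/24": 64497,
    "203.0.113.0/25": 64498,
    "203.0.113.128/25": 64496,
}
# Longest prefix first, so the first hit is the most specific match.
_TABLE = sorted(((ipaddress.ip_network(p), a) for p, a in PREFIX_TO_ASN.items()),
                key=lambda e: e[0].prefixlen, reverse=True)

# dig's warning line, in the format quoted in the message above.
UNEXPECTED = re.compile(r"reply from unexpected source: (?P<src>[0-9A-Fa-f.:]+)#\d+, "
                        r"expected (?P<dst>[0-9A-Fa-f.:]+)#\d+")

# Constructed sample output lines.
SAMPLE = [
    ";; reply from unexpected source: 198.51.100.7#53, expected 192.0.2.10#53",
    ";; reply from unexpected source: 198.51.100.9#53, expected 192.0.2.44#53",
    ";; reply from unexpected source: 203.0.113.200#53, expected 192.0.2.10#53",
    ";; reply from unexpected source: 192.0.2.1#53, expected 203.0.113.5#53",
    ";; ANSWER SECTION:",
]

def origin_asn(ip):
    """Return the origin ASN for ip, or None if no prefix covers it."""
    addr = ipaddress.ip_address(ip)
    return next((asn for net, asn in _TABLE if addr in net), None)

def cross_asn_replies(lines):
    """Count (probed ASN, responder ASN) pairs where the two differ."""
    pairs = Counter()
    for line in lines:
        m = UNEXPECTED.search(line)
        if not m:
            continue
        probed, responder = origin_asn(m["dst"]), origin_asn(m["src"])
        if None in (probed, responder) or probed == responder:
            continue  # unmapped address, or the reply came from the same ASN
        pairs[(probed, responder)] += 1
    return pairs

def top_probed_asns(pairs):
    """Assumption: rank by the ASN of the probed address."""
    totals = Counter()
    for (probed, _), n in pairs.items():
        totals[probed] += n
    return totals.most_common()
```

The third sample line is dropped because both addresses map to the same ASN in the constructed table, which is the case the quoted message says the data excludes.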