[170599] in North American Network Operators' Group


Re: new DNS forwarder vulnerability

daemon@ATHENA.MIT.EDU (Jared Mauch)
Wed Apr 2 08:55:17 2014

From: Jared Mauch <jared@puck.nether.net>
In-Reply-To: <20140402123809.1C6253C5B8FB@lawyers.icir.org>
Date: Wed, 2 Apr 2014 08:54:47 -0400
To: mallman@icir.org
Cc: nanog@nanog.org


On Apr 2, 2014, at 8:38 AM, Mark Allman <mallman@icir.org> wrote:

>
> [catching up]
>
>> That's a good question, but I know that during the ongoing survey
>> within the Open Resolver Project [http://openresolverproject.org/],
>> Jared found thousands of CPE devices which responded as resolvers.
>
> Not thousands, *tens of millions*.
>
> Our estimate from mid-2013 was 32M such devices (detailed in an IMC
> paper last year; http://www.icir.org/mallman/pubs/SCRA13/).  And, that
> roughly agrees with both the openresolverproject.org numbers and another
> (not public) study I know of.  And, as if that isn't bad enough
> ... there is a 2010 IMC paper that puts the number at 15M.  I.e., the
> instances of brokenness are getting worse---doubling in 3 years!  UGH.

One observation: The OpenResolverProject collects responses that come from
ports that the query was not sent to (i.e. the device responds from UDP/12345,
not from UDP/53, which obviously is broken and doesn't "work", but it actually
returns a DNS payload which can be used for abuse).

Some good news though:

http://openresolverproject.org/breakdown-graph1.cgi

Since the start of 2014 there seem to be new CPE devices out there that are
resolving this issue.  The linear nature of the decrease doesn't look like
something such as ISPs starting to block udp/53 to customers, which would
appear more like a step function.

I'm aware of some other studies ongoing to fingerprint CPE and their
behaviors/aggregated resolver dependencies.  I expect to see some of that
data presented at the upcoming DNS-OARC meeting in Warsaw.

Getting everyone to update their firmware on devices would go a long way as
well.  Some vendors have no software QA on this front, so they add/remove the
response on the WAN interface as their releases march forward.

- Jared
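The measurement detail Jared raises above (a CPE box answers a query sent to UDP/53 from some other source port, and the payload is still a usable DNS answer) is easy to get wrong in a scanner: a connect()ed UDP socket, or a tool such as dig, drops datagrams that do not come from the expected address *and* port, so those devices are never counted. The following is an added example written for this page, not code from the Open Resolver Project or from anyone on the thread. The function names (build_query, classify_reply, probe), the addresses 198.51.100.7 and 203.0.113.9, and the canned reply are all constructed for the demonstration.

```python
"""Open-resolver probe that does not discard replies from an unexpected port.

Added example; not code from the Open Resolver Project or the NANOG thread.
The addresses 198.51.100.7 / 203.0.113.9 and the canned reply are constructed.
"""
import secrets
import socket
import struct
from typing import Optional, Tuple


def encode_name(name: str) -> bytes:
    """Encode "a.example" as DNS labels: \\x01a\\x07example\\x00."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, qtype: int = 1, txid: Optional[int] = None) -> bytes:
    """Recursion-desired query (flags 0x0100), one question, random ID."""
    txid = secrets.randbelow(65536) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def _read_name(buf: bytes, off: int) -> Tuple[str, int]:
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        if off >= len(buf):
            raise ValueError("truncated name")
        length = buf[off]
        if length & 0xC0 == 0xC0:  # RFC 1035 compression pointer
            if off + 2 > len(buf):
                raise ValueError("truncated pointer")
            end = off + 2 if end is None else end
            off = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError("compression loop")
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (off if end is None else end)
        labels.append(buf[off:off + length].decode("ascii", "replace"))
        off += length


def parse_reply(buf: bytes) -> dict:
    """Header plus the first question: enough to match a reply to its query."""
    if len(buf) < 12:
        raise ValueError("short header")
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", buf[:12])
    qname = qtype = None
    if qd:
        qname, off = _read_name(buf, 12)
        if off + 4 > len(buf):
            raise ValueError("truncated question")
        qtype = struct.unpack("!H", buf[off:off + 2])[0]
    return {"id": txid, "qr": bool(flags & 0x8000), "rcode": flags & 0xF,
            "qname": qname, "qtype": qtype, "ancount": an}


def build_reply(query: bytes, ip: Optional[str] = None, rcode: int = 0) -> bytes:
    """Constructed test reply: echoes the question, one A record if ip given."""
    txid = struct.unpack("!H", query[:2])[0]
    rr = b""
    if ip is not None:  # owner name = pointer to offset 12 (the question name)
        rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(ip)
    header = struct.pack("!HHHHHH", txid, 0x8180 | (rcode & 0xF), 1, 1 if rr else 0, 0, 0)
    return header + query[12:] + rr


def classify_reply(query: bytes, target: Tuple[str, int],
                   reply: bytes, source: Tuple[str, int]) -> str:
    """'open-resolver' (answered from the port we sent to),
    'open-resolver-odd-port' (answered from another port: the broken-but-
    abusable CPE case), 'closed' (matched, no answer, e.g. REFUSED),
    'unrelated' (not a reply to our query), or 'garbage' (not DNS)."""
    q = parse_reply(query)
    try:
        r = parse_reply(reply)
    except ValueError:
        return "garbage"
    same_q = ((r["qname"] or "").lower() == (q["qname"] or "").lower()
              and r["qtype"] == q["qtype"])
    if source[0] != target[0] or not r["qr"] or r["id"] != q["id"] or not same_q:
        return "unrelated"
    if r["rcode"] != 0 or r["ancount"] == 0:
        return "closed"
    return "open-resolver" if source[1] == target[1] else "open-resolver-odd-port"


def probe(target_ip: str, name: str = "example.com", timeout: float = 2.0) -> str:
    """Send one query to UDP/53 and classify whatever arrives, from any port.
    Deliberately NOT connect()ed: a connected UDP socket only delivers
    datagrams from the connected address and port and would drop the
    odd-port answers this probe exists to count."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (target_ip, 53))
        try:
            data, source = s.recvfrom(4096)
        except socket.timeout:
            return "no-reply"
    return classify_reply(query, (target_ip, 53), data, source)
```

The match in classify_reply is on source address, transaction ID and question, never on source port, so the odd-port devices are counted alongside the well-behaved ones while still being distinguishable in the results; probe() only wraps that with a live send/receive for a real target and is not exercised offline.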

