I sent you a private reply, but also posting publicly… On Apr 9, 2013, at 4:55 PM, "A. Pishdadi" <apishdadi@gmail.com> wrote:
In the last 2 weeks we have seen double the amount of ddos attacks, and way bigger then normal. All of them being amplification attacks. I think the media whoring done during the spamhaus debacle motivated more people to invest time building up there openresolver list, since really no one has disclosed attacks of that size and gave the blueprints of how to do it. Now we know the attack has been around for awhile but no one really knew how big they could take it until a couple weeks ago..
Now I know your openresolver DB is meant to get them closed but it would take only a small amount of someones day to write a script to crawl your database.. You go to fixedorbit.com or something of the sort, look up the as's of the biggest hosting companies, plop there list of ip allocaitons in to a text file, run the script and boom i now have the biggest open resolver list to feed my botnet.. Maybe you should require some sort of CAPTCHA or registration to view that database. While im sure people have other ways of gathering up the open resolvers , you just took away all the work and handed it to them on a silver platter. While i am and others surely are greatful for the data, i think a little more thought should be put in how you are going to deliver the data to who should have it, and that would be the network / AS they are hanging off of.
Both systems that return a referral to root and that do full recursion are being abused in attacks. Honestly, if you send 100kpps to 2^32 IPs it would take ~12 hours. If you have 10 hosts to scan at a lower rate and skip all the 'unused' space, e.g.: 0/8 10/8 127/8 224/4 you cut down the time as well. I won't say exactly how long my weekly process takes, but it doesn't take long if you wanted to replicate the data. About 1:122 hosts responds in some fashion. That means for any given /24, expect there to be about 2 responses. While that may not be the case for some blocks, there's a good chance something is responding nearby. At some point the lack of scoping your response will result in a real problem for the person being attacked. Your hosts will get used in an attack. It's not really an IF question anymore. - jared