I am putting the finishing touches on a presentation I will be making later this week at the DNS-OARC meeting, but I also wanted to ask anyone here if they had data/ideas of items they are interested in seeing from the Open Resolver Project.

We perform a weekly scan of the IPv4 space looking for DNS servers that can be used in an amplification attack. Some interesting data: about 46% of the IPs that respond to a DNS query do not respond from port 53, meaning they are "broken" in some interesting way.

I encourage folks to check your IP space here: http://openresolverproject.org/

You can also e-mail the project to get direct access to per-ASN reports. That email needs to come from a contact in the RIR object, or from a corporate address that can be easily identified as related to your org. If you are an ISAC or similar, we can also assist you.

Thanks,
- jared
On Thu, 9 May 2013, Jared Mauch wrote:
Some interesting data: about 46% of the IPs that respond to a DNS query do not respond from port 53, meaning they are "broken" in some interesting way.
Maybe I'm not being very imaginative, but how can something from !53 be considered a DNS response to a query sent to port 53? Can you give some examples of the sorts of packets that fall into this rather large % of ill-behaved hosts? Are you sure you're not treating things like ICMP port unreachable as a "!udp/53 src response"?

----------------------------------------------------------------------
Jon Lewis, MCP :) | I route
| therefore you are
http://www.lewis.org/~jlewis/pgp for PGP public key
On May 9, 2013, at 7:32 PM, Jon Lewis <jlewis@lewis.org> wrote:
On Thu, 9 May 2013, Jared Mauch wrote:
Some interesting data: about 46% of the IPs that respond to a DNS query do not respond from port 53, meaning they are "broken" in some interesting way.
Maybe I'm not being very imaginative, but how can something from !53 be considered a DNS response to a query sent to port 53? Can you give some examples of the sorts of packets that fall into this rather large % of ill-behaved hosts? Are you sure you're not treating things like icmp port unreachable as a "!udp/53 src response"?
IP1:Port:IP-Probed:Responding-IP:time_t:RCODE:RA:CorrectAnswerInPacket

Here's a sample excerpt:

IP1:14474:122.177.40.2:NULL:1367712184.690540:0:1:1
IP1:10316:123.26.39.2:NULL:1367712184.690683:0:1:1
IP1:15218:5.11.41.2:NULL:1367712184.691114:0:1:1
IP1:21388:186.31.41.2:NULL:1367712184.691402:0:1:1
IP1:11161:87.21.41.2:NULL:1367712184.691693:0:1:1
IP1:23884:88.249.40.2:NULL:1367712184.692264:0:1:1
IP1:12707:77.51.41.2:NULL:1367712184.692833:0:1:1
IP1:16290:190.86.41.2:NULL:1367712184.693118:0:1:1
IP1:10169:151.48.41.2:NULL:1367712184.694703:0:1:1
IP1:20885:112.209.40.2:NULL:1367712184.694992:0:1:1

I have the raw packet data for these. They were on a UDP socket, not some tcpdump output parsing snafu… :)

I have many more of these in the dataset. I'm thinking about flagging those that aren't from udp/53 and giving a pointer to things like CPE device firmware that causes problems. I've got a lot of private data on that which I can't share, either because the vendor is delivering fixed firmware or something else.

- Jared
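As an added example (not the project's own code), a small parser for the colon-separated record layout Jared describes, which flags answers that did not come back from udp/53 and tallies how many records look like working open resolvers. The sample is constructed from the excerpt plus RFC 5737 documentation addresses; treating "NULL" in Responding-IP as "same as the probed IP", and RA=1 with RCODE 0 and a correct answer as the open-resolver criterion, are assumptions, not the project's definitions.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in the layout quoted in the thread:
# IP1:Port:IP-Probed:Responding-IP:time_t:RCODE:RA:CorrectAnswerInPacket
SAMPLE = """\
IP1:14474:122.177.40.2:NULL:1367712184.690540:0:1:1
IP1:53:198.51.100.7:NULL:1367712184.700000:0:1:1
IP1:53:203.0.113.9:NULL:1367712184.710000:5:0:0
IP1:10316:123.26.39.2:NULL:1367712184.690683:0:1:1
"""

@dataclass
class Record:
    source_port: int      # UDP source port the answer arrived from; 53 expected
    probed_ip: str
    responding_ip: str    # "NULL" assumed to mean it matched the probed IP
    ts: float
    rcode: int
    ra: bool              # recursion-available flag in the reply
    correct_answer: bool  # the probe's expected answer was present

    @property
    def off_port(self) -> bool:
        return self.source_port != 53

    @property
    def open_resolver(self) -> bool:
        # Assumed criterion: recursive, NOERROR and answered correctly
        return self.ra and self.rcode == 0 and self.correct_answer

def parse_records(text: str) -> List[Record]:
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 8:
            raise ValueError(f"expected 8 fields: {line!r}")
        _, port, probed, responding, ts, rcode, ra, correct = fields
        records.append(Record(int(port), probed, responding, float(ts),
                              int(rcode), ra == "1", correct == "1"))
    return records

def summarize(records: List[Record]) -> Dict[str, float]:
    total = len(records)
    off = sum(r.off_port for r in records)
    return {"total": total, "off_port": off,
            "off_port_pct": round(100 * off / total, 1) if total else 0.0,
            "open_resolvers": sum(r.open_resolver for r in records)}
```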
On 5/9/13, Jared Mauch <jared@puck.nether.net> wrote:
I encourage folks to check your IP space here:

On a totally unrelated note... the document at that URL looks visually almost exactly like the CentOS stock apache 2 test page. It's so similar in appearance that when opening it, at first, I thought it a broken link instead of an actual website....

--
-JH
On May 9, 2013, at 8:26 PM, Jimmy Hess <mysidia@gmail.com> wrote:
On 5/9/13, Jared Mauch <jared@puck.nether.net> wrote:
On a totally unrelated note... the document at that URL looks visually almost exactly like the CentOS stock apache 2 test page.
It's so similar in appearance that when opening it, at first, I thought it a broken link instead of an actual website....
I think it looks very minimal for a webpage :) If you want to sign up with your HTML skills, let me know off list. I want to make getting the data simple. I'm also thinking of making an alert pop up if the exact IP you visit from is in the database…

A few weeks ago I fingerprinted all the DNS servers.

All DNS servers in the database: http://openresolverproject.org/version.bind.20130421.final.txt

All Open Resolvers in the database: http://openresolverproject.org/version.bind.report.txt

- Jared