[dns-operations] finding open resolvers

John Kristoff jtk at cymru.com
Mon Jul 27 15:42:32 UTC 2009

Hi folks,

We're making a renewed effort to consider and work on the potential
problem with open resolvers, particularly their use in distributed
amplification and reflection attacks that have not gone away.  I'd like
to solicit feedback and input into making our efforts as fruitful as
can be.

There are a few techniques of finding and discovering open resolvers
that have been detailed in other venues.  Some of you might have seen
myself and others send query probes to the entire address space in the
past.  There are some obvious advantages and disadvantages with that
approach.  It's clearly not very efficient so we're not doing full
address space probes at this time.  Ideally we'd like to only test for
an open resolver on an address that has been one in the past or might
be more likely to be one than just a random address.  This is where we
can use some additional help.

In my experience, selecting a random set of IPv4 addresses from a pool
designated as non-bogon and probing them for an open resolver yields
less than 1%.  It might still be fruitful to do some of this, since it's
very easy to do, mostly harmless and still provides some returns, but it
would be nice to be less annoying to those who watch packets crossing
their nets closely.

We've also taken lists of addresses from zone files and looked at
lists of hosts that have been seen probing large caching servers and
tested them. The return rate is higher, but still less than ideal.  The
highest return rates we've seen are usually the source addresses
reported by those who have been on the receiving end of an attack. If
that has been you or someone you know, and wouldn't mind sharing those
sources with us now or in the future, we'd love to receive a copy to
test.  And as always, don't hesitate to first ask our help in making
the attack go away; we'll worry about testing for open resolvers
later.  :-)

We've been working on a monitoring and reporting system that we hope
will be useful and of course used to help locate and mitigate
unnecessary open resolvers on the public net.  Anyone who needs data
for their netblocks or ASNs is of course free to contact us and we'll
be happy to provide it simply for the asking.  Some additional detail
and motivation is here if you're interested:
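The probe the post describes is a single recursive query and a look at the reply flags. The following is an added example (not code from the post or from Team Cymru) that an operator can use to check whether one of their own resolvers answers recursion for outside clients: it builds an A query with RD set, classifies the reply by the QR/RA bits and RCODE, and includes constructed sample replies so the classifier can be exercised offline. The name example.com, the transaction id and the 2-second timeout are assumptions.

```python
import socket
import struct

TXID = 0x1234  # fixed transaction id, shared by the constructed samples below

def build_query(qname: str, txid: int = TXID) -> bytes:
    """Build a DNS A/IN query with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags 0x0100: RD=1
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def classify_response(resp: bytes, txid: int = TXID) -> str:
    """Classify a raw DNS reply as open, refused, no-recursion, inconclusive or invalid."""
    if len(resp) < 12:
        return "invalid"
    rid, flags, _qdcount, ancount, _, _ = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid or not flags & 0x8000:  # id mismatch, or QR=0 (not a response)
        return "invalid"
    rcode = flags & 0x000F
    ra = bool(flags & 0x0080)  # RA: the server is willing to recurse for this client
    if rcode == 5:
        return "refused"
    if not ra:
        return "no-recursion"
    if rcode == 0 and ancount > 0:
        return "open"  # recursion was performed for an outside client
    return "inconclusive"

def probe(addr: str, qname: str = "example.com", timeout: float = 2.0) -> str:
    """Send one recursive query to addr:53 over UDP and classify the reply (or timeout)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(qname), (addr, 53))
        try:
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            return "timeout"
    return classify_response(data)

# Constructed sample replies (not captured traffic) for offline checks of the classifier.
_QUESTION = build_query("example.com")[12:]
_ANSWER = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
OPEN_REPLY = struct.pack("!HHHHHH", TXID, 0x8180, 1, 1, 0, 0) + _QUESTION + _ANSWER
REFUSED_REPLY = struct.pack("!HHHHHH", TXID, 0x8105, 1, 0, 0, 0) + _QUESTION
NORECURSE_REPLY = struct.pack("!HHHHHH", TXID, 0x8100, 1, 0, 0, 0) + _QUESTION
```

Run probe() from an address outside the resolver's permitted client range; a result of "open" means the server recursed for a client it should have refused.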



