[dns-operations] Source code to identify the fake DNS packets from China Re: Odd behaviour on one node in I root-server (facebook, youtube & twitter)

[John Kristoff]

On Mon, 29 Mar 2010 15:21:01 -0400
David Dagon <dagon at cc.gatech.edu> wrote:

>    a) Entire CIDRs (large ones: /16s, etc.) in China are open
>       recursive, at least for qnames matching those three strings.

They wouldn't be open recursive then, they'd effectively be claiming
authority, either implicitly or explicitly.

>       Of course, there are tens of millions of open recursives
>       already.  But this behavior makes nearly every host in China

Are you certain about tens of millions?  That would be much higher than
what has others have found in the recent past.  Duane's latest estimate
from October 2009 is just over 13 million.

>       People far more clever in designing attacks than me might use
>       this.  For example, this property might be used to congest low
>       bandwidth segments in China, and complicate filtering as a
>       remediation (since there are no longer just a few open
>       recursives to filter, but entire networks).

These that claim authority for a select set of names don't appear to be
amplifying the query by much so the risk appears to largely relegated
to the reflection aspect, which may still be of some concern.

John