[dns-operations] open resolver version.bind responses
Jason_Livingood at cable.comcast.com
Wed Apr 17 12:21:23 UTC 2013
On 4/16/13 12:58 PM, "Jared Mauch" <jared at puck.nether.net> wrote:
>There is plenty of hope. I've seen the following actions taken:

Agree. We at Comcast in the US are looking closely at this. We recently
finished blocking SNMP, for example
(http://www.bitag.org/report-snmp-ddos-attacks.php), following similar
amplification attacks using that protocol and abusing customer-owned
equipment that has SNMP on by default. However, mitigating tactics take
time to plan & execute in large networks, of course.

>a) Hosting providers emailed customer base, said close your open resolver
>or we shut your host
>b) ISPs have implemented spoofing filters. NTT is one of them that has
>cranked the filters up as a result (at least on static routed customers).
>c) National CERTs have contacted the project and obtained lists of
>hosts/machines in their control.
>d) LARGE ISPs have contacted for lists of resolvers, including at least
>one major provider in the US.
>e) At least one ISP today emailed me about their former customers
>freaking out when they were notified of upcoming DNS server changes which
>might impact them (people restricting or closing open resolvers).
>
>I certainly understand the concerns here regarding mitigation and
>outreach, but things are happening.
>
>My changes in measurement technique aren't helping accurately measure
>this, but there should be some good data in the next few weeks as I've
>made the last tweak. The good news is the # of folks returning REFUSED
>keeps going up.

Which is one reason it will be *really* interesting to see the numbers
charted over time, so we can observe what the trends are. I'm sure a savvy
researcher may even find enough interesting data to write a paper or two.

PS - This is a good project website and overall effort -- keep it up!