[dns-operations] open resolver versio.bind responses

Livingood, Jason Jason_Livingood at cable.comcast.com
Wed Apr 17 12:21:23 UTC 2013

On 4/16/13 12:58 PM, "Jared Mauch" <jared at puck.nether.net> wrote:

>There is plenty of hope.  I've seen the following actions taken:

Agree. We at Comcast in the US are looking closely at this. We recently
finished blocking SNMP, for example
(http://www.bitag.org/report-snmp-ddos-attacks.php), following similar
amplification attacks using that protocol and abusing customer-owned
equipment that has SNMP on by default. However, mitigating tactics take
time to plan & execute in large networks, of course.

>a) Hosting providers emailed customer base, said close your open resolver
>or we shut your host
>b) ISPs have implemented spoofing filters.  NTT is one of them that has
>cranked the filters up as a result (at least on static routed customers).
>c) National CERTs have contacted the project and obtained lists of
>hosts/machines in their control.
>d) LARGE ISPs have contacted for lists of resolvers, including at least
>one major provider in the US.
>e) At least one ISP today emailed me about their former customers
>freaking out when they were notified of upcoming DNS server changes which
>might impact them (people restricting or closing open resolvers).
>
>I certainly understand the concerns here regarding mitigation and
>outreach, but things are happening.
>
>My changes in measurement technique aren't helping accurately measure
>this, but there should be some good data in the next few weeks as I've
>made the last tweak.  The good news is the # of folks returning REFUSED
>keeps going up.

Which is one reason it will be *really* interesting to see the numbers
charted over time, so we can observe what the trends are. I'm sure a savvy
researcher may even find enough interesting data to write a paper or two.


PS - This is a good project website and overall effort -- keep it up!

>- Jared
