Replies below.

On Tue, Jun 11, 2013 at 12:13 PM, Lloyd Parkes <lloyd@must-have-coffee.gen.nz> wrote:

> On 11/06/2013, at 11:02 AM, Dave Mill <dave@mill.net.nz> wrote:
> ...
>> Finally, some rough stats so far.
>>
>> -Somewhere between 1 - 2% of our customers have this issue. This being so high surprised me!
>> -By tackling my "low hanging fruit" we resolved approx. 15% of the open resolvers. This was minimal effort.
>> -At our aimed rate of contact it will take 12 weeks for us to let all of the customers know they have this issue and offer advice on it.

> Do you have any initial figures for the cleanup rate on your not-so-low hanging fruit?

That part is only being kicked off this week. Might have some better stats in, say, 4 weeks' time (allowing 2 weeks for customers to fix issues).


>> What should we do about the customers who don't fix this issue within a reasonable time-frame once we've told them about it?
>>
>> 1) Do nothing
>> 2) Contact them again
>> 3) Block international port 53 requests going to them at our border routers (can be done with minimal effort and load on the routers in question - I'm quite against this though)

> Do you have enough monitoring to be able to spot when a customer's open resolver is being used for a DDoS? If so, you can warn them that if they get pulled into a DDoS attack you will disconnect them until they fix their resolver. Maybe you could tell them that even if you don't have enough monitoring.

We've looked into our sflow logs on a few customers that we know a few things about. We can see customers of ours being used in what we believe is an amplification attack (many connections from 1 (presumably spoofed) IP, random src port, dst port is 53). We've also looked at the logs of customers of ours who are the target of a large amplification attack - that's pretty scary to see, to say the least. From what little I've looked at I'm heading towards the conclusion that the majority of our customers with open DNS resolvers either have been used in DDoSes already or will be in the future. If the open resolver project can compile lists of open DNS resolvers then it's pretty trivial for 'hackers' to come up with the same lists.

As an incentive to have customers fix this we're trying to use the "large amounts of unwanted traffic" reason where possible. With a well configured, "nice" botnet the traffic levels seem small, but when a botnet goes a bit haywire traffic levels can be very high.

Note, my option 3) is to block port 53 traffic to just these "bad" customers. I'm not in any way talking of blocking all inbound DNS traffic internationally. I still do not like option 3). Peter's option from an earlier email does, at first glance, seem sane - though still a high impact on customer satisfaction.

Cheers
Dave
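The traffic signature Dave describes from the sflow logs (many UDP queries to port 53 on one customer IP, all from a single presumably spoofed source, random source ports) is simple enough to turn into a batch check that answers Lloyd's monitoring question. The following Python is an added example written for this thread, not code from any of the participants or their ISPs. The flow record format, the customer prefix 203.0.113.0/24 and the thresholds are assumptions; the sample records are constructed.

```python
"""Flag customer IPs whose open resolver looks like it is being used as a
DNS amplification reflector, from sFlow-style sampled flow records.

Heuristic taken from the thread: one external source IP sending many
UDP/53 queries to one customer IP from a large number of distinct source
ports. Thresholds and record format are assumptions for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed customer address space (TEST-NET-3, a placeholder prefix).
CUSTOMER_PREFIX = ip_network("203.0.113.0/24")


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str    # "udp" or "tcp"
    packets: int  # sampled packet count for this flow record


def parse_flow_line(line: str) -> Flow:
    """Parse one constructed 'src:sport -> dst:dport proto pkts' record."""
    left, right = line.split("->")
    src, sport = left.strip().rsplit(":", 1)
    dst_field, proto, pkts = right.split()
    dst, dport = dst_field.rsplit(":", 1)
    return Flow(src, int(sport), dst, int(dport), proto.lower(), int(pkts))


def find_abused_resolvers(flows, min_src_ports=20, min_packets=100):
    """Return {customer_ip: [(source_ip, distinct_src_ports, packets), ...]}
    for customer IPs receiving UDP/53 queries from one source IP over at
    least min_src_ports distinct source ports and min_packets packets."""
    stats = defaultdict(lambda: {"ports": set(), "packets": 0})
    for f in flows:
        if f.proto != "udp" or f.dst_port != 53:
            continue  # only inbound DNS queries over UDP matter here
        if ip_address(f.dst_ip) not in CUSTOMER_PREFIX:
            continue  # not one of our customers
        key = (f.dst_ip, f.src_ip)
        stats[key]["ports"].add(f.src_port)
        stats[key]["packets"] += f.packets
    result = defaultdict(list)
    for (dst, src), s in stats.items():
        if len(s["ports"]) >= min_src_ports and s["packets"] >= min_packets:
            result[dst].append((src, len(s["ports"]), s["packets"]))
    return dict(result)


def sample_flows():
    """Constructed sample: one reflection burst, one near-miss, some normal traffic."""
    lines = [
        # Normal resolver use: a few queries from a handful of source ports.
        "192.0.2.10:53001 -> 203.0.113.45:53 udp 1",
        "192.0.2.10:53002 -> 203.0.113.45:53 udp 1",
        "192.0.2.11:40100 -> 203.0.113.45:53 udp 2",
        # TCP zone transfer attempt is not the pattern we are looking for.
        "192.0.2.12:44444 -> 203.0.113.45:53 tcp 5",
        # Traffic to a non-customer address is ignored.
        "198.51.100.7:41000 -> 192.0.2.99:53 udp 50",
    ]
    # Reflection burst: one (presumably spoofed) source, 200 distinct
    # source ports, 3 sampled packets each, all aimed at one customer.
    lines += [f"198.51.100.7:{1024 + i} -> 203.0.113.45:53 udp 3"
              for i in range(200)]
    # Near miss: many ports but too few packets to clear min_packets.
    lines += [f"198.51.100.7:{2000 + i} -> 203.0.113.200:53 udp 1"
              for i in range(30)]
    return [parse_flow_line(l) for l in lines]


if __name__ == "__main__":
    for customer, sources in find_abused_resolvers(sample_flows()).items():
        for src, ports, pkts in sources:
            print(f"{customer}: {pkts} sampled pkts from {src} "
                  f"over {ports} source ports -> likely reflector")
```

Both thresholds must be met before a customer is flagged, so a source that probes many ports with a trickle of packets is not reported; in practice the packet threshold would be scaled to the sFlow sampling rate and the window over which records are batched.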