On 11/06/2013, at 11:02 AM, Dave Mill <dave@mill.net.nz> wrote:
...
Finally, some rough stats so far.

-Somewhere between 1 - 2% of our customers have this issue. This being so high surprised me!
-By tackling my "low hanging fruit" we resolved approx. 15% of the open resolvers. This was minimal effort.
-At our aimed rate of contact it will take 12 weeks for us to let all of the customers know they have this issue and offer advice on it.

Do you have any initial figures for the cleanup rate on your not-so-low hanging fruit?

What should we do about the customers who don't fix this issue within a reasonable time-frame once we've told them about it?

1) Do nothing
2) Contact them again
3) Block international port 53 requests going to them at our border routers (can be done with minimal effort and load on the routers in question - I'm quite against this though)

Do you have enough monitoring to be able to spot when a customer's open resolver is being used for a DDOS? If so, you can warn them that if they get pulled in to a DDOS attack you will disconnect them until they fix their resolver. Maybe you could tell them that even if you don't have enough monitoring.

Cheers,
Lloyd