On 11/06/2013, at 1:11 PM, David Robinson wrote:
On 11 June 2013 11:14, Peter Mott wrote:
2) Contact them again
They don't care, it's working just fine for them. Won't the customers care when they get all the overage, or slow down when they blow their cap, when used in a DDOS?
I'm a networking prostitute so can't name names[1], but where I'm spending some of my time currently, we have an interesting issue where an older CPE we have out with some customers is half participating in a DDOS attack.

Half?:

1) Query comes in to the CPE for ANY? isc.org.
2) CPE asks our recursive nameservers (both of them, for some reason) for the same.
3) Our nameservers send a bunch of packets (about 3.5KB worth, from memory) to the CPE (remember, 2x because it asks both our nameservers).
4) CPE seems to check if it should be answering queries received on the WAN interface, and doesn't respond. It also appears not to cache the answer, so the next time (1) happens, the whole cycle goes again.

So, the CPE doesn't participate in the attack and return results to the (presumably) spoofed source, but it uses up bandwidth.

The other bit we're not sure about is how these CPEs are found - if they never respond, scanning for the CPE shouldn't help. Current theory is someone is scanning for a unique hostname and monitoring queries, but that has yet to be proven - plan is to put a CPE online, mirror packets, and investigate.

Something worth noting that I haven't seen mentioned in this thread so far (I skim read it) - most of these open recursor attacks that I've seen are for ANY? isc.org - I assume because isc.org has a pretty large zone. You might want, as a first step, to block those queries at your border, if you have the facility to do so.

As for our recursive nameservers, we've got about 3 different sets of IP addresses, for various legacy reasons. All of these are being hit with a large number of queries (that are, as far as we can tell, legitimate) from people outside our network who are using our resolvers for what looks like a number of different reasons. Some of the resolvers have been on these addresses for over 10 years, so it's not surprising.

There's going to be quite a challenge to lock those open resolvers down, and we're debating how to do it at the moment - the industry comms process will be interesting, I'm sure, and I'm sure many people on this list will have a busy day fixing up old boxes that can't when our messages have been ignored :-)

Would be interested in any experience people have with something similar.

--
Nathan Ward

[1] unless we're drinking beer.
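Added example, not part of Nathan's message or any tooling from the list: a small Python script that runs over resolver query logs and separates the three populations described above (outside clients sending ANY? isc.org, on-net CPEs that re-ask the same ANY? isc.org query because they never cache it, and outside clients that look like ordinary legitimate users of a long-lived resolver address). The log lines are constructed in the BIND 9 "query" log style and are not a real capture; 192.0.2.0/24 stands in for the ISP's customer range; the 3,500-byte response estimate is taken from the post's "about 3.5KB" recollection, so the per-client byte totals are estimates, not measurements.

```python
import ipaddress
import re
from collections import defaultdict

# Estimated response payload for "ANY isc.org" (the post remembers about 3.5 KB per answer).
# This is an assumption for illustration, not a measured value.
ANY_ISC_RESPONSE_BYTES = 3500

# Hypothetical customer address range (RFC 5737 documentation prefix) standing in
# for the ISP's own space. Anything outside it is treated as an outside client.
INTERNAL_CIDRS = ["192.0.2.0/24"]

# Constructed sample lines in the BIND 9 query-log style; not a real capture.
# 203.0.113.9   outside client hammering ANY isc.org (the attack traffic)
# 192.0.2.10    on-net CPE that re-asks ANY isc.org every time (no caching)
# 192.0.2.11    ordinary on-net customer
# 198.51.100.20 outside client doing ordinary lookups (legacy resolver user)
SAMPLE_LOG = [
    "11-Jun-2013 13:20:01.101 client 203.0.113.9#4444: query: isc.org IN ANY + (192.0.2.53)",
    "11-Jun-2013 13:20:01.102 client 192.0.2.10#41000: query: isc.org IN ANY +E (192.0.2.53)",
    "11-Jun-2013 13:20:01.103 client 192.0.2.11#53111: query: www.example.com IN A + (192.0.2.53)",
    "11-Jun-2013 13:20:01.104 client 203.0.113.9#4444: query: isc.org IN ANY + (192.0.2.53)",
    "11-Jun-2013 13:20:01.105 client 198.51.100.20#3030: query: example.net IN A + (192.0.2.53)",
    "11-Jun-2013 13:20:01.106 client 192.0.2.10#41000: query: isc.org. IN ANY +E (192.0.2.53)",
    "11-Jun-2013 13:20:01.107 client 203.0.113.9#4444: query: ISC.ORG IN ANY + (192.0.2.53)",
    "11-Jun-2013 13:20:01.108 client 198.51.100.20#3030: query: example.net IN MX + (192.0.2.53)",
    "this line is not a query log entry",
]

# "client <ip>#<port>: query: <qname> <qclass> <qtype> ..." as BIND 9 logs it.
QUERY_RE = re.compile(
    r"client (?P<client>[0-9a-fA-F.:]+)#\d+: query: "
    r"(?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
)


def parse_query_line(line):
    """Return {client, qname, qtype} for a query-log line, or None if it is not one."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    return {
        "client": m.group("client"),
        # normalise so "isc.org.", "ISC.ORG" and "isc.org" count as the same name
        "qname": m.group("qname").rstrip(".").lower(),
        "qtype": m.group("qtype").upper(),
    }


def is_internal(ip, internal_nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in internal_nets)


def summarise(lines, internal_cidrs=INTERNAL_CIDRS):
    """Per-client counts: total queries, ANY isc.org queries, and estimated bytes we sent back."""
    nets = [ipaddress.ip_network(c) for c in internal_cidrs]
    per_client = defaultdict(
        lambda: {"internal": False, "queries": 0, "any_isc": 0, "est_bytes_out": 0}
    )
    for line in lines:
        rec = parse_query_line(line)
        if rec is None:
            continue  # skip non-query lines rather than failing on them
        c = per_client[rec["client"]]
        c["internal"] = is_internal(rec["client"], nets)
        c["queries"] += 1
        if rec["qtype"] == "ANY" and rec["qname"] == "isc.org":
            c["any_isc"] += 1
            c["est_bytes_out"] += ANY_ISC_RESPONSE_BYTES
    return dict(per_client)


def external_abusers(summary):
    """Outside clients that sent ANY isc.org: candidates for a border block or resolver ACL."""
    return sorted(ip for ip, c in summary.items() if not c["internal"] and c["any_isc"] > 0)


def suspected_cpe(summary):
    """On-net clients that re-ask ANY isc.org: a non-caching CPE re-forwarding each query."""
    return sorted(ip for ip, c in summary.items() if c["internal"] and c["any_isc"] >= 2)


def analyse_sample():
    return summarise(SAMPLE_LOG)


if __name__ == "__main__":
    s = analyse_sample()
    for ip, c in sorted(s.items()):
        where = "on-net " if c["internal"] else "outside"
        print(f"{ip:16} {where} queries={c['queries']} any_isc={c['any_isc']} "
              f"est_bytes_out={c['est_bytes_out']}")
    print("outside ANY isc.org senders:", external_abusers(s))
    print("suspected non-caching CPEs:", suspected_cpe(s))
```

Note that 198.51.100.20 never shows up in either list: it is outside the network but only does ordinary A/MX lookups, which is exactly the "legitimate-looking outside user" population that makes locking a long-lived resolver address down a communications problem rather than a one-line ACL change. The est_bytes_out column also makes the CPE cost visible: each repeated ANY? isc.org the CPE forwards costs roughly one full 3.5 KB answer (doubled in practice, since the post says it asks both resolvers).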