And here is an example of a consumer complaining about excessive usage and complaining about his ISP.
http://www.geekzone.co.nz/forums.asp?forumid=81&topicid=111127
He then realises his pfsense box is actually servicing DNS requests for his own network - and to the world. He even admits later responses were being sent out to CloudFlare IP addresses, which seems to indicate his DNS was part of those attacks.
Slingshot was nice to waive some of the fees. Customers should read the T&Cs where ISPs say they have to keep their devices safe - this is not only from malware but also from misconfigurations introduced by the users themselves...
Cheers
Mauricio Freitas
www.geekzone.co.nz
www.freitasm.com
www.twitter.com/freitasm
-----Original Message-----
From: nznog-bounces(a)list.waikato.ac.nz [mailto:nznog-bounces(a)list.waikato.ac.nz] On Behalf Of Hamish MacEwan
Sent: Saturday, 3 November 2012 10:59 a.m.
To: nznog(a)list.waikato.ac.nz
Subject: Re: [nznog] Open resolvers again
On 2 November 2012 10:05, Juha Saarinen wrote:
http://blog.cloudflare.com/deep-inside-a-dns-amplification-ddos-attack

The article notes without elaboration: "In order to increase your attack's volume, you could try and add more compromised machines to your botnet. That is becoming increasingly difficult." Is that good news, or have botted devices reached saturation? That there aren't any un-botted left to be taken.

And I'm a bit confused, "That's a 64 byte query that resulted in a 3,223 byte response." My understanding was at a certain size of response, DNS switched to TCP to return results, but maybe the unsolicited response handshake is accepted blindly?
Juha Saarinen AITTP
Hamish.
--
http://hamish.kiwi.me
_______________________________________________
NZNOG mailing list
NZNOG(a)list.waikato.ac.nz
http://list.waikato.ac.nz/mailman/listinfo/nznog