Open Resolver Problems
On Mar 31, 2013, at 5:09 PM, Jimmy Hess <mysidia at gmail.com> wrote:
> On 3/29/13, Scott Noel-Hemming <frogstarr78 at gmail.com> wrote:
>>> Some of us have both publicly-facing authoritative DNS, and inward
>>> facing recursive servers that may be open resolvers but can't be
>>> found via NS entries (so the IP addresses of those aren't exactly
>>> publicly available info).
>> Sounds like you're making the faulty assumption that an attacker would use
>> normal means to find your servers.
>
> A distributed scan of the entire IPv4 space for all internet IPs
> running open DNS servers is fairly doable; actually a long term scan
> taking 100 to 200 days of continuous DNS scanning is completely
> trivial.
I updated the openresolverproject.org data in less than 8 hours.
The system would scan 1.0.0.0, 1.0.0.1, ... in sequence.
Next time it runs, it's going to use a slightly different method which may expose a few more servers.
The 2013-Mar-31 data showed:
2,471,484 servers returned refused. (369k change downward)
20,675,738 with correct answer in packet.
If I extrapolate 369k/week closing, everything will be closed in about a year.
(Compared to 2.1 mil refused the week before; compared to 21.4 Million with correct answer in packet the week before).
I know many people are working on their respective hosts and/or network to close things down.
Many thanks to everyone that is treating this as a critical issue to close these hosts.
- jared
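As an added example (not code from the thread or from openresolverproject.org), the following Python script lets an operator check one of their own recursive servers and classifies the reply the way the counts above do: RCODE REFUSED versus a recursive answer in the packet. The function names and the sample responses are my own constructions; 192.0.2.1 is a documentation address used as a constructed answer.

```python
"""Check a single resolver and classify its reply as the survey counts do."""
import socket
import struct

TXID = 0x1234  # fixed transaction id so replies can be matched to the query


def build_query(qname: str, txid: int = TXID) -> bytes:
    """Build a standard A query with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.strip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def classify_response(resp: bytes, txid: int = TXID) -> str:
    """Return 'refused', 'open-answer', or a descriptive 'other(...)' label."""
    if len(resp) < 12:
        return "malformed"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid:
        return "id-mismatch"
    rcode = flags & 0x000F
    ra = bool(flags & 0x0080)  # RA: server says it will recurse for us
    if rcode == 5:
        return "refused"  # server explicitly refused the recursive query
    if rcode == 0 and ra and ancount > 0:
        return "open-answer"  # a correct answer came back: resolver is open to us
    return f"other(rcode={rcode},ra={ra},ancount={ancount})"


def probe(server: str, qname: str = "example.com", timeout: float = 2.0) -> str:
    """Send one query over UDP/53 to a server you administer and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(qname), (server, 53))
        try:
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            return "timeout"
    return classify_response(data)


# Constructed sample replies for offline testing (same question section as the query).
_QUESTION = build_query("example.com")[12:]
SAMPLE_REFUSED = struct.pack("!HHHHHH", TXID, 0x8105, 1, 0, 0, 0) + _QUESTION
SAMPLE_ANSWER = (
    struct.pack("!HHHHHH", TXID, 0x8180, 1, 1, 0, 0) + _QUESTION
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
)
```

Run `probe("<your resolver IP>")` from outside your network; a result of `open-answer` means the server answers recursive queries for arbitrary sources.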