Open Resolver Problems
Well,
On 03/25/13 16:45, Jared Mauch wrote:
> On Mar 25, 2013, at 2:04 PM, Jay Ashworth <jra at baylink.com> wrote:
>
>> ----- Original Message -----
>>> From: "Jared Mauch" <jared at puck.nether.net>
>>> Open resolvers pose a security threat.
>> Could you clarify, here, Jared?
>>
>> Do "open DNS customer-resolver/recursive servers" *per se* cause a problem?
>>
>> Or is it merely "customer zone servers which are misconfigured to recurse",
>> as has always been problematic?
>>
>> That is: is this just a reminder we never closed the old hole, or
>> notification of some new and much nastier hole?
> There have been some moderate size attacks recently that I won't go into detail here about. The IPs that are on the website are certainly being used/abused. A recent attack saw a 90% match rate against the "master list" here. This means your open resolver is likely being used.
>
> Anything to raise the bar here will minimize the impact to those networks under attack. Turn on RPF facing your colocation and high-speed server lans. We all know hosts become compromised. Help minimize the impact of these attacks by
>
> a) doing BCP-38
> b) locking down your recursive servers to networks you control
> c) locking down your authority servers to not provide the same answer 15x in a second to the same querying IP. If it's asking that same question 15x, then it's not you that's broken, it's that client. (Or it's being abused).
>
> - Jared
I think most of the audience here knows and is sensitive about it.
The problems come from those who don't give a *shit*... And
they've been not giving a *shit* for years.
The magic is in "how" to make them care.
Does the industry need to go "a la PCI-DSS" for Peers?
PS: My pico ISP is soooo on your list Jared =D Not for long hopefully.
-----
Alain Hebert ahebert at pubnix.net
PubNIX Inc.
50 boul. St-Charles
P.O. Box 26770 Beaconsfield, Quebec H9W 6G7
Tel: 514-990-5911 http://www.pubnix.net Fax: 514-990-9443