nanog mailing list archives
Re: Spoofing ASNs (Re: SNMP DDoS: the vulnerability you might not know you have)
From: Blake Dunlap <ikiris () gmail com>
Date: Thu, 8 Aug 2013 20:13:56 -0500
Thanks, this is quite interesting. I never would have expected that kind of behavior.

-Blake

On Thu, Aug 8, 2013 at 3:37 PM, Jared Mauch <jared () puck nether net> wrote:

> On Aug 8, 2013, at 2:07 PM, Blake Dunlap <ikiris () gmail com> wrote:
>
>> On a related note, how are you actually getting this data?
>
> Sure:
>
> https://www.nanog.org/sites/default/files/tue.lightning3.open_resolver.mauch_.pdf
>
> I would point you at the streaming archive, but I'm not sure where they went. Perhaps they can post them to Youtube?
>
> Anyways, the alternate set of IPs responding is actually increasing over time:
>
> http://openresolverproject.org/breakdown-graph2.cgi
>
>> What you have said previously ( Number of unique IPs that spoofed a packet to me. (eg: I sent a packet to 1.2.3.4 and 5.6.7.8 responded). ) doesn't even make sense.
>
> Many CPE devices will perform NAT on udp/53 packets received on their WAN interface and forward them to their configured DNS server.
>
> Some will just take the source IP and copy it into the packet. Because it comes in on their WAN interface, it will instead of copying the inside NAT address just copy my source IP from the weekly scan and use that. Since it's on the outside, it doesn't copy its outside IP and put that in, it copies mine.
>
> - Jared
>
>> On Thu, Aug 8, 2013 at 12:51 PM, Jared Mauch <jared () puck nether net> wrote:
>>
>>> Oops, I pulled the wrong data (off by one column) out before a trip and didn't realize it until now.
>>>
>>> This is not the spoofer list, but the list of ASNs with open resolvers.
>>>
>>> Let me reprocess it. Apologies, corrected data being generated.
>>>
>>> - Jared
>>>
>>> On Aug 8, 2013, at 1:29 PM, Jared Mauch <jared () puck nether net> wrote:
>>>
>>>> The following is a sorted list from worst to best of networks that allow spoofing: (cutoff here is 25k) (full list - http://openresolverproject.org/full-spoofer-asn-list-201307.txt )
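The case described in the thread above (a probe sent to 1.2.3.4 is answered from 5.6.7.8) can be separated from direct answers when each probe carries its own target address. The Python below is an added example, not code from this thread or from the Open Resolver Project; it assumes probes encode the target as a hex label under a hypothetical zone `probe.example`, and the sample replies are constructed.

```python
import ipaddress
import struct

PROBE_ZONE = "probe.example"  # hypothetical; probes are <target-hex>.probe.example

def probe_qname(target):
    return f"{ipaddress.IPv4Address(target).packed.hex()}.{PROBE_ZONE}"

def build_response(qname, txid=0x1234):  # minimal header + question, sample data only
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.split("."))
    return struct.pack("!6H", txid, 0x8180, 1, 0, 0, 0) + labels + b"\x00\x00\x01\x00\x01"

def question_name(payload):
    """Parse the question name that follows the 12-byte DNS header."""
    pos, labels = 12, []
    while pos < len(payload) and (n := payload[pos]):
        if n > 63 or pos + 1 + n > len(payload):
            raise ValueError("bad label")
        labels.append(payload[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    if pos >= len(payload):
        raise ValueError("truncated question name")
    return ".".join(labels).lower()

def probed_target(payload):
    """Return the address the probe was sent to, or None if not our probe."""
    try:
        label, _, zone = question_name(payload).partition(".")
        if zone != PROBE_ZONE:
            return None
        return str(ipaddress.IPv4Address(bytes.fromhex(label)))
    except ValueError:  # malformed message, non-hex label, wrong length
        return None

def classify(responses):
    """Split (reply source, payload) pairs into direct and alternate-source."""
    direct, alternate = [], []
    for src, payload in responses:
        target = probed_target(payload)
        if target is not None:
            (direct if src == target else alternate).append((target, src))
    return direct, alternate

# Constructed sample replies: (source address of the reply, UDP payload).
SAMPLE = [
    ("192.0.2.10", build_response(probe_qname("192.0.2.10"))),  # direct answer
    ("5.6.7.8", build_response(probe_qname("1.2.3.4"))),  # other host answered
    ("203.0.113.9", b"\x00\x01"),  # not a DNS message, ignored
]
```

Each `(target, source)` pair in the second list returned by `classify(SAMPLE)` is a probe whose answer came from an address other than the one probed, which is what the "alternate set of IPs" above counts.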