Re: Open Resolver Problems

[Mark Andrews <marka () isc org>]

In message <5150BE64.2020907 () pubnix net>, Alain Hebert writes:
>     Well,
>
> On 03/25/13 16:45, Jared Mauch wrote:
> > On Mar 25, 2013, at 2:04 PM, Jay Ashworth <jra () baylink com> wrote:
> >
> > > ----- Original Message -----
> > > > From: "Jared Mauch" <jared () puck nether net>
> > > > Open resolvers pose a security threat.
> > > Could you clarify, here, Jared?
> > >
> > > Do "open DNS customer-resolver/recursive servers" *per se* cause a problem?
> > >
> > > Or is it merely "customer zone servers which are misconfigured to recurse",
> > > as has always been problematic?
> > >
> > > That is: is this just a reminder we never closed the old hole, or 
> > > notification of some new and much nastier hole?
> > There have been some moderate size attacks recently that I won't go into detail here about.  The IPs that a
> re on the website are certainly being used/abused.  A recent attack saw a 90% match rate against the "master 
> list" here.  This means your open resolver is likely being used.
> > Anything to raise the bar here will minimize the impact to those networks under attack.  Turn on RPF facing
>  your colocation and high-speed server lans.  We all know hosts become compromised.  Help minimize the impact
>  of these attacks by 
> > a) doing BCP-38
> > b) locking down your recursive servers to networks you control
> > c) locking down your authority servers to not provide the same answer 15x in a second to the same querying 
> IP.  If it's asking that same question 15x, then it's not you that's broken, it's that client.  (Or it's bein
> g abused).
> > - Jared
>
>     I think most of the audience here knows and are sensitive about it.
>
>     The problems come from from those who don't give a *shit*... And
> they've been not giving a *shit* it for years.
>
>     The magic is in "how" to make them care.

There is only one way sure way to make them care which is to cut
them off for a period and repeat the punishment if they fail to
clean up their act.  You give them notice.  You publicise that you
are going to do it unless they address their issue by date X.  On
date X you stop accepting routes through them or to them unless
they have cleaned up their act.  At the end of the period you start
accepting traffic again.

You leave the open recursive servers open.  They are your canaries.

BCP 38 was published in May 2000.  There is no excuse for any ISP
to not have the requisite equipement to do this.

>     Do the industry need to go "a la PCI-DSS" for Peers?
>
>     PS: My pico ISP is soooo on your list Jared =D  Not for long hopefully.
>
> -----
> Alain Hebert                                ahebert () pubnix net   
> PubNIX Inc.        
> 50 boul. St-Charles
> P.O. Box 26770     Beaconsfield, Quebec     H9W 6G7
> Tel: 514-990-5911  http://www.pubnix.net    Fax: 514-990-9443
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka () isc org