nanog mailing list archives

Re: new DNS forwarder vulnerability


From: Mark Andrews <marka () isc org>
Date: Thu, 03 Apr 2014 07:28:58 +1100


In message <C7E435C6-344F-49CD-9152-7A9EF2FA6662 () puck nether net>, Jared Mauch writes:

On Apr 2, 2014, at 8:38 AM, Mark Allman <mallman () icir org> wrote:


[catching up]

That's a good question, but I know that during the ongoing survey
within the Open Resolver Project [http://openresolverproject.org/],
Jared found thousands of CPE devices which responded as resolvers.

Not thousands, *tens of millions*.

Our estimate from mid-2013 was 32M such devices (detailed in an IMC
paper last year; http://www.icir.org/mallman/pubs/SCRA13/).  And, that
roughly agrees with both the openresolverproject.org numbers and another
(not public) study I know of.  And, as if that isn't bad enough
... there is a 2010 IMC paper that puts the number at 15M.  I.e., the
instances of brokenness are getting worse---doubling in 3 years!  UGH.

One observation: The OpenResolverProject collects responses that come from
ports that the query was not sent to (ie: device responds from UDP/12345 not
from UDP/53, which obviously is broken and doesn't "work", but they actually
return DNS payload which can be used for abuse).

Some good news though:

http://openresolverproject.org/breakdown-graph1.cgi

I see axes, legend but no data points.  If I hover over various spots
on the graph I see data values pop up.

Since the start of 2014 there seem to be new CPE devices out there that
are resolving this issue.  The linear nature of the line in the decrease
doesn't seem to be something like "ISPs" started blocking udp/53 to
customers, which would appear more like a step function.

I'm aware of some other studies ongoing to fingerprint CPE and their
behaviors/aggregated resolver dependencies.  I expect to see some of that
data presented at the upcoming DNS-OARC meeting in Warsaw.

Getting everyone to update their firmware on devices would go a long way
as well.  Some vendors have no software QA on this front so add/remove
the response on the WAN interface as their releases march forward.

- Jared

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka () isc org
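The point Jared makes above, that a device answering from a port other than UDP/53 is still an open resolver as far as the survey (and an abuser) is concerned, is easy to lose if a listener only accepts replies from port 53. The following is an added example written for this archive page; it is not code from the thread or from the Open Resolver Project. It builds a minimal DNS A query and response with the standard library, then classifies a set of constructed observations (source IP, source port, raw payload) the way a survey listener would: a datagram counts as a resolver reply only if it is a real DNS response carrying our transaction id and question name, and the source port is recorded separately so mis-ported replies are still counted. The `Observation` record and the sample addresses are assumptions made for the example.

```python
import struct
from dataclasses import dataclass


@dataclass
class Observation:
    """One datagram seen by the survey listener (constructed for this example)."""
    src_ip: str
    src_port: int
    payload: bytes


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels, e.g. example.com -> \\x07example\\x03com\\x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(txid: int, qname: str) -> bytes:
    """A/IN query with RD set, as a survey probe would send to UDP/53."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", 1, 1)


def build_response(txid: int, qname: str, ip: str) -> bytes:
    """Well-formed A/IN response (QR, RD, RA set) with one answer record."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    # Answer: compression pointer to the question name at offset 12, type A, class IN, TTL 60, 4 bytes of RDATA
    rdata = bytes(int(o) for o in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + rdata
    return header + question + answer


def decode_name(payload: bytes, offset: int):
    """Decode a name starting at offset; returns (name, offset after the name)."""
    labels = []
    while True:
        length = payload[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0 == 0xC0:
            # Compression pointer: must point backwards, otherwise reject to avoid loops
            ptr = struct.unpack("!H", payload[offset:offset + 2])[0] & 0x3FFF
            if ptr >= offset:
                raise ValueError("forward compression pointer")
            name, _ = decode_name(payload, ptr)
            labels.append(name)
            return ".".join(labels), offset + 2
        labels.append(payload[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def parse_response(payload: bytes):
    """Return header/question fields if payload is a DNS response, else None."""
    try:
        if len(payload) < 12:
            return None
        txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
        if not (flags & 0x8000) or qd != 1:      # QR bit must be set; one question
            return None
        qname, off = decode_name(payload, 12)
        qtype, qclass = struct.unpack("!HH", payload[off:off + 4])
    except (struct.error, IndexError, UnicodeDecodeError, ValueError):
        return None
    return {"txid": txid, "rcode": flags & 0xF, "ra": bool(flags & 0x80),
            "qname": qname, "qtype": qtype, "qclass": qclass, "ancount": an}


def classify(obs: Observation, sent_txid: int, sent_qname: str) -> str:
    """Classify one datagram relative to the probe we sent."""
    r = parse_response(obs.payload)
    if r is None or r["txid"] != sent_txid or r["qname"].lower() != sent_qname.lower():
        return "unrelated-or-garbage"
    if obs.src_port == 53:
        return "open-resolver"
    # Reply came back from the wrong port: broken, but the payload is still a usable DNS answer
    return "open-resolver-wrong-source-port"


def survey(observations, txid: int, qname: str) -> dict:
    """Map each source IP to its classification."""
    return {o.src_ip: classify(o, txid, qname) for o in observations}


# Constructed sample traffic; RFC 5737 documentation addresses, not real devices.
TXID = 0x1234
QNAME = "example.com"
SAMPLE = [
    Observation("203.0.113.10", 53, build_response(TXID, QNAME, "192.0.2.1")),
    Observation("203.0.113.11", 12345, build_response(TXID, QNAME, "192.0.2.1")),
    Observation("203.0.113.12", 53, build_query(TXID, QNAME)),   # echo of our query, QR=0
    Observation("203.0.113.13", 53, b"\x00"),                      # truncated junk
]

if __name__ == "__main__":
    for ip, verdict in survey(SAMPLE, TXID, QNAME).items():
        print(ip, verdict)
```

The classifier deliberately keys on transaction id and question name rather than on the source port, so the second observation is reported as a resolver even though it answered from UDP/12345; a listener that filtered on `src_port == 53` would have silently dropped it, which is exactly the undercount the thread warns about.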

