[LINK] Open recursive servers, aka, open resolvers

stephen at melbpc.org.au stephen at melbpc.org.au
Sun Mar 31 02:01:50 AEDT 2013


<http://www.nytimes.com/2013/03/30/technology/devices-like-cable-boxes-figured-in-internet-attack.html?nl=todaysheadlines&emc=edit_th_20130330>

(Quote, NYTimes)

"The real enablers of the attack were the operators of more than 27 million 
computers around the globe who left their equipment wide open to a 
motivated attacker. Those enablers are not just companies, but regular 
people with home cable boxes.

The servers the attackers used — what the Internet community calls open 
recursive servers or, more commonly, open resolvers — are simply home 
Internet devices, corporate servers, or virtual machines in the cloud that 
have been sloppily configured to accept messages from any device around the 
globe.

In this week’s attack on Spamhaus and the company hired to fight it, 
CloudFlare, attackers made use of more than 100,000 open resolvers to 
inflict an attack that reached 300 billion bits per second, the largest 
such attack ever reported. 

When they could not take down those targets, they aimed and fired open 
resolvers at the world’s major Internet exchanges, first London, then 
Amsterdam, Frankfurt and then Hong Kong.

"At some point, we thought, ‘They are going to hit everything at once,'" 
said Matthew Prince, the chief executive of CloudFlare. "That’s the 
nightmare scenario that hasn’t happened — yet. We’ve now seen an attack 
that begins to illustrate the full extent of the problem."

Closing an open resolver, unfortunately, is not as simple as flipping a 
switch or downloading some software. Finding out if your home cable box is 
an open resolver, for instance, requires you to call your cable company and 
tell them that you do not want to be running an open resolver — a tough 
request when most of the world’s population does not even know what an open 
resolver is.

Recent efforts have been made to increase awareness of the issue. 

Computer security experts have recently started "naming and shaming" the 
operators of open resolvers. 

The DNS Measurement Factory, one such group, published a survey of top 
offenders by network. And more recently, the Open Resolver Project 
published a full list of the 27 million open servers online.

(/quote NYTimes)

And:  http://openresolverproject.org

"Open Recursive Resolvers pose a significant threat to the global network 
infrastructure. 

* If you are a member of the general public: Directions on securing
  nameservers can be found at Team Cymru: 
  http://www.team-cymru.org/Services/Resolvers/instructions.html

* If you are in the security community: Please contact dns-scan /at/
  puck.nether.net or if you know the host owner, engage him for access
  to raw data.

What can I do?

* Configure BCP-38 on all CPE and Datacenter equipment edges that have
  fixed IP ranges. This could be as simple as setting
  ip verify unicast source reachable-via rx on a router interface.
  Any statically routed customer should receive this setting by default.

* Configure your DNS servers with DNS RRL. Knot DNS and NLNetLabs NSD
  include this as a standard option now. BIND requires a patch.
  For more information check the Rate Limits in DNS Website
  http://www.redbarn.org/dns/ratelimits


So, Naming and Shaming ...

<http://dns.measurement-factory.com/surveys/openresolvers/ASN-reports/latest.html> ..

This table shows (some of the Australian) known open resolvers for each 
autonomous system, as of Sat Mar 30th 2013.

Count | ASN | Network

40 |   7543 | PI-AU Pacific Internet (Australia) Pty Ltd
 2 |   7615 | FORTANA-AS-AP Fortana Networks Australia Pty Ltd
 1 |  18108 | FUJITSU-AP FujitsuAustraliaLtd
 2 |  38458 | MLA-AS-AU-AP Meat and Livestock Australia Ltd
 2 |   7570 | AARNET-NSW-RNO Australian Academic and Reasearch Network 
 1 |  17757 | HPAUS-AP HP Australia
 1 |  38285 | DODO-AS-AP Dodo Australia Pty Ltd
33 |   9942 | COMINDICO-AP SOUL Converged Communications Australia
14 |  45261 | EATDATA-AP East Australia Transit and Data
 5 |  24443 | ISPNET-AS-AU ISP Networks Pty Ltd Service Provider Australia
 4 |  55736 | WEBVISIONS-AU-AS-AP Webvisions Australia
 3 |   3680 | NOVELL-AUSTRALIA Novell is connected to ATT&T in Sydney
 3 |  24437 | UWA-AS-AP University of Western Australia
 1 |  38803 | GOLDENIT-PTY-LTD-AUSTRALIA-AP Goldenit Pty ltd Australia
 5 |  24443 | ISPNET-AS-AU ISP Networks Pty Ltd Service Provider Australia

etc ..

Cheers,
Stephen
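
A check an operator can run against their own nameserver, from a host outside the networks it is meant to serve, to see whether it behaves as an open resolver. This is an added example, not part of the original post or of the quoted sites; the function names, the probe name example.com and the sample replies are assumptions constructed for illustration.

```python
import socket
import struct

QR, AA, RD, RA = 0x8000, 0x0400, 0x0100, 0x0080  # DNS header flag bits (RFC 1035)

def build_query(name, txid=0x1234):
    """Build an A/IN query with Recursion Desired set."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def classify(response, txid=0x1234):
    """Classify a raw reply as 'open', 'closed' or 'invalid'."""
    if len(response) < 12:
        return "invalid"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if rid != txid or not flags & QR:
        return "invalid"  # wrong transaction ID or not a response
    rcode = flags & 0x000F
    # Open: recursion available, NOERROR, answers present, and not the
    # server's own authoritative data (AA clear).
    if flags & RA and not flags & AA and rcode == 0 and ancount > 0:
        return "open"
    return "closed"  # REFUSED, RA clear, or nothing resolved for us

def check_resolver(server_ip, name="example.com", timeout=3.0):
    """Probe one server you operate; run from outside its client networks."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (server_ip, 53))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "no-response"
    return classify(data)

# Constructed sample replies (not captured traffic), so the logic runs offline.
_QUESTION = build_query("example.com")[12:]
_ANSWER = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
SAMPLE_OPEN = struct.pack("!HHHHHH", 0x1234, QR | RD | RA, 1, 1, 0, 0) + _QUESTION + _ANSWER
SAMPLE_REFUSED = struct.pack("!HHHHHH", 0x1234, QR | RD | 5, 1, 0, 0, 0) + _QUESTION

if __name__ == "__main__":
    print(classify(SAMPLE_OPEN), classify(SAMPLE_REFUSED))
```

A result of "closed" or "no-response" from an outside vantage point is the goal; the probe name should be one the server is not authoritative for, otherwise the AA check will report "closed" regardless of the recursion setting.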


