[LINK] Open recursive servers, aka, open resolvers
stephen at melbpc.org.au
Sun Mar 31 02:01:50 AEDT 2013
<http://www.nytimes.com/2013/03/30/technology/devices-like-cable-boxes-figured-in-internet-attack.html?nl=todaysheadlines&emc=edit_th_20130330>
(Quote, NYTimes)
"The real enablers of the attack were the operators of more than 27 million
computers around the globe who left their equipment wide open to a
motivated attacker. Those enablers are not just companies, but regular
people with home cable boxes.

The servers the attackers used -- what the Internet community calls open
recursive servers or, more commonly, open resolvers -- are simply home
Internet devices, corporate servers, or virtual machines in the cloud that
have been sloppily configured to accept messages from any device around the
globe.

In this week's attack on Spamhaus and the company hired to fight it,
CloudFlare, attackers made use of more than 100,000 open resolvers to
inflict an attack that reached 300 billion bits per second, the largest
such attack ever reported.

When they could not take down those targets, they aimed and fired open
resolvers at the world's major Internet exchanges, first London, then
Amsterdam, Frankfurt and then Hong Kong.

"At some point, we thought, 'They are going to hit everything at once,'"
said Matthew Prince, the chief executive of CloudFlare. "That's the
nightmare scenario that hasn't happened yet. We've now seen an attack
that begins to illustrate the full extent of the problem."

Closing an open resolver, unfortunately, is not as simple as flipping a
switch or downloading some software. Finding out if your home cable box is
an open resolver, for instance, requires you to call your cable company and
tell them that you do not want to be running an open resolver -- a tough
request when most of the world's population does not even know what an open
resolver is.

Recent efforts have been made to increase awareness of the issue.
Computer security experts have recently started "naming and shaming" the
operators of open resolvers.

The DNS Measurement Factory, one such group, published a survey of top
offenders by network. And more recently, the Open Resolver Project
published a full list of the 27 million open servers online."
(/quote NYTimes)
And: http://openresolverproject.org
"Open Recursive Resolvers pose a significant threat to the global network
infrastructure.

* If you are a member of the general public: Directions on securing
  nameservers can be found at Team Cymru:
  http://www.team-cymru.org/Services/Resolvers/instructions.html
* If you are in the security community: Please contact dns-scan /at/
  puck.nether.net or if you know the host owner, engage him for access
  to raw data.

What can I do?

* Configure BCP-38 on all CPE and Datacenter equipment edges that have
  fixed IP ranges. This could be as simple as setting
  ip verify unicast source reachable-via rx
  on a router interface. Any statically routed customer should receive
  this setting by default.
* Configure your DNS servers with DNS RRL. Knot DNS and NLNetLabs NSD
  include this as a standard option now. BIND requires a patch.

For more information check the Rate Limits in DNS Website
http://www.redbarn.org/dns/ratelimits
So, Naming and Shaming ...
<http://dns.measurement-factory.com/surveys/openresolvers/ASN-reports/latest.html> ..
This table shows (some of the Australian) known open resolvers for each
autonomous system, as of Sat Mar 30th 2013.
Count | ASN | AS name
40 | 7543 | PI-AU Pacific Internet (Australia) Pty Ltd
2 | 7615 | FORTANA-AS-AP Fortana Networks Australia Pty Ltd
1 | 18108 | FUJITSU-AP FujitsuAustraliaLtd
2 | 38458 | MLA-AS-AU-AP Meat and Livestock Australia Ltd
2 | 7570 | AARNET-NSW-RNO Australian Academic and Reasearch Network
1 | 17757 | HPAUS-AP HP Australia
1 | 38285 | DODO-AS-AP Dodo Australia Pty Ltd
33 | 9942 | COMINDICO-AP SOUL Converged Communications Australia
14 | 45261 | EATDATA-AP East Australia Transit and Data
5 | 24443 | ISPNET-AS-AU ISP Networks Pty Ltd Service Provider Australia
4 | 55736 | WEBVISIONS-AU-AS-AP Webvisions Australia
3 | 3680 | NOVELL-AUSTRALIA Novell is connected to ATT&T in Sydney
3 | 24437 | UWA-AS-AP University of Western Australia
1 | 38803 | GOLDENIT-PTY-LTD-AUSTRALIA-AP Goldenit Pty ltd Australia
5 | 24443 | ISPNET-AS-AU ISP Networks Pty Ltd Service Provider Australia
etc ..
Cheers,
Stephen
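
Added example, not part of the original post and not the Open Resolver Project's own tooling: a minimal Python check for the property the article describes, a server that performs recursion for clients outside its own network. The function names, the query name example.com and the sample packets are constructed for illustration; probe() is meant for a server you operate, run from an address outside its intended client range.

```python
import socket
import struct

TXID = 0x1234  # constructed transaction ID used by the query and the samples

def build_query(name):
    """DNS A/IN query with the RD (recursion desired) bit set."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"
    return struct.pack("!HHHHHH", TXID, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def classify_response(data):
    """Classify a reply to build_query() for a name that exists and that the
    queried server is not authoritative for."""
    if len(data) < 12:
        return "malformed"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != TXID or not flags & 0x8000:       # wrong ID, or QR bit not set
        return "malformed"
    ra, aa, rcode = bool(flags & 0x0080), bool(flags & 0x0400), flags & 0x000F
    if rcode == 5:
        return "refused"                        # recursion denied to this client
    if ra and not aa and rcode == 0 and ancount > 0:
        return "open"                           # resolved the name for an outsider
    return "inconclusive" if ra else "closed"   # RA clear: recursion not offered

def probe(server, name="example.com", timeout=3.0):
    """Send one query to a server you operate and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        try:
            return classify_response(s.recvfrom(4096)[0])
        except socket.timeout:
            return "no-reply"

def _sample(flags, ancount):
    """Constructed reply: header, echoed question, optional A record 192.0.2.1."""
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1])
    header = struct.pack("!HHHHHH", TXID, flags, 1, ancount, 0, 0)
    return header + build_query("example.com")[12:] + answer * ancount

SAMPLE_OPEN = _sample(0x8180, 1)      # QR, RD, RA, NOERROR, one answer
SAMPLE_REFUSED = _sample(0x8105, 0)   # QR, RD, rcode REFUSED
SAMPLE_CLOSED = _sample(0x8100, 0)    # QR, RD, RA clear, no answer

if __name__ == "__main__":
    for label, pkt in (("open", SAMPLE_OPEN), ("refused", SAMPLE_REFUSED), ("closed", SAMPLE_CLOSED)):
        print(label, "->", classify_response(pkt))
```

A result of "open" from outside your network means the server answers recursive queries for anyone, which is the configuration the quoted directions ask operators to close.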