Open Resolver Problems


On 03/25/13 16:45, Jared Mauch wrote:
> On Mar 25, 2013, at 2:04 PM, Jay Ashworth <jra at baylink.com> wrote:
>> ----- Original Message -----
>>> From: "Jared Mauch" <jared at puck.nether.net>
>>> Open resolvers pose a security threat.
>> Could you clarify, here, Jared?
>> Do "open DNS customer-resolver/recursive servers" *per se* cause a problem?
>> Or is it merely "customer zone servers which are misconfigured to recurse",
>> as has always been problematic?
>> That is: is this just a reminder we never closed the old hole, or 
>> notification of some new and much nastier hole?
> There have been some moderate size attacks recently that I won't go into detail here about.  The IPs that are on the website are certainly being used/abused.  A recent attack saw a 90% match rate against the "master list" here.  This means your open resolver is likely being used.
> Anything to raise the bar here will minimize the impact to those networks under attack.  Turn on RPF facing your colocation and high-speed server lans.  We all know hosts become compromised.  Help minimize the impact of these attacks by 
> a) doing BCP-38
> b) locking down your recursive servers to networks you control
> c) locking down your authority servers to not provide the same answer 15x in a second to the same querying IP.  If it's asking that same question 15x, then it's not you that's broken, it's that client.  (Or it's being abused).
> - Jared

    I think most of the audience here knows and are sensitive about it.

    The problems come from those who don't give a *shit*... And
they've been not giving a *shit* about it for years.

    The magic is in "how" to make them care.

    Does the industry need to go "a la PCI-DSS" for Peers?

    PS: My pico ISP is soooo on your list Jared =D  Not for long hopefully.

Alain Hebert   
PubNIX Inc.        
50 boul. St-Charles
P.O. Box 26770     Beaconsfield, Quebec     H9W 6G7
Tel: 514-990-5911  http://www.pubnix.net    Fax: 514-990-9443
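Two of the recommendations quoted above, restricting recursion to networks you control (b) and spotting a client that asks an authoritative server the same question 15 times in one second (c), can be checked from the query log before touching the server configuration. The script below is an added example, not code from either poster or from any DNS project: it parses constructed BIND-style query-log lines (the addresses, names and timestamps are made up), counts identical questions per client per second against the 15-per-second figure from the thread, and lists clients outside an assumed allowed-network list that set the recursion-desired flag. The log format and the "+"/"-" recursion flag follow BIND's querylog convention; the network list and log contents are assumptions.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# BIND-style query log line, e.g.:
# 25-Mar-2013 16:45:01.003 client 198.51.100.7#4521: query: isc.org IN ANY +E (192.0.2.53)
# The flags field starts with '+' when the client asked for recursion (RD set), '-' otherwise.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: query: "
    r"(?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+)"
)

# Constructed sample log (assumption, not real traffic): one address fires 16 identical
# ANY queries inside a single second, two local clients behave normally, and two
# outside addresses send one query each, one with RD set and one without.
SAMPLE_LOG = (
    [f"25-Mar-2013 16:45:01.{i:03d} client 198.51.100.7#4521: query: isc.org IN ANY +E (192.0.2.53)"
     for i in range(16)]
    + [
        "25-Mar-2013 16:45:01.500 client 192.0.2.10#53211: query: www.example.com IN A + (192.0.2.53)",
        "25-Mar-2013 16:45:02.010 client 192.0.2.10#53212: query: mail.example.com IN MX + (192.0.2.53)",
        "25-Mar-2013 16:45:02.300 client 203.0.113.5#40001: query: example.net IN A + (192.0.2.53)",
        "25-Mar-2013 16:45:03.120 client 203.0.113.9#40002: query: example.com IN NS - (192.0.2.53)",
    ]
)

# Networks from which recursion is legitimately expected (assumed value).
ALLOWED_NETS = ["192.0.2.0/24"]


def parse_line(line):
    """Parse one query-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "second": m.group("ts"),              # timestamp truncated to the second
        "client": m.group("ip"),
        "qname": m.group("qname").lower(),
        "qtype": m.group("qtype"),
        "rd": m.group("flags").startswith("+"),  # recursion desired?
    }


def repeated_queries(lines, threshold=15):
    """Return {(client, qname, qtype): peak} for every client that sent the same
    question more than `threshold` times within one second (peak = highest such count)."""
    per_second = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_second[(rec["second"], rec["client"], rec["qname"], rec["qtype"])] += 1
    peaks = {}
    for (_, client, qname, qtype), n in per_second.items():
        key = (client, qname, qtype)
        if n > threshold and n > peaks.get(key, 0):
            peaks[key] = n
    return peaks


def recursion_from_outside(lines, allowed_nets):
    """Return the set of client addresses outside `allowed_nets` that asked for recursion.
    A non-empty result on a resolver means it is still open to the world."""
    nets = [ip_network(n) for n in allowed_nets]
    outsiders = set()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["rd"]:
            addr = ip_address(rec["client"])
            if not any(addr in net for net in nets):
                outsiders.add(rec["client"])
    return outsiders


if __name__ == "__main__":
    for (client, qname, qtype), n in repeated_queries(SAMPLE_LOG).items():
        print(f"{client} asked {qname}/{qtype} {n}x in one second (rate-limit candidate)")
    for client in sorted(recursion_from_outside(SAMPLE_LOG, ALLOWED_NETS)):
        print(f"{client} requested recursion from outside the allowed networks")
```

On a real server, replace SAMPLE_LOG with the lines from the querylog channel and ALLOWED_NETS with the prefixes you actually serve; a client showing up in the second list is the evidence that the `allow-recursion` ACL is too wide, and the first list is where a per-client response rate limit would bite.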