new DNS forwarder vulnerability
In message <C7E435C6-344F-49CD-9152-7A9EF2FA6662 at puck.nether.net>, Jared Mauch
writes:
>
> On Apr 2, 2014, at 8:38 AM, Mark Allman <mallman at icir.org> wrote:
>
> >
> > [catching up]
> >
> >> That's a good question, but I know that during the ongoing survey
> >> within the Open Resolver Project [http://openresolverproject.org/],
> >> Jared found thousands of CPE devices which responded as resolvers.
> >
> > Not thousands, *tens of millions*.
> >
> > Our estimate from mid-2013 was 32M such devices (detailed in an IMC
> > paper last year; http://www.icir.org/mallman/pubs/SCRA13/). And, that
> > roughly agrees with both the openresolverproject.org numbers and another
> > (not public) study I know of. And, as if that isn't bad enough
> > ... there is a 2010 IMC paper that puts the number at 15M. I.e., the
> > instances of brokenness are getting worse---doubling in 3 years! UGH.
>
> One observation: The OpenResolverProject collects responses that come from
> ports that the query was not sent to (ie: device responds from UDP/12345
> not from UDP/53, which obviously is broken and doesn't "work", but they
> actually return DNS payload which can be used for abuse).
>
> Some good news though:
>
> http://openresolverproject.org/breakdown-graph1.cgi
I see axes, legend but no data points. If I hover over various spots
on the graph I see data values pop up.
> Since the start of 2014 there seem to be new CPE devices out there that
> are resolving this issue. The linear nature of the line in the decrease
> doesn't seem to be something like "ISPs" started blocking udp/53 to
> customers, which would appear more like a step function.
>
> I'm aware of some other studies ongoing to fingerprint CPE and their
> behaviors/aggregated resolver dependencies. I expect to see some of that
> data presented at the upcoming DNS-OARC meeting in Warsaw.
>
> Getting everyone to update their firmware on devices would go a long way
> as well. Some vendors have no software QA on this front so add/remove
> the response on the WAN interface as their releases march forward.
>
> - Jared
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
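The observation above, that some CPE devices answer a query sent to UDP/53 from a different source port, matters for anyone measuring or correlating open resolvers: a correlator keyed on the full 5-tuple silently drops those answers and undercounts, while one keyed on transaction ID and peer address catches them. The following is an added example (not code from the thread, the Open Resolver Project, or ISC) showing that correlation in Python over constructed sample packets; the IP addresses, transaction IDs and the label names are assumptions made up for the illustration.

```python
import struct

# Added example: correlate DNS replies with the queries that triggered them by
# (transaction ID, peer address) rather than by the full 5-tuple, so replies
# that come back from an unexpected source port are still attributed to the
# device that sent them. All packets below are constructed, not captured.

DNS_PORT = 53
RCODE_REFUSED = 5


def build_query(txid, qname, qtype=1):
    """Minimal DNS query: QR=0, RD=1, one question (qtype 1 = A, class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = qname.strip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + question + b"\x00" + struct.pack("!HH", qtype, 1)


def build_response(txid, qname, rcode=0, ra=True):
    """Constructed reply to build_query: QR=1, RD=1, RA as given, no answer RRs."""
    flags = 0x8100 | (0x0080 if ra else 0) | (rcode & 0x000F)
    query = build_query(txid, qname)
    return struct.pack("!H", txid) + struct.pack("!H", flags) + query[4:]


def parse_header(data):
    """Decode the 12-byte DNS header; raise ValueError on a truncated packet."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),
        "ra": bool(flags & 0x0080),
        "rcode": flags & 0x000F,
        "qdcount": qd,
        "ancount": an,
    }


def classify(queries, responses):
    """
    queries:   {txid: (dst_ip, dst_port)} for each probe that was sent.
    responses: [(src_ip, src_port, payload), ...] as seen on the wire.
    Returns {dst_ip: label}. A reply is matched to a probe by transaction ID
    and peer address only; the source port is then inspected separately.
    """
    result = {ip: "no-response" for ip, _ in queries.values()}
    for src_ip, src_port, payload in responses:
        try:
            hdr = parse_header(payload)
        except ValueError:
            continue  # garbage too short to be DNS; ignore
        probe = queries.get(hdr["id"])
        if probe is None or probe[0] != src_ip or not hdr["qr"]:
            continue  # unsolicited packet or not a response to our probe
        queried_port = probe[1]
        if hdr["rcode"] == RCODE_REFUSED:
            result[src_ip] = "refused"
        elif src_port == queried_port:
            result[src_ip] = "answers-from-queried-port"
        else:
            # The "broken but abusable" case from the thread: a DNS payload
            # still comes back, just not from the port we sent to.
            result[src_ip] = "answers-from-other-port"
    return result


def sample_classification():
    """Run classify() over three constructed devices (RFC 5737 test addresses)."""
    qname = "example.com"
    queries = {
        0x1234: ("192.0.2.1", DNS_PORT),  # well-behaved: replies from UDP/53
        0x5678: ("192.0.2.2", DNS_PORT),  # replies from UDP/12345 instead
        0x9ABC: ("192.0.2.3", DNS_PORT),  # never replies
    }
    responses = [
        ("192.0.2.1", 53, build_response(0x1234, qname)),
        ("192.0.2.2", 12345, build_response(0x5678, qname)),
        ("192.0.2.9", 53, build_response(0x1234, qname)),  # spoofed/unsolicited
    ]
    return classify(queries, responses)


if __name__ == "__main__":
    for ip, label in sorted(sample_classification().items()):
        print(f"{ip:12} {label}")
```

The unsolicited packet from 192.0.2.9 is dropped even though its transaction ID matches, because the peer address does not; that check is what keeps a stray or spoofed reply from being credited to a probed device. Adding the source-port comparison on top of the match, rather than as part of it, is the difference between counting the UDP/12345 responders and losing them.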