[sdnog] Understanding the Origins of Anomalous Open DNS Resolvers

Frank Habicht geier at geier.ne.tz
Mon Mar 16 14:35:30 SAST 2015


On 3/8/2015 2:32 PM, Nishal Goburdhan wrote:
> one ISP that i know in ZA, actively scans its consumer base,
> including some of its colocation environments as a way to
> pre-emptively warn their users of issues.  of course this doesn't
> pickup everything, but according to the guy that does it, it does
> help them (he might be slightly biased, as it's technically his job
> on the line here ... ;-)) 

I'd like to comment on this - though a bit late.

I'm generally in agreement with this practice.

Where I work, we/I are not doing this ....
.... yet.

We're working through 3rd-party available lists of badness.
open dns resolvers from Team Cymru for instance,
openresolverproject, its NTP version, ...
also previously I have asked netflow about udp from port 123 going (out)
to upstreams, those sources would be in actual use as DDOS amplifiers.

Right now I make good use of
where you give your ASN, and get access based on whois contacts.
And then they show a good list of amplifiers on your network that are
publicly available on UDP ports 19,53,123,161,1900

After cleaning all that up,
and after confirming that we have an AUP that allows me to proactively
scan (which I believe I should be allowed, say weekly)...
... I think I would do that.
But only for IPs belonging to our network (originated by our ASN),
customers with own ASNs should take care of that themselves.


More information about the sdnog mailing list