[nsp-sec] ACK 700K Open Resolver List

Scott A. McIntyre scott at xs4all.net
Sat Apr 11 02:34:40 EDT 2009


Hi,


ACK 286/3265/5417/5615/8737/...

And:

> notice that a number of DSL users on here which makes me think there  
> is another piece of
> cheap CPE on the market with an open recursor again (groan)

As part of the attack I mentioned here the other day, we've done a lot  
of digging.  A great number of our customers who were contributing to  
the attack against 67.21.67.126 have Siemens Efficient 58xx or 59xx  
series modems.  In the latter case, firmware versions below 6.3 seem to
automatically enable a "DNS Relay" feature which can *not* be
disabled.  No option in the CLI or the HTTP interface seems to make
that possible.

For the 58xx series Efficient modems we have not found a firmware
version which has this DNS Relay disabled, or able to be disabled.

In firmware version 6.3 the problem seems to be corrected and automatic
relaying to the DNS server from the ISP doesn't take place.  It
doesn't matter if you manually set the DNS in the modem, or if you
take the provider assigned values (RADIUS/DHCP) -- the feature is just
there and on.  :-(

In the case of a Zyxel 792, if you disable the internal firewall
(because perhaps you have your own firewall behind the modem) the DNS
relay feature kicks in and the modem happily helps out with DNS
amplification attacks.

Both of these modems seem to use similar underlying firmware/software,  
which I suspect is a factor here.

Hope this helps someone,

Scott A. McIntyre
XS4ALL Internet B.V.
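The "DNS Relay" behaviour described in the post turns a customer's modem into an open recursive resolver: it forwards any query it receives from the WAN side and returns the upstream answer, so a spoofed query elicits a larger response aimed at the victim. The following is an added example (written here, not code from the post or from XS4ALL) of the check a network operator would run against a suspect CPE address: it builds a minimal DNS query with the RD bit set, classifies the reply by the RA bit, RCODE and answer count, and reports the amplification ratio (response bytes / query bytes). The probed hostname and the A-record data in the constructed sample reply are assumptions for illustration; the sample reply exists only so the classifier can be exercised offline.

```python
"""Open-resolver check for a CPE address (added example, not from the post).

build_query()  - wire-format DNS query, RD=1, as a real client would send.
classify()     - decide from the reply whether the target recursed for us.
probe()        - send the query over UDP to a host and classify the reply.
make_sample_response() - constructed reply used only for offline testing.
"""
import socket
import struct
import sys
from typing import Dict, Union

QR = 0x8000  # header flag: this is a response
RD = 0x0100  # header flag: recursion desired
RA = 0x0080  # header flag: recursion available
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Return a standard query (RFC 1035 section 4.1) for `name` with RD set."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN


def classify(query: bytes, response: bytes) -> Dict[str, Union[bool, int, float, str]]:
    """Classify a reply: an open resolver answers with RA set, NOERROR and data.

    Only the 12-byte header is needed; the answer section is not parsed.
    """
    if len(response) < 12:
        return {"open_resolver": False, "rcode": "SHORT", "amplification": 0.0}
    qid = struct.unpack("!H", query[:2])[0]
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    rcode = flags & 0x000F
    result = {
        "id_match": rid == qid,
        "is_response": bool(flags & QR),
        "recursion_available": bool(flags & RA),
        "rcode": RCODES.get(rcode, str(rcode)),
        "answers": ancount,
        # bytes sent to a spoofed victim per byte the attacker sends
        "amplification": round(len(response) / len(query), 2),
    }
    result["open_resolver"] = (
        result["id_match"]
        and result["is_response"]
        and result["recursion_available"]
        and rcode == 0
        and ancount > 0
    )
    return result


def probe(host: str, name: str = "example.com", port: int = 53, timeout: float = 2.0):
    """Send one UDP query to `host` and classify the reply (needs network)."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (host, port))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return {"open_resolver": False, "rcode": "TIMEOUT", "amplification": 0.0}
    return classify(query, data)


def make_sample_response(query: bytes, ra: bool = True, rcode: int = 0,
                         n_answers: int = 0) -> bytes:
    """Constructed reply for offline tests: echoes the question section and
    appends `n_answers` A records (name as a compression pointer to offset 12,
    TTL 300, an assumed address). Not real traffic from any device."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = QR | RD | (RA if ra else 0) | (rcode & 0x000F)
    header = struct.pack("!HHHHHH", txid, flags, 1, n_answers, 0, 0)
    question = query[12:]
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + bytes([93, 184, 216, 34])
    return header + question + answer * n_answers


if __name__ == "__main__":
    # usage: python open_resolver_check.py <cpe-ip> [name]
    target = sys.argv[1]
    qname = sys.argv[2] if len(sys.argv) > 2 else "example.com"
    print(probe(target, qname))
```

A reply with RCODE REFUSED, or no reply at all, means the device is not relaying for outside clients; a NOERROR reply with RA set and answers present means it is, and the amplification field shows how much larger the response is than the spoofed query that triggered it. Using an ANY query for a zone with a large record set raises that ratio considerably, which is the case the post is concerned with.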
