[nsp-sec] 700K *abused* resolver list?

Stephen Gill gillsr at cymru.com
Wed Apr 15 13:10:53 EDT 2009


It's a matter of scale...

With open recursive servers you can reach 70+:1 amplification.  With root
referrals a lot less, but still a decent ratio assuming you have enough
firepower to start with.

-- steve

On 4/15/09 9:30 AM, "Smith, Donald" <Donald.Smith at qwest.com> wrote:

> ----------- nsp-security Confidential --------
> 
> I believe this attack is using the new pattern that Joe outlines here:
> http://www.secureworks.com/research/threats/dns-amplification/?threat=dns-amplification
> 
> Which doesn't need open resolvers as you state below.
> 
> (coffee != sleep) & (!coffee == sleep)
> Donald.Smith at qwest.com gcia
> 
>> -----Original Message-----
>> From: nsp-security-bounces at puck.nether.net
>> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of
>> Mike Lewinski
>> Sent: Tuesday, April 14, 2009 12:22 PM
>> To: NSP-SEC List
>> Subject: Re: [nsp-sec] 700K *abused* resolver list?
>> 
>> Mike Lewinski wrote:
>> 
>>> I'm thinking that additional-from-auth and additional-from-cache may not
>>> be available on some of the older BIND 8s that are out there? It may
>>> also not be advisable for people who are running combined auth/caching
>>> servers? Advice appreciated, TIA!
>> 
>> Replying to myself because the list is a little slow today and I've done
>> more research....
>> 
>> Closing recursion alone isn't enough, and mere presence of an IP address
>> on the 700K list may not be an accurate indicator of open vs closed
>> resolver?
>> 
>> http://www.secureworks.com/research/threats/dns-amplification
>> 
>> I see no functional difference querying "." vs "um."
>> 
>> 
>> _______________________________________________
>> nsp-security mailing list
>> nsp-security at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/nsp-security
>> 
>> Please do not Forward, CC, or BCC this E-mail outside of the
>> nsp-security
>> community. Confidentiality is essential for effective
>> Internet security counter-measures.
>> _______________________________________________

-- 
Stephen Gill, Chief Scientist, Team Cymru
http://www.cymru.com | +1 630 230 5423 | gillsr at cymru.com
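
Added example, not part of the original thread: a small offline classifier for auditing your own name servers, separating the three reply types the thread distinguishes for a "." NS query (REFUSED, a referral from a server with recursion closed, and a recursive answer) and reporting the response/query size ratio. The function names, verdict labels and the sample replies (real headers, zero filler in place of records, arbitrary sizes) are constructed for illustration.

```python
import struct

RCODE_REFUSED = 5
FLAG_RA = 0x0080  # "recursion available" bit in the DNS header flags

def build_query(name=".", qtype=2, txid=0x1234):
    """Wire-format query with RD set; qtype 2 is NS, class 1 is IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in name.strip(".").split(".") if p)
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def classify(query, response):
    """Classify one reply by its header; also return response/query size ratio."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, an, ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if txid != struct.unpack("!H", query[:2])[0] or not flags & 0x8000:
        raise ValueError("not a response to this query")
    rcode = flags & 0x000F
    if rcode == RCODE_REFUSED:
        verdict = "refused"            # small reply, no amplification value
    elif rcode == 0 and an > 0 and flags & FLAG_RA:
        verdict = "recursive-answer"   # recursion is open to this client
    elif rcode == 0 and an == 0 and ns > 0:
        verdict = "referral"           # recursion closed, but still a large reply
    else:
        verdict = "other"
    return verdict, round(len(response) / len(query), 1)

def constructed_reply(query, flags, an, ns, ar, total_len):
    """Constructed sample: real header and question, zero filler for records."""
    head = query[:2] + struct.pack("!HHHHH", flags, 1, an, ns, ar) + query[12:]
    return head + b"\x00" * (total_len - len(head))

if __name__ == "__main__":
    q = build_query(".")
    samples = {  # constructed replies; sizes are illustrative only
        "refused": constructed_reply(q, 0x8105, 0, 0, 0, 17),
        "closed, refers to root": constructed_reply(q, 0x8100, 0, 13, 13, 510),
        "open recursion": constructed_reply(q, 0x8180, 13, 0, 13, 340),
    }
    for label, reply in samples.items():
        print(label, classify(q, reply))
```

A server that returns "referral" to outside clients would still be counted by a scan that only measures reply size, which is the ambiguity about the 700K list raised above.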
