[nsp-sec] 700K Open Resolver List

[Gabriel Iovino]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Greetings all,

One month ago today (2009-04-13) the REN-ISAC sent ~179 notifications
regarding ~1,138 open DNS resolvers reported to be participating in DNS
amplification attacks.

Note: We did not verify that all 1,138 were actually open resolvers,
only a handful were manually verified. We did not receive any responses
claiming that an IP was not a open resolver.

Today we queried each one of the 1,138 to see how many are currently an
open resolver. It looks like 22% or 255 of the 1138 have been
reconfigured to *no longer* act as a open resolver.

I share this with all of you because I think it is interesting and I
believe if we can tie open resolvers with observed attacks, we have a
better chance to get organizations to reconfigure their DNS servers.

Gabe

- --
Gabriel Iovino
Principal Security Engineer, REN-ISAC
http://www.ren-isac.net
24x7 Watch Desk +1(317)278-6630

Stephen Gill wrote:
> ----------- nsp-security Confidential --------
> 
> Hi Team,
> 
> I took a somewhat restrictive view of the pcaps we have and parsed out about
> 700K open resolvers used in the latest DNS amplifier attack across ~10K
> ASNs.  I believe there were closer to 1 Million total.
> 
> You can find the data split up by ASN here:
> 
> https://www.cymru.com/nsp-sec/Owned/recursive3/
> 
> ASNs affected:
> 
> https://www.cymru.com/nsp-sec/Owned/recursive3/asns.txt
> 
> Please do not download the entire list and only fetch the ones you have
> control or influence over.
> 
> Comments/questions welcome & have a great weekend!
> 
> Cheers,
> -- steve
> 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkoLAtMACgkQwqygxIz+pTtLDwCgyQHIN0MrSDt9EP3yHi+BxLUf
tHAAoMm49XvsNkv1JNT5YApFiDX9JDBx
=V1mL
-----END PGP SIGNATURE-----