[nsp-sec] Daily Reports Summary for week ending 2010-11-22
Kevin Oberman
oberman at es.net
Mon Nov 22 12:57:20 EST 2010
> Date: Mon, 22 Nov 2010 10:37:37 -0500
> From: Tim Wilde <twilde at cymru.com>
>
> On 11/22/2010 10:27 AM, Kevin Oberman wrote:
> > Any reason for the huge jump in open resolvers yesterday? I am sure that
> > there were not that many new ones created and can't possibly explain a
> > jump from about 100,000 to over 3 million, if I believe the plot on the
> > open resolvers page:
> > (https://www.cymru.com/nsp-sec/dailyreports/openresolvers.html)
> >
> > It looks far more dramatic than the numbers in this report:
> > report        UniqueIPs  Change   ASNs   bogon  noroute  UniqueIPs  ASNs
> > Openresolver  3,587,046  +390.8%  18647  0      112      730,865    10111
> >
> > But, in either case, something seems to have sharply affected the
> > numbers beyond a few million folks deciding to turn on DNS and not
> > restricting access over the course of a week. I have confirmed that the
> > systems that just showed up yesterday in my reports are legitimate, so
> > it is probably not a matter of false positives.
>
> Hey Kevin & Teams,
>
> Sorry, I forgot to explain this in my below-report commentary this week.
> This is the result of a periodic full re-scanning of open resolvers.
> Our normal scanning is the base line on the graphs, while those spikes
> you see periodically are re-scans that are performed on a larger list.
> So there wasn't a jump in open resolvers so much as a jump in detected
> open resolvers, and even that wasn't a surprise, just a periodic
> re-scanning. I hope this helps!
>
> Regards,
> Tim

Tim,

Yes, this explains it nicely. I was expecting some comment in the weekly
message, and I'm not familiar with the methodology used in generating
this list, so I was not sure of the cause.

These are the hardest of the issues I see reported to get fixed. They
are almost invariably Microsoft servers and must be either recursive or
not. Of course, they only have one server/set of servers and have to
have them recursive for their internal folks, so can't turn off
recursion. I suggest that they install a second server for external
access and block external access to the recursive server, but small
shops cry "budgetary issues", and nothing seems to happen. :-(

Suggestions that they install some other software are non-starters as
they are all Microsoft shops and simply reject any open-source software
out of hand. **Sigh**
--
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman at es.net Phone: +1 510 486-8634
Key fingerprint: 059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751