[nsp-sec] DDoS traceback to identify open resolvers
Eric Ziegast
ziegast at isc.org
Thu Jun 6 00:59:37 EDT 2013
On 6/6/13 1:01 AM, Jason Chambers wrote:
> Would NSP/ISPs have any interest in a feed of DNS Amp DoS targets for
> use in traceback ? I was thinking how we might use the visibility we
> have at the enterprise level to help identify more open resolvers and
> the botnets that use them.
Short answer: Yes, please contact me to help prototype this feed based
on your data so that others can replicate what you do.
Eric Ziegast
ziegast at isc.org
https://sie.isc.org
+1-650-423-1363
Longer:
People already know where all of the millions of open resolvers are
(thanks Jared!). Knowing which thousands of resolvers are actively
being used in an attack will help prioritize data seen on
openrecursorproject.org or feed data from ShadowServer (and others)
for ISPs to mitigate. It's easier for an ISP to tell their customer,
"you need to take down your open resolver", if they can add in that
notification, "because it is actively being used to attack others and
violating our AUP", rather than just, "because it's best practice to
not run open recursive resolvers".
Knowing in real time which IPs are under attack will help better ISPs
and companies and firewall vendors grep their flow data for bot source
tracebacks and feed that back for use by the security industry and law
enforcement for attribution.
ISC has some visibility into some of these attacks from the view of
providing nameservice for isc.org/ANY and ripe.net/ANY and has access
to at least one open recursive nameserver. ISC Security is developing
a real-time "these are the nameservers that are being used" feed on
the Security Information Exchange (SIE) as well as a DNS RPZ zone that
can help authoritative nameservice providers differentiate lookups and
provide alternative educational answers to clients who are using open
recursive servers actively being used in attacks (think
DCWG/Facebook/Google/"dns-ok" alternative answers).
Also, if anyone *intentionally* runs an open recursive nameserver,
please contact me. I'll first start by trying to convince you *not*
to run one, but if I can't, data from your nameserver will be helpful
toward this collaborative effort.
--
Eric Ziegast
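As an added example (not code from the original message or from ISC), the detection logic behind the "these are the nameservers that are being used" feed described above, run over constructed BIND-style query-log lines as an authoritative server for isc.org/ripe.net would see them. The log line format, the window and threshold values, and all addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed BIND-style query-log line (format is an assumption), e.g.:
# 06-Jun-2013 01:01:00.000 client 192.0.2.10#40000 (isc.org): query: isc.org IN ANY +E (198.51.100.1)
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ client (?P<src>[0-9a-fA-F:.]+)#\d+ "
    r"\(.*?\): query: (?P<qname>\S+) IN (?P<qtype>\S+) "
)
# Zones named in the message whose ANY responses are large (assumption: both served here).
AMP_ZONES = {"isc.org.", "ripe.net."}

def parse(line):
    """Return (timestamp, client, qname, qtype) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S")
    qname = m.group("qname").rstrip(".").lower() + "."
    return ts, m.group("src"), qname, m.group("qtype").upper()

def active_reflectors(lines, window_s=60, threshold=20):
    """Map client -> peak ANY queries per sliding window, for clients at or above threshold.
    From the authoritative server's view the client is the open resolver doing the reflecting."""
    by_src = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec[3] == "ANY" and rec[2] in AMP_ZONES:
            by_src[rec[1]].append(rec[0])
    hits = {}
    for src, times in by_src.items():
        times.sort()
        start, peak = 0, 0
        for i, t in enumerate(times):  # two-pointer sliding window over sorted timestamps
            while (t - times[start]).total_seconds() > window_s:
                start += 1
            peak = max(peak, i - start + 1)
        if peak >= threshold:
            hits[src] = peak
    return hits

def sample_lines():
    """Constructed sample: one busy reflector, one low-rate ANY client, one benign A client."""
    fmt = "06-Jun-2013 01:01:%02d.000 client %s#%d (isc.org): query: %s IN %s +E (198.51.100.1)"
    lines = [fmt % (s, "192.0.2.10", 40000 + s, "isc.org", "ANY") for s in range(30)]
    lines += [fmt % (s, "203.0.113.5", 50000 + s, "ripe.net", "ANY") for s in range(5)]
    lines += [fmt % (s, "198.51.100.7", 60000 + s, "www.isc.org", "A") for s in range(2)]
    return lines + ["unparseable line"]
```

The resulting client list is the per-attack subset of the known open resolvers that an ISP notification ("actively being used to attack others") can be built from.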