[nsp-sec] DDoS traceback to identify open resolvers

Jason Chambers jchambers at ucla.edu
Thu Jun 6 01:23:36 EDT 2013


On 6/5/13 9:59 PM, Eric Ziegast wrote:
>
> Short answer: Yes, please contact me to help prototype this feed based
> on your data so that others can replicate what you do.
>

Will do.

(..cut..)

>
> People already know where all of the millions of open resolvers are
> (thanks Jared!).  Knowing which thousands of resolvers are actively
> being used in an attack will help prioritize data seen on
> openrecursorproject.org or feed data from ShadowServer (and others)
> for ISPs to mitigate.  It's easier for an ISP to tell their customer,
> "you need to take down your open resolver ", if they can add in that
> notification, "because it is actively being used to attack others and
> violating our AUP", rather than just, "because it's best practice to
> not run open recursive resolvers".
>

I can say that definitely helps here at UCLA.

> Knowing in real time which IPs are under attack will help better ISPs
> and companies and firewall vendors grep their flow data for bot source
> tracebacks and feed that back for use by the security industry and law
> enforcement for attribution.

Yep, cool, see below.

(..cut..)

>
> Also, if anyone *intentionally* runs an open recursive nameserver,
> please contact me.  I'll first start by trying to convince you *not*
> to run one, but if I can't, data from your nameserver will be helpful
> toward this collaborative effort.
>

I was thinking of encouraging some people in the REN space to set up a
"honeypot" style recursive server with rate-limiting to qualify as
"open" to scanners but near worthless during a DoS.

Bad idea?  In addition to tracking open recursive servers I thought it
would be interesting to regularly track all the DoS targets; if and when
a botnet is disrupted it would work something like a "damages database"
to add towards whatever LEO uses to justify indictment.  I'm sure there
are other uses as well.

--Jason
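Eric's point about grepping flow data for the resolvers actively reflecting onto attack targets, together with the "damages database" idea above, as an added Python illustration that is not code from this thread; the flow records, the victim list, the (src, sport, dst, dport, bytes) record layout and the byte threshold are all constructed assumptions.

```python
"""Rank open resolvers by how much DNS-response traffic they send to
known DDoS victims, from flow records.  Added illustration; the flow
records and victim list are constructed sample data, and the record
layout (src, sport, dst, dport, bytes) is an assumption."""
from collections import defaultdict

# Constructed: IPs reported as "under attack" by a real-time feed.
VICTIMS = {"198.51.100.7"}

# Constructed flow records: (src, sport, dst, dport, bytes).
FLOWS = [
    ("203.0.113.10", 53, "198.51.100.7", 80, 3_000_000),
    ("203.0.113.11", 53, "198.51.100.7", 80, 2_500_000),
    ("203.0.113.12", 53, "198.51.100.7", 443, 400),        # one normal reply
    ("203.0.113.10", 53, "192.0.2.20", 4444, 512),         # not a victim
    ("203.0.113.13", 443, "198.51.100.7", 5555, 9_000_000),  # not DNS
]


def reflectors_hitting_victims(flows, victims, min_bytes=1_000_000):
    """Return {resolver_ip: bytes} for sources sending DNS responses
    (source port 53) to victim IPs, keeping only those at or above
    min_bytes, largest first.  These are the resolvers worth reporting
    to their ISP as "actively being used to attack others"."""
    totals = defaultdict(int)
    for src, sport, dst, _dport, nbytes in flows:
        if sport == 53 and dst in victims:
            totals[src] += nbytes
    ranked = {ip: b for ip, b in totals.items() if b >= min_bytes}
    return dict(sorted(ranked.items(), key=lambda kv: -kv[1]))


def damages_by_victim(flows, victims):
    """Bytes of reflected DNS traffic received per victim, the raw
    material for a per-target "damages database"."""
    per_victim = defaultdict(int)
    for _src, sport, dst, _dport, nbytes in flows:
        if sport == 53 and dst in victims:
            per_victim[dst] += nbytes
    return dict(per_victim)


if __name__ == "__main__":
    for ip, b in reflectors_hitting_victims(FLOWS, VICTIMS).items():
        print(f"notify owner of {ip}: {b} bytes of DNS responses to victims")
    print(damages_by_victim(FLOWS, VICTIMS))
```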
