Spoofing ASNs (Re: SNMP DDoS: the vulnerability you might not know you have)

• Previous message (by thread): Spoofing ASNs (Re: SNMP DDoS: the vulnerability you might not know you have)
• Next message (by thread): Spoofing ASNs (Re: SNMP DDoS: the vulnerability you might not know you have)
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

* Jared Mauch:

> The incidence rate is too high for it to be multihomed hosts.
>
> Let me know if you want to look at the raw data. Very interesting stuff.
>
> Or just look for 8.8.8.8 in the openresolverproject page.

Indeed, I could verify that 5.61.0.0 can indeed spoof one of my IP
addresses to the 8.8.8.8 DNS resolver.  For a cache miss, I get a
query from a Google IP address and the 8.8.8.8 reply has a plausible
TTL, so I don't think it's spoofing the response.

Apparently, they're implementing DNS proxy by destination-NATting, and
because they listen also on the WAN interface, they get the source
address wrong.

This is quite scary.

• Previous message (by thread): Spoofing ASNs (Re: SNMP DDoS: the vulnerability you might not know you have)
• Next message (by thread): Spoofing ASNs (Re: SNMP DDoS: the vulnerability you might not know you have)
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]