Spoofing ASNs (Re: SNMP DDoS: the vulnerability you might not know you have)
fw at deneb.enyo.de
Sun Aug 11 15:40:28 UTC 2013

* Jared Mauch:

> The incidence rate is too high for it to be multihomed hosts.
> Let me know if you want to look at the raw data. Very interesting stuff.
> Or just look for 188.8.131.52 in the openresolverproject page.

Indeed, I could verify that 184.108.40.206 can indeed spoof one of my IP
addresses to the 220.127.116.11 DNS resolver. For a cache miss, I get a
query from a Google IP address and the 18.104.22.168 reply has a plausible
TTL, so I don't think it's spoofing the response.

Apparently, they're implementing DNS proxy by destination-NATting, and
because they listen also on the WAN interface, they get the source

This is quite scary.