Open Resolvers pseudo Honey Pot (Was: Open Resolver Problems)

Mark Andrews marka at isc.org
Thu May 9 23:03:56 UTC 2013


In message <518BD982.60709 at pubnix.net>, Alain Hebert writes:
>     ( Ok, ok, another bad customer =D )
> 
> Starting today at 5h15m EST...
> 
>     There is a bigger than usual DDoS amplification against the IPs
> listed below.
> 
>     Granted root servers query is barely 1k while the usual isc.org is
> 3.5k and this is a "possible" 15Mbps from this one source but still :(

	With a validating resolver

	"dig any . +edns" returns a 1872 byte payload.
	"dig any . +dnssec" returns a 2030 byte payload.
	(difference is NS RRSIG records)

	Getting the DNSKEY records included isn't hard.  Throw a
	single DNSKEY query into the stream once a day/hour
	and it will be cached for 48 hours.

	If you have the SOA cached as well it gets to

	"dig any . +edns" returns a 2087 byte payload.
	"dig any . +dnssec" returns a 2245 byte payload.
 
	Mark

> PS:
> 
>     If you're a Tier and wish to track down the *^%$*#@ source ISPs to
> explain to them the joy of BCP38...
> 
>     Contact me off list, from your corporate email address, and I'll
> provide you with the IP of that server.
> 
> ----- IP are targeted for DDoS amplification.
> 
> Format:
> 
> <IP>
>     <query count during 10 seconds> [query]
> 
> -----
> Alain Hebert                                ahebert at pubnix.net   
> PubNIX Inc.        
> 50 boul. St-Charles
> P.O. Box 26770     Beaconsfield, Quebec     H9W 6G7
> Tel: 514-990-5911  http://www.pubnix.net    Fax: 514-990-9443
> 
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
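
An added example, not part of the original message or either poster's tooling: it parses a report in the "<IP> / <query count during 10 seconds> [query]" format above and estimates how much traffic the resolver reflects toward each spoofed source, using the payload sizes quoted in the reply. The sample addresses are constructed, the min_qps threshold is hypothetical, and "+E" is assumed to mean an EDNS query without the DO bit, so the "+edns" sizes apply by default.

```python
import re

# Response sizes quoted in the message for "dig any ." on a validating resolver.
PAYLOAD_BYTES = {"edns": 1872, "dnssec": 2030, "edns+soa": 2087, "dnssec+soa": 2245}
# Wire size of ". IN ANY" with EDNS: 12-byte header + 5-byte question + 11-byte OPT.
QUERY_BYTES = 28
WINDOW_SECONDS = 10  # the report counts queries per 10 seconds

# Constructed sample in the report's format (documentation address ranges).
SAMPLE = """\
192.0.2.10
        3079 . IN ANY +E
198.51.100.7
        1014 . IN ANY +E
203.0.113.5
        12 example.com IN A
"""

def parse_report(text):
    """Return [(ip, count, query)] from '<IP>' lines followed by '<count> [query]'."""
    rows, ip = [], None
    for raw in text.splitlines():
        line = raw.lstrip("> \t").strip()  # tolerate e-mail quoting
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", line):
            ip = line
        elif ip and (m := re.fullmatch(r"(\d+)\s+(.+)", line)):
            rows.append((ip, int(m.group(1)), m.group(2)))
    return rows

def reflected_mbps(count, payload="edns"):
    """Traffic the resolver sends toward one spoofed source, in Mbit/s."""
    return round(count * PAYLOAD_BYTES[payload] * 8 / WINDOW_SECONDS / 1e6, 2)

def amplification(payload="edns"):
    """Response bytes per query byte (DNS payload only, no IP/UDP headers)."""
    return round(PAYLOAD_BYTES[payload] / QUERY_BYTES, 1)

def flag_victims(text, payload="edns", min_qps=50):
    """Sources sending root ANY queries at >= min_qps (hypothetical threshold)."""
    return [(ip, reflected_mbps(count, payload))
            for ip, count, query in parse_report(text)
            if query.split()[:3] == [".", "IN", "ANY"]
            and count / WINDOW_SECONDS >= min_qps]

if __name__ == "__main__":
    for ip, mbps in flag_victims(SAMPLE):
        print(f"{ip}: ~{mbps} Mbit/s reflected, x{amplification()} amplification")
```

Summing the per-source figures gives the outbound load a single open resolver contributes, which is the number to compare against a response-rate limit or an egress alert threshold.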


