On Tue, 3 Oct 2006, John Kristoff wrote:

> On Mon, 2 Oct 2006 23:34:39 -0400 (EDT)
> Dean Anderson <[EMAIL PROTECTED]> wrote:
> 
> 
> > That kind of search will be noticed by somebody.  Ask the open relay
> > scanners.
> 
> Evidence suggests otherwise.  Did you notice any probes a few months
> ago to:

Actually, everyone who does this scanning is noticed by _some_ one.
Some complain, some just have logs. Many have logs that are either not
reviewed, but exist, or are reviewed and noticed, but no complaints are
issued.

>   130.105.19.3
>   130.105.11.3
>   198.3.136.10

As I told you in May, I'm not one of the people looking for this
scanning at the moment. However, like many, I do keep logs.  No doubt
your scanning generated some log messages that could be retrieved to
identify you as the scanner. 

Below you note that your scanning has also been noticed and complained
of--and I probably wouldn't initially suspect ultradns of bad
intentions, and wouldn't complain even if I had noticed.  This seems to
refute your claim that such scanning can't be detected.  Your claim of
non-detection is somewhat similar to claims made by some open relay
zealots.  Some people back then actually, genuinely believed that open
relay abuse couldn't be detected, and performed abuse from their desktop
work computers. (see information about Chris Neill at www.iadl.org.)
Neill was particularly obtuse in that he continued abuse even after he
was notified that we could detect his abuse, and was told to stop by his
management. I recall he was kind of stunned by the revelation, but he
continued abuse until he was fired, anyway.

I also note that two open relay anti-spam sites that claimed to be
"legitimate open relay scanners" were involved in conducting the abuse
of open relays.  They used their "anti-spam" moniker as a cover for
their abuse activities.

If public DNS recursors were to become a problem of abuse, operators
have the same recourse as did open relay operators:  They change IP
addresses occasionally and distribute those changes to customers/users.  
Then abusers have to continuously scan for such servers, and this
scanning will be both detectable and non-scalable.  (One can't keep
scanning the entire internet and not be noticed, especially once people
begin actively looking for scanning.)  Similarly, open recursor scanning
will become anathema just like open relay scanning. People will start
watching for route cache entries to UDP port 53 instead of (or in
addition to) TCP port 25, and set up traps at UDP 53 to detect
scanners, etc.  So there is already a solution to open recursor abuse.

Of course, none of this works for the private recursors or the authority
servers. As explained, this is why abusers interested in real harm would
choose these servers. I'm sorry I don't have any solutions for these
cases. I'm thinking about it, though.  I think that one must go after
the launch mechanism. Either a host controlled legitimately by the
attacker or a botnet.  One has to follow the botnet to get the botnet
operator.

> I've done some extensive probing (in the millions) for open
> recursors to large sets of addresses (some found using the example
> methods above) and I've gotten a single email from a remote admin
> wondering what was going on.

And it's not even a big problem that anyone is looking for in their logs.
Yet someone still noticed.

> While it is possible that there were bots internal to that network
> using it for the attack, it seems very unlikely.

I don't know why this would be unlikely.  It is also possible the
attacker knew something of this network and this server.  Maybe one
should query to see if they had any disgruntled employees or
ex-employees or customers.

> Accepting that, one can easily surmise how that open recursor was
> found by the attacker.

Such large scans are recorded in various logs, even if they aren't
generating complaints at present.  However, perhaps we should encourage
a lot of people to go back through their logs to see if we can find
the scanner and identify the culprit of these attacks.

> FYI... Duane Wessels gave a nice, concise talk about his work in
> finding open resolvers and I highly recommend reviewing the slides if
> you haven't seen them yet.
> 
>   <http://public.oarci.net/files/wessels-openresolvers.pdf>

Thanks, will do.

-- 
Av8 Internet   Prepared to pay a premium for better service?
www.av8.net         faster, more reliable, better service
617 344 9000   
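The message above proposes watching for sweeps of UDP port 53 and setting traps at unused addresses, and suggests going back through logs to find the scanner. The script below is an added example, not code from the list or from either poster, that turns that idea into a check over flow-style records. The record format (`<epoch> <src_ip> <dst_ip> <proto> <dst_port>`), the sample records, the trap address and the sweep threshold are all constructed assumptions; a real collector's export would need its own parser and locally tuned thresholds.

```python
"""Flag sources that sweep UDP/53 across many destinations, or that
touch a trap address where no resolver exists.  Added example; the
input format, sample data, trap list and threshold are assumptions."""
from collections import defaultdict
from dataclasses import dataclass

# Assumed: addresses in the monitored space that answer nothing on 53.
# Any source that sends a DNS query there found it by sweeping.
TRAP_ADDRESSES = {"192.0.2.200"}

# Assumed: an ordinary client talks to a handful of resolvers; a source
# that queries this many distinct addresses is treated as a sweep.
SCAN_THRESHOLD = 8

# Constructed sample flows.  10.0.0.5 sweeps 192.0.2.1-16 and then hits
# the trap; 10.0.0.9 is a normal client using two resolvers repeatedly;
# 10.0.0.7 only touches the trap; 10.0.0.8 is SMTP traffic, ignored here.
SAMPLE_FLOWS = "\n".join(
    [f"{1159833600 + i} 10.0.0.5 192.0.2.{i + 1} udp 53" for i in range(16)]
    + [
        "1159833620 10.0.0.5 192.0.2.200 udp 53",
        "1159833621 10.0.0.9 192.0.2.53 udp 53",
        "1159833622 10.0.0.9 192.0.2.53 udp 53",
        "1159833623 10.0.0.9 198.51.100.53 udp 53",
        "1159833624 10.0.0.7 192.0.2.200 udp 53",
        "1159833625 10.0.0.8 192.0.2.1 tcp 25",
        "this line is malformed and must be skipped",
    ]
)


@dataclass(frozen=True)
class Finding:
    src: str
    distinct_targets: int   # distinct addresses the source queried on UDP/53
    reasons: tuple          # any of "sweep", "trap"


def parse_flow(line):
    """Parse one constructed flow record; return None for malformed input."""
    fields = line.split()
    if len(fields) != 5:
        return None
    ts, src, dst, proto, dport = fields
    try:
        return int(ts), src, dst, proto.lower(), int(dport)
    except ValueError:
        return None


def find_udp53_scanners(text, threshold=SCAN_THRESHOLD, traps=TRAP_ADDRESSES):
    """Return {src_ip: Finding} for sources that look like recursor scanners."""
    targets = defaultdict(set)    # src -> distinct UDP/53 destinations
    trap_hits = defaultdict(set)  # src -> trap addresses it queried
    for line in text.splitlines():
        rec = parse_flow(line)
        if rec is None:
            continue
        _, src, dst, proto, dport = rec
        if proto != "udp" or dport != 53:
            continue  # only DNS over UDP is of interest here
        targets[src].add(dst)
        if dst in traps:
            trap_hits[src].add(dst)

    findings = {}
    for src, dsts in targets.items():
        reasons = []
        if len(dsts) >= threshold:
            reasons.append("sweep")
        if src in trap_hits:
            reasons.append("trap")
        if reasons:
            findings[src] = Finding(src, len(dsts), tuple(reasons))
    return findings


if __name__ == "__main__":
    for f in find_udp53_scanners(SAMPLE_FLOWS).values():
        print(f"{f.src}: {f.distinct_targets} distinct UDP/53 targets, {f.reasons}")
```

Run over the sample, the sweep from 10.0.0.5 is reported on both counts (17 distinct targets plus a trap hit), 10.0.0.7 is reported from the single trap hit alone, and the normal client 10.0.0.9 is not reported. The trap check is the cheaper and more reliable signal, since it needs no threshold: legitimate clients have no reason to query an address that has never hosted a resolver. The sweep count catches scanners that happen to miss the traps, at the cost of a threshold that has to be tuned to what ordinary clients on the network actually do.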
dnsop resources:_____________________________________________________
web user interface: http://darkwing.uoregon.edu/~llynch/dnsop.html
mhonarc archive: http://darkwing.uoregon.edu/~llynch/dnsop/index.html