On Thu, 5 Oct 2006 12:20:40 -0400 (EDT)
Dean Anderson <[EMAIL PROTECTED]> wrote:
> --and I probably wouldn't initially suspect ultradns of bad
> intentions, and wouldn't complain even if I had noticed. This seems
> to refute your claim that such scanning can't be detected. Your
Although we've done some probes from UltraDNS systems, the millions of
probes I was referring to did not originate from an UltraDNS system.
And while I'd like to think UltraDNS (now Neustar) is widely known,
generally trusted and respected, thank you, many people, even those
responsible for DNS within their organization, don't know who we are.
> > I've done some extensive probing (in the millions) for open
> > recursors to large sets of addresses (some found using the example
> > methods above) and I've gotten a single email from a remote admin
> > wondering what was going on. [[ In fact, their inquiry was only for
a corner case fingerprint attempt. They didn't realize they were
even running an open recursor and that it had been used in a
reflective amplification attack. Furthermore, I had later found
out this open recursor was not authoritative for anything, at least
not facing the public Internet. ]]
> And it's not even a big problem that anyone is looking for in their
> logs. Yet someone still noticed.
I fixed that quote for you. :-)
> Such large scans are recorded in various logs, even if they aren't
> generating complaints at present. However, perhaps we should
> encourage a lot of people to go back through their logs to see if
> we can find the scanner and identify the culprit of these attacks.
That might be useful. However, in my experience many DNS operators
are not logging queries. That is beginning to change slowly as the
value of having that data is being realized (and not just for this
issue) for those that can enable it. Some have resorted to passive
packet capture. Duane Wessels (again) had an interesting idea for
a "dnsflow" system, that might operate like NetFlow, generating
summary DNS query and/or answer data to a collector. I had made the
suggestion for a popular implementation to generate "sampled" query
log messages. This is an interesting side discussion and might be
better put on a more operations-oriented list though.
Please note, I have made no claim that probing cannot be detected as
you stated. I do suggest that this sort of probing is not currently
being detected by an overwhelming majority of operators.
John
dnsop resources:_____________________________________________________
web user interface: http://darkwing.uoregon.edu/~llynch/dnsop.html
mhonarc archive: http://darkwing.uoregon.edu/~llynch/dnsop/index.html
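The detection the thread is circling (spotting open-recursor probes in a server's query log) and the two mitigations John mentions (NetFlow-style "dnsflow" summaries and sampled query logging) can be shown concretely. The script below is an added example, not code from the dnsop thread, UltraDNS, or Duane Wessels. It assumes BIND 9's query-log line format ("client IP#port: query: NAME CLASS TYPE FLAGS", with a leading "+" in FLAGS meaning recursion desired), a hypothetical SERVED_ZONES list of the zones the server is authoritative for, and a constructed SAMPLE_LOG using TEST-NET addresses.

```python
"""Spot open-recursor probes in BIND-style query logs and roll the log up
into NetFlow-like summary records.

Added example for the dnsop thread, not code from the original post.
Assumptions:
  - BIND 9 query-log format: "client IP#port: query: NAME CLASS TYPE FLAGS",
    where FLAGS starting with '+' means the query had RD=1;
  - SERVED_ZONES (hypothetical) lists zones this server is authoritative for;
  - SAMPLE_LOG is constructed for this example (RFC 5737 TEST-NET addresses).
"""
import re
from collections import defaultdict
from dataclasses import dataclass

SERVED_ZONES = ("example.com.", "example.net.")  # assumption: what we serve

# Constructed sample log: one legitimate client (RD clear, names we serve),
# two probers sending RD=1 queries for names we are not authoritative for.
SAMPLE_LOG = """\
05-Oct-2006 12:20:40.101 client 192.0.2.10#53123: query: www.example.com IN A - (198.51.100.1)
05-Oct-2006 12:20:41.202 client 203.0.113.7#4000: query: www.google.com IN A + (198.51.100.1)
05-Oct-2006 12:20:41.503 client 203.0.113.7#4001: query: www.example.net IN MX + (198.51.100.1)
05-Oct-2006 12:20:42.004 client 192.0.2.10#53124: query: mail.example.net IN MX - (198.51.100.1)
05-Oct-2006 12:20:43.115 client 203.0.113.9#1053: query: probe.invalid IN A + (198.51.100.1)
05-Oct-2006 12:20:43.116 client 203.0.113.9#1053: query: probe.invalid IN A + (198.51.100.1)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): "
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+)"
)


@dataclass
class Query:
    ts: str
    client: str
    qname: str   # normalised: lower-case, trailing dot
    qtype: str
    rd: bool     # recursion desired


def parse_line(line):
    """Parse one BIND query-log line; return None for lines that don't match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    qname = m.group("qname").rstrip(".").lower() + "."
    return Query(m.group("ts"), m.group("ip"), qname, m.group("qtype"),
                 m.group("flags").startswith("+"))


def is_served(qname):
    """True if qname is at or below a zone this server is authoritative for."""
    return any(qname == z or qname.endswith("." + z) for z in SERVED_ZONES)


def find_recursion_probes(log_text):
    """Return {client: [qnames]} for clients that set RD on off-zone names.

    An authoritative-only server has no business answering such queries; a
    scanner looking for open recursors sends exactly this shape of query, so
    one hit per source is already worth noticing (see the thread: one probe
    per target is all a scan leaves behind).
    """
    probes = defaultdict(list)
    for line in log_text.splitlines():
        q = parse_line(line)
        if q and q.rd and not is_served(q.qname):
            probes[q.client].append(q.qname)
    return dict(probes)


def dnsflow(log_text):
    """Collapse query lines into (client, qname, qtype, rd) records, the way
    NetFlow collapses packets: a count plus first/last timestamp per key.
    This is the kind of summary a 'dnsflow' collector could receive instead
    of every raw log line."""
    flows = {}
    for line in log_text.splitlines():
        q = parse_line(line)
        if q is None:
            continue
        key = (q.client, q.qname, q.qtype, q.rd)
        rec = flows.setdefault(key, {"count": 0, "first": q.ts, "last": q.ts})
        rec["count"] += 1
        rec["last"] = q.ts
    return flows


def sample_queries(log_text, every_n):
    """Keep every Nth line: the 'sampled query log' idea. A 1-in-N sample
    still catches a probe if it repeats, at 1/N of the logging cost."""
    return [l for i, l in enumerate(log_text.splitlines()) if i % every_n == 0]


if __name__ == "__main__":
    for client, names in find_recursion_probes(SAMPLE_LOG).items():
        print(f"possible open-recursor probe from {client}: {sorted(set(names))}")
    for key, rec in dnsflow(SAMPLE_LOG).items():
        print(key, rec)
    print(f"1-in-2 sample keeps {len(sample_queries(SAMPLE_LOG, 2))} lines")
```

With the constructed log, find_recursion_probes flags 203.0.113.7 (for www.google.com only; its www.example.net query is in a served zone) and 203.0.113.9, while the client with RD clear is never reported. The flow summary collapses the two identical probe.invalid queries into one record with count 2, which is the saving a dnsflow-style collector buys over raw query logging.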