Spoofing ASNs (Re: SNMP DDoS: the vulnerability you might not know you have)
- Subject: Spoofing ASNs (Re: SNMP DDoS: the vulnerability you might not know you have)
- From: fw at deneb.enyo.de (Florian Weimer)
- Date: Sun, 11 Aug 2013 17:40:28 +0200
- In-reply-to: <[email protected]> (Jared Mauch's message of "Sun, 11 Aug 2013 11:08:46 -0400")
* Jared Mauch:
> The incidence rate is too high for it to be multihomed hosts.
>
> Let me know if you want to look at the raw data. Very interesting stuff.
>
> Or just look for 8.8.8.8 in the openresolverproject page.

Indeed, I could verify that 5.61.0.0 can indeed spoof one of my IP
addresses to the 8.8.8.8 DNS resolver. For a cache miss, I get a
query from a Google IP address and the 8.8.8.8 reply has a plausible
TTL, so I don't think it's spoofing the response.

Apparently, they're implementing DNS proxy by destination-NATting, and
because they listen also on the WAN interface, they get the source
address wrong.

This is quite scary.
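
One way to pick this behaviour out of open-resolver scan data, as an added example that is not part of the original message: a device that forwards the query with its source address untouched shows up as a reply arriving from the upstream resolver (such as 8.8.8.8) instead of from the address that was probed. The record layout, function name, query names and the 192.0.2.0/24 and 198.51.100.0/24 sample addresses are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data: probes a scanner sent (transaction id, query name,
# probed address) and the replies it received (transaction id, query name,
# source address of the reply). 192.0.2.0/24 is documentation address space.
PROBES = [
    (0x1A01, "t1a01.probe.example.", "192.0.2.10"),
    (0x1A02, "t1a02.probe.example.", "192.0.2.20"),
    (0x1A03, "t1a03.probe.example.", "192.0.2.30"),
    (0x1A04, "t1a04.probe.example.", "192.0.2.40"),  # never answered
]
REPLIES = [
    (0x1A01, "t1a01.probe.example.", "192.0.2.10"),  # ordinary open resolver
    (0x1A02, "t1a02.probe.example.", "8.8.8.8"),     # answer came from upstream
    (0x1A03, "T1A03.Probe.Example.", "8.8.8.8"),     # same, name case differs
    (0x9999, "other.example.", "198.51.100.7"),      # matches no probe
]


def classify_replies(probes, replies):
    """Match replies to probes on (txid, qname) and compare addresses.

    Returns (direct, forwarded, unmatched):
      direct    - probed addresses that answered from their own address
      forwarded - reply source -> probed addresses whose answer came from it
      unmatched - replies that correspond to no probe we sent
    """
    # DNS names compare case-insensitively, so key on the lowercased name.
    sent = {(txid, name.lower()): ipaddress.ip_address(dst)
            for txid, name, dst in probes}
    direct, forwarded, unmatched = [], defaultdict(list), []
    for txid, name, src in replies:
        probed = sent.get((txid, name.lower()))
        if probed is None:
            unmatched.append((txid, name, src))
        elif probed == ipaddress.ip_address(src):
            direct.append(str(probed))
        else:
            # Reply source differs from the probed address: the probed device
            # passed the query on and the upstream answered the scanner itself.
            forwarded[src].append(str(probed))
    return direct, dict(forwarded), unmatched


if __name__ == "__main__":
    print(classify_replies(PROBES, REPLIES))
```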