I sent you a private reply, but also posting publicly…

On Apr 9, 2013, at 4:55 PM, "A. Pishdadi" <apishd...@gmail.com> wrote:

> In the last 2 weeks we have seen double the amount of DDoS attacks, and way 
> bigger than normal. All of them being amplification attacks. I think the 
> media whoring done during the Spamhaus debacle motivated more people to 
> invest time building up their open resolver list, since really no one has 
> disclosed attacks of that size and given the blueprints of how to do it. Now 
> we know the attack has been around for a while, but no one really knew how big 
> they could take it until a couple weeks ago.. 
> 
> Now I know your open resolver DB is meant to get them closed, but it would take 
> only a small amount of someone's day to write a script to crawl your 
> database.. You go to fixedorbit.com or something of the sort, look up the 
> ASes of the biggest hosting companies, plop their list of IP allocations in 
> to a text file, run the script and boom, I now have the biggest open resolver 
> list to feed my botnet.. Maybe you should require some sort of CAPTCHA or 
> registration to view that database. While I'm sure people have other ways of 
> gathering up the open resolvers, you just took away all the work and handed 
> it to them on a silver platter. While I am and others surely are grateful for 
> the data, I think a little more thought should be put into how you are going to 
> deliver the data to who should have it, and that would be the network / AS 
> they are hanging off of.

Both systems that return a referral to root and that do full recursion are 
being abused in attacks.

Honestly, if you send 100kpps to 2^32 IPs it would take ~12 hours.  If you have 
10 hosts to scan at a lower rate and skip all the 'unused' space, e.g.: 0/8 
10/8 127/8 224/4 you cut down the time as well.

I won't say exactly how long my weekly process takes, but it doesn't take long 
if you wanted to replicate the data.

About 1 in 122 hosts responds in some fashion.

That means for any given /24, expect there to be about 2 responses.  While that 
may not be the case for some blocks, there's a good chance something is 
responding nearby.  At some point the lack of scoping your response will result 
in a real problem for the person being attacked.  Your hosts will get used in 
an attack.  It's not really an IF question anymore.

- jared
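Jared's point is that two behaviours get a host onto an abuser's list: answering recursive queries for arbitrary names, and merely returning a referral to the root servers. The script below is an added example (it is not part of the thread or of the Open Resolver Project's code) for checking a resolver you administer for both behaviours from outside your network: it builds a raw DNS query with RD set, and classifies the reply as an open recursive answer, a root referral, or a REFUSED. The name `example.com`, the transaction id 0x1234, the TEST-NET address 192.0.2.1 and the three sample replies are all constructed for the offline test; only `check_resolver()` touches the network, against a host you name.

```python
import socket
import struct


def encode_name(name: str) -> bytes:
    """Encode a dotted name in DNS wire format ("." becomes a single zero byte)."""
    out = b""
    for label in name.strip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Standard query, RD bit set, one question of class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def read_name(buf: bytes, off: int):
    """Decode a (possibly compressed) name; return (name, offset just past it)."""
    labels, end, hops = [], None, 0
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:          # compression pointer: follow it once
            if end is None:
                end = off + 2
            off = ((length & 0x3F) << 8) | buf[off + 1]
            hops += 1
            if hops > 16:                  # refuse pointer loops in hostile replies
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(buf[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def classify_response(resp: bytes, txid: int = 0x1234) -> str:
    """Map a reply to: open-recursive, root-referral, refused, other, malformed."""
    if len(resp) < 12:
        return "malformed"
    rid, flags, qd, an, ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid or not flags & 0x8000:  # wrong id or QR not set
        return "malformed"
    if flags & 0x000F == 5:                # RCODE 5 = REFUSED: the desired state
        return "refused"
    off = 12
    for _ in range(qd):                    # skip the echoed question section
        _, off = read_name(resp, off)
        off += 4
    if an > 0:                             # an answer for a foreign name: it recursed
        return "open-recursive"
    for _ in range(ns):                    # no answer: look for NS records owned by "."
        owner, off = read_name(resp, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10 + rdlen
        if owner == "." and rtype == 2:
            return "root-referral"
    return "other"


def check_resolver(host: str, port: int = 53, timeout: float = 2.0) -> str:
    """Send one query over UDP to a resolver you run and classify its reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query("example.com"), (host, port))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return "no-response"
    return classify_response(data)


def _rr(owner: bytes, rtype: int, rdata: bytes, ttl: int = 3600) -> bytes:
    """Wire-format resource record of class IN (used only to build the samples)."""
    return owner + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


# Constructed sample replies (not captures): a recursive answer, a root referral, a REFUSED.
_QUESTION = encode_name("example.com") + struct.pack("!HH", 1, 1)
SAMPLE_RECURSIVE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + _QUESTION
                    + _rr(b"\xc0\x0c", 1, bytes([192, 0, 2, 1])))
SAMPLE_REFERRAL = (struct.pack("!HHHHHH", 0x1234, 0x8100, 1, 0, 1, 0) + _QUESTION
                   + _rr(encode_name("."), 2, encode_name("a.root-servers.net")))
SAMPLE_REFUSED = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0) + _QUESTION

if __name__ == "__main__":
    for label, sample in (("recursive", SAMPLE_RECURSIVE), ("referral", SAMPLE_REFERRAL),
                          ("refused", SAMPLE_REFUSED)):
        print(label, "->", classify_response(sample))
```

Run `check_resolver("<your-resolver-ip>")` from a host outside your own prefixes; anything other than `refused` (or `no-response`, if you filter port 53 at the edge) means the server is reachable to the scans Jared describes. The referral case is the one that is easy to overlook: an authoritative-only server that still hands out the root NS set answers queries for names it does not serve, and a reply of that size is still amplification.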
