Thanks, this is quite interesting. I never would have expected that kind of behavior.
-Blake On Thu, Aug 8, 2013 at 3:37 PM, Jared Mauch <ja...@puck.nether.net> wrote: > > On Aug 8, 2013, at 2:07 PM, Blake Dunlap <iki...@gmail.com> wrote: > > > On a related note, how are you actually getting this data? > > Sure: > > > https://www.nanog.org/sites/default/files/tue.lightning3.open_resolver.mauch_.pdf > > I would point you at the streaming archive, but I'm not sure where they > went. Perhaps they can post them to Youtube? > > Anyways, the alternate set of IPs responding is actually increasing over > time: > > http://openresolverproject.org/breakdown-graph2.cgi > > > What you have said previously ( Number of unique IPs that spoofed a > packet to me. (eg: I sent a packet to 1.2.3.4 and 5.6.7.8 responded). ) > doesn't even make sense. > > Many CPE devices will perform NAT on udp/53 packets received on their WAN > interface and forward them to their configured DNS server. Some will just > take the source IP and copy it into the packet. Because it comes in on > their WAN interface, it will instead of copying the inside NAT address just > copy my source IP from the weekly scan and use that. Since it's on the > outside, it doesn't copy it's outside IP and put that in, it copies mine. > > - Jared > > > On Thu, Aug 8, 2013 at 12:51 PM, Jared Mauch <ja...@puck.nether.net> > wrote: > > Oops, I pulled the wrong data (off by one column) out before a trip and > didn't realize it until now. > > > > This is not the spoofer list, but the list of ASNs with open resolvers. > > > > Let me reprocess it. > > > > Apologies, corrected data being generated. > > > > - Jared > > > > On Aug 8, 2013, at 1:29 PM, Jared Mauch <ja...@puck.nether.net> wrote: > > > > > The following is a sorted list from worst to best of networks that > allow spoofing: (cutoff here is 25k) > > > > > > (full list - > http://openresolverproject.org/full-spoofer-asn-list-201307.txt ) > > > > > > > >
