[sdnog] Understanding the Origins of Anomalous Open DNS Resolvers

[Nishal Goburdhan]

On 07 Mar 2015, at 21:40, Ahmad Yassin <amyassin77 at gmail.com> wrote:

> It is not about being a target of the attack, it is about participating in the attack as an open resolver without my consent (or getting paid by criminals lol).. Of course I'm not right now cuz I'm not reachable from the wild internet (supposedly), but for those 17 million AORs, maybe...

true!  and most average internet users would never bother changing settings on the home equipment ! 

one ISP that i know in ZA, actively scans its consumer base, including some of its colocation environments as a way to pre-emptively warn their users of issues.  of course this doesn't pickup everything, but according to the guy that does it, it does help them (he might be slightly biased, as it's technically his job on the line here ... ;-))
would this be something that you think the local ISPs should / could do?
an ISP i know in MU happily distributed CPEs that had known vulnerabilities.  when i pointed this out to them, they were uninterested, as i was the only person complaining, and they thought MU to be too small, and uninteresting, to be of value to the dDOS crowd.   (not true, as they will likely find out...)


> The problem here is the equipments sold by ISPs (or given) which operate services the users are not aware of (and even worse, they operate it wrongly!). Of course a control freak would buy his own equipments and control the services he/she operates...

so, you're saying that ISPs/operators should be paying more attention to the CPEs that they hand out?   (i support this idea, btw!).  
what would be the kinds of testing that you think should be done against these?

--n.