[sdnog] Understanding the Origins of Anomalous Open DNS Resolvers

[Ahmad Yassin]

On Sun, Mar 8, 2015 at 2:32 PM Nishal Goburdhan <nishal at controlfreak.co.za>
wrote:

> one ISP that i know in ZA, actively scans its consumer base, including
> some of its colocation environments as a way to pre-emptively warn their
> users of issues.  of course this doesn't pickup everything, but according
> to the guy that does it, it does help them (he might be slightly biased, as
> it's technically his job on the line here ... ;-))
>
would this be something that you think the local ISPs should / could do?
>

IMHO, they shouldn't. ISPs should mind their own business. And I don't
think that includes being a vulnerability scanner for customers unless it
is an agreed service they got the customer's consent about (and maybe made
him pay for). But I don't think that's something I'll use the help of an
ISP in.


> and they thought MU to be too small, and uninteresting, to be of value to
> the dDOS crowd.   (not true, as they will likely find out...)
>

That's how dDoS criminals feed their children I suppose :)


> so, you're saying that ISPs/operators should be paying more attention to
> the CPEs that they hand out?   (i support this idea, btw!).
> what would be the kinds of testing that you think should be done against
> these?
>
>
What are they doing now anyway? Are they just negotiate the pricing and
business forecast and boom -it's in the market? I'm no expert on the
matter, but I can suggest at least:
- Basic port scan. No little daemon should be listening unless told to.
- Known vulnerabilities scan.
- Default passwords change. I know one ISP at least here does that, but the
new password is **very** predictable (at least for neighbors!).

And the list could go on I suppose...
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.sdnog.sd/pipermail/sdnog/attachments/20150308/0003f023/attachment.html>