Edited by: Mckel0ve 2019-07-04
Open Resolvers in COM/NET Resolution
Duane Wessels, Aziz Mohaisen
DNS-OARC 2014 Spring Workshop
Warsaw, Poland
Verisign Public

Outline
• Why do we care about Open Resolvers?
• Surveys at Verisign
• Characterizing Open Resolvers
• Intersection with COM/NET query sources
• Geographic distribution
• Discussion

Why do we care?
• Exploited in DDoS attacks
• Makes cache poisoning attacks much easier
• Cache snooping
• Analogous to open mail relays
• Note: we're talking about unintentionally open resolvers here…

Two Surveys of IPv4 Open Resolvers

Models
• Target forwards query directly to Authority
[Diagram: Prober, Target, Auth NS; messages Q1, Q2, R1, R2]

Models
• Target forwards to a "forwarder"
[Diagram: Prober, Target, Forwarder, Auth NS; messages Q1, Q2, R1, R2]

October 2013 Survey
• From Amazon Web Services
• Took 173 Hours
• 2013-10-28 14:00 to 2013-11-04 18:00
• Sent 3,676,739,504 Q1 probes
• All IPv4 space, except class D/E, RFC1918 and do-not-probe list
• Received 43,538,209 Q2's
  • For 28,897,054 distinct probes
  • From 277,049 distinct IP addresses
• Received 34,604,998 R2's
  • For 32,040,586 distinct probes
  • From 31,424,854 distinct IP addresses

May 2014 Survey
• From Verisign
• Took 17 hours
• 2014-05-01 18:20 to 2014-05-02 11:30
• Sent 3,676,724,690 Q1 probes
• All IPv4 space, except class D/E, RFC1918, and do-not-probe list
• Received 38,079,578 Q2's
  • For 24,553,785 distinct probes
  • From 230,417 distinct IP addresses
• Received 28,426,251 R2's
  • For 27,905,762 distinct probes
  • From 27,281,623 distinct IP addresses

Data Analysis
• Data is collected with pcap while scan runs
• Pcap files are then parsed into whitespace delimited text
• Separate files for Q1, Q2, R1, R2
• The text files are loaded onto Hadoop
• Analyzed with Hive (SQL statements)
• Lots of large, multi-table joins

Closed Targets
• When the probe results in neither a Q1 nor an R2.

                      Oct 2013      May 2014
Closed %              99.1          99.2

Open Targets
• When the probe results in either a Q1 or an R2.

                      Oct 2013      May 2014
Open Count            33,660,906    29,292,597
openresolverproject   32,673,337    27,454,609

Simple Open Resolver
• Q2 source address equals Target address
• i.e., Target does not forward elsewhere

                      Oct 2013      May 2014
Simple                0.6%          0.6%

Forwarder
• Q2 source address differs from Target address
• How many to Google?

                      Oct 2013      May 2014
Forwarder             79.8%         78.0%
Google Fwds           8.3%          8.9%

No Q2, R2 Error
• Didn't get a Q2 query and got an Error response
• Usually REFUSED, which is good!

RCODE                 Oct 2013      May 2014
1  FORMERR            0.0%          0.0%
2  SERVFAIL           10.0%         9.1%
3  NXDOMAIN           3.0%          3.6%
4  NOTIMPL            0.0%          0.0%
5  REFUSED            86.9%         87.3%
7                     0.0%          0.0%
9                     0.0%          0.0%
10                    0.0% (one value only)

                      Oct 2013      May 2014
Err No Forward        10.8%         12.6%

Got Q2, but R2 error code
• Received the Q2 query, but then got an error response.
• Usually SERVFAIL

RCODE                 Oct 2013      May 2014
1  FORMERR            0.1%          0.4%
2  SERVFAIL           77.5%         75.9%
3  NXDOMAIN           0.4%          0.1%
4  NOTIMPL            0.0% (one value only)
5  REFUSED            22.0%         23.6%
13                    0.0% (one value only)

                      Oct 2013      May 2014
Err w/ Forward        0.7%          0.5%

R2 Blocked
• Received Q2
• But no R2

                      Oct 2013      May 2014
R2 Blocked            4.8%          4.7%

Synthesized Answers
• No Q2
• R2 had an Answer section with an A record, but wrong value.
• Many answer with their own IP

                      Oct 2013      May 2014
Synthesized           3.4%          3.6%

Q2 Missing
• No Q2, but R2 had an Answer section with correct A record!
• How?
  • Data collection problem
  • Lucky guess

                      Oct 2013      May 2014
Simple                0.6%          0.6%
Forwarder             79.8%         78.0%
Err No Forward        10.8%         12.6%
Err w/ Forward        0.7%          0.5%
R2 Blocked            4.8%          4.7%
Synthesized           3.4%          3.6%
Q2 Missing            0.0%          0.0%
Totals                100%          100%
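
The target classification described on the slides above, as an added Python example (not code from the presentation, whose analysis ran as Hive joins): it joins constructed Q1, Q2 and R2 records per probe and assigns each target one of the slide categories. The record layouts, the probe_id join key, EXPECTED_A, the "Unclassified" fallback, and reading "closed" as no Q2 and no R2 are assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample records, not survey data. Assumed whitespace-delimited
# layouts joined on a hypothetical probe_id: Q1 = probe_id target_ip;
# Q2 = probe_id source_ip; R2 = probe_id rcode a_record ("-" if no A record).
Q1_TEXT = "\n".join(f"p{i} 192.0.2.{i}" for i in range(1, 9))
Q2_TEXT = "p2 192.0.2.2\np3 198.51.100.8\np5 198.51.100.8\np6 198.51.100.9"
R2_TEXT = ("p2 0 203.0.113.53\np3 0 203.0.113.53\np4 5 -\n"
           "p5 2 -\np7 0 192.0.2.7\np8 0 203.0.113.53")
EXPECTED_A = "203.0.113.53"  # assumed A record the authority serves

def load(text):  # group records by their first field (probe_id)
    rows = defaultdict(list)
    for line in text.splitlines():
        fields = line.split()
        if fields:
            rows[fields[0]].append(fields[1:])
    return rows

def classify(target, q2_sources, r2):
    """Return the slide category for one probe; r2 is [rcode, a_record] or None."""
    if q2_sources:                       # the authority saw a Q2 for this probe
        if r2 is None:
            return "R2 Blocked"
        if r2[0] != "0":
            return "Err w/ Forward"
        return "Simple" if target in q2_sources else "Forwarder"
    if r2 is None:                       # assumption: closed = no Q2 and no R2
        return "Closed"
    rcode, answer = r2
    if rcode != "0":
        return "Err No Forward"          # usually REFUSED (RCODE 5)
    if answer == EXPECTED_A:
        return "Q2 Missing"
    return "Synthesized" if answer != "-" else "Unclassified"

def classify_all(q1_text, q2_text, r2_text):
    """Join Q1 with Q2 and R2 on probe_id and classify every probed target."""
    q2, r2 = load(q2_text), load(r2_text)
    out = {}
    for pid, rows in load(q1_text).items():
        sources = {f[0] for f in q2.get(pid, [])}
        out[pid] = classify(rows[0][0], sources, r2[pid][0] if pid in r2 else None)
    return out

def summarize(categories):  # percentage of open (non-Closed) targets per category
    counts = Counter(c for c in categories.values() if c != "Closed")
    total = sum(counts.values())
    return {c: round(100 * n / total, 1) for c, n in counts.items()}
```
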
