DNS Amplification in the eyes of a hosting provider
An operator from an unnamed hosting provider collected some data about DNS amplification attacks and sent me a copy. The data paints a bleak picture of the real situation out there.
They scanned 157322 IPs of their hosting customers with DNS queries. 10917 of them run an open, unsecured DNS resolver that processes recursive queries from anybody. So nearly 7% of all hosted systems are potential reflection and amplification relays.
Further scanning those systems with Nessus/nmap reveals an alarming number of really old systems:
System | Count
---|---
SuSE-10.1 with Plesk 8.1 | 173
SuSE-9.3 with Plesk 8.0 | 204
CentOS 5.X with Plesk 8.3 | 235
SuSE-10.2 with Plesk 8.2 | 238
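To make the scan described above concrete, here is an added example (not the provider's scanner and not the post's own code) of the check a hosting operator can run against resolvers in its own address space: send a query with RD set and look at whether the reply carries RA with an actual answer, which is what makes a host usable as a reflector. The sample replies at the bottom are constructed for offline testing; the hostname example.com and the address 192.0.2.1 are placeholders.

```python
import socket
import struct
# Added example (not the provider's scanner): minimal DNS wire-format helpers to
# check whether a resolver you operate recurses for anybody (header bits only).

def build_query(qname: str, txid: int = 0x1234) -> bytes:
    """A-record query for qname with RD=1, i.e. asking the server to recurse."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def classify_response(query: bytes, response: bytes) -> dict:
    """Decode the response header and judge whether the server recursed for us."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if txid != struct.unpack("!H", query[:2])[0]:
        raise ValueError("transaction id mismatch")
    ra = bool(flags & 0x0080)  # Recursion Available bit
    rcode = flags & 0x000F     # 0 = NOERROR, 5 = REFUSED
    return {
        "recursion_available": ra,
        "rcode": rcode,
        "answers": ancount,
        # Open relay: the server offers recursion *and* handed back an answer.
        "open_resolver": ra and rcode == 0 and ancount > 0,
        # Response bytes per query byte: the gain a reflected packet gets.
        "amplification": len(response) / len(query),
    }

def probe(ip: str, qname: str = "example.com", timeout: float = 2.0):
    """Send one UDP query to ip:53 and classify the reply (None on timeout)."""
    query = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (ip, 53))
        try:
            response, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    return classify_response(query, response)

# Constructed sample replies to build_query("example.com") for offline testing.
QUERY = build_query("example.com")
QUESTION = QUERY[12:]
# QR=1 RD=1 RA=1 RCODE=0 and one A record (192.0.2.1, a documentation address)
OPEN_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + QUESTION
              + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))
# QR=1 RD=1 RA=0 RCODE=5 (REFUSED), no answer: a correctly locked-down resolver
REFUSED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0) + QUESTION
```

A resolver that returns the REFUSED shape to queries from outside its own networks is what the fix looks like on the wire; the amplification field is worth logging too, since a larger answer (ANY, DNSSEC-signed zones) raises the bytes-out per spoofed byte-in.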
The customers might not know or notice that they are misused, but they accumulate an impressive amount of bandwidth. So let's have a look at the traffic on port 53 crossing the border of this autonomous system:
Location | Mbps "open relays" | Mbps "total" | Percentage
---|---|---|---
RZ1 | 63.30 | 230.00 | 28%
RZ2 | 13.50 | 15.80 | 85%
RZ3 | 26.90 | 75.50 | 36%
RZ2 is the oldest location and houses most of the oldest servers, so it is no surprise that the majority of the unpatched and vulnerable systems are found there.
If you like, please share your data with me.