On 13/02/14 17:14, Keith Mitchell wrote:
On 02/12/2014 06:37 PM, Wright, Matthew wrote:
List of open NTP servers from http://openntpproject.org/
Also http://www.openresolverproject.org

But it's not just about NTP and DNS, pretty much any UDP-based service
that can do amplification is in play, e.g. SNMP, Chargen and I've even
seen "QOTD" (UDP 19).




Yep, one that hit us the other week was UDP Chargen. After seeing the source port in flows, I tried a few of them on TCP 19 as well, and to my surprise, there it was. And there was me thinking Chargen was a thing of the '80s!

It'd be nice to be able to automatically pull the full lists from these various scanning projects to use in statistical analysis as part of DDoS mitigation (i.e. if my traffic has just shot up and the majority of it is coming from IPs listed in these databases, I can take a pretty fair bet at what's happening and start to rate limit or temporarily block these sources). Anyone know if there is an interface for automated downloading of the raw data? Is anyone involved in these projects on list? It looks like you can request the data manually at the moment.

It'd also be good to discuss merging data from these projects into an upstream 'open-generalbadstuff-project'.

Cheers,
Robin
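
The check described in the message above, as an added example that is not part of the original post: it flags a likely reflection attack when traffic is well above a baseline and most of the bytes come from UDP sources on a list of open services. The flow record layout, the thresholds, the function names and all addresses are constructed assumptions; the scanning projects' actual data format does not appear in this thread.

```python
import ipaddress
from collections import defaultdict

# Constructed sample list (documentation-range addresses, not real scan data).
LISTED_REFLECTORS = {"192.0.2.10", "192.0.2.11", "198.51.100.0/28"}

# Constructed flow records: (source IP, protocol, source port, bytes).
FLOWS = [
    ("192.0.2.10", "udp", 19, 480_000),
    ("192.0.2.11", "udp", 19, 510_000),
    ("198.51.100.7", "udp", 123, 900_000),
    ("203.0.113.5", "tcp", 443, 120_000),
    ("203.0.113.9", "udp", 53, 40_000),
]


def load_listed(entries):
    # Accept single addresses or prefixes; a bare address becomes a /32.
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def is_listed(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def assess(flows, networks, baseline_bytes, surge_factor=3.0, listed_share=0.5):
    """Return a verdict plus the listed sources to rate limit, heaviest first."""
    total = sum(f[3] for f in flows)
    per_source = defaultdict(int)
    per_port = defaultdict(int)
    for ip, proto, sport, nbytes in flows:
        if proto == "udp" and is_listed(ip, networks):
            per_source[ip] += nbytes
            per_port[sport] += nbytes
    share = sum(per_source.values()) / total if total else 0.0
    surging = total >= surge_factor * baseline_bytes
    return {
        "surging": surging,
        "listed_share": round(share, 3),
        "likely_reflection": surging and share >= listed_share,
        "top_ports": sorted(per_port, key=per_port.get, reverse=True),
        "rate_limit": sorted(per_source, key=per_source.get, reverse=True),
    }


if __name__ == "__main__":
    print(assess(FLOWS, load_listed(LISTED_REFLECTORS), baseline_bytes=300_000))
```

Requiring both the surge and the listed-share condition keeps ordinary traffic from a listed host from triggering a block on its own.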

