It would also be useful to be able to run resolver scans via ASN or larger block reports too. Limited to a /22 takes a fair old while.
Peter Knapp

-----Original Message-----
From: uknof [mailto:[email protected]] On Behalf Of Robin Williams
Sent: 13 February 2014 18:05
To: Keith Mitchell
Cc: [email protected]
Subject: Re: [uknof] DNS/NTP <censured>, a solution !

On 13/02/14 17:14, Keith Mitchell wrote:
> On 02/12/2014 06:37 PM, Wright, Matthew wrote:
>> List of open NTP servers from http://openntpproject.org/
> Also http://www.openresolverproject.org
>
> But it's not just about NTP and DNS, pretty much any UDP-based service
> that can do amplification is in play, e.g. SNMP, Chargen and I've even
> seen "QOTD" (UDP 19).
>
>

Yep, one that hit us the other week was UDP Chargen. After seeing the source port in flows, I tried a few of them on TCP 19 as well, and to my surprise, there it was. And there was me thinking Chargen was a thing of the 80's!

It'd be nice to be able to automatically pull the full lists from these various scanning projects to use in statistical analysis as part of DDoS mitigation (i.e. if my traffic has just shot up and the majority of it is coming from IPs listed in these databases, I can take a pretty fair bet at what's happening and start to rate limit or temporarily block these sources).

Anyone know if there is an interface for automated downloading of the raw data? Is anyone involved in these projects on list? It looks like you can request the data manually at the moment. It'd also be good to discuss merging data from these projects into an upstream 'open-generalbadstuff-project'.

Cheers,
Robin
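The statistical check described in the quoted message (has traffic surged, and does the majority of it come from addresses on the open-reflector lists?), as an added example that is not part of the original thread. The flow tuple layout, the baseline figures, the thresholds and all function names are assumptions; the addresses are constructed from documentation ranges.

```python
from collections import defaultdict

# UDP source ports of reflector services named in the thread (assumed mapping).
AMP_PORTS = {19: "chargen", 53: "dns", 123: "ntp", 161: "snmp"}

def amplifier_share(flows, listed):
    """Per UDP source port: (total bytes, fraction of bytes from listed IPs)."""
    total, hit = defaultdict(int), defaultdict(int)
    for src, proto, sport, nbytes in flows:
        if proto != "udp" or sport not in AMP_PORTS:
            continue  # only reflection-prone UDP services are of interest
        total[sport] += nbytes
        if src in listed:
            hit[sport] += nbytes
    return {p: (total[p], hit[p] / total[p]) for p in total}

def suspects(flows, listed, baseline, surge=5.0, majority=0.5):
    """Services whose volume has surged AND is mostly from listed sources.

    baseline: normal bytes per interval, keyed by source port (assumed known).
    Returns the listed sources to rate limit or temporarily block per service.
    """
    out = {}
    for port, (nbytes, share) in amplifier_share(flows, listed).items():
        if nbytes >= surge * baseline.get(port, 1) and share > majority:
            srcs = sorted({s for s, pr, sp, _ in flows
                           if pr == "udp" and sp == port and s in listed})
            out[AMP_PORTS[port]] = {"bytes": nbytes,
                                    "listed_share": round(share, 2),
                                    "rate_limit": srcs}
    return out

# Constructed sample data: (source IP, protocol, source port, bytes).
LISTED = {"192.0.2.10", "192.0.2.11", "198.51.100.7"}  # stand-in for a scan list
FLOWS = [
    ("192.0.2.10", "udp", 19, 400000),
    ("192.0.2.11", "udp", 19, 350000),
    ("203.0.113.5", "udp", 19, 50000),
    ("198.51.100.7", "udp", 123, 2000),
    ("203.0.113.9", "udp", 123, 3000),
    ("203.0.113.20", "tcp", 443, 900000),
]
BASELINE = {19: 1000, 53: 50000, 123: 4000}

if __name__ == "__main__":
    print(suspects(FLOWS, LISTED, BASELINE))
```

Requiring both the surge and the majority share keeps a listed host that is sending ordinary volumes (the NTP source in the sample) from being rate limited.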
