On Aug 8, 2013, at 2:07 PM, Blake Dunlap <ikiris () gmail com> wrote:
On a related note, how are you actually getting this data?
I would point you at the streaming archive, but I'm not sure where they
went. Perhaps they can post them to Youtube?
Anyways, the alternate set of IPs responding is actually increasing over
What you have said previously ( Number of unique IPs that spoofed a
packet to me. (eg: I sent a packet to 126.96.36.199 and 188.8.131.52 responded). )
doesn't even make sense.
Many CPE devices will perform NAT on udp/53 packets received on their WAN
interface and forward them to their configured DNS server. Some will just
take the source IP and copy it into the packet. Because it comes in on
their WAN interface, it will instead of copying the inside NAT address just
copy my source IP from the weekly scan and use that. Since it's on the
outside, it doesn't copy it's outside IP and put that in, it copies mine.
On Thu, Aug 8, 2013 at 12:51 PM, Jared Mauch <jared () puck nether net>
Oops, I pulled the wrong data (off by one column) out before a trip and
didn't realize it until now.
This is not the spoofer list, but the list of ASNs with open resolvers.
Let me reprocess it.
Apologies, corrected data being generated.
On Aug 8, 2013, at 1:29 PM, Jared Mauch <jared () puck nether net> wrote:
The following is a sorted list from worst to best of networks that
allow spoofing: (cutoff here is 25k)
(full list -