mailing list archives
Re: Spoofing ASNs (Re: SNMP DDoS: the vulnerability you might not know you have)
From: Florian Weimer <fw () deneb enyo de>
Date: Sun, 11 Aug 2013 17:40:28 +0200
* Jared Mauch:
The incidence rate is too high for it to be multihomed hosts.
Let me know if you want to look at the raw data. Very interesting stuff.
Or just look for 184.108.40.206 in the openresolverproject page.
Indeed, I could verify that 220.127.116.11 can indeed spoof one of my IP
addresses to the 18.104.22.168 DNS resolver. For a cache miss, I get a
query from a Google IP address and the 22.214.171.124 reply has a plausible
TTL, so I don't think it's spoofing the response.
Apparently, they're implementing DNS proxy by destination-NATting, and
because they listen also on the WAN interface, they get the source
This is quite scary.