Wednesday, September 25, 2013

I'm scanning udp/53 right now

So I'm scanning the Internet with a DNS version request, because it'd be a useful datapoint in my Friday #Brucon talk mentioning that BIND is still the overwhelming favorite DNS server on the Internet. The abuse reports are an interesting read, such as one that claims "This activity is neither just a scanning nor unexpected attempts, but a sophisticated attack". Nope, it's just scanning, and terribly unsophisticated.
The scan is far from complete, but early results are the following top results:
   97087 9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.6
   61689 dnsmasq-2.52
   56813 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6
   42333 dnsmasq-2.40
   35749 9.7.3
   31467 none
   25535 yamutech-bind
   24592 Nominum Vantio 5.3.0.0
   24193 dnsmasq-2.51
   23174 skbroadband
   20005 Nominum Vantio 4.3.0.2
   19836 9.8.1-P1
   18790 Cyber World Leader Kornet!
   17901 Why query me?Your IP had been logged!
   17137 unknown
   15553 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.4
   14760 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.5
   13178 dnsmasq-2.45
   13089 dnsmasq-2.48
   11498 Hello!

These are the raw strings, which have narrow version numbers. I need to re-process this to get distinct products like "Nominum" or "dnsmasq" or "BIND". BIND (with numbers like 9.7.3) appears to be the leader so far. The 'dnsmasq' system is not a server but a forwarder often used in home gateways. This tells me that there are a bazillion home devices that can be exploited for bad stuff like DNS reflection.

I'm sending a packet that is equivalent to "dig chaos txt version.bind" at every IP address, 0.0.0.0/0, minus our "exclude" ranges of people who have asked us not to scan them. I'm using the code at https://github.com/robertdavidgraham/masscan, with the settings "-pU:53 --banners".

Our scans are coming from 209.126.230.72. This has changed from our previous scans (from v), but we won't be changing it again for a long time. It's a good IP address to add to your firewalls if you want to opt-out of our scans. Also, you can just email us and we'll add you to our exclude list.


2 comments:

  1. Here is what it looks like from our end - if you're curious. This is for 4 non sequential /24's.
    http://imgur.com/2ticeFM

    ReplyDelete
  2. What timezone is that?

    ReplyDelete

Note: Only a member of this blog may post a comment.