Comments on: Global 53/udp port scan coming soon to a computer near you http://blog.anta.net/2007/04/29/global-53udp-port-scan-coming-soon-to-a-computer-near-you/ Internetworking, security, safety. Wed, 19 Nov 2008 04:16:04 +0000 http://wordpress.org/?v=2.6.3 By: Anonymous http://blog.anta.net/2007/04/29/global-53udp-port-scan-coming-soon-to-a-computer-near-you/#comment-14 Anonymous Mon, 30 Apr 2007 11:01:00 +0000 http://blog.anta.net/2007/04/29/global-53udp-port-scan-coming-soon-to-a-computer-near-you/#comment-14 Erka, Thank you for your comments. They are highly appreciated. The targets of the planned scan would apparently be situated in a vast number of different jurisdictions around the globe. In such a context, the Finnish precedent is only a faint background image. My main purpose was to illustrate that a port scan may be viewed very seriously not only by its target organization, but also in a court of law. Although your team is doing the sysadmin community an important favor by sharing information about the event to be, some administrators may still consider the scan hostile. Perhaps they will not have heard about it beforehand, or perhaps they will hold that as a matter of principle and consistence, nobody has any business probing their networks, whatever the stated reason. You probably remember that in the days when open SMTP relays were a similar, substantial issue, *bulk* probing for such relays was considered quite controversial. At any rate, I could not agree more with you that open DNS servers pose a very significant threat of continued denial of service attacks by proxy. Let’s continue to spread the word of warning. Best regards, and may you have a happy Vappu, Thor Erka,
Thank you for your comments. They are highly appreciated.
The targets of the planned scan would apparently be situated in a vast number of different jurisdictions around the globe. In such a context, the Finnish precedent is only a faint background image. My main purpose was to illustrate that a port scan may be viewed very seriously not only by its target organization, but also in a court of law.
Although your team is doing the sysadmin community an important favor by sharing information about the event to be, some administrators may still consider the scan hostile. Perhaps they will not have heard about it beforehand, or perhaps they will hold that as a matter of principle and consistence, nobody has any business probing their networks, whatever the stated reason.
You probably remember that in the days when open SMTP relays were a similar, substantial issue, *bulk* probing for such relays was considered quite controversial.
At any rate, I could not agree more with you that open DNS servers pose a very significant threat of continued denial of service attacks by proxy. Let’s continue to spread the word of warning.
Best regards, and may you have a happy Vappu,
Thor

]]> By: Anonymous http://blog.anta.net/2007/04/29/global-53udp-port-scan-coming-soon-to-a-computer-near-you/#comment-13 Anonymous Mon, 30 Apr 2007 09:54:00 +0000 http://blog.anta.net/2007/04/29/global-53udp-port-scan-coming-soon-to-a-computer-near-you/#comment-13 Folks, It is my duty to let you know that the original CERT-FI blog article included an unfortunate error: The query is NOT for a PTR record rather than a special A record. Forward-lookup, that is. The query source address in turn should resolve to a clueful name hinting about the intent of the project. We issued a new blog entry stating our original mistake (only in Finnish): http://www.cert.fi/tietoturvanyt/2007/04/P_17.html Let me apologise for the mishap. We try to be more observant in the future. The main point, however is that a large population of misconfigured (open) resolvers servers pose a clear and present danger to the Internet. Every effort to find and help configure/patch them is warmly welcomed. For more information please refer to e.g.: http://www.us-cert.gov/reading_room/DNS-recursion033006.pdf http://www.auscert.org.au/render.html?it=80 http://www.cert-in.org.in/training/1stmay06/dotIN-DNS-DDoS.pdf http://www.cymru.com/Documents/secure-bind-template.html http://www.icann.org/committees/security/dns-ddos-advisory-31mar06.pdf Thor, I'm not quite sure why you brought the Finnish Supreme Court ruling into the discussion as UltraDNS obviously is not mapping the servers with malicious intent. I for one wouldn't make such a claim. Best Regards, Erka Koivunen Head of CERT-FI Folks,
It is my duty to let you know that the original CERT-FI blog article included an unfortunate error: The query is NOT for a PTR record rather than a special A record. Forward-lookup, that is. The query source address in turn should resolve to a clueful name hinting about the intent of the project.
We issued a new blog entry stating our original mistake (only in Finnish):
http://www.cert.fi/tietoturvanyt/2007/04/P_17.html
Let me apologise for the mishap. We try to be more observant in the future.
The main point, however is that a large population of misconfigured (open) resolvers servers pose a clear and present danger to the Internet. Every effort to find and help configure/patch them is warmly welcomed. For more information please refer to e.g.:
http://www.us-cert.gov/reading_room/DNS-recursion033006.pdf
http://www.auscert.org.au/render.html?it=80
http://www.cert-in.org.in/training/1stmay06/dotIN-DNS-DDoS.pdf
http://www.cymru.com/Documents/secure-bind-template.html
http://www.icann.org/committees/security/dns-ddos-advisory-31mar06.pdf
Thor, I’m not quite sure why you brought the Finnish Supreme Court ruling into the discussion as UltraDNS obviously is not mapping the servers with malicious intent. I for one wouldn’t make such a claim.
Best Regards,
Erka Koivunen
Head of CERT-FI

]]>