Your network was found to be vulnerable to infiltration via spoofed-source packets

Started by icecream-guy, October 14, 2020, 12:54:40 PM


icecream-guy

Anyone seen this? Not sure if it is legit or not. It's kinda vague.

Your network was found to be vulnerable to infiltration via spoofed-source packets. This email contains a brief description of our experiment and the results specific to your network.
Dear admin of AS3XXX,

We are researchers from Brigham Young University's Internet Measurement and Anti-Abuse Laboratory [1]. During December 2019, we conducted a large-scale Internet measurement experiment. The intent of this experiment was to determine the pervasiveness of networks failing to filter spoofed incoming traffic appearing to originate from within their own networks. This oversight allows attackers to infiltrate the network and impersonate internal resources. This in turn facilitates attacks which could otherwise be prevented, such as DNS cache poisoning or the NXNS attack, a powerful new denial of service technique. Our methodology relied on sending DNS queries with spoofed source addresses to known DNS resolvers. The queries were for domains under our control; as such if we observed a corresponding query at our authoritative server, we were able to determine that our spoofed queries successfully infiltrated the network.

Unfortunately, it appears that AS3XXX is vulnerable to this class of attack. 2 of the known resolvers within your autonomous system acted on our spoofed queries, indicating that our spoofed queries successfully infiltrated the network. Even if these resolvers are configured to resolve queries from any host, this indicates a vulnerability, as the traffic would have been blocked at the network border had DSAV been in place. The solution--DSAV, or Destination-Side Source Address Validation--is to simply filter out incoming traffic that appears to have originated from within the network.

Our work has been accepted to the Internet Measurement Conference (IMC) 2020, which will begin near the end of this month on October 27. While we will present our results in-aggregate only and will not specifically mention your autonomous system, we recommend resolving this issue soon before there is greater general awareness of the vulnerability. If you have already resolved these issues, you can safely ignore this message. If you would like additional details about our findings relating to your network, please see DSAV Report for ASXXX (IPv6).

We understand that email messages are sometimes lost or overlooked. For that reason, we will be sending a repeat of this message within a week, to ensure that it is received and the appropriate administrators notified.

Thank you,
IMAAL Research Lab, Brigham Young University

[1] https://imaal.byu.edu

Why am I receiving this email? We selected up to 5 contacts per autonomous system. Your email was found through the WhoisXML API. It is likely that your email was used while registering some block of IP addresses within AS3XXX. If you received this message in error and would rather not receive any further communications relating to this experiment, simply respond to this email and let us know. For any additional questions or concerns, you may email dsav-info@byu.edu.

:professorcat:

My Moral Fibers have been cut.
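To make the email's point concrete, here is an added example (not BYU/IMAAL code and not from this thread) of the DSAV check it recommends: a border router should drop any inbound packet whose source address falls inside the network's own prefixes. The prefixes, interface names and flow-log lines are constructed for illustration; the same function also emits the equivalent nftables ingress rules as text for review.

```python
"""DSAV (destination-side source address validation) over constructed border
flow records. Added example; prefixes, interfaces and log lines are made up."""
import ipaddress
from typing import Dict, List

# Hypothetical: the address space this AS originates (IPv4 and IPv6).
OWN_PREFIXES = [ipaddress.ip_network(p) for p in ("198.51.100.0/24", "2001:db8:100::/48")]
# Hypothetical: interfaces facing upstreams/peers, i.e. the network border.
BORDER_IFACES = {"ge-0/0/0"}

def is_internal(addr: str) -> bool:
    """True when addr lies inside one of our own prefixes (version-aware)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in OWN_PREFIXES)

def dsav_verdict(iface: str, src: str) -> str:
    """'drop' for a packet entering on a border interface with an internal source."""
    if iface in BORDER_IFACES and is_internal(src):
        return "drop"
    return "accept"

def parse_flow(line: str) -> Dict[str, str]:
    # Constructed record format: space-separated key=value pairs.
    return dict(field.split("=", 1) for field in line.split())

def find_spoofed(lines: List[str]) -> List[Dict[str, str]]:
    """Return records DSAV would have blocked; the experiment's spoofed DNS
    queries to internal resolvers would look exactly like these."""
    return [rec for rec in map(parse_flow, lines)
            if dsav_verdict(rec["in"], rec["src"]) == "drop"]

def nft_rules() -> List[str]:
    """Equivalent nftables ingress rules as strings (for review, not applied here)."""
    rules = []
    for net in OWN_PREFIXES:
        fam = "ip" if net.version == 4 else "ip6"
        for iface in sorted(BORDER_IFACES):
            rules.append(f'iifname "{iface}" {fam} saddr {net} drop')
    return rules

SAMPLE_FLOWS = [  # constructed flow-log lines
    "in=ge-0/0/0 src=203.0.113.9 dst=198.51.100.53 dport=53",          # external client, fine
    "in=ge-0/0/0 src=198.51.100.7 dst=198.51.100.53 dport=53",         # internal source from outside: spoofed
    "in=ge-0/0/1 src=198.51.100.7 dst=198.51.100.53 dport=53",         # same source on an inside port: fine
    "in=ge-0/0/0 src=2001:db8:100::10 dst=2001:db8:100::53 dport=53",  # spoofed IPv6 source
]

if __name__ == "__main__":
    for rec in find_spoofed(SAMPLE_FLOWS):
        print("DSAV would drop:", rec)
```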

Dieselboy

It may be legitimate or it may be a social engineering tactic. You'd be able to check if it was legit. Either way I wouldn't contact them if it was me, but I would research it and fix it if it exists. PS there was an AS number in the snippet so I X'd it out, hence the "last edit". Hope you're OK with that.

Otanx

BYU is really doing the research the email discusses. Basically testing who is doing uRPF on their edge. They list the project on their site, but the link isn't valid yet. I am assuming based on the email it will be later this month.

-Otanx

deanwebb

I dug in and checked as well. Not only is there an IMAAL BYU page, you can reach it from www.byu.edu's search page, along with the persons involved with the project.

https://imaal.byu.edu/dsav/report/0afe4d03-2873-45c5-8e64-0ce40e1235b6/

https://www.byu.edu/search-all?q=IMAAL

Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

icecream-guy

Quote from: Dieselboy on October 14, 2020, 09:42:08 PM
PS there was an AS number in the snippet so I X'd it out, hence the "last edit". Hope you're OK with that.

Thanks, I thought I caught them all.

icecream-guy

I spoke with my DNS appliance vendor; he surmised that it may be a funding issue: trying to create legitimacy for some off-the-wall project so they can show value, continue to get funding from the Univ., and keep their jobs.


deanwebb
