[sdnog] Understanding the Origins of Anomalous Open DNS Resolvers

Ahmad Yassin amyassin77 at gmail.com
Sat Mar 7 00:27:18 SAST 2015

That is so interesting. So we can be a part of a huge DDoS attack without
knowing, and not only by getting infected by a PC virus or worm and becoming
part of a botnet!

I checked the setup of my own home router (Huawei b203, which I got from my
ISP). I am not reachable from the internet (Carrier-Grade NAT), but I have
no way in the configuration page to block incoming traffic to port 53. I
haven't tried to query the WAN side for DNS resolution (I may be an AOR
after all!), but if I am, I'm afraid there is nothing I can do about that!

Is there any explanation of why a home router would accept ANY kind of
traffic from outside? I know manufacturers and ISPs love to put backdoors
in just in case (no offense, but they do), so could this be some kind of
backdoor? And to do what? And is there any other research about any of
these hidden services my home router is providing to the world without me
knowing or even being able to control?

Nobody commented on that so I must be missing something here :)

*Thank you*,
A. M. Yassin

On Wed, Mar 4, 2015 at 7:42 PM Nishal Goburdhan <nishal at controlfreak.co.za> wrote:

> Abstract. Recent distributed denial-of-service attacks on the Internet
> have been exploiting necessarily open protocols, such as DNS. The Spamhaus
> attack is one of the largest ever examples of such attacks. Although much
> research has been conducted to discuss how to mitigate these threats,
> little has been done to understand why open resolvers exist in the first
> place. In particular, 60% of the open resolvers have anomalous behaviour
> and causes for their behavior remain a mystery, which hurts mitigation
> efforts. Our research produces the first detailed investigation of the 17
> million anomalous open resolvers and finds that these are primarily ADSL
> modems made by four manufacturers. These devices behave anomalously and
> respond to DNS queries with the wrong source port due to improper NAT
> configurations and are unfortunately hard to fix without a concerted effort
> by ISPs and manufacturers. We also find that anomalous open resolvers are
> clustered, which has the potential for them to be exploited in more
> crippling DDoS attacks.
> full paper: http://sfc-monitor.ai3.net/~dikshie/.papers/PAM/PAM2015/15.pdf
> --n.
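A quick self-check for the behaviour the quoted abstract describes, added here as an example (it is not from the thread or from the paper): it sends one A query to a host's UDP/53 and reports whether the answer came back from port 53 or, as the paper found for the misconfigured ADSL modems, from some other port. The target address, query name and timeout are assumptions; the intended use is against your own WAN address from a vantage point outside the NAT.

```python
"""Self-check for an 'anomalous open resolver' (AOR): a device that answers a
DNS query sent to UDP/53 but replies from a different source port.
Added example for this thread, not code from the paper.  The target host,
query name and timeout below are assumptions."""
import socket
import struct
from typing import Optional

def build_query(name: str, txid: int) -> bytes:
    """Build a minimal DNS A query for `name` (RD bit set, one question, no EDNS)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def classify(query_port: int, reply_port: int, reply: Optional[bytes], txid: int) -> str:
    """Interpret the first datagram that came back from the probe.
    'no-reply'  : nothing came back (not an open resolver from this vantage point)
    'ignored'   : datagram too short or with a foreign transaction id (not our answer)
    'normal'    : answered from the port we queried (an ordinary open resolver)
    'anomalous' : answered from another port (the NAT-rewritten behaviour the
                  abstract attributes to misconfigured ADSL modems)"""
    if reply is None:
        return "no-reply"
    if len(reply) < 12 or struct.unpack(">H", reply[:2])[0] != txid:
        return "ignored"
    return "normal" if reply_port == query_port else "anomalous"

def probe(host: str, name: str = "example.com", timeout: float = 2.0) -> str:
    """Send one query to host:53 and classify whatever comes back first."""
    txid = 0x1234  # fixed id is fine for a single diagnostic probe
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name, txid), (host, 53))
        try:
            data, (_, port) = sock.recvfrom(512)
        except socket.timeout:
            return classify(53, 0, None, txid)
        return classify(53, port, data, txid)
    finally:
        sock.close()

if __name__ == "__main__":
    import sys
    # 192.0.2.1 is a documentation placeholder; pass your own WAN address instead.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"
    print(target, probe(target))
```

A result of "anomalous" is exactly the symptom the paper describes; "normal" still means the device is an open resolver and should be closed on the WAN side.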