[sdnog] Understanding the Origins of Anomalous Open DNS Resolvers

Asim Awadalla IS - MTN - Sudan aawadalla at mtn.sd
Sat Mar 7 14:05:20 SAST 2015

Hi Ahmed,

If you are using a global IP, as in getting an SHDSL service or leased line, then you will be free on your own to modify all the settings of your router, as at this stage you might be considered a service provider; otherwise you are a normal internet user, in which case being protected from DDoS attacks and so on will be your service provider's role. For your question regarding the open ports, generally the ISPs do not block any port at the end user terminal, but rather block it from the PGW if it is of any risk. Some of the ports, due to the changing technology, might be needed in certain applications or services, whereby the ISP cannot go individually to all users to change their settings in order to enable the port. Hope this will clear out the conspiracy theory about the ISPs ☺ .

Asim A. Karim

From: sdnog-bounces at sdnog.sd [mailto:sdnog-bounces at sdnog.sd] On Behalf Of Ahmad Yassin
Sent: Saturday, March 07, 2015 1:27 AM
To: Nishal Goburdhan; sdnog at sdnog.sd
Subject: Re: [sdnog] Understanding the Origins of Anomalous Open DNS Resolvers

That is so interesting. So we can be a part of a huge DDoS attack without knowing and not only by getting infected by a PC virus or worm becoming part of a botnet!

I checked the setup of my own home router (Huawei b203, which I got from my ISP). I am not reachable from the internet (Carrier-Grade NAT), but I have no way in the configuration page to block incoming traffic to port 53. I haven't tried to query the WAN side for DNS resolution (I may be an AOR after all!), but if I am, I'm afraid I have nothing to do about that!

Is there any explanation on why a home router would accept ANY kind of traffic from outside? I know manufacturers and ISPs love to put backdoors just in case (no offense, but they do), so could this be some kind of a backdoor? And to do what? And is there any other research about any of these hidden services my home router is providing to the world without me knowing or even being able to control them?

Nobody commented on that so I must be missing something here :)

Thank you,
A. M. Yassin
On Wed, Mar 4, 2015 at 7:42 PM Nishal Goburdhan <nishal at controlfreak.co.za> wrote:
Abstract. Recent distributed denial-of-service attacks on the Internet have been exploiting necessarily open protocols, such as DNS. The Spamhaus attack is one of the largest ever examples of such attacks. Although much research has been conducted to discuss how to mitigate these threats, little has been done to understand why open resolvers exist in the first place. In particular, 60% of the open resolvers have anomalous behaviour and causes for their behavior remain a mystery, which hurts mitigation efforts. Our research produces the first detailed investigation of the 17 million anomalous open resolvers and finds that these are primarily ADSL modems made by four manufacturers. These devices behave anomalously and respond to DNS queries with the wrong source port due to improper NAT configurations and are unfortunately hard to fix without a concerted effort by ISPs and manufacturers. We also find that anomalous open resolvers are clustered, which has the potential for them to be exploited in more crippling DDoS attacks.

full paper:  http://sfc-monitor.ai3.net/~dikshie/.papers/PAM/PAM2015/15.pdf



Sdnog mailing list
Sdnog at sdnog.sd