[sdnog] Understanding the Origins of Anomalous Open DNS Resolvers
amyassin77 at gmail.com
Sat Mar 7 21:40:42 SAST 2015
> otherwise you are a normal internet user, in which case being protected from DDoS
> attacks and so on will be your service provider's role.
It is not about being a target of the attack, it is about participating in
the attack as an open resolver without my consent (or getting paid by
criminals lol). Of course I'm not right now cuz I'm not reachable from the
wild internet (supposedly), but for those 17 million AORs, maybe...
> generally the ISPs do not block any port at the end user terminal
The problem here is the equipment sold by ISPs (or given) which operates
services the users are not aware of (and even worse, operates them
wrongly!). Of course a control freak would buy his/her own equipment and
control the services he/she operates...
> Hope this will clear out the conspiracy theory of the ISPs
A. M. Yassin
On Sat, Mar 7, 2015 at 15:05 Asim Awadalla IS - MTN - Sudan <aawadalla at mtn.sd> wrote:
> Hi Ahmed,
> If you are using a global IP, as in getting an SHDSL
> service or leased line, then you will be free on your own to modify all the
> settings of your router, as you might be considered at this stage as a
> service provider; otherwise you are a normal internet user, in which case being
> protected from DDoS attacks and so on will be your service provider's role.
> For your question regarding the open ports, generally the ISPs do not
> block any port at the end user terminal, but rather block it from PGW if it
> is of any risk. Some of the ports, due to the changing technology, might be
> needed in certain applications or services, whereby the ISP cannot go
> individually to all users to change their settings in order to
> enable the port. Hope this will clear out the conspiracy theory of the ISPs
> :)
> Asim A. Karim
> *From:* sdnog-bounces at sdnog.sd [mailto:sdnog-bounces at sdnog.sd] *On Behalf
> Of* Ahmad Yassin
> *Sent:* Saturday, March 07, 2015 1:27 AM
> *To:* Nishal Goburdhan; sdnog at sdnog.sd
> *Subject:* Re: [sdnog] Understanding the Origins of Anomalous Open DNS
> That is so interesting. So we can be a part of a huge DDoS attack without
> knowing, and not only by getting infected by a PC virus or worm and becoming
> part of a botnet!
> I checked the setup of my own home router (Huawei b203, which I got from
> my ISP). I am not reachable from the internet (Carrier-Grade NAT), but I
> have no way in the configuration page to block incoming traffic to port 53.
> I haven't tried to query the WAN side for DNS resolution (I may be an AOR
> after all!), but if I am, I'm afraid there is nothing I can do about that!
> Is there any explanation of why a home router would accept ANY kind of
> traffic from outside? I know manufacturers and ISPs love to put backdoors
> just in case (no offense, but they do), so could this be some kind of a
> backdoor? And to do what? And is there any other research about any of
> these hidden services my home router is providing to the world without me
> knowing or even being able to control them?
> Nobody commented on that so I must be missing something here :)
> *Thank you*,
> A. M. Yassin
> On Wed, Mar 4, 2015 at 7:42 PM Nishal Goburdhan <nishal at controlfreak.co.za> wrote:
> Abstract. Recent distributed denial-of-service attacks on the Internet
> have been exploiting necessarily open protocols, such as DNS. The Spamhaus
> attack is one of the largest ever examples of such attacks. Although much
> research has been conducted to discuss how to mitigate these threats,
> little has been done to understand why open resolvers exist in the first
> place. In particular, 60% of the open resolvers have anomalous behaviour
> and the causes for their behavior remain a mystery, which hurts mitigation
> efforts. Our research produces the first detailed investigation of the 17
> million anomalous open resolvers and finds that these are primarily ADSL
> modems made by four manufacturers. These devices behave anomalously and
> respond to DNS queries with the wrong source port due to improper NAT
> configurations and are unfortunately hard to fix without a concerted effort
> by ISPs and manufacturers. We also find that anomalous open resolvers are
> clustered, which has the potential for them to be exploited in more
> crippling DDoS attacks.
> full paper:
> Sdnog mailing list
> Sdnog at sdnog.sd
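An added example, not code from this thread or from the paper it quotes: a small Python self-check for the question raised above (does a home router answer DNS queries on its WAN side), which also flags the anomalous case the abstract describes, a recursive answer that comes back from a source port other than 53. It assumes you probe your own public address from outside your network; the query name example.com, the transaction id and the reply fixtures are constructed for the example.

```python
import socket
import struct
from typing import Optional

def build_query(name: str, txid: int) -> bytes:
    """Minimal DNS A query, recursion desired (RD=1), one question."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE A, QCLASS IN

def parse_header(reply: bytes) -> dict:
    """Decode the 12-byte DNS header fields needed for classification."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", reply[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "ra": bool(flags & 0x0080),
            "rcode": flags & 0x000F, "ancount": an}

def classify(txid: int, reply: Optional[bytes], src_port: Optional[int]) -> str:
    """Defender's view of one probe: closed, refusing, open, or anomalous-open
    (an open resolver whose reply came back from a source port other than 53,
    the NAT symptom the quoted abstract describes)."""
    if reply is None or len(reply) < 12:
        return "closed"
    hdr = parse_header(reply)
    if hdr["id"] != txid or not hdr["qr"]:
        return "unrelated"          # not an answer to our question
    if hdr["rcode"] == 5:           # REFUSED
        return "refusing"
    if not hdr["ra"]:
        return "non-recursive"      # answers, but does not recurse for strangers
    return "anomalous-open" if src_port != 53 else "open"

def constructed_reply(txid: int, flags: int, ancount: int) -> bytes:
    """Constructed sample reply header (no body) for offline testing."""
    return struct.pack(">HHHHHH", txid, flags, 1, ancount, 0, 0)

def probe(ip: str, name: str = "example.com", timeout: float = 3.0) -> str:
    """Send one query to ip:53 and classify the reply (assumed: ip is your own WAN address)."""
    txid = 0x1234
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name, txid), (ip, 53))
        data, (_, port) = sock.recvfrom(512)
    except socket.timeout:
        return classify(txid, None, None)
    finally:
        sock.close()
    return classify(txid, data, port)
```

Any result other than "closed" or "refusing" means the router answers DNS for the whole internet; "anomalous-open" is the misconfigured-NAT case, which a simple port-53 filter upstream may not catch because the replies do not leave from port 53.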