Abstract
Recent distributed denial-of-service attacks on the Internet have been exploiting necessarily open protocols, such as DNS. The Spamhaus attack is one of the largest ever examples of such attacks. Although much research has been conducted on how to mitigate these threats, little has been done to understand why open resolvers exist in the first place. In particular, 60 % of the open resolvers have anomalous behavior, and the causes of that behavior remain a mystery, which hurts mitigation efforts. Our research produces the first detailed investigation of the 17 million anomalous open resolvers and finds that these are primarily ADSL modems made by four manufacturers. These devices behave anomalously and respond to DNS queries from the wrong source port due to improper NAT configurations, and they are unfortunately hard to fix without a concerted effort by ISPs and manufacturers. We also find that anomalous open resolvers are clustered, which creates the potential for them to be exploited in more crippling DDoS attacks.
Notes
1. The response does not come from UDP port 53, as expected for DNS responses.
2. Modern firewalls, such as iptables, have the capacity to re-route packets if they match a certain rule.
3. This ICMP behavior occurs on Linux machines when dealing with UDP raw sockets because the process is not bound to the port; the kernel therefore responds with an ICMP port unreachable message indicating that no one is listening (bound) on that port.
4. The next number may also be a bit bigger than x + 1 because other interactions with the AOR may have incremented the counter forward.
5. We selected the TD-8817 (4th most common AOR) because it was sold in the US and we could gain access to it. The same cannot be said for the other devices.
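The anomaly the paper describes (note 1) is a DNS reply that arrives from a source port other than UDP/53, and note 4 describes those ports behaving like an incrementing NAT counter. The following classifier, added here as an illustration and not code from the paper, groups observed query/response records per responder and flags both properties so a measurement or abuse-notification pipeline can separate standard resolvers from anomalous ones; the record layout, the `classify_responders` name and the sample addresses are all constructed assumptions.

```python
# Added example (not from the paper): classify DNS responders from observed
# query/response records. A reply whose source port is not 53 matches the
# paper's "anomalous" definition (note 1); a strictly increasing run of such
# ports is consistent with a NAT-assigned counter (note 4).
from collections import defaultdict

DNS_PORT = 53


def classify_responders(records):
    """records: iterable of (resolver_ip, query_txid, resp_src_port, resp_txid).

    Returns {resolver_ip: {"kind": ..., "ports": [...], "counter_like": bool}}
    where kind is "standard" (all replies from 53), "anomalous" (none from 53)
    or "mixed". Replies whose transaction id does not match the query are
    dropped, so unsolicited or spoofed packets do not pollute the picture.
    """
    by_ip = defaultdict(list)
    for ip, qid, sport, rid in records:
        if qid != rid:  # not a reply to our query; ignore
            continue
        by_ip[ip].append(sport)

    result = {}
    for ip, ports in by_ip.items():
        non53 = [p for p in ports if p != DNS_PORT]
        if not non53:
            kind = "standard"
        elif len(non53) == len(ports):
            kind = "anomalous"
        else:
            kind = "mixed"
        # Counter-like: every anomalous port is larger than the previous one
        # (gaps allowed, see note 4). Needs at least two observations.
        counter_like = len(non53) >= 2 and all(b > a for a, b in zip(non53, non53[1:]))
        result[ip] = {"kind": kind, "ports": ports, "counter_like": counter_like}
    return result


# Constructed sample records using documentation address ranges (hypothetical).
SAMPLE = [
    ("198.51.100.10", 0x1A2B, 53, 0x1A2B),
    ("198.51.100.10", 0x1A2C, 53, 0x1A2C),
    ("203.0.113.7", 0x0101, 40001, 0x0101),
    ("203.0.113.7", 0x0102, 40002, 0x0102),
    ("203.0.113.7", 0x0103, 40005, 0x0103),  # counter jumped ahead (note 4)
    ("203.0.113.9", 0x0201, 53, 0x0201),
    ("203.0.113.9", 0x0202, 1024, 0x0202),
    ("203.0.113.9", 0x0203, 777, 0x0999),  # txid mismatch, dropped
]
```

Running `classify_responders(SAMPLE)` labels 198.51.100.10 as standard, 203.0.113.7 as anomalous with a counter-like port sequence, and 203.0.113.9 as mixed.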
© 2015 Springer International Publishing Switzerland
Cite this paper
Kaizer, A.J., Gupta, M. (2015). ~Open Resolvers: Understanding the Origins of Anomalous Open DNS Resolvers. In: Mirkovic, J., Liu, Y. (eds) Passive and Active Measurement. PAM 2015. Lecture Notes in Computer Science, vol 8995. Springer, Cham. https://doi.org/10.1007/978-3-319-15509-8_1
DOI: https://doi.org/10.1007/978-3-319-15509-8_1
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-15508-1
Online ISBN: 978-3-319-15509-8
eBook Packages: Computer Science (R0)