
∼Open Resolvers: Understanding the Origins of Anomalous Open DNS Resolvers

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNCCN, volume 8995)

Abstract

Recent distributed denial-of-service attacks on the Internet have been exploiting necessarily open protocols, such as DNS. The Spamhaus attack is one of the largest examples of such attacks to date. Although much research has discussed how to mitigate these threats, little has been done to understand why open resolvers exist in the first place. In particular, 60 % of open resolvers exhibit anomalous behavior, and the causes of that behavior remain a mystery, which hurts mitigation efforts. Our research produces the first detailed investigation of the 17 million anomalous open resolvers and finds that they are primarily ADSL modems made by four manufacturers. These devices behave anomalously, responding to DNS queries from the wrong source port because of improper NAT configurations, and are unfortunately hard to fix without a concerted effort by ISPs and manufacturers. We also find that anomalous open resolvers are clustered, which makes them potentially exploitable in more crippling DDoS attacks.
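The anomaly the abstract describes is visible on the wire as a DNS response whose UDP source port is not 53 even though the query was sent to port 53. The following Python is an added example (not code from the paper or its authors) of how a scan's responses can be matched back to the queries that triggered them and each target labelled as a well-behaved open resolver, an anomalous open resolver (AOR), or silent, followed by a per-/24 count to show whether the anomalous ones cluster. The query and response records, the RFC 5737 test addresses and the transaction IDs are constructed sample data; the record layout is an assumption for this example.

```python
from collections import Counter
from ipaddress import ip_network

DNS_PORT = 53  # port a DNS response is expected to originate from

# Constructed sample data (RFC 5737 documentation addresses, made-up txids).
# Each query the scanner sent: (target_ip, dns_txid, scanner_src_port)
SAMPLE_QUERIES = [
    ("198.51.100.10", 0x1A2B, 40001),
    ("198.51.100.11", 0x1A2C, 40002),
    ("198.51.100.12", 0x1A2D, 40003),
    ("203.0.113.5", 0x1A2E, 40004),
    ("203.0.113.6", 0x1A2F, 40005),
]
# Each response observed on the wire: (src_ip, src_port, dst_port, dns_txid)
SAMPLE_RESPONSES = [
    ("198.51.100.10", 53, 40001, 0x1A2B),    # well-behaved open resolver
    ("198.51.100.11", 1025, 40002, 0x1A2C),  # answered from the wrong source port
    ("198.51.100.12", 3074, 40003, 0x1A2D),  # answered from the wrong source port
    ("203.0.113.5", 53, 40004, 0x1A2E),      # well-behaved open resolver
    ("192.0.2.99", 53, 40001, 0x1A2B),       # host we never queried: ignored
    # 203.0.113.6 never answers at all
]


def classify_responses(queries, responses):
    """Match responses to the queries that triggered them and label each target.

    Returns (verdicts, unsolicited). verdicts maps target_ip to 'open'
    (response came from port 53), 'anomalous' (response came from some other
    port) or 'no_response'. unsolicited collects responses that match no
    query on (source address, txid, destination port) and are not counted.
    """
    expected = {(ip, txid, sport) for ip, txid, sport in queries}
    verdicts = {ip: "no_response" for ip, _, _ in queries}
    unsolicited = []
    for src_ip, src_port, dst_port, txid in responses:
        if (src_ip, txid, dst_port) not in expected:
            unsolicited.append((src_ip, src_port, dst_port, txid))
            continue
        label = "open" if src_port == DNS_PORT else "anomalous"
        # A single wrong-port reply is enough to mark the target anomalous.
        if label == "anomalous" or verdicts[src_ip] == "no_response":
            verdicts[src_ip] = label
    return verdicts, unsolicited


def anomalous_targets(verdicts):
    """Sorted list of the targets labelled anomalous."""
    return sorted(ip for ip, label in verdicts.items() if label == "anomalous")


def cluster_by_prefix(ips, prefixlen=24):
    """Count how many of the given addresses fall into each /prefixlen block."""
    counts = Counter(str(ip_network(f"{ip}/{prefixlen}", strict=False)) for ip in ips)
    return dict(counts)


if __name__ == "__main__":
    verdicts, unsolicited = classify_responses(SAMPLE_QUERIES, SAMPLE_RESPONSES)
    for ip, label in verdicts.items():
        print(f"{ip:16} {label}")
    print("ignored unsolicited responses:", len(unsolicited))
    print("anomalous resolvers per /24:", cluster_by_prefix(anomalous_targets(verdicts)))
```

The matching deliberately does not key on the response's source port: a scanner that only accepted replies from the exact 5-tuple it sent to (as an ordinary connected UDP socket or a stateful firewall would) never sees the wrong-port responses and therefore undercounts the anomalous population. Logging the source port alongside the verdict is also what lets an operator tell a NAT-misconfigured CPE device apart from a correctly configured resolver when triaging amplification traffic.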


Notes

  1. The response does not come from UDP port 53, as expected for DNS responses.

  2. Modern firewalls, such as iptables, have the capacity to re-route packets if they match a certain rule.

  3. This ICMP behavior occurs on Linux machines when using UDP raw sockets: because we are not bound to the port, the kernel responds with an ICMP message indicating that no one is listening (bound) on that port.

  4. The next number may also be somewhat larger than x + 1 because other interactions with the AOR may have incremented the counter in the meantime.

  5. We selected the TD-8817 (the 4th most common AOR) because it was sold in the US and we could gain access to it. The same cannot be said for the other devices.



Corresponding author

Correspondence to Andrew J. Kaizer.


Copyright information

© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

Kaizer, A.J., Gupta, M. (2015). ∼Open Resolvers: Understanding the Origins of Anomalous Open DNS Resolvers. In: Mirkovic, J., Liu, Y. (eds) Passive and Active Measurement. PAM 2015. Lecture Notes in Computer Science, vol 8995. Springer, Cham. https://doi.org/10.1007/978-3-319-15509-8_1


  • DOI: https://doi.org/10.1007/978-3-319-15509-8_1


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-15508-1

  • Online ISBN: 978-3-319-15509-8
