[sdnog] FW: Understanding the Origins of Anomalous Open DNS Resolvers

Asim Awadalla asim.awadalla at gmail.com
Sat Mar 7 14:02:21 SAST 2015


Hi Ahmed,



If you are using a global IP, as in getting an SHDSL service
or leased line, then you will be free on your own to modify all the settings
of your router, as you might be considered at this stage as a service
provider; otherwise you are a normal internet user, in which case being protected
from DDoS attacks and so on will be your service provider's role, where they
have more advanced security appliances and mechanisms. For your question
regarding the open ports, generally the ISPs do not block any port at the
end user terminal, but rather block it from the PGW if it is of any risk; some
of the ports, due to the changing technology, might be needed in certain
applications or services, whereby the ISP cannot go individually to
all users to change their settings in order to enable the port. Hope this
will clear out the conspiracy theory of the ISPs :) .



Regards,

Asim A. Karim


>
>
>
> *From:* sdnog-bounces at sdnog.sd [mailto:sdnog-bounces at sdnog.sd] *On Behalf
> Of *Ahmad Yassin
> *Sent:* Saturday, March 07, 2015 1:27 AM
> *To:* Nishal Goburdhan; sdnog at sdnog.sd
> *Subject:* Re: [sdnog] Understanding the Origins of Anomalous Open DNS
> Resolvers
>
>
>
> That is so interesting. So we can be a part of a huge DDoS attack without
> knowing and not only by getting infected by a PC virus or worm becoming
> part of a botnet!
>
>
>
> I checked the setup of my own home router (Huawei b203, which I got from
> my ISP). I am not reachable from the internet (Carrier-Grade NAT), but I
> have no way in the configuration page to block incoming traffic to port 53.
> I haven't tried to query the WAN side for DNS resolution (I may be an AOR
> after all!), but if I am, I'm afraid there is nothing I can do about that!
>
>
>
> Is there any explanation of why a home router would accept ANY kind of
> traffic from outside? I know manufacturers and ISPs love to put backdoors in
> just in case (no offense, but they do), so could this be some kind of
> backdoor? And to do what? And is there any other research about any of
> these hidden services my home router is providing to the world without my
> knowing or even being able to control them?
>
>
>
> Nobody commented on that so I must be missing something here :)
>
>
>
> --
>
> *Thank you*,
>
> A. M. Yassin
>
> On Wed, Mar 4, 2015 at 7:42 PM Nishal Goburdhan <nishal at controlfreak.co.za>
> wrote:
>
> Abstract. Recent distributed denial-of-service attacks on the Internet
> have been exploiting necessarily open protocols, such as DNS. The Spamhaus
> attack is one of the largest ever examples of such attacks. Although much
> research has been conducted to discuss how to mitigate these threats,
> little has been done to understand why open resolvers exist in the first
> place. In particular, 60% of the open resolvers have anomalous behaviour,
> and the causes of their behaviour remain a mystery, which hurts mitigation
> efforts. Our research produces the first detailed investigation of the 17
> million anomalous open resolvers and finds that these are primarily ADSL
> modems made by four manufacturers. These devices behave anomalously and
> respond to DNS queries with the wrong source port due to improper NAT
> configurations, and are unfortunately hard to fix without a concerted effort
> by ISPs and manufacturers. We also find that anomalous open resolvers are
> clustered, which has the potential for them to be exploited in more
> crippling DDoS attacks.
>
> full paper:
> http://sfc-monitor.ai3.net/~dikshie/.papers/PAM/PAM2015/15.pdf
>
> --n.
>
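An added example (not from the paper or from anyone on the list) of the check Ahmad asks about: send one DNS query to an address you administer, such as your own WAN IP, and classify the reply the way the quoted abstract distinguishes a normal open resolver from an "anomalous" one that answers from the wrong source port. Function names and the sample replies are my own; the socket is deliberately left unconnected so the kernel does not drop replies arriving from a port other than 53.

```python
import socket
import struct

def build_query(txid: int, name: str = "example.com") -> bytes:
    """Minimal DNS query: 12-byte header (RD set) plus one A/IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def parse_header(data: bytes) -> dict:
    """Decode the fields of a DNS header we need; raise if truncated."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "rcode": flags & 0x000F,
            "qdcount": qd, "ancount": an}

def classify(sent_txid: int, reply_src_port: int, reply: bytes) -> str:
    """Label a UDP datagram received after our query (constructed labels)."""
    try:
        h = parse_header(reply)
    except ValueError:
        return "unrelated"
    if not h["qr"] or h["id"] != sent_txid:
        return "unrelated"          # not an answer to the query we sent
    if h["rcode"] == 5:
        return "refused"            # answered, but refuses recursion
    if reply_src_port != 53:
        return "anomalous-open"     # answered from a NAT-rewritten port
    return "open"

def make_reply(txid: int, flags: int = 0x8180) -> bytes:
    """Constructed sample reply: our own question echoed with reply flags."""
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + build_query(txid)[12:]

def probe(host: str, txid: int = 0x1234, timeout: float = 2.0) -> str:
    """Query one address you are responsible for and classify the reply."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)   # unconnected on purpose
    s.settimeout(timeout)
    try:
        s.sendto(build_query(txid), (host, 53))
        data, (_src_ip, src_port) = s.recvfrom(512)
    except socket.timeout:
        return "closed"
    finally:
        s.close()
    return classify(txid, src_port, data)
```

Run `probe("<your WAN address>")` from outside your own network; "open" or "anomalous-open" means the router is answering the world on port 53, which is the situation the abstract describes.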