We’ve written extensively about open DNS proxies running in home gateways (“open home gateways”). Affected devices proxy DNS queries received on their WAN interface to whatever DNS resolver they are configured to use, typically the resolver configured by the ISP. DNS has always been a handy tool for various kinds of attacks, and the presence of these gateways gives attackers a back door into provider networks.
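A provider can check for this behaviour on gateways in its own address space by sending a recursive query to the WAN address and inspecting the reply header. The sketch below is an added example, not code from the original post; the function names, the `example.com` probe name and the open/closed heuristic are assumptions for illustration.

```python
import os
import socket
import struct

QR, RD, RA = 0x8000, 0x0100, 0x0080   # DNS header flag bits
NOERROR, NXDOMAIN = 0, 3              # response codes that imply recursion worked

def build_query(name, txid):
    """Recursive (RD=1) A/IN query for `name`."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def classify_response(data, txid):
    """Return 'open', 'closed' or 'malformed' for a reply seen on the WAN side."""
    if data is None:                      # timeout: port filtered or nothing listening
        return "closed"
    if len(data) < 12:
        return "malformed"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not flags & QR:     # not a response to our query
        return "malformed"
    rcode = flags & 0x000F
    if rcode == NOERROR and ancount > 0:  # query was proxied upstream and answered
        return "open"
    if flags & RA and rcode in (NOERROR, NXDOMAIN):
        return "open"                     # recursion offered to an outside client
    return "closed"                       # REFUSED, SERVFAIL, or no recursion offered

def probe(wan_ip, name="example.com", timeout=2.0):
    """Query a gateway's WAN address from outside the subscriber LAN."""
    txid = int.from_bytes(os.urandom(2), "big")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name, txid), (wan_ip, 53))
            data, _ = s.recvfrom(4096)
        except OSError:                   # includes socket.timeout
            data = None
    return classify_response(data, txid)

def sample_reply(txid, flags, with_answer):
    """Constructed reply bytes for offline checks (192.0.2.1 is a documentation address)."""
    question = build_query("example.com", txid)[12:]
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1])
    hdr = struct.pack("!HHHHHH", txid, flags, 1, 1 if with_answer else 0, 0, 0)
    return hdr + question + (rr if with_answer else b"")
```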
“Open” DNS resolvers have been an issue on the Internet for a long time. Efforts like the Open Resolver Project (openresolverproject.org) quantify the scale of the problem with methodical measurements. Below is a chart based on their data showing what’s been happening. This data set covers all open resolvers, not just home gateways, but we believe home gateways are the substantial majority: 85% or more.
The good news is that the trend is clearly down. In fact, the absolute number of open resolvers has dropped by around 7 million, or about 25%, over this period. That progress is all the more remarkable because remediation is non-trivial. Providers have to track down the devices and either replace them altogether or upgrade them. At scale this is challenging, especially if end users need to be involved.
Where is the biggest drop?
Among countries with more than a million open home gateways at the beginning of 2014, CN (China) and the US both fell 20% and IN (India) dropped 13%. Among all countries with more than a million home gateways at the beginning of the year, more than a million devices have been removed (8.6M down to 7.5M). The biggest percentage drop among networks with large numbers of home gateways was in GB (Great Britain), with a 63% decline: they got rid of almost half a million. Unfortunately, there was also some growth in this group: in MX (Mexico) the number of open home gateways increased 10%, or about 120,000. Fortunately, there were no other countries at similar scale with growth. So noticeable progress has been made.
DNS-related DDoS has become a major problem. Providers everywhere in the world are experiencing stress on their resolvers, and targeted web resources regularly experience outages. Fine-grained filters have become an effective deterrent against the use of legitimate domains for amplification, and dynamic threat lists that track purpose-built amplification domains eliminate other unwanted traffic. But attackers continue to refine their exploits, and their latest attacks also take advantage of open home gateways. Reducing the base of problematic devices represents progress, but in the meantime smarter DNS servers with adaptable defenses represent the best way to stay one step ahead of attacks.
To learn more about how service providers can protect themselves against open home router vulnerabilities, please contact us.