While open resolvers provide various benefits by answering DNS requests from external sources for anything, today they pose a significant threat to the stability and security of the Internet. For example, open resolvers have been recently utilized for launching amplification attacks, calling for initiating a systematic study on their population, use, and distribution, and raising the awareness on their potential roles. For example, the open resolver project (http://openresolverproject.org/) reported 32 million open resolvers, 28 million of which pose a significant threat, as of October 2013.
In this presentation, we will report on an independent study of open resolvers and their usage. Beside verifying the numbers provided by the open resolver project, we go further in understanding those resolvers. To highlight their usage, we identify open resolvers in the com/net authoritative DNS resolution, and try to answer the following questions:
• What is the intersection between the open resolvers in the wild and sources of DNS requests seen in the com/net resolution?
• How persistent are the IP addresses of open resolvers in the com/net resolution over time?
• What is the correlation between the volume of DNS requests generated by open resolvers in
the com/net resolution and their activity in the open resolvers ecosystem?
In this study, we received 32,040,586 responses from 31,424,854 unique IP addresses that used 277,048 forwarders. In comparison with the open resolver project statistics, and for the same time period (Oct 28, 2013 - Nov 3, 2013), our survey matched (number-wise) 98.7% of the responses and 99.03% of the unique IP addresses used by open resolvers.
We found that the daily intersection between open resolvers (forwarders) and sources of requests in the com/net resolution for the same day is more than 73% at any point in time over the time of the scan (of 7 days). Furthermore, over the time of the experiment, we found that only 91.9% of the total number of forwarders show up in the com/net resolution, with a non-trivial percent not showing up (8.1%). The daily pairwise intersection of forwarders (across different days) is shown to range from 87% to 95%, suggesting a level of dynamics and churn in the open resolvers population.
Second, we found that the number of open resolvers in the com/net resolution is persistent over time, with daily intersection ranging from 73% to 82%, and an average intersection (over 7 days) of about 76%. Third, we give each forwarder two scores: a popularity in the open resolvers ecosystem (unique IP addresses in the open resolver survey above), and a popularity score in the com/net resolution system (the number of queries issued by each forwarder). Interesting, we found that both scores are weakly and positively correlated (0.29).
Our presentation will also highlight other characteristics of open resolvers, such as geographical distribution, and persistence characterization over a longer period of time between consecutive scans (∼6 months), along with implications.