31 march and root servers

Ivo ivo at nic.lv
Fri Mar 30 11:27:01 UTC 2012


During the research on dns/dnssec amplification attacks against root
servers and evaluation of anonymous operation global blackout (we still
don't know if this is a hoax...), we came up with an idea which would
limit one additional attack.

Let's imagine a query whose source is spoofed as one of the root servers'
IPs, sent to a DNS cache server, which does all the name resolving
process and finally sends the reply to the spoofed IP, which in this case
is one of the root servers. So this may be additional network traffic
during the attack.

The idea is to filter these outgoing replies with IP matching any of the
root server IPs and source port 53 on DNS cache servers, so we will
avoid loading root servers with these spoofed replies.
I hope this does not drop legitimate traffic, so let me know if this is a
bad idea. :)

best regards,


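As an added example (not part of the original post, and not BIND's or ISC's code), the following POSIX shell script builds the proposed egress filter on a cache server: it takes the root server addresses from a hints file in named.root format rather than hard-coding them, emits nftables commands that drop packets leaving the resolver with source port 53 and a root server destination, and includes a small helper that shows which packets the rule would and would not catch. The hints snippet written by write_sample_hints is a constructed sample using documentation-range addresses, so the script runs offline; on a real resolver set ROOT_HINTS to the named.root file BIND ships. The nft commands assume an existing `inet filter` table with an `output` chain, which is an assumption of this example.

```shell
#!/bin/sh
# Added example, not code from the original post. Generates an outbound
# filter that drops DNS replies (source port 53) addressed to root servers,
# reading the root addresses from a named.root-style hints file.

# Hints file to read; defaults to a temp file filled with a constructed sample.
ROOT_HINTS="${ROOT_HINTS:-$(mktemp)}"

# Write a constructed sample in named.root format (documentation addresses,
# not the real root server addresses) so the script can run offline.
write_sample_hints() {
    cat > "$1" <<'EOF'
; constructed sample in named.root layout: name ttl type rdata
.                        3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     192.0.2.4
A.ROOT-SERVERS.NET.      3600000      AAAA  2001:db8::4
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     192.0.2.201
EOF
}

# Print the rdata of every record of the given type (A or AAAA), skipping
# comment lines. $1 = hints file, $2 = record type.
root_ips() {
    awk -v t="$2" '$1 !~ /^;/ && $3 == t { print $4 }' "$1"
}

# Join stdin lines into one comma separated list for an nft element block.
join_csv() {
    awk 'NR > 1 { printf ", " } { printf "%s", $0 } END { print "" }'
}

# Emit nftables commands. Only packets with SOURCE port 53 are matched, so
# the resolver's own queries to the roots (destination port 53, ephemeral
# source port) are not affected; only replies addressed to a root are.
gen_rules() {
    v4=$(root_ips "$1" A | join_csv)
    v6=$(root_ips "$1" AAAA | join_csv)
    printf '%s\n' "nft add set inet filter rootv4 '{ type ipv4_addr; }'"
    printf '%s\n' "nft add set inet filter rootv6 '{ type ipv6_addr; }'"
    [ -n "$v4" ] && printf '%s\n' "nft add element inet filter rootv4 '{ $v4 }'"
    [ -n "$v6" ] && printf '%s\n' "nft add element inet filter rootv6 '{ $v6 }'"
    for proto in udp tcp; do
        printf '%s\n' "nft add rule inet filter output ip daddr @rootv4 $proto sport 53 counter drop"
        printf '%s\n' "nft add rule inet filter output ip6 daddr @rootv6 $proto sport 53 counter drop"
    done
}

# Decide for one outgoing packet whether the rule set would drop it.
# $1 = source port, $2 = destination address. Prints "drop" or "pass".
would_drop() {
    [ "$1" = 53 ] || { echo pass; return; }
    if root_ips "$ROOT_HINTS" A | grep -qxF "$2" ||
       root_ips "$ROOT_HINTS" AAAA | grep -qxF "$2"; then
        echo drop
    else
        echo pass
    fi
}

write_sample_hints "$ROOT_HINTS"
gen_rules "$ROOT_HINTS"
```

The script prints the commands rather than running them so they can be reviewed first. One caveat the original question raises: the match relies on legitimate traffic from the resolver to the roots carrying an ephemeral source port. A resolver configured to send its own queries from port 53 (BIND's `query-source` with a fixed `port 53`, a setting that is also undesirable for cache-poisoning reasons) would have those queries dropped as well, so check the resolver's query-source configuration before deploying the rule.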