<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p class="MsoNormal">Hello,</p>
<p class="MsoNormal"><br>
During our research on DNS/DNSSEC amplification attacks against the root servers, and while evaluating Anonymous' Operation Global Blackout (we still don't know whether it is a hoax...), we came up with an idea that would limit one additional attack.</p>
<p class="MsoNormal">Let's imagine a query whose source IP is spoofed as one of the root servers' IPs, sent to a DNS cache server. The cache does the whole name resolution process and finally sends the reply to the spoofed IP, which in this case is one of the root servers. So this may be additional network traffic during the attack.<br>
</p>
<p class="MsoNormal">The idea is to filter, on DNS cache servers, these outgoing replies whose IP matches any of the root server IPs and whose source port is :53, so we avoid loading the root servers with these spoofed replies.<br>
I hope this does not drop legitimate traffic, so let me know if this is a bad idea. :)<br>
</p>
<p class="MsoNormal"><br>
</p>
<p class="MsoNormal">best regards,<br>
<br>
</p>
<p class="MsoNormal">Ivo<br>
</p>
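<p class="MsoNormal">The egress filter proposed above, as an added example that is not part of Ivo's message: a Python script that reads the root server addresses from a root hints excerpt in the BIND named.root format, applies the match to a handful of outgoing datagrams, and renders the equivalent iptables/ip6tables OUTPUT rules. The match is on the cache's own source port 53 with destination port 53 at a root address; the assumption behind it is that a legitimate iterative query from the cache leaves from an ephemeral (randomised) source port and therefore never matches. The hints excerpt, the addresses in it and the sample datagrams are all constructed for this example; an operator would load the current root hints file instead.</p>

```python
"""
Egress filter for a caching resolver (added example, not from the original post).

Drop datagrams that look like DNS *replies* (source port 53) addressed to a
root-server address on port 53.  A legitimate iterative query from the cache to
a root server leaves from an ephemeral source port, so it does not match.
"""
import ipaddress
from dataclasses import dataclass

# Constructed excerpt in the BIND "named.root" (root hints) format.  Only two
# servers are listed here for brevity; a real deployment loads the full,
# current hints file.
ROOT_HINTS = """\
;       This file holds the information on root name servers needed to
;       initialize cache of Internet domain name servers
.                        3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
A.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:ba3e::2:30
.                        3600000      NS    K.ROOT-SERVERS.NET.
K.ROOT-SERVERS.NET.      3600000      A     193.0.14.129
K.ROOT-SERVERS.NET.      3600000      AAAA  2001:7fd::1
"""


def parse_root_hints(text):
    """Return the set of A/AAAA addresses of the root servers in a hints file."""
    addrs = set()
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        # owner  TTL  type  rdata   (NS lines carry names, not addresses)
        if len(fields) >= 4 and fields[2] in ("A", "AAAA"):
            addrs.add(ipaddress.ip_address(fields[3]))
    return addrs


@dataclass(frozen=True)
class Datagram:
    """Constructed stand-in for an outgoing packet as seen on the OUTPUT path."""
    proto: str     # "udp" or "tcp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def is_spoofed_reply_to_root(pkt, root_addrs, dns_port=53):
    """True if pkt is a UDP DNS reply (src port 53) to a root server on port 53.

    TCP is left alone: a spoofed source cannot complete the handshake, so the
    cache never answers a TCP query on the attacker's behalf.
    """
    return (pkt.proto == "udp"
            and pkt.src_port == dns_port
            and pkt.dst_port == dns_port
            and ipaddress.ip_address(pkt.dst_ip) in root_addrs)


def filter_egress(pkts, root_addrs):
    """Split outgoing datagrams into (kept, dropped) according to the rule."""
    kept, dropped = [], []
    for p in pkts:
        (dropped if is_spoofed_reply_to_root(p, root_addrs) else kept).append(p)
    return kept, dropped


def iptables_rules(root_addrs, dns_port=53):
    """Render the equivalent OUTPUT-chain rules (strings only, not executed)."""
    rules = []
    for a in sorted(root_addrs, key=lambda x: (x.version, int(x))):
        tool = "iptables" if a.version == 4 else "ip6tables"
        rules.append(f"{tool} -A OUTPUT -p udp --sport {dns_port} "
                     f"-d {a} --dport {dns_port} -j DROP")
    return rules


ROOTS = parse_root_hints(ROOT_HINTS)

# Constructed traffic from a cache at 192.0.2.53 / 2001:db8::53.
SAMPLE_PACKETS = [
    Datagram("udp", "192.0.2.53", 41523, "198.41.0.4", 53),      # real query: ephemeral sport
    Datagram("udp", "192.0.2.53", 53, "193.0.14.129", 53),       # reply to spoofed root IP
    Datagram("udp", "2001:db8::53", 53, "2001:7fd::1", 53),      # same, over IPv6
    Datagram("udp", "192.0.2.53", 53, "203.0.113.7", 53),        # reply to a client using sport 53
    Datagram("udp", "192.0.2.53", 53, "203.0.113.8", 51234),     # ordinary reply to a client
    Datagram("tcp", "192.0.2.53", 53, "198.41.0.4", 53),         # TCP: not matched by design
]


def demo():
    """Apply the filter to the sample traffic; returns (kept, dropped)."""
    return filter_egress(SAMPLE_PACKETS, ROOTS)


if __name__ == "__main__":
    kept, dropped = demo()
    for p in dropped:
        print("DROP", p)
    for p in kept:
        print("PASS", p)
    print("\n".join(iptables_rules(ROOTS)))
```

<p class="MsoNormal">The rendered rules match only the cache's own source port 53, so the cache's queries to the roots (which use ephemeral source ports) and its replies to ordinary clients are unaffected; the one thing that would be lost is a reply to a root server address that really did send a query from port 53, which is not something a root server does.</p>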
</body>
</html>