[dns-operations] First experiments with DNS dampening to fight amplification attacks

Dobbins, Roland rdobbins at arbor.net
Fri Oct 26 03:33:03 UTC 2012

On Oct 26, 2012, at 9:38 AM, P Vixie wrote:

>  Let the default for new routers be s.a.v. and I don't expect much trouble.

The problem is that the increase in helpdesk call volume and trouble-tickets will have a negative economic impact on the infrastructure vendors.

Believe me, this has been a source of contentious debate within major network infrastructure vendors.  Like you, I wish it could be the default; but, absent some mechanism which doesn't cause problems in some non-insignificant fraction of deployment scenarios, it isn't going to happen.

One thing to keep in mind is that a lot of low-end gear which is really intended for internal enterprise use is deployed on public-facing networks by folks who either don't know any better or who just don't care.  Same for code trains which are oriented towards enterprise LAN/WAN rather than Internet use.  So, the infrastructure vendors can't differentiate between 'enterprise' and 'Internet' boxes/code in order to set the defaults where they'd do the least amount of harm - and even then, the economic cost of the helpdesk calls/tickets would still be prohibitive.

> Leave the default as is and I'll expect linear trouble with growth.

Assuming IPv6 is ever widely deployed, the absurd and wasteful amounts of address space which are routinely handed out will likely conjoin with spoofing to produce quite a bit of unpleasantness.  All too often, catharsis is the only way to effectuate change.

Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

	  Luck is the residue of opportunity and design.

		       -- John Milton
