[dns-operations] First experiments with DNS dampening to fight amplification attacks

Dobbins, Roland rdobbins at arbor.net
Fri Oct 26 12:31:43 UTC 2012

On Oct 26, 2012, at 7:24 PM, <WBrown at e1b.org> wrote:

> If so, why can't they block anything outside that range?

This is the perpetual refrain questioning why BCP84 hasn't been universally implemented.  Lack of clue, lack of perceived economic incentive, lack of infrastructure capability (though the natural cycle of equipment upgrades has largely eliminated this issue on networks running even semi-modern gear), apathy, sloth, venality.

In the main, it isn't a question of 'can't' - it's a question of 'won't'.  Which is why Paul was saying that network infrastructure vendors should by default enable various anti-spoofing mechanisms on the gear they sell.

Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

	  Luck is the residue of opportunity and design.

		       -- John Milton
