[dns-operations] First experiments with DNS dampening to fight amplification attacks

Doug Barton dougb at dougbarton.us
Fri Oct 26 19:18:15 UTC 2012

On 10/26/2012 8:15 AM, WBrown at e1b.org wrote:
> I'm not an internet routing guru, so I must not be seeing something.  When 
> my organization connects to an upstream provider, they know we have a 
> block of addresses assigned (Actually, we have more than one).  They know 
> that we connect to their switch in rack X, switch Y, port Z.
> If they see a packet with a source address of appearing on that 
> port, what possible reason could they have for allowing it through? 

In addition to the (correct) reasons that Paul stated, there is also a
more fundamental issue. They are being paid by you to push packets. The
more of your packets they push, the more you pay them. So not only is
there a cost to creating the infrastructure to block the packets, there
is a direct cost for actually blocking the packets. For the bandwidth
provider, on strictly business terms, it's a lose/lose.

What we have failed to do as an industry is create sufficient incentives
to make being a good net.citizen of higher benefit than the costs
