[dns-operations] Defending against DNS reflection amplification attacks

Jo Rhett jrhett at netconsonance.com
Fri Feb 22 17:55:23 UTC 2013

On Feb 22, 2013, at 4:04 AM, Paul Vixie <paul at redbarn.org> wrote:
> at which point it's easier to fix source address validation and make THAT universal. which we already know can't be done.

Don't confuse "won't" with "can't". It absolutely can be done. It won't be done because the carriers see profit in laziness, and see no profit in stopping criminals. In fact, I would argue that it could be done within a month net-wide if the carriers were motivated to do it. Sadly, it will probably take a large scale event that makes large carriers implement it completely in defense of their own networks to force the small carriers to get around to it. 

...not dissing small carriers. I know many who implement it completely. It's the large carriers who tend to whine the most, but they are also the ones with a board of directors who could demand it -- thus, they are the place where the elbow could be placed.
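What "source address validation" amounts to at a customer edge, as an added illustration that is not part of Jo Rhett's post or of the thread: each customer-facing interface carries the list of prefixes assigned to that customer, and a packet whose source lies outside them is dropped before it can reach a reflector. The interface names, prefixes and packets below are constructed (RFC 5737 documentation addresses), the bogon list is a minimal assumed one, and the nftables rendering is IPv4-only and an assumed layout, not any carrier's configuration.

```python
"""Model of BCP 38 style source address validation on customer-facing ports.

Policy: a packet may enter the carrier network only if its source address is
inside a prefix assigned to the interface it arrived on.  Everything here is
constructed example data, not real operator configuration.
"""
import ipaddress
from dataclasses import dataclass

# Hypothetical customer ports and the prefixes routed to each of them.
INTERFACE_PREFIXES = {
    "cust-eth1": ["203.0.113.0/24"],
    "cust-eth2": ["198.51.100.0/25", "198.51.100.128/26"],
}

# Minimal assumed bogon list: sources that are never valid from a customer port.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/4")]


@dataclass(frozen=True)
class Packet:
    ingress_if: str
    src: str
    dst: str
    dport: int


def build_filter(interface_prefixes):
    """Parse the per-interface prefix lists once, up front."""
    return {ifname: [ipaddress.ip_network(p) for p in prefixes]
            for ifname, prefixes in interface_prefixes.items()}


def validate_source(filt, pkt):
    """Return (forward, reason) for one packet arriving on a customer port."""
    allowed = filt.get(pkt.ingress_if)
    if allowed is None:
        return False, "unknown ingress interface"
    src = ipaddress.ip_address(pkt.src)
    if any(src in net for net in BOGONS):
        return False, f"bogon source {src}"
    if any(src in net for net in allowed):
        return True, f"{src} is within a prefix assigned to {pkt.ingress_if}"
    return False, f"spoofed source {src} is not assigned to {pkt.ingress_if}"


def filter_traffic(filt, packets):
    """Apply the policy to a batch and return only the packets forwarded."""
    forwarded = []
    for pkt in packets:
        ok, reason = validate_source(filt, pkt)
        verdict = "FORWARD" if ok else "DROP   "
        print(f"{verdict} {pkt.ingress_if} {pkt.src} -> {pkt.dst}:{pkt.dport}  ({reason})")
        if ok:
            forwarded.append(pkt)
    return forwarded


def nft_ruleset(interface_prefixes):
    """Render the same policy as an nftables ruleset: accept the assigned
    prefixes per port, then drop anything else that port sends (IPv4 only;
    an ip6 saddr rule per port would be needed for dual-stack customers)."""
    lines = ["table inet bcp38 {", "    chain sav {",
             "        type filter hook prerouting priority -300; policy accept;"]
    for ifname, prefixes in interface_prefixes.items():
        lines.append(f'        iifname "{ifname}" ip saddr {{ {", ".join(prefixes)} }} accept')
        lines.append(f'        iifname "{ifname}" drop')
    lines += ["    }", "}"]
    return "\n".join(lines)


# Constructed traffic: queries towards an open resolver at 192.0.2.53, with
# 192.0.2.10 playing the reflection victim whose address the attacker forges.
SAMPLE_PACKETS = [
    Packet("cust-eth1", "203.0.113.7", "192.0.2.53", 53),     # legitimate query
    Packet("cust-eth1", "192.0.2.10", "192.0.2.53", 53),      # spoofed: victim as source
    Packet("cust-eth2", "198.51.100.150", "192.0.2.53", 53),  # legitimate, second prefix
    Packet("cust-eth2", "10.1.2.3", "192.0.2.53", 53),        # bogon source
    Packet("cust-eth2", "203.0.113.9", "192.0.2.53", 53),     # another customer's address
]

if __name__ == "__main__":
    edge = build_filter(INTERFACE_PREFIXES)
    filter_traffic(edge, SAMPLE_PACKETS)
    print(nft_ruleset(INTERFACE_PREFIXES))
```

The check is per interface rather than "is this address routable at all", which is why the second customer's spoof of 203.0.113.9 is dropped even though that prefix is valid elsewhere on the same router. The operational cost that drives the pushback discussed in the thread is keeping the per-port prefix list accurate: a multihomed customer who legitimately sources traffic from a prefix learned via another provider must have that prefix added to their port's list, or their traffic is dropped along with the spoofed packets.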

