[dns-operations] Defending against DNS reflection amplification attacks

Joe Abley jabley at hopcount.ca
Fri Feb 22 18:22:16 UTC 2013


On 2013-02-22, at 13:55, Jo Rhett <jrhett at netconsonance.com> wrote:

> On Feb 22, 2013, at 4:04 AM, Paul Vixie <paul at redbarn.org> wrote:
>> at which point it's easier to fix source address validation and make THAT universal. which we already know can't be done.
> 
> Don't confuse "won't" with "can't". It absolutely can be done. It won't be done because the carriers see profit in laziness, and see no profit in stopping criminals.

Before everybody starts waving red flags and marching in the streets:

 - the carriers of which you speak are big companies;

 - big companies with staff who care about BCP38 have likely already deployed it;

 - big companies with non-trivial networks who have yet to deploy it need a business reason to do so, since the implementation and support costs are likely enough to be significant that there's probably no room under the radar to do it there;

 - companies have a responsibility to their shareholders to act according to a profit motive;

 - there is no profit motive in "increase my costs so that I can decrease the costs of my competitors."

If you can describe BCP38 deployment in a non-trivial network such that deployment is to the benefit of shareholders and non-deployment is not, I'm all ears. Absent regulation and punitive fines for non-compliance, I don't see it.

If there's a logical or practical fallacy in here, someone please point it out. (As if I have to type that.)


Joe