[dns-operations] Defending against DNS reflection amplification attacks

Jo Rhett jrhett at netconsonance.com
Fri Feb 22 19:53:25 UTC 2013

On Feb 22, 2013, at 10:22 AM, Joe Abley <jabley at hopcount.ca> wrote:
> - big companies with staff who care about BCP38 have likely already deployed it;

No. I've had this conversation many times and employees of big companies feel that it's impossible, and don't even raise the issue with their management. On two different occasions I arranged a meeting with their management and made the case for it, at which point the managers told the unbelieving employee to make it happen.

BCP has some really good arguments for any public company, basically this.

> - big companies with non-trivial networks who have yet to deploy it need a business reason to do so, since the implementation and support costs are likely enough to be significant that there's probably no room under the radar to do it there;

Every implementation I have done at the edge was nearly trivial in the amount of effort involved. I've been paid as a consultant to do it, and in several situations I was able to enable BCP for 1000+ customers for less than one day's worth of billable hours. (Filtering at the core is an entirely different topic and is absolutely much harder.)

Not all situations are that easy, but it's often much easier than anyone believes.

> - companies have a responsibility to their shareholders to act according to a profit motive;
> - there is no profit motive in "increase my costs so that I can decrease the costs of my competitors."

There is absolutely a profit motive in preventing very costly lawsuits. I was personally involved in the complete death of a small European ISP which was used repeatedly for multi-gigabit random-source attacks. Their customer base and gear was sold off for 8% of annual operating revenue at the close of the criminal case.

Stockholders very much care about this.

> If you can describe BCP38 deployment in a non-trivial network such that deployment is to the benefit of shareholders and non-deployment is not, I'm all ears. Absent regulation and punitive fines for non-compliance, I don't see it.

I am seriously looking for a great opportunity to sue a very large carrier for a failure to implement BCP38, since it very clearly meets the guidelines for "reasonable and expected" that the courts love to use. One very large carrier + one very large settlement, and the other carriers will notice.
