[dns-operations] Defending against DNS reflection amplification attacks

Paul Ferguson fergdawgster at gmail.com
Sat Feb 23 02:29:37 UTC 2013


On Fri, Feb 22, 2013 at 10:22 AM, Joe Abley <jabley at hopcount.ca> wrote:

> Before everybody starts waving red flags and marching in the streets:
>  - the carriers of which you speak are big companies;
>  - big companies with staff who care about BCP38 have likely already deployed it;
>  - big companies with non-trivial networks who have yet to deploy it need a business reason to do so, since the implementation and support costs are likely enough to be significant that there's probably no room under the radar to do it there;
>  - companies have a responsibility to their shareholders to act according to a profit motive;
>  - there is no profit motive in "increase my costs so that I can decrease the costs of my competitors."
> If you can describe BCP38 deployment in a non-trivial network such that deployment is to the benefit of shareholders and non-deployment is not, I'm all ears. Absent regulation and punitive fines for non-compliance, I don't see it.
> If there's a logical or practical fallacy in here, someone please point it out. (As if I have to type that.)

Are you willing to also help us do the hard work to do the right thing?

I'm pretty sure the answer is "Yes".

So let's get busy, and stop finding reasons not to do the Right Thing.

- ferg

"Fergie", a.k.a. Paul Ferguson
