[dns-operations] Defending against DNS reflection amplification attacks

Paul Ferguson fergdawgster at gmail.com
Sat Feb 23 03:33:31 UTC 2013

On Fri, Feb 22, 2013 at 7:13 PM, Randy Bush <randy at psg.com> wrote:

>> Are you willing to also help us do the hard work to do the right thing?
>> I'm pretty sure the answer is "Yes".
>> So let's get busy, and stop finding reasons not to do the Right Thing.
>> - ferg
> you may have a problem with your mail system.  it seems to be re-sending
> messages from a decade ago, though they seem to have today's date.  odd.

Not at all odd -- we still have the same problems. I think that is
indicative of several things, none of which I will expand on at this

> perhaps, after the decade of us telling others how they should run their
> networks, an actual large operator who has deployed bcp38 can give us an
> analysis of the costs, capex and opex, and how they minimized them.

I think we are far beyond that -- those are the things that have
apparently already failed.

It is several factors -- ignorance, negligence, among them. We as a
community have not a good job of boiling it down to non-technical
issues that those executives understand (with regards to revenue

I agree that we should have some hard stats on who has deployed these
measures, and how it impacted them.

Please speak up if you have any data.

I can say, however, that we *do* have data on who has *not* deployed
it, and how they are virtually criminally negligent for doing so.

And don't get me wrong -- there are still some really hard problems.

- ferg

"Fergie", a.k.a. Paul Ferguson

More information about the dns-operations mailing list