[dns-operations] Defending against DNS reflection amplification attacks

Jo Rhett jrhett at netconsonance.com
Sun Feb 24 18:26:12 UTC 2013

> On 23/02/2013, at 2:53 AM, Jo Rhett <jrhett at netconsonance.com> wrote:
>> No. I've had this conversation many times and employees of big companies feel that it's impossible, and don't even raise the issue with their management. On two different occasions I arranged a meeting with their management and made the case for it, at which point the managers told the unbelieving employee to make it happen.

On Feb 23, 2013, at 8:36 PM, Daniel Griggs wrote:
> If you have a presentation that you can share with the class, that would be great.
> It would make a useful addition to any security workshops or discussions I have with providers around security.

This topic really is so much simpler than most people put it out there. Completely ignore any topic of "being a good person". There are a group of related legal terms that come into play:

1. Gross Negligence
2. Good Faith Business Judgement
3. Commercially Reasonable Effort
...a few others, it's been a while since I had this discussion.

But the long and short is that for a person or company suing the provider to prove gross negligence, they must prove that this particular provider (1) knew the damage it would cause and (2) failed to provide reasonable effort to prevent the damage.

It's a very short trip for a lawyer to convince even the most ignorant jury what the IETF is, and what BCP38 is, and that there is no reasonable way that the commercial entity was unaware of BCP38. Last time I was in court the lawyer threw three other RFCs into the mix but I have forgotten offhand what they are. Tie that together with the extensive promotion efforts by others, and a company would have to claim that they had never heard of the IETF and never went to any conferences and never participated in any forums or mailing lists. That's a very easy bit of information to gather to prove they did.

	Note: I have always entered the conversation having this exact information in hand, to show just how easy it was to prove.

Then the lawyer must prove that it was "commercially reasonable", i.e., their competition does it. In the lawsuits that I was involved in, the lawyer didn't bother making a case for the industry as a whole but instead made a case for the providers "just down the street". In particular, the fact that the customer who initiated the attack moved from a provider who was BCP38 compliant to them just days before the attack was used as evidence that the provider was directly to blame.

	Note: I don't bring this up, but several providers have asked if implementing BCP38 would make it more likely their competitors would face this lawsuit. I plead off being a lawyer but I acknowledge that it seems entirely reasonable. I do point out that if a competitor's failure to implement BCP38 was involved in an outage in their network, all of the same factors are involved. (and vice versa)

Then, the lawyer must simply provide evidence that the attacks came from the provider's network (wouldn't be a lawsuit without that part) and voila, you have a clear judgement for gross negligence.

The last bit of information that I bring is a round-up of what awards juries toss at large corporations convicted of gross negligence. Given the current anti-big-business mindset in this country, it is always ridiculously high numbers.

note 1: not a lawyer and I make it clear. In fact, I express clearly that this is something they should discuss with their own lawyer(s).

note 2: I've only done this with US companies, or companies with US divisions. Legal terms and expectations may differ elsewhere.

Jo Rhett
Net Consonance : net philanthropy to improve open source and internet projects.
