[dns-operations] Defending against DNS reflection amplification attacks

Joe Abley jabley at hopcount.ca
Sun Feb 24 22:50:17 UTC 2013

Hi Jo,

On 2013-02-24, at 14:26, Jo Rhett <jrhett at netconsonance.com> wrote:

On 23/02/2013, at 2:53 AM, Jo Rhett <jrhett at netconsonance.com> wrote:

No. I've had this conversation many times and employees of big companies
feel that it's impossible, and don't even raise the issue with their
management. In two different occasions I arranged a meeting with their
management and made the case for it, at which point the managers told the
unbelieving employee to make it happen.

On Feb 23, 2013, at 8:36 PM, Daniel Griggs wrote:

If you have a presentation that you can share with the class, that would be
It would make a useful addition to any security workshops or discussions I
have with providers around security.

This topic really is so much simpler than most people put it out there.
Completely ignore any topic of "being a good person". There are a group of
related legal terms that come into play:

I am always wary of assertions of law, made by non-lawyers especially,
where there's an implicit assumption that there's a single legal system
we're dealing with, in a single jurisdiction, when the Internet (even
ignoring Seth Breidbart) is necessarily global and supernational.

Even with citations from case law in particular justifications, I find this
line of thinking questionable in a global context.

Boiled down, this is equivalent to technical approaches like "block
qtype=any": it's whack-a-mole, and there are many more moles in any
operational timeframe than will make any real difference, given the
practical potential for whacking. We should be looking elsewhere,
regardless of the demonstrated longevity of individual moles.

Am I wrong?


(no small burrowing mammals were harmed in the thinking that preceded this
expression of doubt)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20130224/00ea7a77/attachment.html>

More information about the dns-operations mailing list