DNS Amplification Attacks... and a trivial proposal

John Levine johnl at iecc.com
Fri Jun 14 02:23:05 UTC 2013

>>The real solution is BCP 38...
>I agree completely John.  I cannot do otherwise.  But I have to ask the
>obvious elephant-in-the-room question... How is that comming along so far?

Based on discussions I've had with people who work at large networks
and in policy positions in various governments (not all in the US), a
lot faster than it it was even a few months ago.

If we're going to ask people to update their networks, I'd rather
concentrate on an update that will really work, rather than some plan
B that sorta kinda helps, and gives people the excuse that since they
did that they don't have to do BCP 38.

Also, a fair amount is just education.  I ran a spoofer test on my
server and found the network wide open.  I talked to the guy who runs
the hosting center today and he said oops, he thought it was set to do
ingress filtering.  So it will in a few days when he gets his router
configs updated.


More information about the bind-users mailing list