On Sun, Mar 17, 2013 at 11:33 AM, Arturo Servin <arturo.ser...@gmail.com> wrote:
>
> Yes, BCP38 is the solution.
>
> Now, how widely is it deployed?
>
> Someone said in the IEPG session during the IETF86 that 80% of the
> service providers had done it?

right... sure.

> This raises two questions for me. One, is it really 80%, how to
> measure it?
>

csail had a project for a while... spoofer project?
<http://spoofer.csail.mit.edu/>

I think the last I looked they reported ONLY 35% or so coverage of proper
filtering. Looking at:
<http://spoofer.csail.mit.edu/summary.php>

though they report 86% non-spoofable, that seems very high to me.

> Second, if it were 80%, how come the 20% makes so much trouble and how
> to encourage it to deploy BCP38?

some of the 20% seems to be very high-speed connected end hosts and at a
70:1 amplification ratio you don't need much bandwidth to fill a 1g pipe,
eh?

-chris

> (well, actually 4 questions :)
>
> Regards,
> as
>
> On 3/16/13 7:24 PM, Jon Lewis wrote:
>> On Sat, 16 Mar 2013, Robert Joosten wrote:
>>
>>> Hi,
>>>
>>>>> Can anyone provide insight into how to defeat DNS amplification
>>>>> attacks?
>>>> Restrict resolvers to your customer networks.
>>>
>>> And deploy RPF
>>
>> uRPF / BCP38 is really the only solution. Even if we did close all the
>> open recursion DNS servers (which is a good idea), the attackers would
>> just shift to another protocol/service that provides amplification of
>> traffic and can be aimed via spoofed source address packets. Going
>> after DNS is playing whack-a-mole. DNS is the hip one right now. It's
>> not the only one available.
>
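The filtering the thread keeps coming back to (BCP38 / strict uRPF on customer-facing ports) is simple enough to model end to end. The following is an added example, not code from the thread or from any of the posters: it treats each customer interface as carrying a list of the prefixes routed to that customer and accepts a packet only when its source address lies inside one of them, dropping everything else. That dropped set is exactly the forged-source traffic that reflection attacks rely on, so the point of deploying the filter is that it removes the ability to spoof from the network rather than chasing whichever amplifier is popular. Interface names, prefixes and packets are constructed for the example.

```python
"""
Added example: a minimal model of BCP38 / strict-mode uRPF ingress filtering.
Each customer-facing interface is configured with the prefixes assigned to
that customer; a packet arriving on the interface is permitted only if its
source address falls inside one of them. Unknown interfaces permit nothing.
All interface names, prefixes and sample packets below are constructed.
"""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# Constructed customer assignments: interface -> prefixes routed to that customer.
CUSTOMER_PREFIXES: Dict[str, List[str]] = {
    "ge-0/0/1": ["198.51.100.0/24", "2001:db8:100::/48"],
    "ge-0/0/2": ["203.0.113.64/27"],
}

Packet = Tuple[str, str, str]  # (ingress interface, source, destination)


def build_filter(assignments: Dict[str, List[str]]):
    """Parse the prefix table once; returns {iface: [ip_network, ...]}."""
    return {iface: [ip_network(p) for p in prefixes]
            for iface, prefixes in assignments.items()}


def bcp38_permit(filter_table, iface: str, src: str) -> bool:
    """Strict-mode check: permit only if src lies in a prefix assigned to iface.

    An interface with no configured prefixes fails closed. Address-family
    mismatches (v6 source against a v4 prefix) simply do not match.
    """
    addr = ip_address(src)
    return any(addr in net for net in filter_table.get(iface, []))


def apply_ingress_filter(filter_table, packets: List[Packet]):
    """Split a batch of packets into (permitted, dropped) lists."""
    permitted: List[Packet] = []
    dropped: List[Packet] = []
    for pkt in packets:
        iface, src, _dst = pkt
        (permitted if bcp38_permit(filter_table, iface, src) else dropped).append(pkt)
    return permitted, dropped


# Constructed sample traffic. The spoofed entries carry a source address that
# does not belong to the customer behind the port, which is the reflection
# pattern: the forged source is the intended victim of the amplified replies.
SAMPLE_PACKETS: List[Packet] = [
    ("ge-0/0/1", "198.51.100.7", "192.0.2.53"),      # legitimate customer query
    ("ge-0/0/1", "2001:db8:100::1", "2001:db8::53"),  # legitimate IPv6
    ("ge-0/0/1", "192.0.2.10", "192.0.2.53"),        # spoofed: not this customer's space
    ("ge-0/0/2", "203.0.113.70", "192.0.2.53"),      # legitimate, inside the /27
    ("ge-0/0/2", "203.0.113.10", "192.0.2.53"),      # spoofed: outside the /27
    ("ge-0/0/9", "198.51.100.7", "192.0.2.53"),      # unconfigured interface: fail closed
]

if __name__ == "__main__":
    table = build_filter(CUSTOMER_PREFIXES)
    permitted, dropped = apply_ingress_filter(table, SAMPLE_PACKETS)
    for iface, src, dst in dropped:
        print(f"DROP  {iface}: {src} -> {dst} (source not assigned to this port)")
    for iface, src, dst in permitted:
        print(f"PASS  {iface}: {src} -> {dst}")
```

The check is per ingress interface, not per network: a customer address arriving on someone else's port is dropped, which is what distinguishes strict uRPF from a plain "is this one of our prefixes" bogon filter. The spoofer measurements mentioned in the thread test exactly this property from the edge.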