DDoS: The present is bleak. The future unclear


Upload: david-piscitello

Post on 18-Nov-2014


TRANSCRIPT

  • 1. DDoS: The present is bleak. The future uncertain.
  • 2. DNS is a distributed database. Consequently, your name service has many dependencies.
  • 3. TLDs (COM, NET, RU, TU); your DNS hosting; your ISPs; lots of other ISPs; Internet devices and servers.
  • 4. Your adversaries in RED.
  • 5. Your response against DNS attacks also depends on these and other parties.
  • 6. Think global, not local. Your abatement is your last line of defense, not first. Be prepared to ask for help from your access provider, upstream providers, and CERTs/CSIRTs/CIRTs. Do you have these PoCs in your action plan?
  • 7. Provide Good Intel: time information; attack characteristics; attack evolution; impact assessment.
  • 8. Encourage global mitigation.
  • 9. DDoS attacks will continue to increase in scale, intensity, and frequency.
  • 10. Fighting back.
  • 11. Your options: voluntary adoption of best practices; self-regulation; regulatory action; litigation.
  • 12. Voluntary adoption of best practices: cost, complexity; incentive, perceived direct value; progressing at a snail's pace.
  • 13. Call the bluff? "Doing this [DDoS mitigation] right takes a fraction of the resources that it would take to comply with a mountain of regulation" (John Bambenek, SANS Internet Storm Center).
  • 14. Self-regulation? The self-regulators of the Internet need to change behavior by providing strong disincentives to misbehave. Disincentives could take the forms of refusal to peer or accept traffic from non-compliant networks. (Dr. Joel Snyder, Opus One)
  • 15. Bring lawyers, guns and money? Victims should start filing suit against non-BCP38 ISPs for something like contributory negligence. (Paul Vixie, Farsight)
  • 16. The R word: Procurement Requirements. "Don't connect to ISPs who don't enforce BCP38 at their customer edge. Don't buy transit from them. Don't peer with them. Tell them why. Make them pay the highest possible cost to deliver reflected DDoS traffic to victims in your network" (Paul Vixie, Farsight).
  • 17. What actions are you willing to take to reduce the growing risk from DDoS attacks?