If your routers utilize protections such as TTL security and uRPF to prevent IP spoofing, and only accept TCP packets addressed to RE, from proper sources, then the firewall filter could be 98% effective if you have analyzed your situation carefully.

Some network operators who already utilize these mitigation strategies fully, may have been mislead into thinking the issue effected them more seriously than it does.

Some juniper customers may have created unnecessary service-effecting outages for their clients, to perform an emergency upgrade on reliance of the Juniper bulletin implying firewall was not a usable workaround in any case.

That could have been delayed until a proper maintenance window, or until proper notice could be delivered.

In other words, Juniper should have been more upfront and disclosed more information regarding WHY firewall cannot be used as an effective workaround.

On our end, we repeated the assertion from Juniper in the bulletin (citing Juniper) that such filtering would not be totally effective (our primary purpose being to publish our confirmation that this was an exploitable problem, and the header value not hard to find quickly so people could consider this in their risk evaluation on patching quickly). To that end, the second link to our blog in the post as a resource needing refuting is probably not appropriate 4 days after the fact.

We continue to think and advise that reliance on such defenses (while most should be in place regardless) is not a substitute for quick analysis and patching of this problem.