20-30Gbps UDP 1720 traffic appearing to originate from CN in last 24 hours

John Weekes jw at nuclearfallout.net
Mon Jul 20 23:24:45 UTC 2015


Ca,

> Folks, it may be time to take the next step and admit that UDP is too
> broken to support
>
> https://tools.ietf.org/html/draft-byrne-opsec-udp-advisory-00
>
> Your comments have been requested

My comment would be that UDP is still widely used for game server 
traffic. This is unlikely to change in the near future because TCP (by 
default) is not well-suited for highly time-sensitive data, as even a 
small amount of packet loss causes significant delays.

In light of this, it is a bad idea for network operators to apply 
overall rate-limits to UDP traffic right now. Rate-limiting specific UDP 
/ports/ that are frequently seen in reflection attacks -- such as 19, 
123, and 1900 -- is a more reasonable practice, however, and it is 
becoming more common.

UDP-based application protocols can be implemented correctly, such that 
they also have handshakes that limit their ability to be used for 
reflection attacks, and modern services (including modern game servers) 
do this.

TCP and UDP can both be spoofed and used for direct attacks; we see this 
all the time. UDP is preferred due to many applications protocols' 
susceptibility to amplification attacks, but spoofed TCP attacks are 
often a bit thornier to deal with from the standpoint of a host 
attempting to externally mitigate, because tracking the three-way 
handshake requires keeping state.

I spoke with Drew earlier and his attacks do not appear to be reflected, 
so this is orthogonal to his concern today. He is seeing 
directly-generated traffic, which could use any protocol.

-John
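A stateless-cookie handshake of the kind John says modern game servers use, as an added example (not code from the post or from any real game server): the first reply to an unknown sender is never larger than the request, so a spoofed source address gains no amplification, and the full payload goes only to a sender that echoes the cookie. The message names, sizes and the 30-second cookie lifetime are assumptions.

```python
import hmac, hashlib, os, time

# Constructed example: a stateless cookie handshake for a UDP service.
# The server keeps no per-client state; the cookie is an HMAC over the
# sender's address and a time bucket, so only a host that really receives
# packets at the claimed address can echo it back and obtain the payload.
SECRET = os.urandom(32)       # per-process secret (assumption: rotate on restart)
COOKIE_LEN = 16
COOKIE_TTL = 30               # seconds a cookie stays valid (assumed value)
MIN_HELLO = 64                # first datagram must be padded to at least this size
PAYLOAD = b"INFO " + b"x" * 1400   # the large answer we refuse to reflect

def make_cookie(addr, now, secret=SECRET):
    """Cookie bound to (ip, port) and the current COOKIE_TTL-second bucket."""
    bucket = int(now // COOKIE_TTL)
    msg = f"{addr[0]}:{addr[1]}:{bucket}".encode()
    return hmac.new(secret, msg, hashlib.sha256).digest()[:COOKIE_LEN]

def cookie_valid(addr, cookie, now, secret=SECRET):
    """Accept the current or the previous bucket so a boundary does not break a handshake."""
    return any(hmac.compare_digest(make_cookie(addr, now - skew, secret), cookie)
               for skew in (0, COOKIE_TTL))

def handle_datagram(addr, data, now=None):
    """Server side. Returns (kind, reply). Unverified senders never get PAYLOAD."""
    now = time.time() if now is None else now
    if data.startswith(b"QUERY ") and len(data) >= 6 + COOKIE_LEN:
        if cookie_valid(addr, data[6:6 + COOKIE_LEN], now):
            return ("info", PAYLOAD)
        return ("reject", b"")          # bad or stale cookie: stay silent
    if data.startswith(b"HELLO") and len(data) >= MIN_HELLO:
        return ("challenge", b"COOKIE " + make_cookie(addr, now))  # 23 bytes < MIN_HELLO
    return ("drop", b"")                # unpadded or unknown: no reply, no reflection

def amplification_factor(addr, data, now=None):
    """Bytes sent back per byte received; what a spoofed source would gain from this datagram."""
    _, reply = handle_datagram(addr, data, now)
    return len(reply) / len(data)

def client_exchange(addr, now=None):
    """Client side: padded HELLO, echo the cookie, receive the payload."""
    kind, reply = handle_datagram(addr, b"HELLO".ljust(MIN_HELLO, b"\0"), now)
    assert kind == "challenge"
    return handle_datagram(addr, b"QUERY " + reply[7:], now)
```

The same padding-plus-cookie pattern is what keeps a legitimate low-latency protocol usable while denying the per-packet gain that port-level rate limits on 19, 123 and 1900 are meant to contain.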



More information about the NANOG mailing list