20-30Gbps UDP 1720 traffic appearing to originate from CN in last 24 hours
Jared Mauch
jared at puck.Nether.net
Tue Jul 21 12:43:08 UTC 2015
On Tue, Jul 21, 2015 at 08:09:56AM -0400, Curtis Maurand wrote:
>
> DNS is still largely UDP.
Water is also still wet :) - but you may not be doing 10% of your
links as UDP/53.
DNS can also use TCP as well, including sending more than one
query in a pipelined fashion.
The challenge that Cameron is trying to document here
is when seeing large volumes of UDP it becomes necessary to do
something to keep the network up. This response is frustrating for those
of us who prefer to have a unfiltered e2e network but maintaining
the network as up in the face of these adverse conditions is important.
- Jared
>
> --Curtis
>
> On 7/20/2015 5:40 PM, Ca By wrote:
> >Folks, it may be time to take the next step and admit that UDP is too
> >broken to support
> >
> >https://tools.ietf.org/html/draft-byrne-opsec-udp-advisory-00
> >
> >Your comments have been requested
> >
> >
> >
> >On Mon, Jul 20, 2015 at 8:57 AM, Drew Weaver <drew.weaver at thenap.com> wrote:
> >
> >>Has anyone else seen a massive amount of illegitimate UDP 1720 traffic
> >>coming from China being sent towards IP addresses which provide VoIP
> >>services?
> >>
> >>I'm talking in the 20-30Gbps range?
> >>
> >>The first incident was yesterday at around 13:00 EST, the second incident
> >>was today at 09:00 EST.
> >>
> >>I'm assuming this is just another DDoS like all others, but I would be
> >>interested to hear if I am not the only one seeing this.
> >>
> >>On list or off-list is fine.
> >>
> >>Thanks,
> >>-Drew
> >>
> >>
>
> --
> Best Regards
> Curtis Maurand
> Principal
> Xyonet Web Hosting
> mailto:cmaurand at xyonet.com
> http://www.xyonet.com
--
Jared Mauch | pgp key available via finger from jared at puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
More information about the NANOG
mailing list