20-30Gbps UDP 1720 traffic appearing to originate from CN in last 24 hours

Pavel Odintsov pavel.odintsov at gmail.com
Tue Jul 21 13:11:52 UTC 2015


You could do SQC with FastNetMon. We have per-subnet / per-host and
per-protocol counters. We are working on multi-100GE mode very well :)

On Tue, Jul 21, 2015 at 4:07 PM, Rafael Possamai <rafael at gav.ufsc.br> wrote:
> Has anyone tried to implement real-time SQC in their network? You can
> calculate summary statistics and use math to determine if traffic is
> "normal" or if there's a chance it's garbage. You won't be able to notice
> one-off attacks, but anything that repeats enough times should pop up.
> Facebook uses similar technology to figure out what kind of useless news to
> display on your feed.
>
> In summary, instead of blocking an entire country, we should be able to
> analyze traffic as it comes, and determine a DDoS attack without human
> intervention.
>
> On Tue, Jul 21, 2015 at 7:43 AM, Jared Mauch <jared at puck.nether.net> wrote:
>
>> On Tue, Jul 21, 2015 at 08:09:56AM -0400, Curtis Maurand wrote:
>> >
>> > DNS is still largely UDP.
>>
>>         Water is also still wet :) - but you may not be doing 10% of your
>> links as UDP/53.
>>
>>         DNS can also use TCP as well, including sending more than one
>> query in a pipelined fashion.
>>
>>         The challenge that Cameron is trying to document here
>> is when seeing large volumes of UDP it becomes necessary to do
>> something to keep the network up.  This response is frustrating for those
>> of us who prefer to have an unfiltered e2e network but maintaining
>> the network as up in the face of these adverse conditions is important.
>>
>>         - Jared
>>
>> >
>> > --Curtis
>> >
>> > On 7/20/2015 5:40 PM, Ca By wrote:
>> > >Folks, it may be time to take the next step and admit that UDP is too
>> > >broken to support
>> > >
>> > >https://tools.ietf.org/html/draft-byrne-opsec-udp-advisory-00
>> > >
>> > >Your comments have been requested
>> > >
>> > >
>> > >
>> > >On Mon, Jul 20, 2015 at 8:57 AM, Drew Weaver <drew.weaver at thenap.com>
>> wrote:
>> > >
>> > >>Has anyone else seen a massive amount of illegitimate UDP 1720 traffic
>> > >>coming from China being sent towards IP addresses which provide VoIP
>> > >>services?
>> > >>
>> > >>I'm talking in the 20-30Gbps range?
>> > >>
>> > >>The first incident was yesterday at around 13:00 EST, the second
>> incident
>> > >>was today at 09:00 EST.
>> > >>
>> > >>I'm assuming this is just another DDoS like all others, but I would be
>> > >>interested to hear if I am not the only one seeing this.
>> > >>
>> > >>On list or off-list is fine.
>> > >>
>> > >>Thanks,
>> > >>-Drew
>> > >>
>> > >>
>> >
>> > --
>> > Best Regards
>> > Curtis Maurand
>> > Principal
>> > Xyonet Web Hosting
>> > mailto:cmaurand at xyonet.com
>> > http://www.xyonet.com
>>
>> --
>> Jared Mauch  | pgp key available via finger from jared at puck.nether.net
>> clue++;      | http://puck.nether.net/~jared/  My statements are only
>> mine.
>>



-- 
Sincerely yours, Pavel Odintsov
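As an added worked example (not code from the thread, from FastNetMon, or from any poster), here is the per-host, per-protocol control-chart idea Rafael describes, in Python: a baseline of UDP/1720 rate samples towards one VoIP destination fixes a center line and an upper control limit, and an alarm is raised only when several consecutive samples exceed that limit, which is exactly why one-off spikes stay invisible while a repeating flood pops up. Every counter value is constructed, and the parameters (k, run_length, min_sigma) are assumed tuning values, not settings taken from any real tool.

```python
"""Shewhart-style control chart with a run rule over a single traffic counter,
e.g. "UDP/1720 Mbit/s towards one VoIP address per 10-second bucket".
Added example; counter values below are constructed, parameters are assumptions."""
from statistics import mean, pstdev
from typing import List


class SqcDetector:
    """Control chart for one counter (one host, one protocol/port).

    baseline   -- samples collected while traffic was known to be normal
    k          -- a sample above center + k*sigma is 'out of control'
    run_length -- consecutive out-of-control samples needed before alarming;
                  this hides one-off spikes and surfaces anything that repeats
    min_sigma  -- lower bound on sigma so a very quiet baseline does not turn
                  every small blip into an alarm (assumed value, tune per link)
    """

    def __init__(self, baseline: List[float], k: float = 3.0,
                 run_length: int = 3, min_sigma: float = 0.5) -> None:
        if len(baseline) < 2:
            raise ValueError("need at least two baseline samples")
        self.k = k
        self.run_length = run_length
        self.center = mean(baseline)
        self.sigma = max(pstdev(baseline), min_sigma)
        self.streak = 0  # current run of consecutive out-of-control samples

    @property
    def ucl(self) -> float:
        """Upper control limit. Floods only push the rate up, so no lower limit."""
        return self.center + self.k * self.sigma

    def observe(self, sample: float) -> bool:
        """Feed one sample; True once run_length consecutive samples exceed UCL."""
        self.streak = self.streak + 1 if sample > self.ucl else 0
        return self.streak >= self.run_length


def detect_runs(baseline: List[float], samples: List[float],
                k: float = 3.0, run_length: int = 3) -> List[int]:
    """Indexes into `samples` at which the detector is alarming."""
    det = SqcDetector(baseline, k=k, run_length=run_length)
    return [i for i, s in enumerate(samples) if det.observe(s)]


# Constructed data: UDP/1720 Mbit/s towards one VoIP host, 10-second buckets.
BASELINE_MBPS = [4.1, 3.9, 4.4, 4.0, 3.8, 4.2, 4.3, 3.9, 4.1, 4.0]
# One isolated 9.5 Mbit/s blip, then a sustained flood in the 20-30 Gbit/s range.
SAMPLES_MBPS = [4.0, 9.5, 4.1, 4.2, 3.9, 21000.0, 24500.0, 26000.0, 23000.0, 4.0]

if __name__ == "__main__":
    det = SqcDetector(BASELINE_MBPS)
    print(f"center={det.center:.2f} Mbit/s  ucl={det.ucl:.2f} Mbit/s")
    # The blip at index 1 never alarms; the flood alarms from its third bucket on.
    print("alarm at sample indexes:", detect_runs(BASELINE_MBPS, SAMPLES_MBPS))
```

In practice one detector instance would be kept per (destination host, protocol/port) key fed from the per-host and per-protocol counters a tool like FastNetMon exports, with the baseline refreshed from recent in-control samples so the center line follows normal diurnal change; the run rule is what keeps a single bursty legitimate call setup from being mistaken for a flood.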