20-30Gbps UDP 1720 traffic appearing to originate from CN in last 24 hours

Rafael Possamai rafael at gav.ufsc.br
Tue Jul 21 14:48:59 UTC 2015


Pavel, what kind of resources does the analysis of a 100G circuit require?
Or is it just counting packets?

On Tue, Jul 21, 2015 at 8:11 AM, Pavel Odintsov <pavel.odintsov at gmail.com>
wrote:

> You could do SQC with FastNetMon. We have per subnet / per host and
> per protocol counters. We are working on multi 100GE mode very well :)
>
> On Tue, Jul 21, 2015 at 4:07 PM, Rafael Possamai <rafael at gav.ufsc.br>
> wrote:
> > Has anyone tried to implement real-time SQC in their network? You can
> > calculate summary statistics and use math to determine if traffic is
> > "normal" or if there's a chance it's garbage. You won't be able to notice
> > one-off attacks, but anything that repeats enough times should pop up.
> > Facebook uses similar technology to figure out what kind of useless news to
> > display on your feed.
> >
> > In summary, instead of blocking an entire country, we should be able to
> > analyze traffic as it comes, and determine a DDoS attack without human
> > intervention.
> >
> > On Tue, Jul 21, 2015 at 7:43 AM, Jared Mauch <jared at puck.nether.net>
> wrote:
> >
> >> On Tue, Jul 21, 2015 at 08:09:56AM -0400, Curtis Maurand wrote:
> >> >
> >> > DNS is still largely UDP.
> >>
> >>         Water is also still wet :) - but you may not be doing 10% of your
> >> links as UDP/53.
> >>
> >>         DNS can also use TCP as well, including sending more than one
> >> query in a pipelined fashion.
> >>
> >>         The challenge that Cameron is trying to document here
> >> is when seeing large volumes of UDP it becomes necessary to do
> >> something to keep the network up.  This response is frustrating for those
> >> of us who prefer to have an unfiltered e2e network but maintaining
> >> the network as up in the face of these adverse conditions is important.
> >>
> >>         - Jared
> >>
> >> >
> >> > --Curtis
> >> >
> >> > On 7/20/2015 5:40 PM, Ca By wrote:
> >> > >Folks, it may be time to take the next step and admit that UDP is too
> >> > >broken to support
> >> > >
> >> > >https://tools.ietf.org/html/draft-byrne-opsec-udp-advisory-00
> >> > >
> >> > >Your comments have been requested
> >> > >
> >> > >
> >> > >
> >> > >On Mon, Jul 20, 2015 at 8:57 AM, Drew Weaver <drew.weaver at thenap.com>
> >> > >wrote:
> >> > >
> >> > >>Has anyone else seen a massive amount of illegitimate UDP 1720 traffic
> >> > >>coming from China being sent towards IP addresses which provide VoIP
> >> > >>services?
> >> > >>
> >> > >>I'm talking in the 20-30Gbps range?
> >> > >>
> >> > >>The first incident was yesterday at around 13:00 EST, the second incident
> >> > >>was today at 09:00 EST.
> >> > >>
> >> > >>I'm assuming this is just another DDoS like all others, but I would be
> >> > >>interested to hear if I am not the only one seeing this.
> >> > >>
> >> > >>On list or off-list is fine.
> >> > >>
> >> > >>Thanks,
> >> > >>-Drew
> >> > >>
> >> > >>
> >> >
> >> > --
> >> > Best Regards
> >> > Curtis Maurand
> >> > Principal
> >> > Xyonet Web Hosting
> >> > mailto:cmaurand at xyonet.com
> >> > http://www.xyonet.com
> >>
> >> --
> >> Jared Mauch  | pgp key available via finger from jared at puck.nether.net
> >> clue++;      | http://puck.nether.net/~jared/  My statements are only
> >> mine.
> >>
>
>
>
> --
> Sincerely yours, Pavel Odintsov
>
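The statistical quality control idea raised in the thread (summarise per-protocol traffic, flag intervals that fall outside what the baseline says is normal) can be sketched as a simple control chart. The block below is an added example and is not code from the thread, from FastNetMon, or from any of the posters; the flow records, the 10-second interval size, the eight-interval baseline, the 3-sigma limit and the minimum-sigma floor are all constructed assumptions for illustration.

```python
"""Toy SQC-style control chart over per-(protocol, port) byte counts.

Assumed pipeline: flow records are bucketed into fixed intervals, a baseline
window is used to compute a mean and standard deviation per traffic class, and
later intervals above the upper control limit (mean + k * sigma) are flagged.
All sample data here is constructed; it is not real measurement.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed per-interval byte counts (11 ten-second intervals). UDP/1720 is
# quiet for nine intervals and then jumps in the last two; UDP/53 and TCP/443
# stay flat. Numbers are invented for the example.
UDP_1720 = [1_000_000, 1_100_000, 950_000, 1_050_000, 1_000_000, 1_020_000,
            980_000, 1_000_000, 1_150_000, 25_000_000, 30_000_000]
UDP_53 = [300_000, 310_000, 290_000, 300_000, 305_000, 295_000,
          300_000, 300_000, 310_000, 320_000, 300_000]
TCP_443 = [5_000_000] * 11
N_INTERVALS = 11

# Flow records as (interval_index, protocol, dst_port, bytes); constructed.
FLOWS = (
    [(i, "udp", 1720, b) for i, b in enumerate(UDP_1720)]
    + [(i, "udp", 53, b) for i, b in enumerate(UDP_53)]
    + [(i, "tcp", 443, b) for i, b in enumerate(TCP_443)]
)


def aggregate(flows, n_intervals):
    """Sum bytes per (protocol, port) per interval; intervals with no flows are 0."""
    series = defaultdict(lambda: [0] * n_intervals)
    for interval, proto, port, nbytes in flows:
        series[(proto, port)][interval] += nbytes
    return dict(series)


def control_limits(baseline, k=3.0, min_sigma_ratio=0.05):
    """Return (mean, upper control limit) for a baseline window.

    A very stable baseline has a tiny sigma, which would make the chart fire on
    harmless jitter, so sigma is floored at min_sigma_ratio * mean (assumed
    value). An all-zero baseline yields a limit of 0, so any new traffic in
    that class is flagged, which is the intended behaviour for a class that
    was previously absent.
    """
    mu = mean(baseline)
    sigma = max(pstdev(baseline), mu * min_sigma_ratio)
    return mu, mu + k * sigma


def flag_intervals(values, baseline_len, k=3.0):
    """Indices of intervals after the baseline whose count exceeds the UCL."""
    if len(values) <= baseline_len:
        return []  # nothing to judge yet
    _, ucl = control_limits(values[:baseline_len], k)
    return [i for i in range(baseline_len, len(values)) if values[i] > ucl]


def scan(flows, n_intervals, baseline_len=8, k=3.0):
    """Run the chart over every traffic class; return only classes with hits."""
    report = {}
    for key, values in aggregate(flows, n_intervals).items():
        hits = flag_intervals(values, baseline_len, k)
        if hits:
            report[key] = hits
    return report


if __name__ == "__main__":
    for (proto, port), hits in scan(FLOWS, N_INTERVALS).items():
        print(f"{proto}/{port}: intervals above control limit: {hits}")
```

With these numbers only UDP/1720 is reported, for intervals 9 and 10; the 1,150,000-byte interval 8 stays below the 3-sigma limit of about 1,164,375 bytes. In a real deployment the baseline would be a rolling window rather than the first few intervals, and the interval length, k and sigma floor would be tuned per traffic class so that routine DNS or web variation does not trip the chart.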
