80/udp floods?

Deepak Jain deepak at ai.net
Thu Feb 19 01:01:24 UTC 2004




Wayne E. Bouchard wrote:

> Yes, this seems to be a common thing these days. You send udp/LARGE udp
> packets and fragments to port 80 to saturate bandwidth and you combine
> that with compromised hosts successively opening and closing TCP
> connections to port 80 (Not a syn flood, actual connections that look
> to the router in terms of packet size etc to be legitimate.) A note
> that the majority of these hosts are from LACNIC and APNIC
> space. (with a smattering from RIPE) I almost never see ARIN address
> space used for these compromised hosts.
> 
> Most of the attacks I've seen recently have used this setup.
> 
> Easy enough to fend off except for the TCP 80 bit. For most of these
> attacks, I've taken to just filtering the entire LACNIC and APNIC
> address delegations at the host level for the duration of the
> incident since, in the general case, my customers (the ones that
> suffer these incidents) do little if any business in that region.

We've seen >1Gb/s connection filling attacks from ARIN space, especially 
24.x blocks.

FYI,

Deepak Jain
AiNET


