UDP port 80 DDoS attack

dennis dennis at justipit.com
Mon Feb 6 12:22:38 UTC 2012

The point is well taken that cloud scrubbing can be an essential component 
of mitigating a volumetric flood.  However, it is important to note that 
DDOS attacks do not only consist of volumetric floods.  Current attacks 
often incorporate a multi-vectored attack campaign including a combination 
of low and slow and application layer attacks on upper layer protocols, ie. 
DNS & HTTP(s).  These campaigns are designed to fly under the triggers of 
other flow based analysis (cloud scrubbing) protections in place today.   As 
with any security protection a layered approach is required in order to 
protect the  perimeter from DDOS.  In addition to the previous 
recommendations of ACL, uRPF, RTBH, CoPP, inspection of the full stack is 
required.    The best protection today includes a detector capable of 
inspecting the full stack and signaling back to the cloud scrubbing station 
to swing the route if the attack becomes volumetric.   The premise device 
should have technique in order to challenge the source and counter the 
attack with intelligence.    I'm aware of two vendors offering some of these 
capabilities today, Radware and Arbor.

From: "Keegan Holley" <keegan.holley at sungard.com>
Sent: Sunday, February 05, 2012 8:37 PM
To: "Dobbins, Roland" <rdobbins at arbor.net>
Cc: "NANOG Group" <nanog at nanog.org>
Subject: Re: UDP port 80 DDoS attack

> 2012/2/5 Dobbins, Roland <rdobbins at arbor.net>
>> On Feb 6, 2012, at 8:10 AM, Keegan Holley wrote:
>> > An entire power point just to recommend ACL's, uRPF, CPP, DHCP 
>> > snooping,
>> and RTBH?
>> Actually, no, that isn't the focus of the preso.
>> > The first four will not work against a DDOS attack
>> This is incorrect - suggest you read the preso.
> The ACL's are configured on the routers belonging to the victim AS which
> will not save their access pipe if it's overrun unless I'm missing
> something.  uRPF may help with spoofed traffic, but sometimes causes
> problems with multi-homing and is often more harmful than helpful 
> depending
> on the network design.
>> > and the last one just kills the patient so he does not infect other
>> patients.
>> S/RTBH - as opposed to D/RTBH - doesn't kill the patient.  Again, suggest
>> you read the preso.
> Source RTBH often falls victim to rapidly changing or spoofed source IP"s.
> It also isn't as widely supported as it should be. I never said DDOS was
> hopeless, there just aren't a wealth of defenses against it.

More information about the NANOG mailing list