UDP port 80 DDoS attack

Joe Greco jgreco at ns.sol.net
Tue Feb 7 14:28:25 UTC 2012

> Since when are policers implemented in ram?  You're talking FPGA if you
> want to be able to make forwarding/filtering decisions assuming it's
> possible which it isn't you're 1 million dollar boxes suddenly become
> hundred million dollar boxes.  Then there's v6 info..

Of course it's not possible ... if you use a crummy design.  It's trivial
to come up with non-completely-crummy designs.  For example, adding a
front-end where you take a hash of source-ip/dest-ip and run it through
a smallish hash table, you can use that as a filter to eliminate a lot
of traffic that's just normal and non-interesting.  You want to take a
closer look at the traffic that's heaviest (read: most hits) or new and
significant (read: diff against an hour ago).  You probably don't want
to do this just per-IP, but likely also per-network.  And you probably
don't want to use just this one technique, you want to combine it with
others.  And you probably need to consider the types of attacks that
are known, likely, etc., and design accordingly, because this one little
example I've provided is just one part of a comprehensive solution, but
it is capable of dealing with any amount of traffic and it would be a
very useful filter to start pulling out potentially interesting stuff.

This stuff isn't *easy*.  Fine.  But it certainly *is* possible.

... JG
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.

More information about the NANOG mailing list