UDP port 80 DDoS attack

Keegan Holley keegan.holley at sungard.com
Wed Feb 8 08:31:05 UTC 2012


2012/2/8 George Bonser <gbonser at seven.com>

> > -----Original Message-----
> > From: bas
> > Sent: Tuesday, February 07, 2012 11:56 PM
> > To: Dobbins, Roland; nanog
> > Subject: Re: UDP port 80 DDoS attack
> >
> > Say eyeball provider X has implemented automated S/RTBH, and I have a
> > grudge against them.
> > I would simply DoS a couple of the subscribers *with spoofed source IP*
> > addresses from google, youtube, netflow and hulu.
> > The automated S/RTBH drops all packets coming from those IP addresses.
> > Presto; many angry consumers call the ISP's helpdesk.
>
> Comes back to providers allowing "spoofed" traffic into their networks
> from customers.  That seems to me to be the low-hanging fruit here.
>
How do you stop it?  Granted, traffic from 10/8 or 127.0.0.1 coming in via
an upstream is obvious, but that's about it.  There's nothing in a packet
that will tell you where it came from compared to the source IP field in
the IP header.  uRPF is a problem for anyone who's sufficiently multihomed
since it causes asymmetric routing.
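
Added example, not part of the original thread: a small simulation of the uRPF check discussed in the messages above, comparing strict and loose mode on a customer-facing port and on a multihomed upstream. The FIB, interface names and packets are constructed for illustration and use documentation prefixes.

```python
import ipaddress

# Constructed FIB for a multihomed edge router: prefix -> best-path interface.
# Prefixes are RFC 5737 documentation ranges; interface names are hypothetical.
FIB = {
    "198.51.100.0/24": "upstream_a",  # remote network, best return path via A
    "203.0.113.0/24": "customer_1",   # prefix assigned to a single-homed customer
}

def best_interface(src):
    """Longest-prefix match on the source address; None if there is no route."""
    addr = ipaddress.ip_address(src)
    matches = [(ipaddress.ip_network(p), i) for p, i in FIB.items()
               if addr in ipaddress.ip_network(p)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def urpf_accepts(src, in_iface, mode):
    """Strict: route back to src must use in_iface. Loose: any route suffices."""
    route = best_interface(src)
    if route is None:
        return False
    return True if mode == "loose" else route == in_iface

# Constructed packets: (description, source IP, arrival interface)
PACKETS = [
    ("customer sending from its own prefix", "203.0.113.5", "customer_1"),
    ("customer spoofing a remote source", "198.51.100.7", "customer_1"),
    ("genuine remote host, asymmetric path", "198.51.100.7", "upstream_b"),
    ("source with no route at all", "192.0.2.9", "upstream_a"),
]

def evaluate():
    """Return (description, strict_result, loose_result) for each packet."""
    return [(d, urpf_accepts(s, i, "strict"), urpf_accepts(s, i, "loose"))
            for d, s, i in PACKETS]

if __name__ == "__main__":
    for desc, strict, loose in evaluate():
        print(f"{desc:40} strict={'pass' if strict else 'drop'} "
              f"loose={'pass' if loose else 'drop'}")
```

Strict mode drops the spoofed packet on the customer port but also drops the genuine packet that arrives on the second upstream; loose mode passes both and only rejects sources with no route.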


