UDP port 80 DDoS attack

George Bonser gbonser at seven.com
Wed Feb 8 19:50:42 UTC 2012

> -----Original Message-----
> From: christopher.morrow
> to be fair: "Some Providers do not check registries for 'right to use'
> information about prefixes their customers wish to announce to them
> over BGP."

Maybe not but I would think that in practice it would be something like:

1. Provider initially filters traffic based on the address range they have issued to the customer.
2. If the customer brings their own IP addresses, the provider does a quick check to see if those have been SWIPed to the customer
3. If the customer wants the filtration opened up to include additional IPs, the do the same as #2
4. If the customer has no record of having control of those IPs, a quick call to the listed assignee of those numbers would verify that the customer is mutual and is properly sourcing traffic in that IP range and filters are adjusted accordingly. 

In about 99% of cases that would be the end of the story and everything runs merrily along after that.  Sure, there are going to be corner cases but if someone starts playing whack-a-mole with IP address assignments and is asking for frequent changes, that might be a tip-off that they might be trouble.

It *does* involve maintaining some record of the configuration settings someplace in case of equipment changes/failures, etc. but that would be a small price to pay for reducing the amount of time spent chasing DoS complaints.  It has to be a community effort with a set of best practices developed and applied by the community.  

More information about the NANOG mailing list