UDP port 80 DDoS attack
Sven Olaf Kamphuis
sven at cb3rob.net
Thu Feb 9 07:07:50 CST 2012
> Stop paying transit providers for delivering spoofed packets to the edge of your network and they will very quickly develop methods of proving that the traffic isn't spoofed, or block it altogether. =)
yes, very smart idea... which makes it completely impossible to have
multihomed networks or simply kick out tunnel originated traffic over
default gateways ... so, no, thanks.
we usually do it the other way around, if providers block "spoofed"
traffic, we tell them to put their serverfarms somewhere else as thats not
very optimized for tunnel termination at their facilities :P
(yes leaseweb, that means you ;)
> -----Original Message-----
> From: George Bonser [mailto:gbonser at seven.com]
> Sent: Wednesday, February 08, 2012 1:27 PM
> To: bas; nanog
> Subject: RE: UDP port 80 DDoS attack
>> 77% of all networks seem to think so.
> And it would be the remaining 23% that really need to understand how difficult they are making life for the rest of the Internet.
>> However the remaining networks allow spoofed traffic to egress their
>> When that traffic enters my network, I have no method whatsoever to
>> differentiate it from any other traffic.
> I'm not really thinking about traffic coming from the Internet. I'm thinking about its originating location. Correct, once it gets into the Internet, you really have no way to tell.
>> I could ask my upstream where they see it coming from, which will be
>> quite hard if they do not have pretty fancy systems.
> At that point the game is really hard, agreed. And if it is distributed, it could be coming from any number of places or from every single one of their upstreams.
>> But if they receive it from a peer, I am as good as lost in trying to
>> find the culprit.
> Agreed. That's why it is important to stop it at the source.
More information about the NANOG