ddos attacks

cb.list6 cb.list6 at gmail.com
Wed Dec 18 23:12:28 UTC 2013

On Aug 2, 2013 10:31 AM, <sgraun at airstreamcomm.net> wrote:
> I’m curious to know what other service providers are doing to
alleviate/prevent ddos attacks from happening in your network.  Are you
completely reactive and block as many addresses as possible or null0
traffic to the effected host until it stops or do you block certain ports
to prevent them.  What’s the best way people are dealing with them?
> Scott

I am strongly considering having my upstreams to simply rate limit ipv4
UDP. It is the simplest solution that is proactive.

The facts are that during steady state less than 5% of my aggregate traffic
is ipv4 udp. During an attack, 100% of the attack traffic is ipv4 udp (dns,
chargen, whatever). The attacks last for about 10 minutes, so manual
intervention is not possible. Automated intervention has its own warts.

Conclusion: ipv4 udp is  a toxic dump.  It is a shame that DNS (can be
tcp), webrtc (should be sctp), and Google's QUIC are going to suffer the
rate limited fate.  My advice to them is to get aways from ipv4 udp, the
problem is getting worse not better.


More information about the NANOG mailing list