automatic rtbh trigger using flow data
rdobbins at arbor.net
Fri Aug 31 17:13:20 UTC 2018
On 31 Aug 2018, at 23:53, Lotia, Pratik M wrote:
> Instead of rtbh I would suggest blocking/rate limiting common ports
> used in DDoS attacks.
This isn't an 'instead of', it's an 'in addition to'. And it must be
done judiciously; many operators doing this have concentrated on common
port-pairs observed in UDP reflection/amplification attacks.
It's important to understand that any kind of packet of any
protocol/ports (if such concepts apply on the protocol in question) can
be used to launch DDoS attacks.
We've many tools in the toolbox, and should use them in a
situationally-appropriate manner. And when we're using techniques like
QoSing down certain ports/protocols, we must err on the side of caution,
lest we cause larger problems than the attacks themselves.
Roland Dobbins <rdobbins at arbor.net>
More information about the NANOG